Solacare Privacy Policy
This Privacy Policy explains how Stellocare Inc. ("Solacare", "we", or "the Platform") collects, uses, discloses, transfers, stores, and protects your personal data when you use the Solacare website, online booking system, client portal, practitioner management system, and related services (collectively, the "Services"). This Policy should be read together with the Terms of Service.
Important: for a client's clinical and case records, the practitioner is the party that decides how such data is used. Solacare processes such data only on the practitioner's instructions. If you are a client and wish to access, correct, or exercise rights over clinical records, please contact your practitioner directly.
Part One: Scope and Our Role
1. Who This Applies To and Which Laws Apply
The Platform is aimed mainly at users in Hong Kong and is operated by a company based in Canada. Depending on your location and status, the following privacy laws may apply to you.
- Hong Kong: for personal data we collect and process in connection with Hong Kong users, we work to comply with the Personal Data (Privacy) Ordinance, Cap. 486 ("PDPO").
- Canada (federal): as a Canadian company processing personal data in the course of commercial activity, we are subject to the Personal Information Protection and Electronic Documents Act ("PIPEDA").
- Ontario: where a practitioner regulated under Ontario law processes personal health information through the Platform, the Personal Health Information Protection Act ("PHIPA") applies to that data.
Different laws may apply to different data or users at the same time. Where these laws differ, we apply the higher standard required by the applicable law for the relevant data.
2. Our Role Under Each Law
Solacare is an ementalhealth platform, not a medical institution or health service provider. Our role differs depending on the category of data and the law that applies.
- For your account and general platform data, we are the party that decides the purpose and manner of processing (a data user under the PDPO, an organization under PIPEDA).
- For a client's clinical and case records, the practitioner is the party that decides how the data is used, and we process it on their instructions (processing on behalf of a data user under the PDPO).
- Where PHIPA applies, for personal health information processed by a practitioner (the health information custodian), we generally act as their agent or electronic service provider, not as the custodian.
This description of our role is consistent with the statement in the Terms of Service that the Platform is not itself a service provider.
Part Two: Data We Collect
3. Data You Provide to Us
Depending on how you use the Services, we may collect the following data that you provide to us.
- Account and identity data: legal English name, display name, email address, and phone number.
- Practitioner data: professional profile, scope of services, fees, and proof of professional credentials.
- Client data: booking information, and content you submit in forms, assessments, or homework tasks.
- Communication content: messages, chat, or emails you exchange with a practitioner or with us through the Platform.
- Payment related data: payment status and transaction records (full payment card data is handled by our payment processor, Stripe, and is not stored by us).
4. Sensitive Data and Personal Health Information
Because the Services relate to mental health, some data we handle is sensitive in nature and may be personal health information under PHIPA, including health conditions, clinical records, and assessment content. We store such data in encrypted form and process it only to the extent needed to provide the Services.
Clinical content is kept separately by practitioner and is isolated between different practitioners. We do not use this data for any purpose beyond its original purpose.
5. Data Collected Automatically
When you use the Services, we may automatically collect device and usage data such as your IP address, browser type, device information, access times, and usage records, to keep the Platform running, secure, and to improve the Services.
Providing personal data is entirely voluntary, but if you do not provide certain required data, we may not be able to provide the related service to you.
Part Three: Use, Legal Basis, and Sharing
6. Purposes of Use
We use personal data for the following purposes.
- creating and managing accounts, and providing, maintaining, and improving the Services;
- enabling bookings, communication, and online counselling between practitioners and clients;
- processing payments, subscriptions, and payment collection;
- verifying a practitioner's professional credentials;
- providing the practitioner directory and matching features;
- sending service related notifications, such as booking reminders;
- protecting Platform security and detecting and preventing fraud or misuse;
- complying with applicable law and regulatory requirements.
7. Legal Basis for Processing and Consent
We process personal data only for the purpose stated at the time of collection, or a purpose directly related to it. Under the PDPO, we notify you of the purpose of collection at the time data is collected. Under PIPEDA, we obtain your meaningful consent where reasonable and appropriate. Where PHIPA applies, processing of personal health information is based on the consent obtained by the practitioner (as custodian).
If we intend to use data for a new purpose that is not directly related to the original purpose, we will give you further notice or seek your consent.
8. AI Matching
Our practitioner matching feature processes practitioner directory data and any query you provide to generate matching suggestions, using the third party AI provider OpenAI. We limit the data sent to this provider to what is reasonably necessary. Matching results are for reference only, do not constitute medical advice, and do not involve any fully automated decision with legal or otherwise significant effects.
9. How We Share Data
We do not sell your personal data. We may share data with third parties in the following circumstances.
- Service providers: to operate the Platform, we engage third parties to handle specific functions, including identity verification, payment processing, video and realtime messaging, message and email delivery, file storage, and cloud infrastructure. These providers may only process data on our instructions and for the purpose of providing the Services, and must maintain appropriate security.
- Between practitioners and clients: to enable the Services, relevant booking and communication data is shared between you and your practitioner or client.
- Legal requirements: where required by law, or where reasonably necessary to protect rights, property, or safety.
- Business transfers: if a merger, acquisition, or asset transfer occurs, data may be transferred as part of the transaction and will continue to be protected under this Policy.
10. Direct Marketing
We will never, under any circumstances, use for marketing purposes any data submitted or generated by users, including without limitation personal data, counselling content, and case records.
11. Cross Border Data Transfers
We and our service providers may store or process your data outside of Hong Kong or Canada. When data is transferred across borders, we remain responsible for it and take reasonable steps, such as contractual safeguards, to ensure the data receives protection comparable to this Policy and applicable law.
Part Four: Your Rights and Choices
12. Access and Correction
Under applicable law, you have the right to access personal data we hold about you and to request correction of any inaccuracy. For a client's clinical records, such a request should be made to your practitioner (as custodian). Other requests can be made using the contact details below. We may need to verify your identity first, and may charge a reasonable fee for an access request where permitted by law.
13. Withdrawing Consent and Choices
You may withdraw consent you previously gave at any time (this does not affect processing carried out before withdrawal), and you may opt out of nonessential communications. Where PHIPA applies, you may give the custodian instructions restricting the use or disclosure of your personal health information. Withdrawing certain consents may affect our ability to provide the Services to you.
14. Regional Rights and Regulators
Depending on your location, you may contact or file a complaint with the relevant regulator.
- Hong Kong: you have access and correction rights under the PDPO, and may complain to the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD).
- Canada (federal): you have rights under PIPEDA to access your data, challenge its accuracy, and withdraw consent, and may complain to the Office of the Privacy Commissioner of Canada (OPC).
- Ontario: for personal health information, you have rights under PHIPA to access and correct records (generally exercised through the custodian), and may complain to the Information and Privacy Commissioner of Ontario (IPC).
15. Cookies and Similar Technologies
We use cookies and similar technologies to keep you logged in, remember your preferences, and analyze how the Platform is used. You can manage cookies through your browser settings, but disabling some cookies may affect the functionality of the Services.
16. Children and Minors
The Services are not directed at children. If a minor uses the Services with the consent and supervision of a parent or guardian, that parent or guardian is responsible for the provision of the minor's personal data.
Part Five: Security, Retention, Incidents, and Other Matters
17. Data Security
We take reasonable technical and organizational measures to protect personal data, including encryption of sensitive data, access controls, permission management, and audit logging. That said, no method of transmission over the internet or electronic storage can be guaranteed to be completely secure.
18. Data Breach Notification
If a breach involving your personal data occurs, we will assess it within a reasonable time after discovery and take action as required by applicable law.
- Under PIPEDA, if a breach creates a real risk of significant harm to an individual, we will notify the Office of the Privacy Commissioner of Canada and the affected individuals, and keep a record of the breach.
- Where PHIPA applies and personal health information is involved, we will notify the relevant custodian so they can meet their own obligation to notify affected individuals and the Information and Privacy Commissioner of Ontario.
- For Hong Kong users, we will make a notification where appropriate, in accordance with the PDPO and guidance from the PCPD.
19. Data Retention
We keep personal data only for as long as needed to fulfill the purpose for which it was collected, or as required by applicable law, professional standards, and reasonable business needs. The retention period for clinical records is decided mainly by the practitioner (as custodian) based on their professional and legal obligations. Once data is no longer needed, we delete it or render it anonymous.
20. Third Party Links and Services
The Services may contain links to third party websites or services. These third parties have their own privacy policies, and we are not responsible for their content or privacy practices.
21. Changes to This Policy
We may update this Policy from time to time. The updated version will be posted on the Platform along with its effective date. For material changes, we will make reasonable efforts to notify you separately.
22. Contact and Complaints
If you have any question or complaint about this Policy or how we handle your personal data, please contact our privacy contact, Nicholas Wong, at [email protected].
You may also file a complaint with the relevant regulator in your location, as described in Section 14 above.