Last updated · May 2026 · v2.0

Privacy Policy

Compliant with Ontario's Personal Health Information Protection Act (PHIPA, 2004), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), and the Accessibility for Ontarians with Disabilities Act (AODA).

1. Who we are

Victoria Park Medispa ("we", "us", "our") is a medical aesthetic clinic located at 483 Bay St #104, Toronto, ON M5G 2C9, part of the Victoria Park Medispa group. This policy applies to book.vicpark.com, our Toronto clinic operations, and any communication we have with you by email, SMS, phone, or in person. For the chain-wide privacy practices that apply across all Victoria Park Medispa locations, see vicpark.com/privacy-policy.

Our chain-level Privacy Officer is Darren Yaphe · medispa@victoriapark.com · (514) 488-8668. For Toronto-specific requests you can also reach our local Health Information Custodian (PHIPA) at info@vicpark.com · +1 437-475-7355.

2. Information we collect

Identifying + contact information

  • Name, email, phone, postal address, date of birth.
  • Government photo ID at consultation when required for medical record verification.

Personal Health Information (PHI)

  • Medical history, current medications, allergies, prior treatments + outcomes.
  • Clinical photographs of the treatment area (face, skin, body).
  • Consent forms, treatment notes, post-treatment follow-up records.

Payment information

  • Card information is collected and stored only by our PCI-DSS compliant payment processor. We do not store full card numbers on our systems.

Marketing + communication preferences

  • Email + SMS opt-in choices, treatment interests, frequency preferences.

Site analytics + technical data

  • Anonymised page views, device type, referral source, country/region (not city/precise location).
  • IP address (truncated for analytics; full IP only retained in server security logs).

3. Why we collect it (purposes + legal basis)

  • Provide care — schedule, deliver, and follow up on consultations + treatments. Legal basis: PHIPA s.29 (consent for treatment-purposes use).
  • Appointment + treatment communication — confirmations, reminders, pre/post-treatment care. Legal basis: implied consent for service delivery.
  • Marketing — only if you opt in (CASL-compliant express consent). You can withdraw at any time.
  • Comply with regulatory + insurance requirements — College of Physicians and Surgeons of Ontario, Health Canada, professional liability insurance.
  • Improve services — using aggregated, anonymised analytics that cannot identify individuals.

4. SMS + email messaging (CASL)

By providing your phone number or email, you consent to receive transactional messages from us (booking confirmations, appointment reminders, treatment instructions, payment receipts). These are not marketing under CASL.

You will only receive marketing emails or SMS if you explicitly opt in. We send approximately 3–5 messages per month to opted-in subscribers. Every marketing message contains:

  • Our clinic name + business address (CASL identification requirement).
  • A working unsubscribe link or "Reply STOP" instruction.
  • Unsubscribe requests honoured within 10 business days, as required by CASL.

To opt out of SMS at any time, text STOP to +1 437-475-7355 or reply STOP to any message we send you. Reply HELP for assistance. Message + data rates may apply. We never sell, rent, or share phone numbers or email addresses.

5. Cookies + tracking technologies

We use cookies and similar technologies (pixels, server-side conversion APIs, tag managers) on book.vicpark.com for site functionality, analytics, and marketing measurement. You can manage your choices at any time through the consent banner or by clicking Cookie Preferences.

Strictly necessary cookies — required for the booking widgets, secure photo upload form, and your session. Cannot be disabled.

Functional cookies — remember your form progress + your cookie preference itself.

Analytics — we run:

  • Google Analytics 4 with IP anonymisation enabled.
  • Google Signals for cross-device aggregated reporting.
  • Cloudflare Web Analytics (cookieless, privacy-first page-view counts).
  • Hotjar for anonymised session recordings + heatmaps where enabled, with PII auto-masking turned on.

Marketing + advertising — we run a substantial advertising stack to measure campaign performance + retarget visitors who have shown interest in our services:

  • Meta Pixel (Facebook + Instagram) — browser-side pixel.
  • Meta Conversions API (CAPI) — server-side event reporting for bookings, hashed/anonymised before transmission per Meta's requirements.
  • Google Ads conversion tracking including Enhanced Conversions (hashed email/phone forwarded to Google for match quality).
  • TikTok Pixel for ad measurement + remarketing.
  • Other paid-media pixels we may run from time to time, disclosed in our chain-level policy at vicpark.com/privacy-policy.

How consent is handled. When you first visit, our consent banner asks you to accept or reject the Analytics and Marketing cookie categories. Your preference is stored on your device. If you reject or change your preference, we will not load those categories of pixels on subsequent page loads, and you can withdraw consent at any time via Cookie Preferences. Server-side conversion events (Meta CAPI, Google Enhanced Conversions) fire when you submit a booking or contact form, on the basis of your express opt-in to be contacted about treatment; we send only hashed identifiers and event metadata, never your raw email, phone, or health information. To request deletion of data already collected, contact our Privacy Officer (Section 16).

You may also use your browser's "Do Not Track" or Global Privacy Control (GPC) setting, or block cookies entirely; some site features may not function without strictly-necessary cookies.

6. Who we share information with

We never sell personal information or personal health information. We share it only with:

  • Our clinical team — clinicians and trained support staff who need access to deliver your care.
  • Service providers (data processors), bound by written confidentiality + security agreements. Current processors:
    • Practice management + CRM: Health Hue Digital (HIPAA-compliant platform built on GoHighLevel infrastructure).
    • Booking widgets: LeadConnector (GoHighLevel).
    • Website hosting + edge security: Cloudflare (Pages + Web Analytics).
    • Analytics: Google (Analytics 4, Signals), Hotjar.
    • Advertising measurement: Meta (Facebook/Instagram Pixel + Conversions API), Google Ads (incl. Enhanced Conversions), TikTok.
    • Payment processing: our PCI-DSS compliant merchant processor.
  • Regulators + legal authorities when required by Canadian or Ontario law (e.g., court order, subpoena, mandatory reporting under the Regulated Health Professions Act).
  • Other health care providers with your express written consent (e.g., your family physician or dermatologist).

7. Cross-border data transfers

Some of our service providers (Cloudflare, Google Analytics, our CRM infrastructure) store or process data on servers located outside Canada, primarily in the United States. By using our site or services, you acknowledge that your information may be processed in jurisdictions with different data protection laws than Canada. We contract these providers to maintain protections substantially equivalent to PIPEDA + PHIPA.

8. How we protect your information

  • Personal health information is stored in an access-controlled, encrypted medical records system. Role-based access — only clinicians + designated support staff can view PHI relevant to their role.
  • All data flows between your browser and our systems are encrypted in transit using TLS (HTTPS).
  • Photos uploaded through our secure photo upload portal are encrypted in transit + at rest and attached only to your patient record.
  • We maintain administrative, physical, and technical safeguards reviewed at least annually.

9. How long we keep your information

We retain personal information only as long as reasonably necessary for the purposes described in this policy or as required by applicable law and professional regulation. For our Toronto clinic, medical records are retained in accordance with the College of Physicians and Surgeons of Ontario record-retention standard (generally a minimum of 10 years from the date of last visit, longer for minors). Marketing opt-in records are retained while you remain subscribed; opt-out records are retained indefinitely so we can honour your withdrawal. Anonymised analytics data is retained per industry-standard intervals.

10. Clinical photographs + before/after media

Clinical photographs taken before, during, and after treatment are part of your medical record and are stored only in that record by default.

Marketing use (website, social media, advertising) of identifiable photographs requires separate express written consent, signed at your request. This consent is:

  • Specific (you choose which images and which channels).
  • Time-limited if you specify.
  • Revocable in writing at any time — we will remove the imagery from new marketing within 30 days and from the channels we control as soon as reasonably practicable.

11. Minors + youth

Consistent with our chain-wide privacy practices, we do not knowingly collect personal information from individuals under the age of 14. For patients under the Ontario age of consent for their own health care decisions, capacity is assessed individually under PHIPA + the Health Care Consent Act; a parent or guardian consents on behalf of a patient who is not capable of consenting to their own treatment.

12. Your rights

Under PHIPA, PIPEDA, and applicable Canadian law you have the right to:

  • Access — request a copy of your personal information + personal health information.
  • Correction — request that we correct inaccurate or incomplete information.
  • Withdraw consent for marketing communications at any time.
  • Withdraw consent for non-essential uses of your information (treatment uses may be limited if consent is withdrawn).
  • Request deletion of non-clinical data, subject to our legal retention obligations.
  • Complain to the Information and Privacy Commissioner of Ontario (for PHIPA matters) or the Office of the Privacy Commissioner of Canada (for PIPEDA matters).

To exercise any of these rights, contact our Privacy Officer at info@vicpark.com. We respond to requests within 30 days as required by law.

13. Data breach notification

If a privacy breach occurs that creates a real risk of significant harm, we will:

  • Notify affected individuals as soon as feasible, in plain language, with details of what happened + steps you can take.
  • Notify the Information and Privacy Commissioner of Ontario for PHI breaches (PHIPA s.12.3).
  • Notify the Office of the Privacy Commissioner of Canada for non-PHI breaches meeting the PIPEDA threshold.
  • Maintain a breach record for at least 24 months as required by PIPEDA.

14. Accessibility (AODA)

We comply with the Accessibility for Ontarians with Disabilities Act and aim for WCAG 2.1 Level AA on this site. If you need this policy or any of our communications in an accessible format (large print, plain text, screen-reader-friendly format), contact us at info@vicpark.com.

15. Changes to this policy

We may update this policy as our practices or the law change. Material changes will be posted on this page with an updated "Last updated" date. If a change materially affects how we handle existing personal health information, we will notify affected patients directly.

16. Contact

For any privacy question, access request, or complaint:

Privacy Officer · Victoria Park Medispa
483 Bay St #104, Toronto, ON M5G 2C9
info@vicpark.com · +1 437-475-7355

This Privacy Policy is provided for general information and is not legal advice. For specific situations, consult a qualified lawyer in your jurisdiction.