Privacy Policy
Effective date: May 5, 2026
1. About this Privacy Policy
This Privacy Policy explains how Health-in-a-Box collects, uses, shares, and protects your personal information, including your personal health information.
It applies to:
- the Health-in-a-Box website at healthinabox.com and any related sites or apps we publish (the “Website”);
- the Health-in-a-Box online store (the “Store”); and
- the Health-in-a-Box medical service, including blood testing, clinical and naturopathic consultations, health coaching, and related care (the “Service”).
We refer to the Website, the Store, and the Service together as the “Platform”.
By using the Platform, you confirm that you have read this Privacy Policy. Where the law requires your consent for a specific use of your information, we will ask for it.
2. Who we are and who is responsible
Health-in-a-Box is a brand operated by Innovation Health Group Inc. (“IHG”, “we”, “us”, “our”). IHG also operates My Wellness File (the technology platform that powers the Service) and theBespoke\WellnessGroup (a separate clinic with its own privacy policy).
For the purposes of Ontario’s Personal Health Information Protection Act (PHIPA), IHG is the Health Information Custodian for personal health information collected through the Service. The clinicians who deliver care — including Dr. Elaine Chin, IHG’s Chief Medical Officer, and the naturopaths and other regulated practitioners on your care team — act as agents of the custodian under PHIPA, and are also bound by the obligations of their respective professional colleges.
In plain terms: when you receive care through Health-in-a-Box, IHG holds your health record, our clinicians provide the care, and the Health-in-a-Box Privacy Officer is your single point of contact for privacy questions.
3. The Privacy Officer
Our Privacy Officer is responsible for our compliance with this Privacy Policy and with applicable privacy law. You can reach them here:
Privacy Officer, Health-in-a-Box
Email: privacy@healthinabox.com
Mail: 1 Yorkville Avenue, Unit 1C, Toronto, Ontario M4W 0C1
You can contact the Privacy Officer about any privacy question, request, or complaint, including questions about your health record.
4. The information we collect
We collect only the information we need to provide the Platform to you and to meet our legal and professional obligations.
Information you give us directly:
- Identifying and contact information — name, date of birth, gender, address, email, phone number.
- Account credentials — username and password (passwords are stored hashed and we never see them).
- Health information — your medical history, current medications, symptoms, lifestyle information, family history, and similar information you share when enrolling in or using the Service.
- Biological samples and results — blood and other samples you provide for testing, and the results of those tests.
- Communications — messages you send to your care team, customer service, or the Privacy Officer.
- Payment information — billing address and the last four digits of the card used. Full card details are entered by you directly into our payment processor’s secure form and we never see or store them (see Section 7).
- Marketing preferences — your consents and your unsubscribe choices.
Information we collect automatically when you use the Website:
- Device and connection information — IP address, device type, operating system, browser type, language, and similar technical information.
- Usage information — pages you visit, links you click, time spent on pages, referring pages, and similar information.
- Cookies and similar technologies — see Section 11.
Information we collect from others:
- Test results from accredited Canadian laboratories that process your blood and other samples.
- Information provided by another healthcare provider with your consent (for example, a referral letter from your family doctor).
- Information provided by an authorized substitute decision-maker, where applicable.
Information we do not collect:
- We do not buy lists of personal information from data brokers.
- We do not collect more information than we need for the purpose described.
- We do not require you to provide health information to use the Website or to make a purchase from the Store that does not include the Service.
5. Health information and PHIPA
Because the Service involves medical care, your health information is treated with additional protection under PHIPA. This section explains how.
The Health Information Custodian. IHG is the custodian of your health record. Health-in-a-Box (as IHG’s operating brand) and our clinicians (as IHG’s agents) are permitted to collect, use, and disclose your health information only for purposes consistent with this Privacy Policy and PHIPA.
Circle of care. When you enrol in the Service, you give implied consent for the clinicians, naturopaths, coaches, and authorized support staff involved in your care to share your health information among themselves to the extent reasonably necessary to provide that care. This is your circle of care. We keep that circle as small as the care requires.
Express consent for uses outside the circle of care. If we want to use or disclose your health information for any purpose outside the circle of care — for example, to share information with a researcher, with another healthcare provider you have not already authorized, or for a non-care purpose — we will ask for your express consent first, unless the law specifically permits or requires the disclosure without consent.
Consent directives (“lockbox”). You can ask us to restrict the use or disclosure of all or part of your health information. We will respect your directive, with two exceptions: (a) where disclosure is required by law (for example, mandatory reporting of certain communicable diseases or risks of serious harm), and (b) where withholding information would, in our clinical judgment, prevent us from providing safe care — in which case we will tell you and you can decide whether to proceed.
Substitute decision-makers. If you are not capable of making decisions about your health information, a substitute decision-maker may exercise your rights under this Privacy Policy on your behalf, in accordance with PHIPA.
Mandatory reporting. Some disclosures are required by law without consent — for example, certain communicable disease reports, child protection reports, and reports of serious threats. We will make those disclosures only to the extent required and we will document them.
6. How we use your information
We use your information for the following purposes:
To provide the Service. Assess your health, order and review tests, deliver clinical and coaching consultations, communicate care recommendations, schedule appointments, and follow up.
To operate the Store and your account. Process orders, collect payment, ship products, manage subscriptions, handle returns and refunds, send order confirmations and receipts, and manage your login and profile.
To communicate with you. Send the operational, clinical, and marketing messages described in Section 9.
To run, improve, and secure the Platform. Maintain Website performance, fix bugs, prevent and investigate fraud and abuse, defend against attacks, and improve our products and content.
To meet legal and professional obligations. Maintain medical records as required by Ontario healthcare regulation, respond to lawful requests, and comply with tax, accounting, and consumer protection requirements.
To establish, exercise, or defend legal claims. For example, in response to a regulatory complaint or a lawsuit.
We do not sell your personal information. We do not share it for cross-context behavioural advertising. We do not use your health information for marketing.
7. How we share your information
We share your information only as described below.
Within your circle of care. Among the clinicians, naturopaths, coaches, and authorized support staff involved in providing your care.
With laboratories and other healthcare providers. When we order tests on your behalf, we share what is needed to identify you and process the test. Test results come back to your record. If we refer you to another provider, we share the information needed for that referral with your consent.
With service providers. We work with reputable vendors who help us run the Platform — for example, cloud hosting, payment processing, email and SMS delivery, analytics, and (in the future) customer support tools. These vendors process information only on our instructions and only to the extent needed to provide their service to us, and they are bound by written confidentiality and data protection commitments. None of our service providers are used in a way that exposes your health information outside Canada (see Section 8).
We deliberately do not list specific vendors in this Privacy Policy because the list changes from time to time. If you would like to know who specifically processes your information for a given purpose, contact the Privacy Officer and we will tell you.
With regulators and authorities. Where the law requires, where we are responding to a valid legal process, or where we reasonably believe disclosure is necessary to prevent serious harm.
In a corporate transaction. If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred, subject to the receiving party honouring this Privacy Policy. Where the law requires, we will notify you.
With your consent. With anyone else you ask us to share information with, or where you have given us consent to do so.
8. Where your information is stored
Health information stays in Canada. All personal health information collected through the Service is stored on servers located in Canada, with backups also located in Canada. Laboratory partners that process biological samples on our behalf operate in Canada.
Some non-health information is processed by service providers with operations outside Canada. A small number of vendors that handle non-clinical information — for example, payment processing, marketing email delivery, or website analytics — may have parent companies or infrastructure outside Canada. Where this is the case, we use vendors with appropriate Canadian operations, contractual data protection commitments, and security practices we consider adequate. These vendors never receive your health information.
If you would like more detail about how a specific category of information is handled, contact the Privacy Officer.
9. Communications you will receive
There are three categories of messages we send. They are treated differently under this Privacy Policy and under Canada’s Anti-Spam Legislation (CASL).
Operational messages — required while your account is active. Order confirmations, shipping and delivery notices, payment receipts, account and security notices, refund notices, changes to our Terms or this Privacy Policy, product safety and recall notices.
Clinical messages — required while you are enrolled in the Service. Test results, clinical recommendations, appointment confirmations and reminders, follow-up messages from your care team, safety information about the Service, and other information your care team needs to give you.
You cannot opt out of operational or clinical messages while your account or enrolment is active. To stop receiving them, close your account or cancel your enrolment.
Marketing messages — opt-in, withdraw any time. Information about new programs, products, events, promotions, and surveys. We send marketing only to people who have given express consent. You can withdraw consent at any time using the unsubscribe link, your account preferences, or by contacting the Privacy Officer. Withdrawing marketing consent does not affect your operational or clinical messages or the Service you are receiving.
We do not include health information in marketing messages and we do not share your health information with marketing service providers.
Messages may be delivered by email, SMS, in-app notification, or postal mail.
10. How long we keep your information
Health records. We retain your health record for the period required by Ontario healthcare regulation — generally at least ten years from the date of your last visit, or for ten years past the age of majority for records relating to a person who was a minor at the time of care. We may retain longer where the law requires or where there is a legitimate clinical or legal reason.
Account and Store information. We retain account, order, and billing information for as long as your account is active, and for a reasonable period afterward to comply with tax, accounting, consumer protection, and legal obligations (typically seven years).
Marketing information. We retain your marketing consent and preferences for as long as you have an active account or relationship with us, and we keep a record of unsubscribe requests so we can honour them.
Website logs and analytics. We retain Website logs for a short period for security and troubleshooting purposes. Analytics information is aggregated and retained for service improvement.
When the retention period ends and we have no continuing legal or business need to keep the information, we securely destroy or de-identify it, including in routine backups as those backups age out.
11. Cookies and similar technologies
The Website uses two categories of cookies and similar technologies:
Strictly necessary — required for the Website, account login, the Store, and basic security to work. These are always on. They do not track you across other sites.
Optional (analytics and functional) — help us understand how the Website is used and remember your preferences. These are off by default and are turned on only if you consent through the cookie banner. You can change your choice at any time through the banner or your account.
We do not use advertising cookies, behavioural advertising cookies, or cross-site tracking. The Website collects very little information by default and we will respond to any opt-out you make through the cookie banner or your account.
12. How we protect your information
We use a combination of administrative, physical, and technical safeguards designed to protect your information from loss, theft, unauthorized access, disclosure, and alteration. These include:
- encryption of personal health information at rest and in transit;
- role-based access controls so staff see only the information they need;
- activity logging and monitoring;
- regular security testing and patching;
- written confidentiality and data protection commitments from our staff and our service providers;
- secure development practices for the Platform; and
- staff training on privacy and security.
No system is perfectly secure. If a privacy breach occurs that creates a real risk of significant harm to you, we will notify you and the appropriate regulator (the Information and Privacy Commissioner of Ontario for health information, the Office of the Privacy Commissioner of Canada for other personal information, and the Commission d’accès à l’information du Québec for residents of Quebec, as applicable) as required by law. We will tell you what happened, what information was affected, and what you can do.
If you suspect a privacy or security incident, please contact the Privacy Officer right away.
13. Your rights and choices
You have the following rights under Canadian privacy law. We will respond to your request within thirty days (or sooner where required), and at no cost in most cases.
Access. You can ask for a copy of the personal information we hold about you, including your health record. Some health information may need to be reviewed by a clinician before release; we will explain if any portion is being withheld and why.
Correction. If information we hold is inaccurate or incomplete, you can ask us to correct it. If we disagree with a proposed correction, we will note your disagreement on the record.
Withdrawing consent. You can withdraw your consent for most uses of your personal information at any time, subject to legal or contractual restrictions. Withdrawing consent for clinical communications or for retention of your health record may not be possible during the periods required by professional regulation.
Portability. You can ask us to provide your information in a structured, commonly used format, where the law requires.
Deletion. You can ask us to delete personal information that we are no longer required to retain. Health records subject to mandatory retention periods cannot be deleted on request, but will be destroyed at the end of the retention period.
Complaints. You can complain to the Privacy Officer at any time. If you are not satisfied with how we handle your complaint, you can also complain to the regulators listed in Section 14.
To exercise any of these rights, contact the Privacy Officer (Section 3). We may need to verify your identity before acting on a request.
14. Regulators you can contact
If you are not satisfied with our response to a privacy concern, you can contact the appropriate regulator:
Information and Privacy Commissioner of Ontario (for health information matters)
2 Bloor Street East, Suite 1400, Toronto, Ontario M4W 1A8
Phone: 416-326-3333 or 1-800-387-0073
Email: info@ipc.on.ca
Website: ipc.on.ca
Office of the Privacy Commissioner of Canada (for other personal information matters)
30 Victoria Street, Gatineau, Quebec K1A 1H3
Phone: 1-800-282-1376
Website: priv.gc.ca
Commission d’accès à l’information du Québec (if you reside in Quebec)
Website: cai.gouv.qc.ca
15. Automated decision-making
We do not currently use automated decision-making to make decisions about your care or your account that produce legal or similarly significant effects. If that ever changes, we will update this Privacy Policy, tell you about it in advance, and explain your right to a human review.
16. Children
The Platform is intended for adults. You must be at least 18 (or the age of majority in your province) to enrol in the Service or buy from the Store, and at least 16 to use the Website. We do not knowingly collect personal information from children below these ages. If you believe a child has provided us with personal information, contact the Privacy Officer and we will delete it.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make a material change, we will give reasonable advance notice — for example, by email, in-app notice, or a banner on the Website — before the change takes effect. The “Effective date” at the top of this policy will always show the current version. Older versions are available on request.
18. How to contact us
For any privacy question, request, or complaint:
Privacy Officer, Health-in-a-Box
Innovation Health Group Inc., operating Health-in-a-Box
1 Yorkville Avenue, Unit 1C
Toronto, Ontario M4W 0C1
Email: privacy@healthinabox.com