This Privacy Policy explains how Cornerstone Psychological Services collects, uses, retains, and protects personal information and personal health information when you visit cornerpsych.com or contact us through this website. It is written in plain language, with citations to the Ontario statutes and professional standards that govern our work.
PHIPA
Cornerstone Psychological Services is a health information custodian under the Personal Health Information Protection Act, 2004 (S.O. 2004, c.3, Sched. A), commonly referred to as PHIPA. PHIPA s.3 defines a "health information custodian" to include health-care practitioners who provide health care for payment; the psychologists and psychological associates working with this practice meet that definition.
Our PHIPA obligations include:
- Collecting personal health information only as necessary for providing assessment and consultation services (PHIPA s.30 — limiting collection).
- Using and disclosing personal health information only for the purposes for which it was collected, or as permitted or required by law (PHIPA s.29).
- Obtaining your consent — express where required, implied within the circle of care — before collection, use, or disclosure (PHIPA ss.18, 20).
- Providing you with access to and the ability to correct your personal health information (PHIPA ss.52, 55 — see "Your rights" below).
- Notifying you and the Information and Privacy Commissioner of Ontario of any privacy breach that meets the threshold for reporting under PHIPA s.12(2) and the regulations.
This Privacy Policy applies to information collected through this website and through routine intake and clinical activities at the practice. Clinical records are governed in addition by the standards described in the CPBAO section below.
What we collect
The website collects only the personal information you choose to give us. The single intake surface on this website is the contact form, which collects:
- Full name (required)
- Email address (required)
- Phone number (optional)
- Free-text message (optional)
- Locale flag (en or fr) — used internally to send any reply in the language you submitted in
- Anti-spam fields — a hidden honeypot field and a submission timestamp; these are not personal information and are discarded after verifying the submission is human
We do not collect demographic information, IP addresses (beyond what your browser sends to our hosting provider in the normal course of serving a web page), or any field outside the list above through this website. The contact form is not intended for clinical or PHI disclosure: please do not include diagnoses, symptoms, treatment history, or other personal health information in the free-text message. The form is for intake and scheduling inquiries only. Any clinical information you wish to share will be collected in a separate, secure intake process after we connect with you.
How information flows
When you submit the contact form, the following sequence occurs:
- The form is sent to a server endpoint at /api/contact (an Astro server route hosted on Netlify).
- The endpoint creates a contact record (and an associated opportunity record) in Daylite, our client relationship management system from Marketcircle, using a server-side personal access token. Daylite stores the contact information for follow-up by our intake team.
- The endpoint sends a transactional notification email to our clinic intake address infoteam@cornerpsych.ca via Resend, our transactional email provider. This is how the clinic team is alerted to new inquiries.
- The endpoint sends a confirmation email to the email address you provided, also via Resend, so you have a record of your submission.
Server regions used to process this data: Netlify (the website host) operates a global CDN; the form-submission endpoint runs on a Netlify Function, which executes in a region that depends on Netlify's routing — typically a Canadian or US edge. Daylite servers are operated by Marketcircle in accordance with Marketcircle's data-handling policies (see daylite.app for current data-residency disclosures). Resend servers operate in the United States; transactional message metadata and content traverse Resend's infrastructure for delivery.
If the clinic-notification email fails to dispatch (for example, because of a transient Resend outage), we surface a visible error to you on the form, in English or French according to your locale, with apology copy and an alternate way to reach us by phone or email. This means a failed submission is never silently lost from the clinic's perspective — but it does mean the visitor (you) sees the error explicitly. A failure of the confirmation email to you, however, is not user-visible: in that case the clinic still received the inquiry and we will follow up.
We do not share the contents of your contact-form submission with any third party other than Daylite and Resend as described above. We do not sell, rent, or trade contact information.
Retention
Records collected through the website are retained as follows:
- Daylite contact records — retained per the practice's records policy and the College of Psychologists and Behaviour Analysts of Ontario record-keeping standards. For records that become part of a clinical file, retention is at least 10 years following the last service provided to an adult client, or 10 years following the client's 18th birthday for records relating to a minor (the age of majority in Ontario).
- Transactional email logs in Resend — retained per Resend's account default retention; we do not configure long-term archival of email content in Resend.
- Netlify access logs — retained per Netlify's default short-window logging; we do not target visitor identifiers in these logs and we do not export them.
A submission to the contact form does not itself constitute a clinical record. A clinical record is opened only after a clinician has accepted the inquiry and a service relationship has begun. Inquiries that do not become clinical engagements are retained in Daylite per the practice's administrative-records policy and are then deleted or anonymised in accordance with that policy.
When retention periods expire, electronic records are permanently deleted and any paper records are securely shredded.
Analytics & Cookies
This website is built on Astro and hosted on Netlify. The site uses Google Tag Manager (GTM) as a tag management surface and Google Analytics 4 (GA4) for usage analytics. Both load only when an environment variable (PUBLIC_GTM_ID) is configured for the production deployment.
We implement Google Consent Mode v2 with a default-denied posture. This means:
- When you first visit the site, no analytics cookies are set, and no advertising or measurement signals are sent. Default state for analytics_storage, ad_storage, ad_user_data, and ad_personalization is denied.
- A cookie-consent banner asks whether you want to allow analytics. If you accept, the consent state is updated and GA4 may set first-party analytics cookies to provide aggregated usage data (page views, navigation paths, referral sources) — never personally identifying information.
- If you decline (or take no action), no analytics cookies are set and GA4 does not record measurement signals.
We do not use:
- Advertising or marketing trackers
- Retargeting pixels
- Third-party social-network embed trackers (e.g., Facebook Pixel, LinkedIn Insight Tag)
- Cross-site tracking or device fingerprinting
You can clear your browser cookies at any time to reset your consent state. The consent flag itself is stored in your browser's local storage (technically not a cookie); clearing site data clears it.
If the production deployment does not have PUBLIC_GTM_ID configured, no analytics or tag-management script loads at all.
Your rights
Under PHIPA and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the following rights regarding your personal and health information:
- Right to access (PHIPA s.52) — You may request a copy of the personal health information we hold about you. We will respond within 30 days. In limited circumstances, access may be restricted (for example, if disclosure could cause serious harm to you or another person).
- Right to correction (PHIPA s.55) — If you believe information we hold is inaccurate or incomplete, you may request a correction. If we agree, we will update the record. If we disagree, you may attach a statement of disagreement to your record.
- Right to withdraw consent — You may withdraw consent for the collection, use, or disclosure of your personal information at any time, subject to legal and contractual restrictions. We will explain any consequences before processing the withdrawal (for example, withdrawal may affect our ability to continue services).
- Right to complain — If you believe we have mishandled your personal information, you may raise the concern with us directly (see "Contact" below). You may also complain to:
- The Information and Privacy Commissioner of Ontario (IPC) — 1-800-387-0073 — ipc.on.ca
- The Office of the Privacy Commissioner of Canada (OPC) — 1-800-282-1376 — priv.gc.ca
CPBAO
Our clinicians are registered with the College of Psychologists and Behaviour Analysts of Ontario (CPBAO) and follow the CPBAO Standards of Professional Conduct, 2024 (effective July 1, 2024). The Standards govern, among other obligations, our duties of confidentiality, record-keeping, and public communications. Standard 5 (Confidentiality) and Standard 7 (Records) are the primary anchors for the retention and disclosure practices described above. Standard 6 (Public Statements and Advertising) governs how we describe our services on this website.
The full text of the Standards is published by the College at cpbao.ca/standards.
Updates
We may update this Privacy Policy from time to time to reflect changes in our practices or in the legal and regulatory framework. When we make a change, we update the "Effective" line and the version number at the top of this page. We do not proactively notify visitors of routine updates; we will, however, provide direct notice to current clients of any change that is materially adverse to them.
Contact
For privacy-related questions, requests, or complaints — including access requests under PHIPA s.52, correction requests under PHIPA s.55, and consent-withdrawal requests — please contact:
Privacy Lead
Cornerstone Psychological Services
1 Promenade Circle, Suite 300A
Thornhill, Ontario, Canada
Email: infoteam@cornerpsych.ca
We acknowledge privacy requests within 5 business days and provide a full response within 30 days, in accordance with PHIPA. If your request is urgent or relates to ongoing care, please indicate that in your email so we can prioritise the response.