Last updated June 1, 2026
Version 1.0
Important: Ally collects and uses personal health information as described in this policy. By using Ally, you consent to these practices. Residents of Ontario should also refer to our obligations under the Personal Health Information Protection Act (PHIPA).
1. About this policy
Ally Health Technologies Inc. ("Ally," "we," "our," or "us") operates an online marketplace connecting clients and their families with licensed, college-regulated healthcare professionals (such as Registered Massage Therapists and Physiotherapists) who provide in-home treatment sessions. This Privacy Policy explains how we collect, use, disclose, and protect your personal information in compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Ontario's Personal Health Information Protection Act (PHIPA), and applicable provincial privacy legislation.
Health information is protected. Care details, treatment notes, and exercise plans are personal health information. They're encrypted, access-controlled, and shared only with the people directly involved in that person's care.
2. Information we collect
We collect the following categories of personal information:
2.1 Account information
- Full name and date of birth
- Email address and phone number
- Home address
- Profile photo (optional)
- Preferred language
2.2 Health and care information (clients and recipients)
When you add a care recipient profile (e.g., a family member receiving care), we collect:
- Recipient's name, date of birth, and contact information
- Health conditions, mobility needs, and the services or treatment requested
- Medications, allergies, and care preferences you record in their care profile
- Medical notes and special instructions
- Treatment and session notes (including SOAP-format clinical notes) recorded by your provider after a session
- Emergency contact information
This information constitutes personal health information under PHIPA and is treated with the heightened protections that designation requires.
2.3 Provider credentials
- Profession and professional qualifications
- College registration number and public-registry status (for example, the College of Massage Therapists of Ontario for Registered Massage Therapists, or the College of Physiotherapists of Ontario for Physiotherapists)
- Languages spoken and service regions
- Government-issued identification (for verification)
2.4 Booking and usage data
- Booking history, visit requests, and appointment records
- Messages sent through the Ally platform
- Payment records (processed by third-party payment providers)
2.5 Device and usage data
- IP address, browser type, and operating system
- Pages visited and features used within the app
- Log data and error reports
3. How we use your information
We use your personal information to:
- Create and manage your account
- Match clients with suitable healthcare providers
- Facilitate booking, scheduling, and visit coordination
- Send booking confirmations, updates, and care reminders
- Conduct safety screening and credential verification of Providers
- Resolve disputes and enforce our Terms of Service
- Improve platform features and user experience
- Comply with legal and regulatory obligations
- Send administrative and service-related communications
We do not sell your personal information to third parties for marketing purposes.
4. Disclosure to third parties
We disclose personal information only as necessary for the operation of the platform:
4.1 Third-party service processors
| Provider | Purpose | Data shared |
|---|---|---|
| Auth0 (Okta Inc.) | Identity and authentication | Email, name, account metadata |
| Amazon Web Services (AWS) | Cloud data storage and infrastructure | All platform data (encrypted at rest) |
| Twilio | In-app messaging and SMS | Messages, user identifiers |
| Postmark (Wildbit LLC) | Transactional email delivery | Email address, message content |
| Google Maps Platform | Address autocomplete and location services | Address queries |
| Stripe, Inc. | Payment processing and provider payouts | Billing amount, currency, and an internal booking reference only. We never send health information, treatment details, or diagnoses to Stripe. |
| Regulatory college registries | Verifying provider licensing and good standing (e.g., CMTO, College of Physiotherapists of Ontario) | Provider name and registration number |
4.2 Other disclosures
We may also disclose information:
- To Providers you book, to the extent necessary to deliver services (including recipient care information)
- When required by law, court order, or regulatory authority
- To prevent fraud, abuse, or imminent harm to any person
- In connection with a business transaction (merger, acquisition), with notice
5. Cross-border data transfers
Ally is operated from Canada. However, some of our third-party service providers (including AWS, Auth0, Twilio, and Postmark) process data on servers located in the United States or other jurisdictions. By using Ally, you consent to the transfer of your personal information to these jurisdictions, which may have different privacy laws than your province of residence. We take contractual and technical measures to protect your information during such transfers.
6. Personal health information (PHIPA)
For users in Ontario, information about a care recipient's health conditions, care needs, or medical history may constitute personal health information under PHIPA. Ally acts as a non-health-information custodian agent: we store and transmit health information on behalf of clients and providers for the sole purpose of facilitating care. We do not use personal health information for any secondary purpose (e.g., marketing, research) without your explicit consent.
Providers who access recipient health information through Ally, and who author treatment or session notes, are health information custodians independently responsible for complying with PHIPA and with the record-keeping standards of their regulatory college. Access to personal health information on Ally is restricted to the parties to a booking (the client or recipient's account holder and the assigned provider), and every access to that information is logged for accountability.
7. Data retention
We retain personal information as follows:
- Active accounts: for the duration of your account plus 7 years for legal and tax purposes
- Treatment and session notes: retained in accordance with the record-keeping requirements of the provider's regulatory college. The College of Massage Therapists of Ontario and the College of Physiotherapists of Ontario generally require clinical records to be kept for at least 10 years from the date of the last entry, or, where the client was a minor, until 10 years after the client would have reached the age of majority
- Health tracking data (legacy): purged after 365 days of inactivity
- Cancelled appointments: deleted after 90 days (treatment notes associated with a completed session are retained per the schedule above)
- Expired visit requests: deleted automatically via database TTL
- Messages: retained for the life of the conversation, or until account deletion
You may request earlier deletion of your data. See Section 8 below.
8. Your privacy rights
Under PIPEDA and applicable provincial law, you have the right to:
- Access: request a copy of the personal information we hold about you
- Correction: request correction of inaccurate or incomplete information
- Deletion: request deletion of your personal information, subject to legal retention obligations
- Withdrawal of consent: withdraw consent to non-essential uses of your information; note that withdrawal may affect your ability to use certain features
- Complaint: file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca
To exercise any of these rights, contact our Privacy Officer at privacy@allyhealth.co. We will respond within 30 days.
9. Security
We implement industry-standard security measures to protect your personal information, including:
- Encryption in transit (TLS) and at rest (AWS encryption)
- Access controls and role-based permissions
- Presigned URLs with short expiry for document access (never public URLs)
- Regular security reviews and dependency updates
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security but commit to notifying affected users of any breach as required by applicable law.
11. Children's privacy
Ally is intended for users aged 18 and over. We do not knowingly collect personal information from minors. If you believe a minor has created an account, please contact us at privacy@allyhealth.co.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 30 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy. The version number and effective date at the top of this page indicate the current version.
13. Contact: Privacy Officer
For privacy-related questions, concerns, or requests:
Privacy Officer, Ally Health Technologies Inc.
Email: privacy@allyhealth.co