Privacy Policy
Last Updated: January 2, 2026
Dr. Mandana Modirrousta Medical Corporation, doing business as BrainWave Clinic (referred to as “BrainWave Clinic,” “we,” “us,” or “our”), is committed to protecting your privacy. This Privacy Policy explains how and why we collect, use, disclose, and safeguard your personal information – including sensitive health information – when you interact with us, such as by visiting our website (https://www.brainwaveclinic.ca) or receiving our clinical services. It also outlines your rights regarding your personal information and how you can exercise them. We strive to comply with all applicable Canadian privacy laws, including the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and relevant provincial health information privacy legislation.
Questions or concerns? Reading this Privacy Policy will help you understand how we handle your information and your options. If you do not agree with our practices, please do not use our services. If you have any questions or concerns about this policy, you can contact us at info@brainwaveclinic.ca (see the Contact Us section below for more details).
Summary of Key Points
For your convenience, here are some key takeaways from our Privacy Policy. However, we encourage you to read the full policy for complete details:
- Personal Information Collected: We collect personal information that you provide to us (for example, your name, contact details, medical history, etc.). We also collect some information automatically (such as your IP address and device type when you visit our website). See Section 1 for more details.
- Sensitive Information: As a healthcare provider, we may collect sensitive personal information (like health data, racial or ethnic origin, or sexual orientation) with your consent or as permitted by law, as needed to provide you with care. See Section 1 for more details on sensitive information.
- Information from Third Parties: We may receive information about you from other sources – for example, from another healthcare provider if you were referred to us, or from public databases to update contact information. See Section 1 for more details.
- Use of Information: We use your personal information to provide and improve our services, to communicate with you (e.g. appointment reminders), to ensure security and prevent fraud, and to comply with our legal and regulatory obligations. We will only use your information when we have a legal basis to do so (such as your consent or another lawful justification). See Section 2 for more details.
- Sharing of Information: We do not sell your personal information. We only share it in limited situations, such as with service providers that help us run our operations (e.g. our website hosting company), with other healthcare professionals involved in your care (with your consent or as allowed by law), if required by law or to protect safety, or as part of a business transfer (e.g. if the clinic is ever merged or sold). In all cases, we ensure any third parties protect your information. See Section 4 for more details.
- Data Retention: We keep your personal information only as long as necessary for the purposes it was collected and as required by law (for example, medical record retention requirements). When it’s no longer needed, we will securely delete or anonymize it. See Section 5 for more details.
- Data Security: We have implemented appropriate technical and organizational measures to safeguard your information. However, no method of transmission or storage is 100% secure, so we cannot guarantee absolute security. We will notify you of any significant data breach affecting your personal information, as required by law. See Section 6 for more details.
- Your Privacy Rights: You have rights regarding your personal information. These may include the right to access your data, correct any inaccuracies, withdraw consent to certain uses, or request deletion of your information in some circumstances. (There may be legal exceptions – for example, we generally must retain medical records for a minimum period as required by law.) See Section 8 for more details on your rights.
- Minors: Our services are intended for adults. We do not knowingly collect personal information from children under 18 without parental consent. See Section 7 for more details.
- Do-Not-Track Signals: Our website currently does not respond to “Do Not Track” (DNT) signals due to the absence of an industry standard. See Section 9 for more details.
- Policy Updates: We may update this Privacy Policy from time to time to stay compliant with laws or reflect changes in our practices. We will post any changes on this page and update the “Last Updated” date. For significant changes, we may also notify you directly. See Section 10 for more details.
- Contacting Us: If you have questions about this policy or want to exercise any of your rights, please contact us at info@brainwaveclinic.ca or by mail at our clinic address. See Section 11 for our full contact information.
Please read the full Privacy Policy below for a more detailed explanation of these points.
Table of Contents
- What Information Do We Collect?
- How Do We Process Your Information?
- What Legal Bases Do We Rely On?
- When and With Whom Do We Share Your Personal Information?
- How Long Do We Keep Your Information?
- How Do We Keep Your Information Safe?
- Do We Collect Information from Minors?
- What Are Your Privacy Rights?
- Controls for Do-Not-Track Features
- Do We Make Updates to This Policy?
- How Can You Contact Us About This Policy?
- How Can You Review, Update, or Delete Your Data?
1. What Information Do We Collect?
We collect personal information in several ways:
(a) Personal Information You Provide to Us: We collect personal information that you voluntarily provide when you interact with BrainWave Clinic. This includes, for example:
- Contact Information: Your name, address, phone number, email address, and other contact details.
- Identification and Demographics: Date of birth, gender, and other identifying details. We may also record government-issued identifiers you provide, such as a provincial health card number or driver’s license, for purposes like patient identification or insurance claims.
- Health and Medical Information: As a medical clinic, we collect information relating to your health and medical history. This may include symptoms, diagnoses, treatment history, medications, test results, referral information, and any other health information you or other healthcare providers supply to us in the course of your care. This category can also include sensitive details such as mental health information or information about your sexual health or lifestyle if relevant to your treatment.
- Payment or Insurance Information: If you pay for services or provide insurance details, we may collect information needed to process payments or claims (for example, credit card details or insurance policy numbers).
- Other Information You Choose to Provide: Any other personal information you decide to share with us. For instance, if you send us an inquiry, fill out a form on our website, or respond to a patient satisfaction survey, you may provide personal data that we will collect.
Please ensure that any personal information you provide is accurate and complete, and let us know if it needs to be updated. Providing false or someone else’s information without permission is prohibited.
(b) Sensitive Personal Information: In the course of providing healthcare services, we may need to process sensitive personal information with your consent or as permitted by law. This includes details like your health or medical data (as described above), information about your racial or ethnic origin, sexual orientation or sexual life (if you choose to share such information and it is relevant to your care), or any biometric identifiers or genetic information (for example, test results) if applicable. We handle all sensitive information with extra care and confidentiality.
(c) Information Collected Automatically: When you visit our website or use our online services, we automatically collect certain technical information about your device and usage of our site. This information, by itself, typically does not identify you personally, but it may be linked to you. Examples include:
- Device and Usage Data: We receive details such as your IP address, browser type and version, device identifiers, operating system, language preference, screen resolution, and referring website or link. We also collect information about how you interact with our site, such as the pages or content you view, the dates/times of your visits, search terms, and any actions you take (for example, clicking a video or submitting a form).
- Log Files: Our servers automatically keep log files that record visits to the website. These logs may include IP addresses, date/time stamps, pages viewed, and technical information about your web browser and device. We use this data for security purposes (e.g., to detect malicious activity), to administer the site, and for internal analytics that help us improve our website’s performance and usability.
- Location Data: Your device or browser may share approximate location data with us (such as your city or region, inferred from your IP address). We do not use GPS or precise geolocation without your explicit permission. You can control location data sharing by adjusting your device or browser settings. Note that some features of the site (for example, location-based directions) may not work properly if location services are disabled.
- Cookies and Similar Technologies: Our website may use cookies or similar tracking technologies to enhance user experience, remember your preferences, and gather aggregate analytics information. Cookies are small text files stored on your device. For more information about how we use cookies and how you can manage them, please see our Cookie Policy (if applicable).
The automatically collected information helps us secure our website, optimize its functionality, and understand how visitors use our online services. We do not use this data to determine your identity, and we do not combine it with your medical records.
(d) Information from Third-Party Sources: Occasionally, we may obtain information about you from other sources, such as:
- Other Healthcare Providers: If another doctor or clinic referred you to BrainWave Clinic or is involved in your care, they may send us medical records or relevant health information about you. For example, we might receive a referral letter, test results, or a summary of your medical history from your family physician or a specialist. We include this information as part of your medical record with us.
- Public Databases and Directories: We may update or verify contact details using publicly available information (for instance, ensuring we have your correct address or phone number from public records, if allowed by law). This is done to keep our records accurate and to be able to reach you with appointment reminders or important notices.
- Service Partners: If you engage with us through a partner or find us via a third-party service, that third party might send us some of your information. For example, if you were referred through a healthcare network or employer assistance program, they might provide your name and contact information to facilitate the referral.
- Social Media or Online Platforms: BrainWave Clinic has a presence on platforms like Facebook, Twitter, or Instagram. If you interact with us through social media (for example, by messaging us or commenting on our posts), we may receive information such as your public profile name, contact information you provide, and any other information you chose to share. We will handle any such information according to this Policy. (Please remember that any content you post publicly on social media is visible to others and not controlled by this Privacy Policy.)
We will only collect information from third parties as allowed by law, and we will use it only for the purposes described in this Privacy Policy (or as otherwise explained to you at the time we receive it).
Note: All personal information you provide or we collect about you will be handled in accordance with applicable privacy laws and professional confidentiality standards. We do not collect any more information than is reasonably necessary for the purposes described, and we do not collect any personal information from you without your consent unless permitted by law.
2. How Do We Process Your Information?
“Processing” of personal information means any action taken with your data – such as collecting it, using it, storing it, or sharing it. We only process your personal information for legitimate purposes that are related to our services as a medical clinic. Specifically, we may use your information for the following purposes:
- Providing Healthcare Services: To deliver and coordinate medical services you request from us. For example, we use your information to evaluate your health condition, provide diagnosis and treatment, refer you to specialists if needed, and generally manage your care.
- Patient Account Management: To create and maintain your patient records and files, schedule appointments, send appointment confirmations or reminders, and handle billing or insurance claims.
- Communicating with You: To contact you with information related to your care or our services. This includes sending you appointment reminders, test results, follow-up care instructions, and responding to any inquiries or messages you send us. We may also contact you with newsletters or health-related updates if you have subscribed or otherwise given consent to receive such communications (you can opt out of marketing emails at any time).
- Improvement of Services: To improve and develop our services and operations. For example, we might analyze feedback you provide or aggregate trends in patient outcomes to enhance the quality of care, train our staff, or evaluate the effectiveness of our treatments. Any research or analysis we perform would use anonymized or aggregated data whenever possible, so individuals are not identified.
- Safety and Security: To ensure the security of our systems, website, and premises. We monitor for and attempt to prevent fraud, unauthorized access, malware, or other security issues that could compromise your information. For instance, we may use the information we collect automatically (like IP addresses and log data) to detect and block security threats to our website or unauthorized attempts to access patient data.
- Legal and Regulatory Compliance: To comply with applicable laws, regulations, and professional obligations. As a medical practice, we have certain legal requirements to fulfill, such as maintaining proper medical records, reporting notifiable diseases or conditions to public health authorities, or providing information when required by court order. We will use and disclose your information as needed to meet these obligations. We also keep records as required for tax, audit, or compliance purposes.
- Protecting Rights and Interests: To protect your vital interests or the public interest. For example, if you have a medical emergency while at our clinic, we might share information with emergency responders to protect your life. We may also use or disclose information to protect our rights, privacy, safety, or property, or that of our patients or others (e.g., to establish or defend against legal claims).
- Other Purposes with Your Consent: If we ever need to use your personal information for a purpose not listed here, we will explain the purpose to you and request your explicit consent before proceeding, unless otherwise permitted by law. For example, if we want to use a quote from your feedback as a testimonial on our website, we would ask for your permission. You are under no obligation to consent, and if you do, you may withdraw your consent at any time.
We will only process your personal information for the reasons we collected it, or for reasons that are compatible with the original purpose. If we need to process your information for an unrelated purpose, we will notify you and obtain your consent unless the new purpose is required or allowed by law.
3. What Legal Bases Do We Rely On to Process Your Personal Information?
In Canada, organizations must have a valid legal basis (legal permission) to collect, use, or disclose personal information. At BrainWave Clinic, we process your personal information only when one or more of the following bases apply:
- Your Consent: In most cases, we rely on your consent. By engaging our services (for example, by becoming a patient, using our website, or otherwise providing your information), you consent to our necessary collection and use of your personal information to serve you. For more sensitive information (like your health data), we will often obtain express consent (for instance, having you sign a consent form for treatment which includes privacy consent). In some situations, your consent can be implied – for example, if you voluntarily provide information or continue to use our services after being notified of this Privacy Policy, we infer that you consent to the collection and use of that information for the purposes stated. You have the right to withdraw your consent at any time (see Section 8 and Section 12 on how to do this). If you withdraw consent, we will stop the specific processing of your information that was based on consent, except where continuing to process is permitted or required by law. Please note that withdrawing consent will not affect any processing that has already occurred, and sometimes we might have alternative legal grounds to continue processing your information (for example, we cannot erase medical records that we are legally required to keep, even if you withdraw consent for us to use them for new purposes).
- Legal Obligations: We may process or disclose personal information if we are required to do so by law. This covers situations where a law, regulation, court order, subpoena, or warrant compels us to provide information. It also covers our obligations under medical regulatory laws (for instance, to report certain communicable diseases or to retain records for a minimum period). We will only disclose what is necessary and will inform you whenever possible, unless legally prohibited.
- Provision of Services / Contractual Necessity: If you are receiving medical services from us, there is an implied understanding (and often a direct contract when you consent to treatment) that we need to process your personal information to fulfill our services to you. In other words, we rely on the necessity of processing for providing the service you requested. For example, we must use your health information to diagnose and treat you; without processing that information, we cannot deliver the care you expect.
- Vital Interests: In rare cases, we may process personal information to protect someone’s vital interests – for example, in a life-threatening situation where consent cannot be obtained, we might share your information with a hospital emergency department.
- Public Interest or Official Requirements: Sometimes we might process data in the interest of public health or safety, or to carry out duties as permitted for certain public interest reasons, as authorized under privacy laws. An example could be using or sharing information to contain an outbreak of a disease, if authorized by public health authorities.
- Our Legitimate Interests: We may process your information for our legitimate business interests if it does not override your fundamental rights. For instance, it’s in our interest to ensure the security of our clinic’s systems; using certain data to detect fraud or intrusions is legally permitted as a legitimate interest. Another example is using your email to send a satisfaction survey – this helps us improve our services (our interest) and does not harm your rights (especially since you can opt out). We will always consider your rights and expectations and will not process personal data for legitimate interests if your rights outweigh ours.
- Exceptions Permitted by Law Without Consent: Canadian privacy law (including PIPEDA) contains specific circumstances where personal information can be collected, used, or disclosed without an individual’s consent. We will only rely on these exceptions in exceptional cases. These may include situations such as:
  - If the collection is clearly in your interests and consent cannot be obtained in a timely way (for example, if you are unconscious in an emergency).
  - To investigate a breach of an agreement or a contravention of law, where seeking consent might compromise the investigation.
  - For fraud detection and prevention purposes.
  - In connection with a prospective business transaction (e.g., merger or sale of the clinic), provided certain safeguards are in place (see also Section 4 on business transfers).
  - If the information is contained in a witness statement and necessary to assess, process, or settle an insurance claim.
  - To identify or locate an injured, ill, or deceased person and communicate with their next of kin.
  - If we have reasonable grounds to believe an individual may be the victim of financial abuse, and using or disclosing the information with appropriate authorities is necessary to prevent or investigate the abuse.
  - If required for the purposes of law enforcement or national security (e.g., we receive a lawful demand or subpoena for records, or to report a crime on our premises).
  - If the information is publicly available (as defined by regulations) and is collected, used, or disclosed strictly for purposes that align with its public availability.
  - If the information is solely being used for journalistic, artistic, or literary purposes (unlikely in our context, except possibly if we were compiling anonymized patient stories with consent for a publication).
  - If the information was produced in the course of your employment, business, or profession and the collection is consistent with the purposes for which the information was produced (for example, if you’re a healthcare professional collaborating with us and you provide your professional credentials or opinions).
In summary, consent is the cornerstone of our data practices, especially for anything beyond basic care or legal requirements. When in doubt, we will seek your consent. We commit to processing your personal information only as permitted by Canadian laws and regulations.
4. When and With Whom Do We Share Your Personal Information?
We understand that your personal information – particularly your health information – is sensitive. We do not sell or trade your personal data. We only share or disclose your information in a limited number of scenarios, and always with safeguards in place. Here are the situations in which we might share your personal information and the types of third parties who may receive it:
- Service Providers (Processors): We may share your information with trusted third-party companies or individuals who provide services on our behalf, only to the extent necessary for them to perform their functions. This can include:
  - Website and IT Hosting Providers: companies that host our website or provide IT infrastructure. For example, our website might be hosted on a secure server provided by a third-party hosting company, which as a result holds any data you submit through the site (such as contact forms).
  - Technical Support and Software Vendors: providers of software or cloud services that we use for clinic operations, such as electronic medical record systems, appointment scheduling software, or email service providers. These parties might process data (e.g., store patient records or send emails on our behalf) but only under our instructions and control.
  - Analytics or Security Services: we might use third-party analytics tools to understand how our website is used, or security services to protect our systems. These providers could receive technical data (like IP addresses or usage data), but they are not allowed to use it for any purpose other than providing services to us.
  We require all our service providers to sign confidentiality agreements or data protection agreements. They must commit to safeguarding your data, to using it only for the purposes we specify, and to complying with applicable privacy laws.
- Other Healthcare Professionals and Institutions: With your knowledge and implied or express consent, we may share relevant portions of your health information with other professionals involved in your care:
  - For example, if your family doctor referred you to our clinic, we will typically send a report or letter back to your doctor about our findings or treatment plan.
  - If we refer you to a specialist or coordinate care with a hospital, laboratory, or another clinic, we will share the necessary information with those providers.
  - In emergencies, we might share information with hospital staff or emergency responders if needed for your urgent treatment (even if you cannot give formal consent at that moment).
  In all such cases, we share only what is needed for your care, and the receiving providers are also bound to maintain confidentiality under their own professional and legal obligations.
- Payment Processors or Insurers: If you have insurance coverage or a government health plan (e.g., Manitoba Health), and it is necessary to bill them for our services, we may share the necessary information with the billing department or insurer to process payment. For instance, we might send your name, health card number, date of service, and diagnosis code to Manitoba Health or a private insurance company for reimbursement purposes. These entities are typically subject to their own privacy regulations. We do not share more information than required for billing or verification.
- Business Transfers: If BrainWave Clinic or Dr. Mandana Modirrousta Medical Corporation is ever involved in a business transaction, such as a merger, acquisition, financing, or sale of all or part of our business or assets, your personal information (including patient records) may be transferred to the new owner or counterparties as part of that transaction. We will ensure that any such transfer is done in accordance with applicable privacy laws (which typically means the receiving party must commit to honoring the existing Privacy Policy or give you notice of changes). If such a transfer occurs, we will notify you and ensure that the successor organization continues to protect your information and uses it only for the same purposes for which it was originally collected.
- Legal Compliance and Protection: We may disclose your information to third parties if we believe in good faith that such disclosure is necessary:
  - To comply with the law: If we are compelled by applicable laws, regulations, legal processes, or government requests to disclose information. For example, responding to a court order, subpoena, or a lawful request by a government authority (like fulfilling duties under public health law or providing records to a regulatory body during an investigation). We will verify any such request and only comply if it is legally binding.
  - To enforce our rights or agreements: We might disclose information to enforce our contractual terms or to respond to claims against us.
  - To prevent harm: If disclosure is necessary to prevent or investigate fraud, suspected illegal activity, security or technical issues, or to protect the rights, property, and safety of BrainWave Clinic, our patients, our staff, or the public. For instance, if someone’s safety is at risk, we might notify law enforcement or appropriate authorities.
- With Your Consent: Aside from the above, if you ask us to or explicitly consent to us sharing your information with a third party, we will do so. For example, if a family member or caregiver calls us and you have given permission for them to receive information about your care, we will share information with that person. Another example is if you want us to transfer your records to a new healthcare provider; we will send them upon your written request or consent.
Important: Whenever we share your information with third parties, we share only what is necessary for that specific purpose and, whenever feasible, we anonymize or pseudonymize data (especially for research or analytical purposes) so that you are not readily identifiable. All third parties are expected to handle your data securely and confidentially, in line with this Privacy Policy and their legal obligations.
If you have questions about third parties that may have access to your information, please contact us and we can provide more specific information relevant to your situation.
5. How Long Do We Keep Your Information?
We retain personal information for only as long as it is needed to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
In practice:
- Medical Records: We keep patient health records for the period mandated by healthcare regulations and guidelines. (For example, healthcare providers in Canada often must retain adult patient records for at least 10 years from the date of the last entry, and longer in some cases such as if the patient was a minor at the time of treatment. We adhere to any such requirements under Manitoba’s medical laws and regulatory college standards.) Keeping these records is important for continuity of care and legal compliance.
- General Inquiries or Contact Information: If you contact us but do not become a patient, we may retain your communications (and our responses) for a reasonable period in case you decide to proceed with our services or have follow-up questions.
- Website Usage Data: Information collected automatically (see Section 1(c)) is typically retained for a shorter period. We might keep logs and analytics data for internal analysis and security monitoring for a certain timeframe (e.g. 12 months), unless we need to retain it longer to investigate security incidents or fulfill legal obligations. Web cookies may persist on your browser until they expire or you delete them – see our Cookie information for specific lifespans.
When personal information is no longer needed for the purposes for which it was collected, and we are not legally required to keep it, we will securely dispose of it or anonymize it. Secure disposal may include permanent deletion of electronic records and shredding of paper records. Anonymization means we alter the information so that it no longer identifies you (for example, aggregating data into statistics). Once anonymized, the information is no longer personal information and we may use it for research or analytical purposes without further notice to you.
If we have archived backup copies of data (for example, in secure data backups that are not immediately accessible), we will isolate and protect those backups until they are eventually overwritten or deleted. We will not use backed-up personal data for any other purpose except as required for backup recovery or security integrity checks.
Note: Even if you request deletion of your data (see Section 12 below), we may retain certain information as necessary to comply with law, prevent fraud, resolve disputes, troubleshoot problems, or enforce our agreements. We always assess requests in line with applicable laws and will inform you of what data can and cannot be deleted upon request.
6. How Do We Keep Your Information Safe?
We take the security of your personal information very seriously. BrainWave Clinic has implemented a combination of administrative, technical, and physical safeguards to protect your data from unauthorized access, use, alteration, and disclosure. These measures include, for example:
- Administrative Safeguards: We train our staff on privacy obligations and ensure that only authorized personnel (such as your healthcare providers or support staff who need the information to perform their duties) have access to your personal data. We have internal policies and procedures to prevent unauthorized access or sharing of patient information.
- Technical Safeguards: Our electronic systems use security technologies such as encryption, firewalls, secure passwords, and access controls to protect electronic records. For instance, when we store data in an electronic medical record system, it is protected by user authentication and encryption. If we transmit sensitive information electronically (e.g., sending an email or transferring records), we strive to use secure channels (like encrypted email or secure file transfer) whenever possible. Our website employs HTTPS (Secure Sockets Layer/Transport Layer Security) to encrypt data transmitted between your browser and our site.
- Physical Safeguards: Sensitive paper records (if any) are stored in locked cabinets or secure areas with controlled access. Our clinic and offices are secured to prevent unauthorized entry. We also implement clean-desk policies and secure disposal methods (such as shredding) for documents containing personal information.
While we are committed to protecting your information, it’s important to recognize that no security measure is completely infallible. The Internet by its nature cannot be guaranteed to be 100% secure, and there is always some risk in transmitting information electronically. Cyber threats continue to evolve, and while we use commercially acceptable means to protect your data, we cannot guarantee absolute security against hackers, cybercriminals, or a highly sophisticated breach.
You can also play a part in protecting your data: please use strong, unique passwords for any accounts (if applicable) and be cautious about sharing your account details or personal information online. If you suspect any unauthorized access or activity related to your information and our services, notify us immediately.
Data Breach Procedures: BrainWave Clinic has a protocol in place to deal with any data security incident. In the unlikely event of a data breach that compromises your personal information, we will notify the affected individuals and the appropriate regulatory authorities (such as the Office of the Privacy Commissioner of Canada and Manitoba’s Ombudsman or Privacy Commissioner, if applicable) without undue delay, as required by law. We will also take all possible steps to mitigate the breach and prevent future occurrences.
Secure Environment Reminder: Whenever you access our services or website, especially if you use an online portal or communicate with us by email, try to do so from a secure environment. For example, use a trusted device and secure network (avoid public Wi-Fi for sensitive communications). This helps reduce the risk of your information being intercepted.
In summary, we are continuously working to protect your personal information. However, if you have reason to believe that your data is no longer secure with us or you have discovered a vulnerability, please contact us immediately so we can address the issue.
7. Do We Collect Information from Minors?
No, our services are not directed to minors under the age of 18, and we do not knowingly collect personal information from children under 18 without verifiable parental or guardian consent.
BrainWave Clinic is a healthcare provider primarily serving adults. By using our website or services, you represent that you are either an adult (18 or older) or a parent/guardian consenting on behalf of a minor. We do not market to children or offer services to individuals under 18 without appropriate consent.
If you are a parent or guardian and you believe we might have collected personal information from your child (for example, if a minor attempted to submit a form on our website), please contact us immediately. We will take prompt steps to investigate and, if appropriate, delete the information from our records. We understand the importance of protecting children’s privacy, and we comply with all applicable laws regarding children’s information.
In cases where we do provide services to minors (for instance, if in the future our clinic extends services to adolescents under a parent/guardian’s care), we will only do so with proper consent from a parent or legal guardian, and we will protect that information with the highest degree of care.
8. What Are Your Privacy Rights?
We believe in transparency and giving you control over your personal information. Depending on the laws that apply and your particular circumstances, you may have some or all of the following privacy rights regarding the information we hold about you:
- Right to Access: You have the right to request confirmation of whether we are processing your personal information, and to access or get a copy of the personal information we have about you. For example, patients have a right to see or obtain copies of their health records (with only a few exceptions, such as if viewing certain information could result in serious harm, as determined by a healthcare professional). We will provide the information in a straightforward format, usually within a reasonable time and sometimes at a nominal cost as allowed by law.
- Right to Correction (Rectification): If you believe that any personal information we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it. For instance, if your contact information changes or you find an error in your medical record, let us know and we will correct it when possible. (In the case of medical opinions or observations recorded in a health record, we may add your statement of disagreement if we believe the original entry should not be changed for legal or medical reasons.)
- Right to Withdraw Consent: If we are processing your personal information based on your consent, you have the right to withdraw that consent at any time. This includes opting out of marketing emails or newsletters (you can do so by clicking “unsubscribe” in the email or contacting us directly). For sensitive medical data, withdrawing consent might mean that we stop using it for optional purposes (like research or a specific service you no longer want). Please note that withdrawing consent will not affect the lawfulness of any processing we already carried out and might not affect processing that is allowed on other legal bases. Also, if you withdraw consent for us to use necessary information, it may affect our ability to continue providing you with certain services. We will explain any implications to you at that time.
- Right to Deletion (Erasure): You may have the right to request that we delete your personal information. This is sometimes referred to as the “right to be forgotten.” However, this right is not absolute and, especially in healthcare, is subject to limitations. We cannot delete medical information that we are required to keep by law or that is necessary for ongoing treatment or other legitimate purposes. For example, we generally must retain health records for a set time by law, and even beyond that, it may be important for us to have a record of the care provided. If you request deletion, we will remove what information we can, and we will inform you of any data we must keep and why. We will also keep a record of your deletion request.
- Right to Restrict Processing: You have the right to ask us to limit or restrict the processing of your information in certain circumstances. For instance, if you contest the accuracy of your information, you can request we restrict use of that data until we verify the accuracy. Or if you object to a certain use, you can request restriction while we consider your objection. When processing is restricted, we will still store your information, but not use it for the purpose you objected to until resolved.
- Right to Object: You have the right to object to certain processing of your personal information. For example, you can object to the use of your information for direct marketing (at which point we would stop sending you marketing messages). You might also object to processing based on our “legitimate interests” (see Section 3) if you believe your rights outweigh our interests. We will honor objections unless we have a compelling legitimate ground to continue or a legal obligation to do so.
- Right to Data Portability: In some cases, you have the right to request a digital copy of your personal information in a common format, and/or to have that information transferred to another service provider. This typically applies to information you provided to us directly. In healthcare, this could overlap with your right to access your records. If you need your records sent to another provider, we can accommodate that in a secure manner rather than a standard “portability” format, but the principle is that you have control over moving your data.
- Rights related to Automated Decision-Making: BrainWave Clinic does not make any significant decisions about you using purely automated processes without human involvement. (Automated decision-making rights are more relevant in scenarios like credit approval algorithms or marketing profiling, which we do not perform.) However, for completeness: if we ever use automated decision-making or profiling that produces legal or similarly significant effects on you, you would have the right not to be subject to such decisions without appropriate safeguards, including the right to request human intervention and to contest the decision.
These rights may vary based on your province or country. For example, PIPEDA gives Canadians the right to access personal information and request corrections, but it does not explicitly include some of the newer rights like data portability which are present under the EU’s GDPR. Regardless, BrainWave Clinic’s policy is to be as responsive as possible to your privacy-related requests.
Exercising Your Rights: Please see Section 12 below for details on how to submit a request to exercise any of these rights. Typically, you can do so by contacting us at info@brainwaveclinic.ca or by mail. We may need to verify your identity (for example, by asking for ID or confirming personal details) before fulfilling certain requests, especially for sensitive data, to ensure we don’t disclose information to the wrong person.
We will respond to your request within a reasonable timeframe and in accordance with applicable law. If we cannot fulfill your request (such as denying a request for deletion due to legal requirements), we will explain the reason. If you have unresolved concerns, you also have the right to contact the Privacy Commissioner of Canada or your provincial privacy authority (e.g., the Manitoba Ombudsman’s office for PHIA concerns) to file a complaint. We would appreciate the chance to address your concerns first, and we are committed to finding a satisfactory solution.
Your privacy rights are important, and we are here to help you exercise them and to answer any questions you may have.
9. Controls for Do-Not-Track Features
Do Not Track (DNT) is a privacy preference that users can set in some web browsers to signal that they do not wish to be tracked across different websites. At this time, there is no standardized industry protocol for websites to fully recognize or respond to DNT signals. As a result, our website currently does not respond to Do Not Track browser settings.
What this means: If you enable the DNT option in your web browser, our site will not treat you differently from other visitors based solely on that signal. We continue to operate as described in this Privacy Policy, and we will still collect the limited usage data as outlined in Section 1(c) when you visit our site.
It’s important to note that not responding to DNT does not mean we are tracking you in an invasive way. We do not engage in cross-site behavioral tracking of individual users, nor do we serve targeted advertising. The information we collect about your visit is mainly for functional and security purposes and analytics to improve our own site (as described earlier).
If a uniform standard for online tracking is established in the future (and/or if regulations mandate us to honor DNT), we will update this Privacy Policy and our practices accordingly and let you know about the change.
In the meantime, you can still control certain tracking aspects:
- You may opt out of analytics cookies or third-party scripts if we use any (check our Cookie notices or browser plugin options).
- You can use browser extensions or privacy-focused browsers that limit tracking.
- We honor any specific opt-outs for analytics or marketing that we have offered (for example, if we ever implemented Google Analytics with an opt-out mechanism, we would respect those settings).
For any questions about online tracking, feel free to contact us.
10. Do We Make Updates to This Policy?
Yes. We may update or revise this Privacy Policy from time to time as needed to reflect changes in our practices, to keep up with new legal requirements, or to improve clarity.
When we make changes, we will:
- Update the “Last Updated” date at the top of this Privacy Policy. The new date will indicate when the changes become effective.
- In the case of material changes (significant changes that affect how your personal information is handled), we will provide a more prominent notice. For example, we might post a notice on our website’s homepage, or if appropriate, send an email notification or a letter to inform you of the changes. We might also announce it during your clinic visit. We do this so you are aware of any new practices or rights.
- We will keep older versions of this Privacy Policy archived (and you can request to see previous versions if needed, to understand how our practices have evolved).
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If you continue to use our services or website after a revised Privacy Policy has been posted, it will signify your acceptance of the updated terms, to the extent permitted by law.
If we ever were to make a change that retroactively affects how we handle data collected previously (which is unlikely and would generally be disallowed by law without consent), we would either seek your consent or provide an opt-out opportunity.
In summary, this policy may be updated as our clinic and the regulatory environment grow. We remain committed to privacy principles and will not reduce your rights under this Privacy Policy without your explicit consent.
11. How Can You Contact Us About This Policy?
We welcome any questions, concerns, or feedback you may have about your privacy or this Privacy Policy. If you need further information, or if you want to exercise any of your rights as described above, please reach out to us using the contact details below.
Email: info@brainwaveclinic.ca
Phone: 204-414-0077 (during business hours)
Mailing Address:
Attn: Privacy Officer (Privacy Inquiry)
Dr. Mandana Modirrousta Medical Corporation (BrainWave Clinic)
400 Taché Avenue, Unit 700
Winnipeg, Manitoba R2H 3C3
Canada
When you contact us with a privacy-related request or question, please provide enough detail for us to understand your concern and locate relevant records (if applicable). For example, if you are requesting a copy of your records, specifying your full name and the dates of service will help us process your request faster. We may need to verify your identity before releasing personal information to ensure we protect your data from unauthorized access.
We will respond to inquiries or requests as promptly as possible, generally within 30 days or as required by law. If for some reason we need more time or we cannot fulfill your request, we will let you know the reason and the expected timeline.
Supervisory Authority: While we hope to resolve any issue directly with you, you also have the right to contact the relevant privacy regulatory authorities. In Canada, the federal oversight agency is the Office of the Privacy Commissioner of Canada (OPC), and for health information in Manitoba, the Manitoba Ombudsman oversees compliance with PHIA. They can provide you with information about your privacy rights and assist with unresolved complaints. We can provide contact information for these authorities upon request.
Thank you for trusting BrainWave Clinic with your personal information. We are dedicated to protecting your privacy and ensuring that you feel secure in all your interactions with us.
12. How Can You Review, Update, or Delete Your Data?
You have the right to review, update, or request deletion of the personal information we hold about you, as described in Section 8 above. To exercise these rights or make such requests, please contact us using any of the methods listed in Section 11 (for example, by emailing info@brainwaveclinic.ca with your request).
When making a request, please be clear about what information you would like to access, update, or delete. For instance, you might say, “I’d like a copy of my medical records from 2024,” or “Please update my address to the following new address…,” or “I request deletion of my contact information from your mailing list.” The more specific you are, the better we can assist you.
Process for Requests:
- We may ask you to verify your identity before proceeding with your request, especially if it involves sensitive information (this is to protect your data from unauthorized access). Verification might involve answering a security question, showing ID, or confirming information we have on file.
- We will acknowledge your request and let you know if we need additional information.
- We will then search our records and process your request in accordance with applicable laws. As noted earlier, some data (particularly health records) cannot be deleted on demand, but we will do our best to accommodate your request and will explain any limitations.
- If you requested access to data, we will provide it to you in a readable format. If you requested a correction and we agree, we will make the correction and confirm with you. If we do not agree that a correction is warranted, we will let you know why and note your request in the file.
- If you requested deletion, we will remove the information that we are able to, and confirm with you once completed. If certain information must be retained, we’ll inform you of that.
There is typically no fee for making a request. In rare cases, if your request is unusually complex or repetitive, we may charge a minimal fee as allowed by law (we would inform you in advance). Our goal is to fulfill requests within 30 days, but if more time is needed, we will let you know and provide an explanation (for example, if the record is older and in archives).
Finally, if you have an account or online portal access through which you can directly review or update some of your information (for example, if we provide an online patient portal), you may use that as well. But the fastest way for most requests related to your data is to contact us directly.
Reminder: Exercising your rights is free and welcomed. We will never retaliate or refuse service because you exercised your privacy rights. Our duty is to assist you and ensure you are comfortable with how your personal information is handled.