Spa Utopia All Rights Reserved. 2022
At The 360 Degrees Health & Wellness Company (“360”), we are committed to providing our customers with exceptional service. As providing this service involves the collection, use and disclosure of some personal information about our customers, protecting their personal information is one of our highest priorities.
We will inform our customers of why and how we collect, use and disclose their personal information, obtain their consent where required, and only handle their personal information in a manner that a reasonable person would consider appropriate in the circumstances.
Scope of this Policy
This policy also applies to any service providers collecting, using or disclosing personal information on behalf of 360, but does not apply to any third-party websites linked from our websites, as such websites are governed by their own privacy policies.
Personal Information – means information about an identifiable individual, such as their name, date of birth, gender, home address, personal phone number, personal email address, Internet Protocol (IP) address, personal interests and shopping preferences. Personal information does not include business contact information (described below).
Personal Health Information – Personal Health Information (“PHI”) is Personal Information that is related to a person’s health or the provision of health services to them. Examples are: medical histories, test and laboratory results, mental health conditions, insurance information and other Personal Information that we use to provide quality care and services and to meet our legal and professional requirements.
Business Contact Information – means information that would enable an individual to be contacted at a place of business and includes name, position name or title, business telephone number, business address, business email or business fax number. This is information that would normally be found on someone’s business card. Contact information is not covered by this policy or PIPA.
Privacy Officer – means the individual designated as responsible for ensuring that 360 complies with this policy and PIPA.
360 has adopted privacy principles consistent with the Canadian Standards Association’s “Model Code for the Protection of Personal Information”. The code contains ten (10) information principles that are generally described as follows:
Accountability – An organization is responsible for Personal Information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with these principles.
Identifying Purposes – The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
Consent – The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except when obtaining consent would be inappropriate.
Limiting Collection – The collection of personal information shall be limited to what is necessary for the purposes identified by the organization. Information shall only be collected by fair and lawful means.
Limiting Use, Disclosure and Retention – Personal Information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal Information shall be retained only as long as necessary for the fulfilment of those purposes.
Accuracy – Personal Information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
Safeguards – Personal Information shall be protected by security safeguards appropriate to the sensitivity of the information.
Openness – An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Individual Access – Upon request, an individual shall be informed of the existence, use, and disclosure of their personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Challenging Compliance – An individual shall be able to address a challenge concerning compliance with the above principles to the organization’s Privacy Officer or other individual accountable for the organization’s compliance.
Collecting Personal Information
1.1 Unless the purposes for collecting personal information are obvious and the customer voluntarily provides his or her personal information for those purposes, we will communicate the purposes for which personal information is being collected, either orally or in writing, before or at the time of collection.
1.2 We will collect customer personal information that is necessary to fulfill the following purposes:
To respond to customer inquiries and concerns about 360’s business or the products it sells or offers;
To verify identity, including but not limited to the identity of persons placing online orders on 360’s online shopping website(s) and to respond to and communicate regarding orders placed;
To identify customer needs and preferences;
To open or manage a customer account, whether with our online shopping website(s), loyalty programs, or any other services that require the customer to sign up for an account;
To deliver requested products and services;
To provide health services;
To enrol the customer in a program;
To ensure a high standard of service to our customers;
To meet regulatory requirements;
2.1 We will obtain customer consent to collect, use or disclose personal information (except where, as noted below, we are authorized to do so without consent).
2.2 Consent can be provided orally, in writing, or electronically, through an authorized representative, or it can be implied where the purpose for collecting, using or disclosing the personal information would be considered obvious and the customer voluntarily provides personal information for that purpose.
2.3 Consent may also be implied where a customer is given notice and a reasonable opportunity to opt-out of their personal information being used and the customer does not opt-out.
2.4 Subject to certain exceptions (e.g., the personal information is necessary to provide the service or product, or the withdrawal of consent would frustrate the performance of a legal obligation), customers can withhold or withdraw their consent for 360 to use their personal information in certain ways. A customer’s decision to withhold or withdraw their consent to certain uses of personal information may restrict our ability to provide a particular service or product. If so, we will explain the situation to assist the customer in making the decision.
2.5 We may collect, use or disclose personal information without the customer’s knowledge or consent in the following limited circumstances:
When the collection, use or disclosure of personal information is permitted or required by law;
In an emergency that threatens an individual’s life, health, or personal security;
When the personal information is available from a public source (e.g., a telephone directory);
When we require legal advice from a lawyer;
For the purposes of collecting a debt;
To protect ourselves from fraud;
To investigate an anticipated breach of an agreement or a contravention of law.
Using and Disclosing Personal Information
3.1 We will only use or disclose customer personal information where necessary to fulfill the purposes identified at the time of collection or for a purpose reasonably related to those purposes such as:
To fulfill orders and requests for products, services, or information;
To process returns and exchanges;
To detect and protect against fraud and error;
To market and advertise products and services;
To conduct customer surveys in order to enhance the provision of our services;
To contact our customers directly about products and services that may be of interest;
3.2 We will not use or disclose customer personal information for any additional purpose unless we obtain consent to do so.
Retaining Personal Information
4.1 If we use customer personal information to make a decision that directly affects the customer, we will retain that personal information for at least one year so that the customer has a reasonable opportunity to request access to it.
4.2 Subject to policy 4.1, we will retain customer personal information only as long as necessary to fulfill the identified purposes or a legal or business purpose.
Ensuring Accuracy of Personal Information
5.1 We will make reasonable efforts to ensure that customer personal information is accurate and complete where it may be used to make a decision about the customer or disclosed to another organization.
5.2 Customers may request corrections to their personal information in order to ensure its accuracy and completeness. A request to correct personal information must be made in writing and provide sufficient detail to identify the personal information and the correction being sought. A request to correct personal information should be forwarded to the Privacy Officer or designated individual.
5.3 If the personal information is demonstrated to be inaccurate or incomplete, we will correct the information as required and send the corrected information to any organization to which we disclosed the personal information in the previous year. If the correction is not made, we will note the customer’s correction request in the file.
Securing Personal Information
6.1 We are committed to ensuring the security of customer personal information in order to protect it from unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.
6.2 The following security measures will be followed to ensure that customer personal information is appropriately protected:
the use of locked filing cabinets;
physically securing offices where personal information is held;
the use of user IDs, passwords, encryption, and firewalls;
restricting employee access to personal information as appropriate (i.e., only those that need to know will have access);
contractually requiring any third-party service providers to provide comparable security measures.
6.3 We will use appropriate security measures when destroying customers’ personal information, such as shredding documents and deleting electronically stored information.
6.4 We will continually review and update our security policies and controls as technology changes to ensure ongoing personal information security.
Providing Customers Access to Personal Information
7.1 Customers have a right to access their personal information, subject to limited exceptions:
Information that is protected by solicitor-client privilege
Information that, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organization
Information that was collected or disclosed without consent, as allowed under PIPA, for the purposes of an investigation and the investigation and associated proceedings and appeals have not yet been completed
Information that was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which they were appointed to act under a collective agreement, an enactment, or by a court
Information that is in a document that is subject to a solicitor’s lien.
Information that could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request
Information that could, if disclosed, be reasonably expected to cause immediate or grave harm to the safety or physical or mental health of the individual who made the request
Information that would, if disclosed, reveal personal information about another individual
Information that would, if disclosed, reveal the identity of an individual who provided personal information about another individual and the individual providing the personal information does not consent to the disclosure of their identity
7.2 A request to access personal information must be made in writing and provide sufficient detail to identify the personal information being sought. A request to access personal information should be forwarded to the Privacy Officer or designated individual.
7.3 Upon request, we will also tell customers how we use their personal information and to whom it has been disclosed if applicable.
7.4 We will make the requested information available within 30 business days, or provide written notice of an extension where additional time is required to fulfill the request.
7.5 A minimal fee may be charged for providing access to personal information. Where a fee may apply, we will inform the customer of the cost and request further direction from the customer on whether or not we should proceed with the request.
7.6 If a request is refused in full or in part, we will notify the customer in writing, providing the reasons for refusal and the recourse available to the customer.
Questions and Complaints: The Role of the Privacy Officer or designated individual
8.1 The Privacy Officer or designated individual is responsible for ensuring 360’s compliance with this policy and PIPA (and any other applicable legislation).
8.2 Customers should direct any complaints, concerns or questions regarding 360’s compliance in writing to 360’s designated Privacy Officer. If the Privacy Officer is unable to resolve the concern, the customer may also write to the Information and Privacy Commissioner of British Columbia.
Contact information for 360’s Privacy Officer:
The 360 Degrees Health & Wellness Company
#206 – 10183 152A Street
Surrey, BC V3R 4H6
Attention: Privacy Officer
We will respond to your request or concern as soon as possible.