Privacy Policy

Your data, your rights, our responsibility

This policy explains what personal and health information MyoMesh collects, how it is used, who it is shared with, and how it is protected — in plain language.

Last updated: February 22, 2026  |  Effective: February 22, 2026

1 Who We Are

MyoMesh is a cloud-based practice management platform designed for registered health professionals including massage therapists, physiotherapists, chiropractors, and other regulated and unregulated practitioners. The platform provides tools for scheduling, clinical documentation, billing, analytics, and team management.

References to "MyoMesh," "we," "us," or "our" in this policy refer to the legal entity operating the MyoMesh platform. References to "you" or "Subscriber" refer to the practice owner, administrator, or practitioner who has created or uses a MyoMesh account. References to "Client" refer to the end patients or clients whose information is entered into the platform by the Subscriber.

When processing personal health information on behalf of a Subscriber, MyoMesh acts as a Health Information Custodian Agent, information manager, or equivalent role depending on the applicable provincial legislation (PHIPA in Ontario, HIA in Alberta, PHIA in Newfoundland and Labrador, and the applicable framework in all other provinces and territories). The Subscriber — as the regulated health professional — remains the primary Custodian or trustee of their clients' records under whichever provincial legislation applies to their practice.

2 Information We Collect

We collect information in three broad categories: information about the Subscriber's practice and account, information about the Subscriber's clients (entered by the Subscriber), and information generated automatically by use of the platform.

2.1 Account & Practice Information

Identity & Contact

Business name, address, province, postal code, phone number, booking URL, and business logo.

Authentication Credentials

Email address and hashed password managed by Firebase Authentication. We do not store plaintext passwords.

Billing Information

Payment method tokens provided by Stripe. We do not store full card numbers. Billing address, currency, and plan selection are stored.

Staff Profiles

Name and email address of practitioners you invite. Their role (Owner, Admin, Practitioner), approved session types, pay rates, and calendar integration credentials.

2.2 Client Health Records

This is the most sensitive category of information handled by MyoMesh and is treated as Protected Health Information (PHI). Subscribers enter this information directly into the platform on behalf of their clients.

Demographics

Full name, date of birth, gender and pronouns, address, phone, email, emergency contact, and occupation.

Clinical Information

Reason for visit, medical history, current medications, known allergies, past surgeries, relevant diagnoses, pain levels, and body chart annotations.

Session Records

Appointment history, session type, assigned practitioner, SOAP notes, treatment plans, progress milestones, and session outcomes.

Financial Records

Invoice history, payment method used, amounts charged, outstanding balances, package usage, and promotional discounts applied.

Consent & Waivers

Liability waiver status, digital signature name and timestamp, and intake form responses.

Lifestyle Information

Exercise level, type of work, stress level, sleep quality, and other intake form responses where collected.

2.3 Usage & Technical Data

When you use the MyoMesh platform, we automatically generate and collect the following operational data:

  • Audit log entries: every access, edit, export, and deletion of client health records — including the user's identity, timestamp, IP address, and a description of the action taken.
  • Session metadata: login timestamps, session duration, inactivity timeouts, and device information.
  • Error and diagnostic logs used to monitor platform stability and investigate security incidents. These logs do not contain client health record content.
  • Platform usage patterns used in aggregate, anonymised form to improve product features.

3 How We Use Your Information

We use collected information only for the purposes described below. We do not sell personal information to third parties. We do not use client health records for advertising, profiling, or any purpose unrelated to service delivery.

Permitted Purposes
  • Service delivery: Providing scheduling, clinical documentation, billing, and analytics features to Subscribers.
  • Account management: Creating and maintaining your account, processing billing, sending subscription-related communications.
  • Security and compliance: Maintaining audit logs, enforcing session timeouts, preventing unauthorised access, and detecting abuse.
  • Support: Responding to support requests, diagnosing technical issues, and providing onboarding assistance.
  • Legal obligations: Retaining records as required under applicable Canadian provincial health privacy legislation and federal law, responding to lawful access requests.
  • Platform improvement: Analysing anonymised, aggregated usage data to improve product features. No individual health records are used for this purpose.
  • Communications: Sending service notifications, security alerts, billing notices, and (with consent) product updates. You may opt out of marketing communications at any time.

4 Health Information & Canadian Privacy Law

MyoMesh is designed for regulated and allied health practitioners across Canada and is built to support compliance with applicable personal health information legislation in every Canadian province and territory. The specific legislation that applies to a Subscriber depends on the province or territory in which they practice. MyoMesh's platform features — including audit logging, role-based access, session timeouts, and data export — are designed to meet or exceed the requirements of all Canadian provincial health privacy frameworks.

Applicable Legislation by Province
  • Ontario: Personal Health Information Protection Act (PHIPA, 2004)
  • Alberta: Health Information Act (HIA) + Personal Information Protection Act (PIPA)
  • British Columbia: Personal Information Protection Act (PIPA)
  • Quebec: Act respecting the protection of personal information in the private sector (Law 25, as amended by Bill 64, fully in force September 2023)
  • Newfoundland & Labrador: Personal Health Information Act (PHIA)
  • New Brunswick, Nova Scotia, Prince Edward Island, Saskatchewan, Manitoba, Northwest Territories, Nunavut, Yukon: Federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies in the absence of substantially similar provincial legislation. Some provinces have additional health-sector guidance.

Note: Quebec, British Columbia, and Alberta have been deemed to have substantially similar privacy legislation to PIPEDA by the federal government. Subscribers in those provinces should comply with their provincial legislation as the primary applicable law.

4.1 Our Role Under Canadian Health Privacy Legislation

Regardless of province, MyoMesh acts as an agent or custodian agent of the Subscriber in relation to personal health information. We collect, use, and retain PHI only as necessary to provide the platform services, only in accordance with the Subscriber's instructions and applicable law, and never for our own commercial purposes. In the terminology of Ontario's PHIPA, we act as a Health Information Custodian Agent; under Alberta's HIA, we act as an information manager; under other provincial frameworks, our role is equivalent.

4.2 Audit Trail

Every access to, edit of, export of, and deletion of a client health record is logged in a tamper-evident audit trail. Log entries include the date and time, the identity of the user who performed the action, the affected client record, and a description of the action. Audit logs are retained for a minimum of 10 years — the period required under Ontario's PHIPA, Alberta's HIA, and consistent with best practices for health information custodians across all Canadian jurisdictions. Subscribers can access, filter, and export their organisation's full audit log at any time from the Compliance section of Settings.

4.3 Session Security

To protect client health records from unauthorised access on shared or unattended devices, the platform automatically logs out inactive sessions. The inactivity timeout is configurable by the Subscriber (5, 10, 15, or 30 minutes). Each auto-logout is recorded in the audit log.

4.4 Client Data Rights

Under Canadian provincial health privacy legislation, clients have the right to access and request correction of their own personal health information. Subscribers are responsible for fulfilling these requests in accordance with the legislation that applies in their province. MyoMesh provides tools to export a complete individual client record (demographics, session history, clinical notes, body charts, invoices, and audit trail entries) from the client's profile at any time to assist Subscribers in meeting their obligations.

Subscriber Reminder — All Provinces

If you are a Health Information Custodian, trustee, or equivalent under the health privacy legislation of your province, you are responsible for ensuring that your collection and use of client health information meets the requirements of the Act that applies to your practice. This includes obtaining appropriate consent where required and fulfilling client access requests. MyoMesh provides the tools — the legal obligations as Custodian or equivalent remain yours.

5 HIPAA (U.S. Practitioners)

For Subscribers operating in the United States who are subject to the Health Insurance Portability and Accountability Act (HIPAA), MyoMesh acts as a Business Associate in relation to any Protected Health Information (PHI) or Electronic Protected Health Information (ePHI) entered into the platform.

5.1 Technical Safeguards

MyoMesh implements the required technical safeguards for ePHI under the HIPAA Security Rule, including:

  • Access controls: Role-based access ensuring staff can only access the data appropriate to their role (Owner, Admin, Practitioner).
  • Audit controls: Automated audit logging of all access and modification of health records, as described in Section 4.2.
  • Integrity controls: Data is stored in Google Cloud Firestore with built-in integrity protections.
  • Transmission security: All data in transit is encrypted using TLS 1.2 or higher. All connections are served over HTTPS.
  • Authentication: Unique user identification and automatic session logout as described in Sections 6 and 7.

5.2 Business Associate Agreement

U.S. Subscribers who require a Business Associate Agreement (BAA) to satisfy their HIPAA obligations should contact us at Hello@myomesh.com. We will enter into a BAA with covered entities and business associates as required by law. Use of the platform by U.S. covered entities prior to execution of a BAA is at the Subscriber's risk.

6 Security & Infrastructure

MyoMesh is built on Google Firebase and Cloud Firestore, which provide enterprise-grade security infrastructure maintained by Google Cloud. Below is a summary of the technical and organisational measures in place.

Measures at a glance: TLS 1.2+ encryption in transit; AES-256 encryption at rest; role-based access control; PHIPA audit logging; configurable session timeout; Google Cloud infrastructure.

6.1 Encryption

All data stored in Cloud Firestore is encrypted at rest using AES-256 by Google Cloud. All data transmitted between your browser and MyoMesh servers is encrypted in transit using TLS 1.2 or higher. The platform is accessible only over HTTPS; unencrypted HTTP connections are not accepted.

6.2 Role-Based Access Control

Every user account in MyoMesh is assigned one of three roles — Owner, Admin, or Practitioner. Access to client records, financial data, staff management, and compliance settings is restricted based on these roles. The account Owner holds the highest level of privilege and is the only user who can perform irreversible actions such as full account data deletion.

6.3 Session Management

Sessions are managed by Firebase Authentication. The platform automatically logs out users after a configurable period of inactivity (between 5 and 30 minutes), ensuring that unattended devices do not expose client health records. Each automatic session termination is recorded in the audit log.

6.4 Google Cloud Security

MyoMesh's backend infrastructure runs on Google Cloud Platform, which maintains ISO 27001, SOC 2, and SOC 3 certifications, and is independently audited on an ongoing basis. Google Cloud's security programme and certifications are available at cloud.google.com/security.

6.5 Payment Security

MyoMesh does not store credit card numbers, card verification codes, or full bank account details. Payment processing is handled entirely by Stripe, which is certified to PCI DSS Level 1 — the highest level of payment card security certification. MyoMesh receives and stores only a tokenised reference to the payment method.

7 Multi-Factor Authentication

MyoMesh supports and encourages Multi-Factor Authentication (MFA) for all user accounts. MFA is implemented through Firebase Authentication and provides a second layer of verification beyond a password, significantly reducing the risk of unauthorised account access even if login credentials are compromised.

7.1 Staff Invitation Verification

When a Subscriber invites a new staff member to their practice, an email invitation is sent to the practitioner's verified email address. The invited user must click a unique, time-limited link in that email to create their account. This email verification step ensures that only the intended recipient can activate a staff account, and that the email address used for calendar invites and client communications is confirmed as valid.

7.2 Recommendations

Security Recommendation

We strongly recommend that all account holders enable MFA in their account settings, use a unique password for their MyoMesh account, and configure the shortest practical session timeout for their clinical environment. These measures are especially important in shared-device settings such as treatment rooms.

8 Data Retention

We retain different categories of data for different periods, based on legal requirements and legitimate operational need.

Retention Schedule
  • Client health records and session data: Retained for the lifetime of the active subscription and for 30 days following account cancellation to allow data export.
  • Audit log entries: Retained for a minimum of 10 years in compliance with the requirements of Ontario's PHIPA, Alberta's HIA, and consistent with best practices for health information custodians under all applicable Canadian provincial legislation.
  • Billing records and invoices: Retained for 7 years in accordance with standard accounting and tax obligations.
  • Authentication and session logs: Retained for 90 days for security monitoring purposes.
  • Error and diagnostic logs: Retained for 30 days.
  • Deleted client records: Removed from active systems within 30 days of deletion. Residual copies in backup systems are overwritten within 90 days.

8.1 Account Cancellation

When a Subscriber cancels their account, full access to the platform continues until the end of the final billing period. Following that, the Subscriber has a further 30-day window to download their complete organisation data. After this window closes, active client records are deleted. Audit logs are retained separately for the 10-year statutory period, regardless of account status.

8.2 Data Deletion on Request

Account Owners may request deletion of all organisation data at any time from the Account section of Settings. This action is irreversible. We strongly recommend downloading a full organisation data export before initiating deletion. Upon confirmation, all client records, session data, notes, invoices, and staff accounts are permanently deleted from active systems. Statutory records (audit logs, billing records) are retained only to the extent required by law.

9 Your Rights

Depending on your location, you may have specific statutory rights regarding your personal information. The rights described below apply to Subscribers' own account and business information. Client rights under applicable Canadian provincial health privacy legislation are addressed in Section 4.

10 Third-Party Services

MyoMesh integrates with the following third-party services to provide its features. Each third party processes data only as described below and is bound by its own privacy terms. We do not authorise any third party to use Subscriber or Client data for their own commercial purposes.

Provider, purpose, and data shared:
  • Google Firebase & Cloud Firestore: authentication, database storage, and backend infrastructure. Data shared: all account and client data is stored in Firestore; authentication credentials are managed by Firebase Auth.
  • Stripe: payment processing for Subscriber subscription billing. Data shared: payment method details, billing address, and subscription amount. Card numbers are never transmitted to or stored by MyoMesh.
  • PayPal: optional client-facing payment processing within the platform. Data shared: client payment details are handled by PayPal's hosted flow; MyoMesh receives only transaction confirmation.
  • Google Calendar: optional calendar integration for automatic appointment event creation. Data shared: session date, time, client first name, and practitioner name for calendar event creation. Requires explicit OAuth authorisation by each practitioner.
  • Microsoft Outlook / Azure: optional calendar integration for automatic appointment event creation. Data shared: same as Google Calendar. Requires explicit MSAL authorisation.
  • Intuit QuickBooks: optional accounting integration for income and expense synchronisation. Data shared: invoice amounts, session types, and payment status. No client health information is shared with QuickBooks.
  • SMS Provider (Twilio): optional SMS appointment reminders and notifications. Data shared: client phone number, first name, and appointment date and time. SMS is an optional add-on and is only active if purchased by the Subscriber.

11 International Data Transfers

MyoMesh's primary data infrastructure is hosted on Google Cloud Platform. Google Cloud data residency is determined by the region configuration at the time of account creation. Canadian Subscribers' data is stored in data centres located in Canada by default.

Certain third-party integrations — such as Stripe and Twilio — may involve data processing in the United States or other jurisdictions. These providers maintain appropriate safeguards for international transfers including Standard Contractual Clauses where applicable. By enabling these integrations, Subscribers consent to any associated cross-border data transfers.

If you require specific data residency guarantees, contact us at Hello@myomesh.com before enabling any third-party integrations.

12 Cookies & Browser Storage

MyoMesh uses browser storage mechanisms to maintain sessions and improve performance. We do not use third-party advertising cookies or tracking pixels.

Storage Types Used
  • localStorage: Used to cache your organisation's settings, user identity, and UI preferences (such as dark mode) locally in your browser to reduce loading time. This data never leaves your device unless explicitly synced to Firestore.
  • Firebase Authentication cookies: Firebase sets a session cookie to maintain your authenticated session. This cookie is strictly necessary for platform functionality and cannot be disabled while you are logged in.
  • No advertising or analytics cookies: We do not use Google Analytics, Facebook Pixel, or any third-party advertising or behavioural tracking cookies on the platform.

13 Data Breach Notification

In the event of a security incident that results in the actual or suspected unauthorised access to, use, or disclosure of personal health information, MyoMesh will act promptly in accordance with applicable law.

Breach Response Process
  • Containment: We will immediately take steps to contain and remediate the incident.
  • Assessment: We will assess the nature, scope, and likely impact of the breach on affected individuals.
  • Subscriber notification: We will notify affected Subscribers without unreasonable delay, and in any event within 72 hours of becoming aware of a confirmed breach involving their organisation's data, where required by law.
  • Regulatory notification: Where required by applicable Canadian provincial health privacy legislation (including PHIPA, HIA, PHIA), PIPEDA, HIPAA, GDPR, or Quebec's Law 25, we will notify the relevant regulatory authority within the prescribed timeframe.
  • Individual notification: Where the breach creates a real risk of significant harm to individuals, we will notify affected individuals in accordance with applicable requirements.

Subscribers who become aware of a potential security incident involving their MyoMesh account — including lost devices, compromised credentials, or suspicious activity — should immediately contact us at Hello@myomesh.com and change their password.

14 Children's Privacy

MyoMesh accounts may only be created by individuals who are 18 years of age or older. We do not knowingly collect personal information from persons under 18 for the purpose of creating a Subscriber account.

Subscribers may enter health records for clients who are minors as part of legitimate clinical practice. The Subscriber is responsible for obtaining any parental or guardian consent required by applicable law before collecting health information from or about a minor client.

15 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you by email at the address associated with your account at least 30 days before the changes take effect.

The "Last updated" date at the top of this policy reflects the most recent revision. Continued use of the MyoMesh platform after the effective date of a revised policy constitutes your acceptance of those changes.

16 Contact & Privacy Requests

Questions, concerns, or requests relating to this Privacy Policy or the handling of your personal information should be directed to:

Privacy enquiries & data subject requests:
Hello@myomesh.com
Please include "Privacy Request" in the subject line.

Security incidents & breach reporting:
Hello@myomesh.com

Accessibility concerns:
accessibility@myomesh.com

In-app support: Available through the support chat inside your MyoMesh dashboard.

We aim to respond to all privacy requests within 5 business days, and to resolve them within 30 days.