Your information,
on your terms.

Vellum Ritual House Inc. (“Vellum,” “we,” “our,” or “us”) is a Canadian corporation with its registered office at 100 Ossington Avenue, Toronto, Ontario M6J 2Z4. We operate two member-based bathhouse and recovery facilities in the City of Toronto and the website at vellumritual.com (together, the “Services”).

We respect your privacy and are committed to protecting the personal information you entrust to us. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you interact with the Services. It has been written to comply with the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”), Ontario’s Personal Health Information Protection Act, 2004 where applicable to intake information, Canada’s Anti-Spam Legislation (“CASL”), and the Accessibility for Ontarians with Disabilities Act, 2005 (“AODA”).

By booking a session, joining a membership, creating an online account, subscribing to our newsletter, or otherwise using the Services, you acknowledge that you have read and understood this Privacy Policy.

We collect the following categories of personal information:

• Identity & contact information — your full name, date of birth (age 18+ verification for cold plunge and sauna), email address, mailing address, and mobile phone number.
• Booking & session history — the services you book, location preference (Queen West or North York), date and time of visits, check-in records, and whether you completed the session.
• Health intake — voluntary disclosures about pregnancy, cardiovascular conditions, photosensitive medications, injuries, and physical limitations that help our staff keep you safe. This is treated as sensitive personal health information.
• Membership & billing — membership tier, subscription status, billing address, and the last four digits of your payment card. Full card numbers are processed and stored directly by our PCI-DSS-compliant payment processors (Stripe Canada and Square Canada) and are never stored on Vellum servers.
• Locker & facility data — assigned locker numbers, RFID wristband identifier, and access logs used for guest safety and facility accountability.
• Device & analytics data — IP address, browser type and version, operating system, referring URL, pages visited, session duration, and aggregated booking funnel data. We collect this through first-party cookies and privacy-respecting analytics (Plausible Analytics, hosted in the EU).
• Marketing preferences — the consent you have given or withdrawn for commercial electronic messages, including newsletter, SMS reminders, and re-engagement campaigns.

We only collect personal information for purposes that a reasonable person would consider appropriate in the circumstances. Specifically:

• To create and administer your account, booking, or membership.
• To confirm appointments and send service reminders by email and SMS.
• To operate the facility safely — including verifying age, respecting declared contraindications, and performing basic emergency-response due diligence.
• To process payments, refunds, membership freezes, and cancellations.
• To meet our legal, tax, accounting, and insurance obligations (including HST filings with the Canada Revenue Agency and retention of corporate records under the Ontario Business Corporations Act).
• To improve the Services through aggregated, pseudonymized analytics.
• To send newsletters and promotional messages, with your express consent, in compliance with CASL.
• To respond to inquiries, complaints, and feedback.

Under PIPEDA, we rely on one or more of the following lawful bases:

• Express consent — for health intake, membership subscriptions, SMS reminders, and marketing emails.
• Implied consent — for obvious service-related communications, such as sending you a booking confirmation after you complete a reservation.
• Legitimate business purposes — for fraud prevention, security logs, and aggregated analytics that do not meaningfully impact your privacy.
• Legal obligation — where we must retain records for tax, accounting, workplace safety, or public health reasons.

You may withdraw your consent at any time (see Section 9). Withdrawal will not affect services already rendered.

Vellum does not sell or rent personal information. We share limited information only in the following circumstances:

• Service providers — vetted vendors who process data on our behalf under written data-processing agreements. This includes Stripe Canada (payments), Square Canada (in-person checkout), Twilio (SMS reminders), Postmark (transactional email), Resend (newsletter delivery), Cloudflare (security and DNS), Vercel (website hosting in Canadian and US regions), and Plausible Analytics (website analytics, EU-hosted).
• Professional advisors — our auditors, lawyers, and insurers, under professional privilege or confidentiality obligations.
• Authorities — law enforcement, regulators (e.g., Toronto Public Health, the Office of the Privacy Commissioner of Canada), or courts, where legally compelled by subpoena, warrant, or valid production order. We evaluate each request and will object to overbroad requests.
• Corporate transactions— in connection with a merger, acquisition, or sale of substantially all of Vellum’s assets, provided the acquirer agrees to honour this Privacy Policy.

Some of our service providers are located or maintain servers outside Canada. When personal information is transferred outside of Canada, it becomes subject to the laws of the country in which it is held and may be accessible to foreign courts, law enforcement, and national-security authorities. We use contractual safeguards, including standard data-protection addenda modeled on PIPEDA’s accountability principle, to protect transferred data.

A detailed sub-processor list is available on request by emailing privacy@vellumritual.com.

We retain personal information only as long as necessary to fulfill the purposes identified in Section 3 or as required by applicable law:

• Booking records: 24 months after your last visit.
• Health intake disclosures: 36 months after your last visit, then securely destroyed.
• Billing and tax records: 7 years, per the Canada Revenue Agency’s retention guidance.
• Incident reports (e.g., first-aid logs): 5 years, per our insurance carrier’s requirements.
• Marketing preferences and unsubscribe records: indefinitely, to honour your opt-out choices.
• CCTV footage at our locations: 30 days rolling, unless preserved for an active incident review.

We use a layered approach to safeguard personal information:

• All data is encrypted in transit using TLS 1.3 and at rest using AES-256.
• Passwords are hashed using Argon2id with per-user salts.
• Multi-factor authentication is required for all staff accounts with access to member data.
• Access is granted on a need-to-know basis and logged.
• Our staff complete annual privacy and workplace-safety training.
• We maintain an internal breach-response plan and will notify the Office of the Privacy Commissioner of Canada and affected individuals without undue delay if a breach poses a real risk of significant harm, as required by PIPEDA.

You have the right to:

• Access the personal information we hold about you, and request a copy.
• Request correction of inaccurate, incomplete, or outdated information.
• Withdraw your consent to certain uses of your information (for example, marketing emails) at any time.
• Ask us to delete your account, subject to our retention obligations in Section 7.
• Ask questions about our privacy practices or challenge our compliance with PIPEDA.

To exercise any of these rights, contact our Privacy Officer (Section 12). We will respond within 30 days. If you are not satisfied with our response, you may escalate the matter to the Office of the Privacy Commissioner of Canada at priv.gc.ca or by calling 1-800-282-1376.

We use first-party cookies to:

• Keep you signed in to your member account.
• Remember the location you last booked at.
• Protect against cross-site request forgery (CSRF).
• Collect aggregated, pseudonymized analytics through Plausible Analytics. Plausible does not use third-party cookies, does not collect personal data, and does not track users across sites.

We do not use Google Analytics, Meta Pixel, or any other third-party advertising trackers. You may block cookies in your browser settings; some site features will not function without them.

Our facilities are adult environments. We do not knowingly collect information from anyone under the age of 18. Guests between 16 and 17 may attend with a parent or guardian and written consent, for bodywork and tea lounge only — sauna and cold plunge access requires verified age 18+.

Our designated Privacy Officer is Rohan Arora.

• Email: privacy@vellumritual.com
• Mail: Vellum Ritual House Inc., Attn: Privacy Officer, 100 Ossington Ave, Toronto, ON M6J 2Z4
• Phone: (416) 482-RITE (7483), extension 2

Please do not include sensitive health information in unsolicited email. We will arrange a secure channel if needed.

We review this Privacy Policy annually. Material changes will be communicated by email to active members and posted to this page with an updated “Last updated” date at least 30 days before taking effect. Your continued use of the Services after an update takes effect constitutes acceptance of the revised policy.