Herb Dispenser — Privacy Policy
Last Updated: January 2025
Website: herbdispenser.com
Company: Herb Dispenser
Address: 213 Queensway S. Unit 400, Keswick, Ontario, L4P 0A2, Canada
1. Introduction
Herb Dispenser (“we”, “us”, “our”, or “the Company”) is committed to protecting the privacy and security of the personal information of everyone who interacts with our website and services, including minors. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you visit our website at herbdispenser.com (the “Website”), create a practitioner or patient account, use our herbal medicine dispensing platform, or otherwise interact with us.
This Privacy Policy applies to:
- Practitioners — qualified herbal medicine practitioners, TCM practitioners, acupuncturists, naturopaths, western herbalists, and TCM students who register for and use a Herb Dispenser practitioner account
- Patients — individuals who receive herbal medicine formulas dispensed and shipped by Herb Dispenser on behalf of their prescribing practitioner, including minor patients whose prescriptions are managed by a parent or legal guardian
- Website Visitors — anyone who visits herbdispenser.com regardless of whether they create an account
Please read this Privacy Policy carefully. By using our Website or services, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this policy. Where a patient is a minor, the parent or legal guardian of that minor acknowledges and agrees to this policy on their behalf.
This Privacy Policy should be read alongside our Cookie Policy and Terms of Service, which together govern your use of the Herb Dispenser website and services.
2. About Us
Herb Dispenser is a practitioner-only herbal medicine dispensing platform that allows qualified herbal medicine practitioners to build custom herbal formulas and have them dispensed and shipped directly to their patients worldwide, including minor patients under the care of a qualified practitioner. Our platform is powered by Dispensary Tree.
Company Name: Herb Dispenser
Business Address: 213 Queensway S. Unit 400, Keswick, Ontario, L4P 0A2, Canada
Website: herbdispenser.com
Email: (Mark for client to insert privacy contact email)
Phone: (Mark for client to insert phone number)
For the purposes of applicable privacy legislation, Herb Dispenser acts as the data controller in respect of personal information collected through the Website and our services. Where Herb Dispenser processes personal information on behalf of practitioners in relation to their patients — including minor patients — Herb Dispenser may act as a data processor.
3. Children’s Privacy and Collection of Information From Minors
Herb Dispenser recognises the importance of protecting the privacy of minor patients. Because our platform is used by qualified herbal medicine practitioners to dispense and ship herbal medicine formulas to their patients — including patients who are minors — we do collect certain personal information relating to minor patients as part of the dispensing and delivery process.
3.1 How We Collect Information About Minors
We do not collect personal information about minors directly from the minor themselves. All personal information relating to a minor patient is provided to Herb Dispenser exclusively by the prescribing practitioner, who is a qualified herbal medicine professional, or by the minor’s parent or legal guardian through the patient portal.
Minor patients do not register for accounts independently. Patient portal accounts for minors are created and managed by the prescribing practitioner or by the minor’s parent or legal guardian.
3.2 What Information We Collect About Minors
The personal information we collect in relation to minor patients is limited strictly to what is necessary to fulfil the dispensing and delivery of their prescribed herbal formula. This includes:
- Full name of the minor patient
- Delivery address
- Email address of the parent or legal guardian for order notifications
- Phone number of the parent or legal guardian where provided
- Prescribed herbal formula details including herb names, doses, and format
- Order history and shipment tracking information
- Invoice and payment records
We do not collect any additional personal information about minor patients beyond what is strictly necessary for the provision of our dispensing and delivery services.
3.3 How We Use Information About Minors
Personal information relating to minor patients is used exclusively for the following purposes:
- To dispense the herbal formula prescribed by the minor’s qualified practitioner
- To package and ship the formula to the delivery address provided
- To send order and delivery notifications to the parent or legal guardian
- To maintain order records for the practitioner’s account
- To process payment for the order
We do not use personal information relating to minor patients for marketing purposes. We do not share personal information relating to minor patients with any third party except as strictly necessary to fulfil the dispensing and delivery of their order, as described in Section 8 of this Privacy Policy.
3.4 Parental and Guardian Consent
Where a practitioner prescribes a herbal formula for a minor patient, it is the responsibility of the prescribing practitioner to ensure that the parent or legal guardian of the minor has given their informed consent to:
- The prescription of herbal medicine for the minor
- The collection and processing of the minor’s personal information by Herb Dispenser for the purpose of dispensing and delivering the formula
- The direct-to-address shipping of herbal medicine to the minor’s delivery address
By submitting an order for a minor patient through the Herb Dispenser platform, the prescribing practitioner confirms that they have obtained the necessary parental or guardian consent for the processing of the minor’s personal information.
3.5 Parental and Guardian Rights
Parents and legal guardians of minor patients have the right to:
- Request access to the personal information we hold about their minor child
- Request correction of any inaccurate personal information we hold about their minor child
- Request deletion of personal information we hold about their minor child, subject to our legal obligations to retain certain records
- Withdraw consent to the processing of their minor child’s personal information, subject to the impact this may have on the ability to fulfil ongoing prescriptions
- Lodge a complaint with the relevant data protection authority in their jurisdiction
To exercise any of these rights, parents or legal guardians should contact us using the details provided in Section 15 of this Privacy Policy.
3.6 Security of Minor Patient Information
We apply the same rigorous security standards to the personal information of minor patients as we do to all personal information we hold. All minor patient information is stored securely, transmitted using encryption, and accessible only to authorised personnel and the prescribing practitioner. We never share minor patient information with third parties for marketing, advertising, or any purpose unrelated to the fulfilment of their prescription.
4. The Personal Information We Collect
We collect different types of personal information depending on whether you are a practitioner, a patient (including a minor patient), or a general website visitor.
4.1 Information We Collect From Practitioners
When you register for and use a Herb Dispenser practitioner account, we collect the following information:
Account Registration Information:
- Full name
- Email address
- Phone number
- Country and business address
- Practitioner type (e.g. TCM Practitioner, Acupuncturist, Naturopath)
- Clinic or practice name
- Professional registration number or qualification details
- How you heard about Herb Dispenser
Professional Verification Information:
- Copies of professional qualifications, registration certificates, or institutional enrolment documents submitted for account verification
Account Activity Information:
- Login history and session data
- Formula building and ordering history
- Patient records created within the platform including records for minor patients
- Saved formulas and formula templates
- Order history and invoices
- Communication history with our support team
Payment Information:
- Billing address
- Payment card details — note that full card details are processed and stored by our third-party payment processor and are not stored on Herb Dispenser servers
- Transaction history and invoices
Branding Information:
- Clinic logo uploaded for use on product labels
- Any other branding assets uploaded to the platform
Communication Information:
- Emails, messages, and enquiries sent to our team
- Newsletter subscription preferences
- Marketing communication preferences
4.2 Information We Collect From Patients
Patient information is provided to Herb Dispenser by the prescribing practitioner when an order is placed. Patients — or in the case of minor patients, their parent or legal guardian — may also provide information directly when accessing the patient portal. We collect the following patient information:
Information Provided by the Prescribing Practitioner:
- Full name of the patient (including minor patients)
- Delivery address
- Email address for order notifications and portal access — for minor patients this will be the email address of the parent or legal guardian
- Phone number where provided — for minor patients this will be the phone number of the parent or legal guardian
- Prescribed herbal formula details including herb names, doses, and format
Information Provided Directly by Patients or Parents and Guardians:
- Patient portal login credentials (email and password) — for minor patients, managed by the parent or legal guardian
- Updated delivery address or contact details
- Payment details for direct patient payment (processed by our third-party payment processor)
- Refill requests submitted through the patient portal
Order and Delivery Information:
- Order history and status
- Shipment tracking information
- Invoice and payment records
Health-Related Information:
- The herbal formula prescribed to a patient — including a minor patient — may indirectly reflect health information. We treat all formula and prescription information as sensitive health data and apply the highest standards of protection to this information regardless of the age of the patient.
4.3 Information We Collect From Website Visitors
When you visit herbdispenser.com without creating an account, we may collect the following information automatically:
Technical Information:
- IP address
- Browser type and version
- Operating system and device type
- Screen resolution
- Referring website or search query
- Pages visited and time spent on each page
- Links clicked
- Date and time of visit
Cookie and Tracking Data:
- Information collected through cookies and similar tracking technologies as described in our Cookie Policy
Enquiry Information:
- Name, email address, and message content if you submit a contact form or enquiry without creating an account
5. How We Collect Your Personal Information
We collect personal information through the following means:
Directly from you — when you register for an account, place an order, submit a contact form, subscribe to our newsletter, upload branding assets, or communicate with our team
From your prescribing practitioner — when a practitioner creates a patient record and places an order on your behalf, including for minor patients whose information is provided by their prescribing practitioner with parental or guardian consent
From parents and legal guardians — when a parent or legal guardian manages a patient portal account on behalf of a minor patient
Automatically — through cookies, web beacons, and similar tracking technologies when you visit our Website, as described in our Cookie Policy
From third parties — including our platform provider Dispensary Tree, payment processors, shipping carriers, and analytics providers, in connection with the services they provide to us
From publicly available sources — such as professional registration databases, where we verify practitioner qualifications during the account approval process
6. How We Use Your Personal Information
We use the personal information we collect for the following purposes:
6.1 To Provide Our Services
- To process and verify practitioner account registrations
- To provide access to the formula builder and ordering platform
- To process and fulfil herbal formula orders for all patients including minor patients
- To dispense and ship herbal medicine formulas to patients and their families
- To provide access to the patient portal for patients, parents, and legal guardians
- To process payments and generate invoices
- To print practitioner branding on product labels
- To provide order tracking and delivery notifications to patients, parents, and legal guardians
- To process refill requests
Legal Basis (where applicable): Performance of a contract — this processing is necessary to provide the services you have requested.
6.2 To Verify Practitioner Qualifications
- To review and verify the professional qualifications submitted during account registration
- To ensure that our platform is used only by qualified herbal medicine practitioners and accredited students
- To maintain the integrity and safety of our practitioner-only platform and protect the wellbeing of all patients including minors
Legal Basis (where applicable): Legitimate interests — we have a legitimate interest in ensuring our platform is used only by qualified practitioners to protect patient safety including the safety of minor patients.
6.3 To Communicate With You
- To send order confirmations, shipping notifications, and delivery updates to practitioners, patients, parents, and legal guardians
- To respond to enquiries, support requests, and complaints
- To send account-related notifications including security alerts and policy updates
- To send our practitioner newsletter and resource updates where you have subscribed
- To send marketing communications where you have given your consent or where we have a legitimate interest to do so
- We do not send marketing communications to patients who are minors or to email addresses associated exclusively with minor patient accounts
Legal Basis (where applicable): Performance of a contract for transactional communications. Consent or legitimate interests for marketing communications.
6.4 To Improve Our Website and Services
- To analyse how practitioners and patients use our Website and platform
- To identify and fix technical issues and errors
- To develop new features and improve existing functionality
- To conduct internal research and analysis
- To monitor and improve the performance of our Website
Legal Basis (where applicable): Legitimate interests — we have a legitimate interest in improving our Website and services for the benefit of all users.
6.5 To Ensure Security and Prevent Fraud
- To protect the security of our Website, platform, and user accounts
- To detect, investigate, and prevent fraudulent transactions and other illegal activity
- To verify the identity of account holders and parents or legal guardians managing minor patient accounts
- To enforce our Terms of Service and other policies
- To protect the rights, property, and safety of Herb Dispenser, our users, minor patients, and the public
Legal Basis (where applicable): Legitimate interests and legal obligations.
6.6 To Comply With Legal Obligations
- To comply with applicable laws and regulations in Canada and in the jurisdictions where we operate
- To respond to lawful requests from regulatory authorities, law enforcement agencies, and courts
- To maintain records as required by applicable law including health and pharmacy regulations
- To comply with our obligations under applicable privacy laws including PIPEDA, CASL, GDPR, and other applicable legislation
- To comply with our specific obligations in relation to the processing of personal information of minor patients under applicable children’s privacy laws
Legal Basis (where applicable): Legal obligation.
7. Legal Bases for Processing Personal Information
Where the General Data Protection Regulation (GDPR) or UK GDPR applies to our processing of your personal information, we rely on the following legal bases:
| Processing Purpose | Legal Basis |
|---|---|
| Providing dispensing and delivery services | Performance of a contract |
| Processing orders for minor patients | Legitimate interests with parental consent obtained by the prescribing practitioner |
| Verifying practitioner qualifications | Legitimate interests |
| Sending transactional communications | Performance of a contract |
| Sending marketing communications | Consent or legitimate interests |
| Improving our Website and services | Legitimate interests |
| Security and fraud prevention | Legitimate interests |
| Complying with legal obligations | Legal obligation |
| Processing sensitive health-related formula information | Explicit consent obtained by the prescribing practitioner or, for minors, by the parent or legal guardian |
8. How We Share Your Personal Information
We do not sell your personal information to third parties. We do not share your personal information with third parties for their own marketing purposes. We share personal information only in the following circumstances and only to the extent necessary for the stated purpose:
8.1 Dispensary Tree
Our platform is powered by Dispensary Tree. Personal information entered into the Herb Dispenser platform — including practitioner account information, patient information, and minor patient information — is processed by Dispensary Tree as part of the platform infrastructure. Dispensary Tree processes this information on our behalf and is bound by data processing obligations consistent with applicable privacy law. (Mark for client to insert link to Dispensary Tree privacy policy.)
8.2 Payment Processors
We use a third-party payment processor to handle all payment card transactions. Your full payment card details are transmitted directly to and stored by the payment processor and are never stored on Herb Dispenser servers. The payment processor processes payment information on our behalf and is bound by applicable payment security standards including PCI DSS. (Mark for client to insert name and privacy policy link of payment processor.)
8.3 Shipping Carriers
We share the name and delivery address of the patient — including minor patients — with our shipping carrier partners for the sole purpose of delivering the dispensed herbal formula to the specified address. Shipping carriers are not permitted to use this information for any other purpose. (Mark for client to insert names of shipping carriers used.)
8.4 Analytics Providers
We use third-party analytics providers including Google Analytics to collect and analyse information about how our Website is used. Analytics data is aggregated and anonymised where possible. We do not share identifiable patient information — including minor patient information — with analytics providers. Please refer to our Cookie Policy for full details of the analytics cookies we use.
8.5 Email and Communication Platforms
We use third-party email and communication platforms to send transactional emails, order notifications, and newsletter communications. These platforms process email addresses and communication content on our behalf. (Mark for client to insert name and privacy policy link of email platform used.)
8.6 Legal and Regulatory Authorities
We may disclose personal information — including information relating to minor patients — to regulatory authorities, law enforcement agencies, courts, or other government bodies where we are required to do so by applicable law, court order, or regulatory requirement. We will notify affected individuals of any such disclosure where we are legally permitted to do so.
8.7 Professional Advisors
We may share personal information with our legal advisors, accountants, auditors, and insurers where necessary for the provision of professional services to Herb Dispenser. All professional advisors are bound by confidentiality obligations.
8.8 Business Transfers
In the event that Herb Dispenser is involved in a merger, acquisition, sale of assets, or other business transfer, personal information held by Herb Dispenser — including practitioner and patient information — may be transferred to the acquiring entity as part of that transaction. We will notify affected individuals of any such transfer and ensure that the acquiring entity is bound by privacy obligations consistent with this Privacy Policy.
9. International Transfers of Personal Information
Herb Dispenser is based in Ontario, Canada and operates a worldwide dispensing and shipping service. As a result, personal information we collect — including information relating to minor patients — may be transferred to, stored in, and processed in countries other than the country in which it was collected.
Where we transfer personal information outside of Canada, the European Economic Area, or the United Kingdom, we take steps to ensure that appropriate safeguards are in place to protect your personal information in accordance with applicable privacy law. These safeguards may include:
- Standard contractual clauses approved by the European Commission or the UK Information Commissioner’s Office
- Adequacy decisions recognising the destination country as providing an adequate level of data protection
- Binding corporate rules where applicable
- Other legally recognised transfer mechanisms
By using our Website and services, you acknowledge that your personal information — and where applicable, the personal information of your minor patient — may be transferred internationally as described in this section.
10. How Long We Keep Your Personal Information
We retain personal information for as long as necessary to fulfil the purposes for which it was collected, to provide our services, and to comply with our legal obligations. The following retention periods apply:
| Information Type | Retention Period |
|---|---|
| Practitioner account information | Duration of the account plus 7 years after account closure |
| Patient order and formula records including minor patient records | 10 years from the date of the last order in compliance with health record retention requirements |
| Payment transaction records | 7 years for tax and accounting compliance |
| Professional qualification documents | Duration of the account plus 3 years after account closure |
| Website visitor analytics data | 26 months from collection |
| Marketing communication records | Until consent is withdrawn plus 3 years |
| Support and communication records | 3 years from the date of the last communication |
| Cookie consent records | 3 years from the date of consent |
Where we are required by applicable law to retain personal information for a longer period, we will retain it for the legally required period. When personal information is no longer required, we will securely delete or anonymise it.
11. How We Protect Your Personal Information
We take the security of your personal information — including the personal information of minor patients — very seriously. We implement appropriate technical and organisational measures to protect personal information against unauthorised access, accidental loss, destruction, alteration, or disclosure. These measures include:
Technical Measures:
- SSL/TLS encryption for all data transmitted between your browser and our Website
- Encryption of sensitive personal information stored in our systems
- Secure, access-controlled server infrastructure
- Regular security testing and vulnerability assessments
- Firewall protection and intrusion detection systems
- Secure password hashing and storage
- Two-factor authentication options for practitioner accounts
Organisational Measures:
- Access to personal information restricted to authorised personnel on a need-to-know basis
- Staff training on data protection and privacy obligations
- Data processing agreements with all third-party processors
- Internal data protection policies and procedures
- Regular review of security practices and procedures
- Incident response procedures for data breaches
Specific Measures for Minor Patient Information:
- Minor patient information is flagged within our systems and subject to additional access restrictions
- Minor patient information is never used for marketing, profiling, or any purpose beyond the fulfilment of their prescription
- Access to minor patient records is restricted to the prescribing practitioner and authorised Herb Dispenser personnel only
Despite these measures, no method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach affecting your personal information, we will notify you and the relevant regulatory authorities as required by applicable law.
12. Your Privacy Rights
Depending on your location and the applicable privacy laws in your jurisdiction, you may have the following rights in relation to your personal information. Parents and legal guardians may exercise these rights on behalf of their minor children.
12.1 Right of Access
You have the right to request a copy of the personal information we hold about you or your minor child. We will respond to access requests within the timeframe required by applicable law — typically within 30 days.
12.2 Right to Rectification
You have the right to request that we correct any inaccurate or incomplete personal information we hold about you or your minor child. If you believe any information we hold is incorrect, please contact us and we will correct it promptly.
12.3 Right to Erasure
You have the right to request that we delete personal information we hold about you or your minor child, subject to our legal obligations to retain certain records. We may not be able to delete all information where we are required by law to retain it — for example, health and financial records subject to statutory retention periods.
12.4 Right to Restrict Processing
You have the right to request that we restrict the processing of your personal information or that of your minor child in certain circumstances — for example, while the accuracy of the information is being contested.
12.5 Right to Data Portability
Where processing is based on your consent or on a contract, and processing is carried out by automated means, you have the right to receive your personal information in a structured, commonly used, and machine-readable format and to transmit it to another controller.
12.6 Right to Object
You have the right to object to the processing of your personal information where processing is based on legitimate interests. You also have the right to object at any time to the processing of your personal information for direct marketing purposes.
12.7 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
12.8 Rights Specific to Minor Patients
Parents and legal guardians have the right to:
- Access all personal information we hold about their minor child
- Request correction or deletion of their minor child’s personal information
- Withdraw consent to the processing of their minor child’s personal information
- Object to any processing of their minor child’s personal information that is not strictly necessary for the fulfilment of their prescription
- Request that their minor child’s information be deleted upon the minor reaching the age of majority, subject to applicable retention obligations
12.9 How to Exercise Your Rights
To exercise any of the rights described above, please contact us using the details provided in Section 15 of this Privacy Policy. We may need to verify your identity — or your identity as the parent or legal guardian of a minor patient — before processing your request. We will respond to all requests within the timeframe required by applicable law.
13. Marketing Communications
13.1 Practitioner Marketing
We may send marketing communications to practitioners who have subscribed to our newsletter or who have given their consent to receive marketing communications. We may also send marketing communications to practitioners where we have a legitimate interest to do so — for example, to inform existing practitioners of new herbs, products, or platform features.
13.2 Opting Out
You can opt out of marketing communications at any time by:
- Clicking the “Unsubscribe” link in any marketing email we send you
- Updating your communication preferences in your practitioner account settings
- Contacting us directly using the details in Section 15
13.3 No Marketing to Minor Patients
We do not send marketing communications to patients who are minors. We do not use the personal information of minor patients for any marketing or profiling purpose. Email addresses associated with minor patient accounts are used exclusively for transactional communications relating to their prescription and delivery.
13.4 Transactional Communications
Even if you opt out of marketing communications, we will continue to send you transactional communications that are necessary for the provision of our services — such as order confirmations, shipping notifications, account security alerts, and policy updates.
14. Applicable Privacy Laws
Herb Dispenser is based in Ontario, Canada and serves practitioners and patients worldwide. Our privacy practices are designed to comply with the following applicable privacy laws:
Canada:
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Canada’s Anti-Spam Legislation (CASL)
- Applicable provincial privacy legislation including Ontario’s privacy laws
- Applicable health information legislation
European Union:
- General Data Protection Regulation (GDPR)
United Kingdom:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
Australia:
- Privacy Act 1988 (Cth)
- Australian Privacy Principles (APPs)
United States:
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) where applicable
- Children’s Online Privacy Protection Act (COPPA) — we comply with COPPA requirements in relation to the collection of personal information from or about minor patients
- Any other applicable state privacy laws
Other Jurisdictions:
We aim to comply with applicable privacy laws in all jurisdictions where our Website is accessed and where we ship herbal medicine products.
15. Contact Us
If you have any questions, concerns, or complaints about this Privacy Policy or our privacy practices — including our practices in relation to the personal information of minor patients — please contact us:
Privacy Contact
Herb Dispenser
213 Queensway S. Unit 400
Keswick, Ontario
L4P 0A2
Canada
Email: (Mark for client to insert privacy contact email)
Phone: (Mark for client to insert phone number)
Website: herbdispenser.com
We will respond to all privacy enquiries within the timeframe required by applicable law — typically within 30 days.
16. Complaints
If you are not satisfied with our response to your privacy enquiry or complaint, you have the right to lodge a complaint with the relevant data protection or privacy authority in your jurisdiction:
| Jurisdiction | Authority | Website |
|---|---|---|
| Canada | Office of the Privacy Commissioner of Canada | priv.gc.ca |
| Ontario | Information and Privacy Commissioner of Ontario | ipc.on.ca |
| European Union | Your local EU Data Protection Authority | edpb.europa.eu |
| United Kingdom | Information Commissioner’s Office | ico.org.uk |
| Australia | Office of the Australian Information Commissioner | oaic.gov.au |
| United States | Federal Trade Commission (for COPPA complaints) | ftc.gov |
17. Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our privacy practices, changes in applicable law, or changes in our business. When we make material changes to this Privacy Policy — including any changes to how we collect or use the personal information of minor patients — we will update the “Last Updated” date at the top of this page and notify you by email or through a prominent notice on our Website.
We encourage you to review this Privacy Policy periodically. Your continued use of our Website and services after any changes to this Privacy Policy constitutes your acceptance of the updated policy. Where changes affect the processing of minor patient information, we will take additional steps to ensure that parents and legal guardians are informed of the changes.