Privacy Policy
Organisation: Health and Support One-on-One Therapy and Rehabilitation (the “Trust”), trading as Health and Support
Effective date: 24 August 2025 — Approved by Board: 14 August 2025 — Next review due: 24 August 2026
1. Who we are
We are a New Zealand charitable trust providing person‑centred one‑on‑one therapy, rehabilitation, education, and community workshops (“services”). We are a “health agency” for the purposes of the Health Information Privacy Code 2020.
2. Scope
This policy explains how we collect, use, store, share and protect personal information, including health information. It applies to clients, whānau/support people, donors, volunteers, employees, contractors and suppliers.
3. Our commitments
- We comply with the Privacy Act 2020 and the Health Information Privacy Code 2020 (HIPC).
- We collect only what we need, keep it safe, and don’t hold it longer than necessary.
- We help you access and correct your information as soon as reasonably practicable and within 20 working days (extensions with notice where allowed).
- We assess suspected privacy breaches and, where a breach is notifiable, notify the Privacy Commissioner and affected people as soon as practicable.
3A. Collection notices (how we inform you)
When we collect information, we tell you: the purposes, who will receive/use it, whether it’s required and any consequences of not providing it, our contact details, and how to access/correct your information. We provide this notice on our forms and at the point of care. For donations: you can choose to donate anonymously (no tax receipt) or provide your details so we can issue a tax receipt.
4. What we collect
- Identity & contact information
- Therapy and rehabilitation notes (health information), referrals and assessments
- Whānau/support contact details
- Donation and tax‑receipt information (if you choose to receive a receipt): donor name, contact details (email and/or postal address), donation amount and date, receipt/transaction number, and any donation designation/purpose. We do not store full payment card numbers or bank account numbers. Payments are processed by our payment service provider(s).
- Employment/volunteer records and safety‑checking results where required by law
- Website/analytics data and device information
5. How we collect it
We collect information directly from you (e.g., intake and donation forms, emails, phone), from others with your consent (or where permitted/required by law), and from publicly available sources when appropriate. For donations: information may also come via our fundraising platform or payment service provider (e.g., receipt numbers, confirmation of payment). We receive only the information needed to issue receipts and reconcile donations; we do not receive or store full card or bank details.
6. Why we use it
- To deliver therapy and rehabilitation services and support plans
- To provide education and workshops
- To communicate with you about appointments and services (including SMS/email reminders)
- To manage donations, issue tax receipts (where requested/eligible), acknowledge gifts, and reconcile accounts (including responding to Inland Revenue or auditor queries)
- To meet legal and funding obligations (for example, health and safety, audit, reporting)
6A. Donations and tax receipts (your choices)
You may donate anonymously (we record only non‑identifiable transaction details and cannot issue a tax receipt), or you may provide your name and contact details so we can issue a tax receipt and send it to you. If you later ask us for a receipt for a past donation, we may need information that links you to that transaction (for example, the transaction/receipt number and contact details).
7. Sharing information
We may share information with you and your whānau (with consent where required), with health and social‑service providers involved in your care, emergency services, contractors acting for us (under confidentiality), funders/regulators, or law enforcement where required or permitted by law. For donations: we may share donor information with our service providers who help us process payments and issue/send receipts (under contract and confidentiality), our auditors, and with Inland Revenue if requested or required by law. We do not sell personal information.
8. Overseas disclosure
If we use overseas cloud or IT providers, we ensure comparable safeguards for your information (contractual and technical measures). If comparable protections are not in place, we will seek your express authorisation after explaining any risks.
9. Security
We protect information using layered security: role‑based access, MFA where available, encryption in transit and at rest (for systems that support it), staff training, confidentiality agreements, secure disposal, and privacy‑by‑design in new projects. We do not store full payment card numbers or bank account numbers.
10. Retention
- Health records: at least 10 years from the last date of service
- Donation/tax‑receipt records: at least 7 years (to meet financial and tax requirements)
- Financial records (general): at least 7 years
- HR/volunteer records: in line with legal requirements and our retention schedule
- Safeguarding records: retained in line with legal obligations and our risk‑management needs (and not less than any applicable health‑record minimums when part of the health file)
11. Your rights
You may access and correct your information. You may authorise an agent to act for you. Contact our Privacy Officer to make a request. We respond as soon as reasonably practicable and within 20 working days (we may extend timeframes where permitted, and we will tell you if we do). If unresolved, you may contact the Office of the Privacy Commissioner or, for health‑service concerns, the Health and Disability Commissioner.
12. Cookies & analytics
Our site uses essential cookies and optional analytics. We will tell you which analytics provider we use and the data it collects; you can control cookies via your browser or our banner.
13. If things go wrong (privacy breaches)
We will promptly contain and assess suspected breaches, and where a breach is likely to cause serious harm, we will notify the Privacy Commissioner (via NotifyUs) and affected people as soon as practicable, with guidance on steps you can take.