Clearhead Limited (we, us, our) complies with the New Zealand Privacy Act 1993 (the Act) when dealing with personal information. Personal information is information about an identifiable individual (a natural person). This policy sets out how we will collect, use, disclose and protect your personal information. This policy does not limit or exclude any of your rights under the Act. If you wish to seek further information on the Act, see www.privacy.org.nz.
Changes to this policy
We may change this policy by uploading a revised policy onto the website. The change will apply from the date that we upload the revised policy.
Who do we collect your personal information from
We collect personal information about you from:
- you, when you provide that personal information to us, including via the website, mobile application and any related service, through any registration or subscription process, through any contact with us (e.g. telephone call or email), or when you use our services.
- You may be able to use your social media login (such as Facebook Login, or Google Login) to create and log into the Clearhead Platform. This saves you from remembering another user name and password and allows you to share some information from your social media account with us. The information provided to us from these companies includes their unique identifier for your account, your email address, your name, date of birth and profile picture.
- For users of our provider platform who are mental health professionals and who connect their calendar to our system, we will receive details about all events on your calendar. For each of these events, the time and title will be stored on our system and used to display accurate real-time availability information for the online booking system.
- third parties where you have authorised this or the information is publicly available.
If possible, we will collect personal information from you directly.
When you interact with our Service through various social media, such as when you follow Clearhead or share Clearhead content on Facebook, Twitter, LinkedIn, Instagram or other sites, we may receive information from those social networks including your profile information, picture, user ID associated with your social media account, friends list, and any other information you permit the social network to share with third parties. The data we receive is dependent upon your privacy settings with the social network. You should always review, and if necessary, adjust your privacy settings on third-party websites and services before linking or connecting them to our website or Service.
How we use your personal information
We will use your personal information:
- to verify your identity
- to provide our recommendations of mental health professionals to you, and to pass it on to the mental health professional you made a therapy booking with so that they can contact you.
- to provide our recommendations of a range of mental health resources available to you
- to provide use of our self-management tools for mental wellbeing to you
- to check and publish up to date availability for mental health professionals on our site
- to communicate directly with you, such as to send you email messages and push notifications. We may also send you Service-related emails or messages (e.g., account verification, change or updates to features of the Service, technical and security notices). You are able to control your communication preferences. Some of our communication will be handled via a third-party mail provider such as Mailchimp and Sendgrid.
- to improve the features and functionality of the services we provide to you.
- to improve the quality and design of the Website, including, without limitation, saving you the trouble of re-entering data and queries, personalizing and customizing the Clearhead Platform, tracking your use of the Clearhead Platform and generating statistics regarding the Clearhead Platform. A third-party provider, Hotjar, is utilised to support some of this improvement work.
- to authorise and send self-referrals to your healthcare provider, based on your completed self-assessments, after you have consented for us to do so. This information would be securely transferred by Ministry of Health authorised Health IT vendors, Healthlink and Valentia, through their systems to your nominated GP's practice management system.
- to authorise and process payment including credit card transactions
- to respond to communications from you, including a complaint
- to conduct research and statistical analysis but only with de-identified data
- to protect and/or enforce our legal rights and interests, including defending any claim
- for any other purpose authorised by you or the Act
Disclosing your personal information
We do not disclose personal information to any third parties, except in the following circumstances:
- to any mental health professional that you book online with through our platform. We will provide them any information required for them to process your booking
- any business that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or other services and products. Any information shared with these parties will remain confidential unless required by law. The cloud hosting service that supports our platform is located outside New Zealand which means your personal information is held and processed outside New Zealand but complies with the New Zealand Ministry of Health guidelines. These are currently Microsoft Azure, Google Cloud Platform, Google Analytics, Google Tag Manager, Cloudflare, HotJar and Sentry
- other third parties for aggregated non-personally identifiable statistical information only and the purpose of maintaining, operating, providing or improving the Clearhead Platform, including by sending you non-marketing, administrative or customer service e-mail messages.
- to service providers and other persons working with us to make the Clearhead Platform available or improve or develop its functionality (e.g. we may use a third party supplier to host the Clearhead Platform). These providers and other persons will be covered by confidentiality agreements. Clearhead also has strict permission schemes that determine what level of access to the data a person is granted, on a need-to-know basis only. We also provide privacy training to all our employees and contractors before they are able to access the Clearhead system, and we keep an audit log of who has accessed the system.
- in relation to the proposed purchase or acquisition of our business or assets
- a person who can require us to supply your personal information (e.g. a regulatory authority)
- any other person authorised by the Act or where required by applicable law or any court, or in response to a legitimate request by a law enforcement agency.
- any other person authorised by you.
For mental health professionals who have connected using their Google/Outlook account and granted permission to access their calendar, the details of any bookings created on the Clearhead booking management system will be synced to their Google/Outlook account and calendar.
We do not disclose to any third-party any personally identifiable information (including any identifiable health information, emails, etc.) provided by you as a registered user that you do not make publicly available on the Clearhead Platform without your authorization, unless required by law. However, we reserve the right to notify public health authorities, law enforcement, or other persons capable of addressing the situation if we believe that such information (by itself or when coupled with information contained in any of your posts) indicates potential harm to yourself or others.
For users logging in with Google or Facebook
When a user logs in with their Google or Facebook Account, Clearhead receives and stores the following information from Google or Facebook.
- Your Google account information (name, email address and unique account identifier)
- Your Facebook account information (name, email address, date of birth, profile picture, and their unique account identifier)
Clearhead does not provide Google or Facebook with any information you provide to the Clearhead platform; however, Google or Facebook will record that you logged into the Clearhead platform against your Google or Facebook Account.
For users using Google or Outlook Calendar Integration (Mental health service providers only)
For practitioners who enable Google or Outlook Calendar Sync, we will collect the following pieces of information:
- Your Google or Outlook account information (name, email address)
- The headline and ID of every calendar event on your Google or Outlook calendar from the time you enable calendar sync to the time you disable it. A copy of these will be stored in our database and kept in sync with the Google or Outlook copy. This is solely to provide a unified calendar view.
For practitioners who enable Google or Outlook Calendar Sync, we share the following information with Google.
- A copy of all future appointments and blocks from the time you have enabled calendar sync to the time you disable calendar sync. This allows Clearhead appointments to appear in your Google or Outlook Calendar.
Provision of personal information
- You are not required to provide personal information to us, although in some cases if you choose not to do so then we will be unable to make certain sections of the Clearhead Platform available to you. For example, we may need to have your contact information in order to complete the booking of therapy appointments with a selected mental health professional. Our recommendation engine is also only able to personalise the supports and services available to you if you provide an accurate summary of the challenge that you are facing.
- When you provide personal information to us, we will comply with the New Zealand Privacy Act 1993.
Protecting your personal information
Maintaining your trust and privacy is extremely important to us. Below are reasonable steps we have taken to keep your personal information safe from loss, unauthorised activity, or other misuse.
- Your data is yours and we do not sell any identifiable data to third parties
- Your data is encrypted at rest using the 256-bit Advanced Encryption Standard (AES-256).
- To protect your data as it travels over the Internet, we use Transport Layer Security (HTTPS) for all communications.
- We comply with the HISO 10029:2015 Standard.
- Our platform is hosted in the Google Cloud Sydney Data Centre. These data centers are certified for compliance with HIPAA, ISO/IEC27001, SOC 1 and FedRAMP. They have stringent security policies regarding access and are recommended by the New Zealand Ministry of Health.
- We ensure that regular security audits occur.
- We are a New Zealand company and we follow and abide by the New Zealand Privacy Act 1993 and the Health Information Privacy Code 1994.
The Clearhead Platform is provided under the best commercially reasonable data security practices, in order to prevent unauthorized access, disclosure, alteration or deletion of any and all information stored in our systems. You acknowledge, however, that no such effort can completely guarantee the security of the stored data, that breaches of security are still a possibility regarding our systems, and that a data security breach resulting in unauthorized access to your information can occur in third-party systems (for example, ISPs, third-party providers, and hosting service providers). As a result, we do NOT warrant or ensure the integrity and security of the data stored in our systems, including without limitation your information.
Accessing and correcting your personal information
Subject to certain grounds for refusal set out in the Act, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates. In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction. If you want to exercise either of the above rights, email us at [email protected]. Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting). We may charge you our reasonable costs of providing to you copies of your personal information or correcting that information.
Control over your information
Profile and Data Sharing Settings. You may update your profile information, such as your user name and profile photo, and may change some of your data sharing preferences through your wellbeing portal.
How to control your communications preferences: You can stop receiving promotional email communications from us by clicking on the “unsubscribe link” provided in such communications. We make every effort to promptly process all unsubscribe requests. You may not opt out of service-related communications (e.g., account verification, transactional communications, changes/updates to features of the Service, technical and security notices).
Modifying or deleting your information: You have the right to request access to and correction of any of the personal information we hold about you. If you have any questions about reviewing, modifying, or deleting your information, or if you want to remove your name or comments from our website or publicly displayed content, you can contact us at [email protected].
Last updated: 17/8/2020