Privacy policy
Last updated 29 April 2026
Connect Clinic Limited ("Connect Clinic", "we", "us", "our") is a New Zealand company committed to protecting your personal and health information. This policy explains how we collect, use, and safeguard the information you share with us. We comply with the Privacy Act 2020 and the Health Information Privacy Code 2020.
1. Who we are
Connect Clinic Limited (NZBN to be confirmed). Registered office: 26 Whakahui Lane, Mangere Bridge, Auckland 2022. Sole director and Privacy Officer: Dr Francis Katoa MBChB, FRNZCGP.
Privacy queries: connectclinic@outlook.com · 09 873 5039 ext. 800.
2. What we collect
Identifying information
- Full name, date of birth, gender, NHI (if provided), ethnicity (optional)
- Email, mobile, residential address, preferred pharmacy
- Emergency contact (if you choose to share one)
Health information
- Reason for consult, current symptoms, family history, current medications, allergies
- Clinical notes generated during your consult, prescriptions issued, certificates issued
- Outcomes you share with your health coach (mood, weight, blood-sugar, behaviour goals)
- Lab results uploaded by you or sent to us with your consent
Technical information
- Booking timestamps, payment confirmation references (no card numbers; Stripe handles those)
- IP address and browser type for security and analytics (anonymised)
3. Why we collect it
- To assess your health concern and provide safe clinical care
- To issue scripts, certificates, referrals, and lab requests
- To coordinate care between your GP and your health coach
- To meet our legal record-keeping obligations under the Health Practitioners Competence Assurance Act 2003 and Medicines Act 1981
- To process payments via Stripe
- To improve our service (de-identified, aggregated)
4. Where your data lives
- Clinical records: Elixir PMS, NZ-hosted (Microsoft Azure Australia East and NZ)
- Bookings: Supabase (encrypted, EU-hosted by default; we are evaluating NZ-region options)
- Payments: Stripe (PCI-DSS Level 1 certified)
- Email: Microsoft 365
- Video consultations: Zoom (end-to-end encrypted, not recorded by us)
We never sell your data, ever. We never use your data to train AI models. Connect Clinic-built apps (Mahino, Talanoa) process all sensitive information on your device and do not transmit photos or health data to our servers.
5. Who we share it with
We only share with:
- Your nominated pharmacy (for prescriptions only, via NZePS)
- Your usual GP or health provider, with your written consent (for continuity of care)
- Specialists or labs you've been referred to
- NZ Police, Coroner, or HDC if required by law
- The Medical Council of NZ in the event of a competence inquiry
We do not share with insurers, employers, advertisers, or family members without your explicit consent.
6. Your rights
Under the Privacy Act 2020 and HIPC 2020 you have the right to:
- Access your records, usually within 20 working days, free of charge
- Correct errors in your records
- Restrict some uses of your information
- Withdraw consent for marketing or non-clinical uses at any time
- Complain to us, then to the Office of the Privacy Commissioner if unresolved
To exercise any of these, email connectclinic@outlook.com.
7. Retention
Clinical records are retained for at least 10 years after your last visit, as required by the Health Practitioners Competence Assurance Act and the National Health Index Information Governance. Booking and payment records are kept for 7 years for tax purposes.
8. Children and tamariki
Patients under 16 require a parent or guardian to be present for the consult, and the consenting adult is the named record-holder. Information about young people aged 12–17 is treated with extra confidentiality where they consent independently and the law allows.
9. Pacific and Māori data sovereignty
We acknowledge tino rangatiratanga and Pacific data sovereignty principles. Where research or de-identified data is requested by Pacific or Māori-led research bodies, we'll only participate with your explicit informed consent and applicable iwi or community sign-off.
10. Security
We use industry-standard encryption in transit (TLS) and at rest, and two-factor authentication on all clinical systems. We audit access logs annually. Reportable breaches are notified to you and the OPC within 72 hours.
11. Changes to this policy
We'll post any material changes here with a new "last updated" date and email registered patients if the change affects how their data is used.