Privacy Policy (New Zealand)

Introduction

This Privacy Policy outlines the commitment of Heron Health Limited (we, us, or our) to safeguarding Personal Information provided to us by our customers (you or your) and ensuring that all data processing activities are conducted in strict compliance with the Privacy Act 2020 (the Privacy Act) and the Health Information Privacy Code 2020.

Scope

This Privacy Policy applies to all Personal Information collected, used and disclosed through Heron, our cloud-based patient booking and inquiry software system, and any related services, products, or other engagements that we have with you.

Where we process Personal Information on behalf of healthcare providers using Heron, those providers act as the 'agency' (data controller) and are responsible for ensuring appropriate notices and consents are obtained from their patients in accordance with applicable privacy laws.

Where we collect Customer Data indirectly (that is, from your clinic rather than from the patient), we rely on the exception under IPP 3A of the Privacy Act 2020 on the basis that healthcare providers have already informed the patient of the collection. You are responsible for ensuring that your patients are made aware that their Personal Information may be processed through Heron, including the purposes of collection, the categories of recipients, and their rights of access and correction under IPP 6 and IPP 7.

Important Notice: Not a System of Record

Heron is a communication and booking interface, not a clinical System of Record (SoR). While Heron may capture and temporarily store health information (such as call transcripts or summaries), you are solely responsible for ensuring that any relevant health information is transferred to and maintained in your own System of Record (such as your Patient Management System) in accordance with your legal obligations. Heron does not accept responsibility for your regulatory compliance obligations, including but not limited to health record retention requirements.

Information We Collect

We collect Personal Information about you and your customers when you sign up as a user of Heron and use Heron and our related services. The types of information we may collect include:

• Account Data: personal details such as your name, email address, phone number, physical address, payment information, and business information, to provide and enhance our services.
• Customer Data: various types of data relating to your customers that is input into Heron. This data may include Personal Information such as patient appointment booking information, names, contact details, conversation transcripts, demographic information (such as date of birth, gender, and location), medical identification numbers, appointment histories, information relating to your customer’s health and health conditions, medical history and health insurance.
• Usage Data: data on how you and your customers interact with Heron, including call transcriptions, call summaries, web chat and feedback provided.
• Voice Recordings (optional): Audio recordings of telephone calls placed through the Heron telephony module when your clinic chooses to enable call recording. Recordings may capture patient identifiers and clinical information. By enabling this feature, you confirm that you have implemented appropriate procedures for collecting health information via voice recording in accordance with the Privacy Act 2020 and the Health Information Privacy Code 2020. You are responsible for all compliance obligations relating to the collection and use of voice recordings. Heron disclaims any liability for your failure to comply with applicable recording and privacy laws.
• Technical Data: Information automatically collected and retained for up to 9 months after the user becomes inactive that is reasonably necessary for service delivery, security, and technical support. Essential technical data includes device type and browser information (for compatibility and troubleshooting), browser version, operating system information, screen resolution, and IP address (for security protection and geographic routing). Application analytics data is collected for enhancement purposes and may be disabled in your account settings if preferred.
• Cookies: Heron uses cookies which are small text files placed on your device to enhance your user experience. Types of cookies we use include:
  • session cookies for managing user sessions;
  • persistent cookies for remembering user preferences; and
  • third-party cookies for tracking and analytics, advertising, and other purposes.

Cookies collect information such as IP addresses, browser types, device information, and browsing activity. You can manage cookie preferences in your account settings and opt-out of third-party cookies if applicable.

Security of Personal Information: We will take reasonable steps to secure Personal Information against unauthorised access or breaches. Our security measures are in accordance with our legal obligations, our Internal Privacy Policies and industry standards, taking into account the nature of the Personal Information.

Use of Information

We process, use, collect, and retain your data in a manner that complies with applicable laws and regulatory requirements. In particular:

• Provision of Services: We collect and use your data, including the data inputted into Heron relating to your customers, to operate Heron and deliver our services, and support your account.
• Quality assurance: we review voice recordings for this purposes only and do not use the audio to train any AI models.
• Service Improvement: We collect and use your data to identify bugs, improve features, and enhance the overall user experience of Heron. This processing is based on our legitimate interest in improving our service. To the extent that we use information relating to your customers to improve and enhance our services, it is only used in an aggregate or other de-identified form.
• Communication: We may use your contact information to send updates, gather feedback, and inform you about changes or new features. You can opt out of marketing communications at any time.
• Security: Technical data is processed to maintain the security and integrity of our systems, to fulfil our legitimate interest in protecting our services and users, and your data.
• Artificial Intelligence (AI): Heron leverages AI to enrich your experience, boost operational efficiency and to offer advanced functionalities. We do not currently collect or use any data from you or your customers for the purposes of training any AI models. Should we consider any changes to this approach in the future to align with evolving industry standards or technological developments, we will provide you with at least 60 days' advance written notice and an opportunity to provide feedback before implementing any such changes. Any future modifications to our AI data use practices would be subject to updated privacy disclosures and, where required by law, your explicit consent.

Data Protection

We take data security seriously and have implemented appropriate technical and organisational measures to protect data from misuse, interference, loss, unauthorised access, modification, or disclosure. This includes:

• Encryption: All personal and usage data is industry-standard encrypted both in transit and at rest. Any third-party integration keys and secrets will be encrypted before being sent and stored.
• Access Control: Access to data is restricted to authorised personnel involved in the maintenance, development and improvement of Heron. We enforce strict access controls and regularly review permissions.
• Anonymisation: Where possible, we anonymise data to further protect your and your customer’s privacy.
• Notifiable Privacy Breaches: If we experience a privacy breach that has caused or is likely to cause "serious harm" to an affected individual (as defined under Part 6 of the Privacy Act 2020), we will, acting reasonably and in good faith based on information available at the time of assessment and in accordance with guidance published by the Office of the Privacy Commissioner, notify, as soon as practicable and in any event within 72 hours of becoming aware of the breach, the Office of the Privacy Commissioner (OPC) and affected individuals, outlining the steps we have taken to remediate the breach.

Collection Authority

The collection of Personal Information through Heron and our related services is conducted in accordance with specific legal bases under New Zealand law:

Account Data: collected for the performance of our contractual obligations under the Terms of Service and our legitimate interests in account security, billing, and regulatory compliance.

Customer Data (health information): collected on the basis of healthcare provider obligations under the Health Information Privacy Code 2020, patient consent obtained by healthcare providers, and our legitimate interests in service delivery where permitted by IPP 10.

Usage Data: collected for the performance of essential service features (such as transcriptions and summaries) and our legitimate interests in service improvement and operational continuity.

Technical Data: collected for our legitimate interests in system security, technical support, service compatibility, and fraud prevention.

Voice Recordings: collected only where your clinic has enabled call recording and confirmed that appropriate procedures are in place in accordance with the Privacy Act 2020 and the Health Information Privacy Code 2020.

Where applicable, we will inform you whether the provision of Personal Information is voluntary or mandatory, as well as the possible consequences of failing to provide such data. Healthcare providers using Heron are responsible for obtaining appropriate patient consents and notices as agencies under applicable privacy laws.

Data Retention

Account Data: We retain invoices, payment records and other corporate financial records only for as long as reasonably necessary for business and operational purposes, which may include account management, financial reporting, and customer support. We will not retain such records beyond seven (7) years from the end of the financial year in which the transaction occurred, as required by the Tax Administration Act 1994.

Personal Information: We keep personal information only while it is reasonably necessary for the specific purpose for which it was collected or to meet a legal obligation. When that purpose ends, we securely delete or de-identify the data as required by IPP 9 of the Privacy Act 2020.

Customer Data: We retain health-related data - such as bookings, transcripts, voice recordings and call summaries containing health information - on a strictly temporary basis for up to 90 days to enable you to review and transfer relevant information to your own systems. This temporary storage is provided as a convenience only and does not constitute permanent record-keeping. For the avoidance of doubt, Heron processes Customer Data on your behalf as a data processor and does not independently hold health information as a health agency under the Health Information Privacy Code 2020. The retention obligations applicable to health agencies, including the 10-year minimum retention period under the Health (Retention of Health Information) Regulations 1996, apply to you as the agency holding the primary health record and not to Heron.

You acknowledge that:

You are solely responsible for exporting all relevant health information to your own System of Record (such as your Patient Management System) within this 90-day period and for meeting all applicable regulatory requirements for health record retention;

After 90 days, this data is automatically deleted from our systems; and

We do not retain health information for the statutory 10-year period required of health providers; this obligation rests entirely with you as the agency holding the primary health record.

Third-Party Services

We do not share Personal Information with third parties except as reasonably necessary to provide our services (such as cloud hosting providers, payment processors, telephony infrastructure, and AI processing tools).

When engaging market-leading technology vendors, we take reasonable steps to ensure your data remains protected. Rather than bespoke contracts, these providers are typically engaged under standard industry Data Processing Agreements (DPAs) or Terms of Service. We conduct due diligence to ensure these standard agreements offer privacy, security, and confidentiality protections that are consistent with the Privacy Act 2020 and the Health Information Privacy Code 2020.

Our vendor agreements generally include:

• commitments to implement appropriate technical and organisational security measures to protect Personal Information from unauthorised access or loss;
• restrictions on the use of Personal Information for purposes other than providing their specific services to us (for example, our AI and telephony vendors are restricted from using your health data or transcripts to train their own foundational AI models); and
• obligations to notify us in the event of a data breach affecting our systems.

Data Transfers

Personal Information may be stored and processed in New Zealand, Australia, and the United States through our third-party service providers. For data transfers to Australia, we rely on the recognised similarity of Australian privacy laws to New Zealand's Privacy Act 2020. For data transfers to the United States, we ensure protection through binding contractual arrangements that provide equivalent safeguards to the Privacy Act 2020. Where Customer Data includes health information, cross-border disclosures are also made in accordance with Rule 12 of the Health Information Privacy Code 2020. For the avoidance of doubt, our primary database and core data storage reside securely within Australia. However, current likely overseas recipients include vendors located in the United States, which we utilise for specific critical infrastructure components. This includes providers for API hosting, telephony services, AI processing (such as real-time speech-to-text and text-to-speech), and payment processing. A complete, current list of our overseas recipients and their locations is available upon request.

Your rights

• Access: You have the right under IPP 6 to request access to the Personal Information we hold about you and/or your customers. We will provide a decision on your request within 20 working days of receiving a valid request, subject to verification of your identity and provided that the request is sufficiently specific to enable us to locate the relevant information. For complex requests involving large volumes of data or requiring extensive search efforts, we may extend this timeframe by up to an additional 20 working days with prior notice. We may charge reasonable costs for processing requests that require substantial time or resources.
• Correction: We will update our records promptly upon verification of the new information. Under IPP 7, you can request corrections to any inaccurate, out-of-date, incomplete, or misleading information we hold. We will respond to correction requests within 20 working days of receiving a reasonable period valid request, provided that you supply sufficient evidence to support the requested correction and the request is sufficiently specific to enable us to locate the relevant information.
• Retention and removal: We do not retain your personal information for longer than is reasonably necessary for the purpose for which it was collected, in accordance with IPP 9 of the Privacy Act 2020. You may ask us to review whether we still need to hold specific information about you or your customers. Where we determine that retention is no longer necessary and no legal obligation requires us to keep it (such as under the Tax Administration Act 1994 or the Health (Retention of Health Information) Regulations 1996), we will securely delete or de-identify the data.
• Complaints: If you believe we have breached your privacy rights, you may lodge a complaint with our Privacy Officer using the contact details below. If you are not satisfied with our response, you have the right to complain to the Office of the Privacy Commissioner (privacy.org.nz).

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. We will notify you of any significant changes by email or through the Heron app, or we will post an updated version on our website www.heyheron.ai. Significant changes include alterations to how we collect, use, or share Personal Information. We encourage you to review this Privacy Policy periodically to stay informed of any updates.

Contact Us

The agency collecting and holding your information is:

Heron Health Limited
9 Huron Street, Takapuna, Auckland, 0622, New Zealand

If you have any questions or concerns about this Privacy Policy or your data, please contact our Privacy Officer:

Email: hello@heyheron.ai
Attention: Heron Privacy

If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner (OPC) by calling 0800 803 909 or visiting www.privacy.org.nz.

Last Updated

This Privacy Notice was last updated on 2 April 2026.

Definitions

For the purposes of this Privacy Policy:

“Customer Data” means any data provided by you or your customers, that is entered into, stored in, or processed Heron, and any data that is based on or derived from this data and provided to you via Heron.

“Internal Privacy Policies” means our internal data policies including in relation to information security, information retention, incident response and recovery.

"Personal Information" means any information about an identifiable individual, as defined under the New Zealand Privacy Act 2020.