Skip to main content
Legal

Privacy policy

Plain-English explanation of what information we collect, what we do with it, how we protect it, and your rights under the NZ Privacy Act 2020 and the Health Information Privacy Code 2020.

Better Health Osteopathy (BHO) takes privacy seriously. We are bound by the New Zealand Privacy Act 2020 and the Health Information Privacy Code 2020 (HIPC). This page explains how we collect, use, store, and protect your personal and health information, and your rights to access and correct it.

Last updated: 2026-06-25. Effective from: 2026-05-09.

1. Who we are

Better Health Osteopathy is an Osteopathy clinic operating from two locations in Christchurch: our Fendalton clinic at 416 Ilam Road and our Cashmere clinic at 101 Colombo Street. We are registered with the Osteopathic Council of New Zealand (OCNZ) and are an ACC-accredited provider.

2. Privacy Officer

Under section 201 of the Privacy Act 2020, we have designated a Privacy Officer responsible for ensuring our compliance with the Act and HIPC. Our Privacy Officer is:

  • Lorraine Herity (Clinic Director, BHO)
  • Email: reception@betterhealthosteopathy.nz (subject: Privacy enquiry)
  • Postal address: 416 Ilam Road, Fendalton, Christchurch 8052, New Zealand

All privacy enquiries, access requests, and complaints are handled by the Privacy Officer. Statutory response time for access and correction requests is 20 working days (Privacy Act 2020 § 40).

3. What information we collect

3.1 Information you give us directly

When you book or attend an appointment, we collect:

  • Name, date of birth, contact details (phone, email, address)
  • Emergency contact and next of kin (where relevant)
  • NHI (National Health Index) number, if you provide it
  • ACC claim number and accident details (for ACC-funded treatment)
  • Health history, current health information, and treatment notes
  • Information about your GP and any other treating practitioners

3.2 Information collected automatically

When you use our website, we collect limited technical information:

  • IP address (used for security and aggregate analytics; not retained against your identity)
  • Browser type and version, device type, operating system
  • Pages visited and time spent on the site
  • Referring website (where you came from)
  • Approximate geographic location (city-level, derived from IP)

This information is used in aggregate to improve the website. Individual visitors are not identified in this data unless they fill in a form or book an appointment.

3.3 Information from third parties

We may receive information about you from:

  • Your GP, specialist, or other healthcare providers (with your consent or as part of an ACC claim)
  • ACC, regarding the status of your claim and treatment authorisations
  • Insurance providers, where you've authorised release for claim purposes
  • Family members or caregivers who book on your behalf (with appropriate consent)

4. How we use your information

We use the information we collect for the following purposes:

  • Providing your treatment: assessment, diagnosis, treatment planning, clinical record-keeping, and continuity of care across visits.
  • Booking and appointment management: scheduling, reminders, rescheduling, and follow-ups.
  • Billing and payment: processing fees, ACC claims, accredited employer claims, and insurance receipts.
  • Communication with you: appointment reminders, treatment-related messages, and responses to your enquiries.
  • Communication with other healthcare providers: sharing relevant clinical information with your GP, specialists, ACC, or other practitioners involved in your care (with your consent or where authorised by law).
  • Quality improvement and safety: reviewing treatment outcomes, peer review, and complaint investigation.
  • Compliance: meeting our obligations under the HPCA Act 2003, OCNZ standards, ACC contracts, the Health (Retention of Health Information) Regulations, and other applicable law.
  • Website analytics: understanding how the website is used so we can improve it (in aggregate; not for individual profiling).

5. When we share your information

We do not sell or trade your personal information. We may share it in the following limited circumstances:

  • With other healthcare providers involved in your care, with your consent or as part of normal clinical handover (e.g., your GP, specialists, other allied health).
  • With ACC and accredited employers, to administer claims, including treatment notes and outcomes as required by ACC.
  • With our service providers, who help us run the clinic and this website. These providers are bound by privacy obligations and may only use the information for the purposes we instruct. The full list of where information is stored is in section 6 below; the website-specific sub-processors are Cloudflare (Pages hosting and Turnstile spam protection on forms) and Resend (transactional email delivery for website form submissions). For website analytics and advertising measurement, Google (Analytics, Ads, and Tag Manager) and Meta (advertising pixel) also act as sub-processors; they receive website-usage data only, never patient-identifying or health information (see section 10). We also use Microsoft Clarity for anonymised session replay and heatmaps on the marketing website; Microsoft states that it acts as an independent data controller for that usage data under the Microsoft Privacy Statement. It too receives website-usage data only, with what you type into forms masked before it leaves your browser, and never any patient-identifying or health information (see section 10).
  • With insurers, where you've explicitly authorised us to do so (e.g., for Southern Cross or nib direct billing or claim verification).
  • Where required by law, including to the Health and Disability Commissioner, the Office of the Privacy Commissioner, the police, or in response to a court order.
  • Where there is a serious risk to life or safety, in line with HIPC Rule 11(2) exceptions.

6. Where your information is stored

Your information is held in a combination of physical and digital systems:

  • Clinical records are stored in our practice management system (Cliniko), an Australian-hosted platform that meets healthcare data protection standards. Cliniko processes data within Australia under the Australian Privacy Act 1988.
  • Accounting records are kept in Xero (cloud-based, Australian and US storage as part of normal Xero operations).
  • Email correspondence is held by Google Workspace (US-based with global infrastructure).
  • Internal operational data may be hosted in Australian or New Zealand cloud regions (Supabase, AWS Sydney) for clinics' internal data needs.
  • This website is hosted on Cloudflare Pages (global edge network). When you submit a form (contact, careers, spinal decompression waitlist), the submission is verified by Cloudflare Turnstile (spam protection; no cookies, no cross-site tracking, IP briefly checked against Cloudflare's bot-reputation data) and delivered to our inbox via Resend (transactional email service; send log retained for ninety days). The contents then live in our Google Workspace inbox. Aggregate website-usage data for analytics and advertising measurement is processed by Google and Meta (see section 10); this contains no patient-identifying or health information. Anonymised session-replay and heatmap data from the marketing website is held by Microsoft Clarity in the Microsoft Azure cloud (session recordings are kept for up to thirty days, heatmaps for up to thirteen months); it too carries no patient-identifying or health information.

We choose providers that meet recognised security standards and that have data-processing agreements consistent with NZ privacy law.

7. How we protect your information

We take reasonable steps to protect your information from loss, misuse, and unauthorised access. These steps include:

  • Access controls limiting who can see clinical records
  • Multi-factor authentication on all administrative systems
  • Encryption of data in transit (TLS) and at rest where supported by our providers
  • Regular review of access permissions, including prompt removal when staff or contractors leave
  • Audit logging of access to patient records
  • Training of staff on privacy obligations
  • Privacy impact assessments before any new data-processing initiative

8. How long we keep your information

Health records are retained in line with the Health (Retention of Health Information) Regulations 1996, which require retention for at least 10 years after your last treatment. This is a statutory minimum, not a maximum; we may retain records longer where there is an ongoing clinical or legal reason to do so.

Non-clinical information (e.g., website enquiry forms not leading to a booking) is retained for shorter periods proportionate to its purpose, and disposed of securely.

9. Your rights

Under the Privacy Act 2020 and HIPC 2020, you have the following rights:

9.1 Right to access

You can ask to see any personal or health information we hold about you (HIPR 6 / IPP 6). We must respond within 20 working days. There is no charge for the first request in most cases.

9.2 Right to correct

If you believe information we hold is wrong or out of date, you can ask us to correct it (HIPR 7 / IPP 7). If we don't agree, we will at least attach a statement of correction to the record so the dispute is visible.

9.3 Right to complain

If you believe we have breached your privacy, you can:

10. Cookies and website tracking

This website uses cookies and similar technologies for site functionality, analytics (including anonymised session replay), and measuring the effectiveness of our advertising. We do not use them to identify you individually, and we never pass any patient-identifying or health information to these platforms. The technologies are managed through Google Tag Manager:

  • Essential cookies for site functionality (for example, remembering whether you have dismissed the announcement bar). These cannot be turned off.
  • Cloudflare Turnstile on pages with a form (contact, careers, spinal decompression waitlist). Turnstile is a privacy-respecting CAPTCHA replacement; it sets no cookies and does not track you across sites. It briefly checks your IP against Cloudflare's bot-reputation data to confirm you are not a bot.
  • Google Analytics 4 for aggregate website analytics (which pages are visited, how visitors arrive, broad device and city-level location). Google Analytics uses your IP address only briefly to estimate an approximate location and, per Google's documentation, does not log or store it. We send no name, email, phone number, or health information to Google Analytics.
  • Microsoft Clarity for session replay and heatmaps: an anonymised reconstruction of how visitors move through the pages (clicks, scrolling, where people pause) so we can find and fix confusing parts of the site. What you type into any form, and any numbers or email addresses shown on a page, are masked before they leave your browser, so Clarity never receives them; it cannot see who you are. Clarity sets a first-party cookie to recognise your browser and never receives any patient-identifying or health information from us. Microsoft acts as the data controller for this usage data, holds it in the Microsoft Azure cloud, and does not sell it.
  • Advertising pixels (Meta and Google). We run paid advertising on Google and on Meta (Facebook and Instagram). Their pixels measure which adverts lead to enquiries and let us show relevant adverts to people who have visited our site. These set advertising cookies and receive your activity on this website (such as the pages you view), but never any patient-identifying or health information from us.
  • Google Search Console for understanding how visitors find our site through search. This is search-side data; no extra cookies or tracking are loaded on the website for it.

How to opt out. You can refuse or delete cookies in your browser settings, or use your browser's private-browsing mode. You can also install the Google Analytics opt-out browser add-on, and manage personalised advertising through Google's Ad settings and Meta's ad preferences. Microsoft Clarity honours the Global Privacy Control signal, and you can opt out of Microsoft's behavioural analytics through the Digital Advertising Alliance opt-out (select Microsoft). Refusing cookies will not affect your ability to receive treatment with us.

We do not load any of these analytics or advertising technologies on the patient-portal areas of our digital services. The marketing website is the only surface where they run; patient-data surfaces are kept clean.

11. Breach notification

Under section 114 of the Privacy Act 2020, we are required to notify the Office of the Privacy Commissioner and affected individuals about any privacy breach that is likely to cause serious harm. We have a documented breach-response procedure to ensure prompt and appropriate action when a breach occurs.

12. Children's information

We provide care to children, including babies and infants. Information about a child is generally accessed by a parent or legal guardian. As a child grows, particularly through adolescence, their right to confidentiality strengthens. We follow OCNZ guidance on confidentiality for adolescent patients.

13. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of the page indicates when changes were last made. Material changes will be communicated to current patients where appropriate.

14. Contact us

If you have any questions about this privacy policy, your information, or your rights:

15. References