Last updated: SEP 2025
This Privacy Policy describes how Vensa Health Limited ("Vensa", "we", "us" or "our") collects, uses, discloses, stores, and protects personal information (including health information) in accordance with the Privacy Act 2020 and the Health Information Privacy Code 2020 ("HIPC").
By using our website, applications, products, or services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any aspect of this Policy, please do not use our services or platforms.
1. OUR COMMITMENT TO PRIVACY
1.1 We are committed to safeguarding the privacy of all personal information, including health information, in accordance with the Privacy Act 2020 and the Health Information Privacy Code 2020.
1.2 We will only collect, use, disclose, and store your personal information as permitted by New Zealand law and in accordance with the principles of transparency, fairness, and security.
2. WHAT INFORMATION WE COLLECT
We may collect and store the following personal information to provide our services:
2.1 Categories of information we may store
| Category | Examples | Do we store it? | Basis |
|---|---|---|---|
| Identity & contact | Name, DOB, NHI, mobile, email | Yes (account & identity matching) | Necessary to provide the service (IPP 1; HIPC Rule 1) |
| Lab & radiology results | Laboratory results, imaging reports | Yes, if enabled by your clinic and you opt in | Explicit user controls; necessary for portal display; disclosed to you in advance (IPP 3; HIPC Rule 3) |
| Clinical notes | Consult notes, discharge summaries | Yes, if enabled by your clinic and you opt in | As above |
| Medications | Current and past medications | Yes, if enabled by your clinic and you opt in | As above |
| PMS classifications | Diagnoses, conditions, problem lists | Yes, if enabled by your clinic and you opt in | As above |
| Usage data | App interactions, device & session metadata | Yes (de-identified/aggregated where possible) | Service improvement and security (IPP 5, 10) |
2.2 Sources of information
- You, when you create/manage your account or use the app.
- Your health provider, to the extent necessary to deliver portal services and subject to your privacy settings.
- Your authorised representative (e.g., parent/guardian or attorney).
2.3 Children and representatives
Where a representative acts on your behalf, we will confirm authority consistent with the Code of Rights and HIPC.
2.4 Aggregated data
We may create de-identified or aggregated datasets for service improvement and reporting. We will not re-identify these datasets without your consent or a lawful basis.
3. PURPOSES FOR USE OF PERSONAL INFORMATION
3.1 We use your information only for the following purposes:
- To provide our services and administer user accounts.
- To communicate your appointment reminders, prescription updates, or service alerts.
- To facilitate payment processing (we do not store payment card details).
- To support healthcare providers in delivering care through our platform.
- To improve and develop our services based on usage analytics.
- To comply with legal obligations or respond to lawful requests.
- To conduct ethically approved health research in accordance with Rule 11 of the HIPC (only in de-identified or approved contexts).
3.2 No secondary use without consent:
We do not use your identifiable clinical information for advertising, product training, or unrelated analytics without your express consent.
3.4 Source of truth and accuracy:
Your GP practice's PMS is the record of truth. If you believe clinical information is inaccurate, please request correction via your provider.
Vensa will reflect corrections on the next update.
4. DISCLOSURE OF PERSONAL INFORMATION
4.1 We may disclose your personal information to:
- Healthcare providers involved in your care as required.
- Our trusted service providers (e.g. IT infrastructure, hosting, and communications providers), under strict contractual privacy obligations.
- Regulatory or enforcement agencies where required by law for research or analytics purposes, but only in anonymised and non-identifiable form.
4.2 We will not disclose personal information to overseas recipients unless we ensure that the recipient is subject to comparable privacy safeguards in accordance with Principle 12 of the Privacy Act 2020.
4.3 Overseas hosting and disclosures:
We host personal information in Microsoft Azure data centres located in Australia. Where personal information is disclosed or made available to an overseas recipient, we take reasonable steps to ensure the recipient is subject to comparable safeguards consistent with Privacy Act 2020 – IPP 12 (for example, through contractual controls, security standards and audit obligations).
By using our services, you acknowledge that your information may be hosted in Australia.
4.4 Sub-processors:
We use carefully selected service providers (e.g., hosting, communications, support tools) under strict contractual privacy and security obligations.
A current list of core sub-processors is available on request (or link to a public page) and will be updated periodically.
5. SECURITY AND STORAGE OF PERSONAL INFORMATION
5.1 Security measures
We implement role-based access controls, multi-factor authentication, encryption in transit and at rest, logging and monitoring, least-privilege access reviews, and regular security testing and audits.
5.2 Where we store your information
We store information in Microsoft Azure (Australia). Controls are designed to meet NZ sector expectations for health data security and privacy.
5.3 How long we keep information (retention & deletion)
- Clinic PMS data: Your health provider must retain their clinical records for at least 10 years after your last treatment, under the Health (Retention of Health Information) Regulations 1996.
- Vensa portal copy: Vensa retains any stored clinical information only for as long as it is needed to provide portal services or until you withdraw consent or your clinic disables storage, whichever occurs first. When no longer required, we securely delete and de-identify it.
5.4 Access logs
We maintain detailed access logs. You may request a record of accesses to your information made by Vensa personnel, subject to applicable law.
6. YOUR RIGHTS
6.1 You have the right to:
- Request access to, and a copy of, personal information we hold about you, including access logs relating to your information.
- Request correction of your information. Clinical content should be corrected by your provider; Vensa will reflect those changes.
- Manage your privacy settings in the app and withdraw consent to Vensa storing specific categories (labs, clinical notes, medications, classifications). If you withdraw consent, Vensa will cease storage and will delete previously stored copies unless we are legally required to retain them.
6.2 To exercise your rights, please contact our Privacy Officer.
7. NOTIFIABLE PRIVACY BREACHES
7.1 In the event of a notifiable privacy breach (i.e. where it is reasonable to believe the breach has caused or is likely to cause serious harm), we will notify:
- You as soon as practicable.
- The Office of the Privacy Commissioner, as required under section 114 of the Privacy Act 2020.
7.2 Sector notifications
Where appropriate, we will also notify your health provider and CERT NZ alongside the Office of the Privacy Commissioner, and cooperate with any investigation.
8. CONTACT US
For any questions, access or correction requests, or privacy concerns, please contact:
Privacy Officer
Vensa Health Limited
PO Box 8349, Symonds Street, Auckland, New Zealand
Phone: 0800 736 463
Email: support@vensa.com
9. YOUR PRIVACY CONTROLS (OPT-IN/OPT-OUT)
You may manage the following settings at any time in the app:
- Store lab & radiology results in Vensa: On / Off
- Store clinical notes (including discharge summaries) in Vensa: On / Off
- Store current & past medications in Vensa: On / Off
- Store PMS classifications (diagnoses/conditions) in Vensa: On / Off
If these settings are Off, Vensa will only retrieve your information from your clinic's PMS in real time to display it to you and will not store a copy. This may slow your user experience. We will clearly explain these options at sign-up and in your settings.
10. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect legal or operational changes. We will notify you of any material updates by posting a notice on our website or sending direct communications where appropriate.
Your continued use of our services constitutes your agreement to the revised Privacy Policy.
Defined Terms
Personal Information: Any information about an identifiable individual, including health information.
Health Provider: A healthcare professional or clinic involved in your care.
HIPC: Health Information Privacy Code 2020.
Notifiable Privacy Breach: A breach causing or likely to cause serious harm.
Vensa Health is committed to protecting your privacy and ensuring the safe, lawful, and respectful handling of your health information.