
What this Privacy Statement covers

Habit Health Limited (Company number 8729929) and its subsidiaries (together, Habit Health, we, our or us) and our related companies are committed to protecting your privacy. We respect your privacy and manage personal information in accordance with the Privacy Act 2020 and the Health Information Privacy Code 2020.

You agree to:

  • interact with us digitally (including by using our websites, tools, applications, or kiosks);
  • interact with us in person or by telephone; or
  • use or receive any of our services.

This Privacy Statement tells you:

  • what personal information we collect and hold;
  • how we collect, use, share and protect your personal information;
  • how to make a privacy query or complaint;

It also includes further information for habithealth+ users and HealthOne shared electronic records, where applicable.

What is personal information?

“Personal information” means information about an identifiable individual, including information about an individual’s health. Examples include a person’s:

  • name and contact details;
  • gender;
  • date of birth;
  • health, medical or treatment information;
  • information about services we provide to you.

Types of personal information we collect

“Personal information” means information about an identifiable individual, including information about an individual’s health. The kinds of personal information we collect may include:

  • Identity and contact information (e.g., name, address, phone, email);
  • Demographic information (e.g., age, gender);
  • Unique identifiers (e.g., NHI, client numbers);
  • Employment and referral information;
  • Financial information (e.g., invoice, payment details);
  • Health or medical information (e.g., conditions, treatments);
  • Technical and usage data (e.g., IP address, device details, browsing behavior).

We collect different personal information depending on your engagement with us (for example, whether you are a client, prospective client, referrer, employee, user of habithealth+, website visitor, or other contact).

 

Why we collect and use personal and health information

We collect, hold, use and share personal information where it is reasonably necessary to:

  • identify you and manage your client record;
  • assess your eligibility for and provide services;
  • communicate with you, your referrer, your employer or funder;
  • verify and manage financial and payment matters;
  • provide secure access to digital tools and online records;
  • monitor, evaluate and improve systems and service quality;
  • comply with legal, regulatory and contractual obligations;
  • support research and service development (in de-identified form where practicable);
  • and any other purpose you authorise.

 

How we collect information

Collection methods

We collect personal information:

  • directly from you (e.g., forms, intake processes, online submissions);
  • via telephone or in person;
  • through digital channels (website, apps, portals);
  • when your referrer, employer, funder or other authorised third party provides it.

Collecting information from other sources

Sometimes we collect information about you from third parties where you have authorised this or it is permitted by law. This can include:

  • health or disability service providers;
  • your referrer or funder;
  • government or regulatory agencies.

Providing personal information about others

If you provide personal information about another individual (for example, a dependent), you must ensure they know why their information is being collected and have consented where required.

Specific privacy practices

Phone call recordings

We may record inbound or outbound calls for training, quality assurance, or safety. If a call is recorded, we will inform you at the beginning of the call.

CCTV use

We use CCTV across some of our physical sites for safety, security and loss prevention. Camera use complies with relevant laws and is limited to public or common areas.

Mailing lists

If you subscribe to receive communications (such as newsletters or reminders), we will use your contact details for this purpose. You may unsubscribe at any time by following the instructions in the communication.

Automatically collected website information

When you use our websites or digital services, we may collect:

  • browser and device information;
  • usage and interaction data;
  • IP addresses;
  • analytics data using cookies or similar technologies.

You can manage cookies via your browser or device settings. More information about how cookies work, how Google uses your data and how you can opt out is available on the Google website here.

 

Sharing and disclosing personal information

We only share your personal information where:

  • it is necessary for the purpose it was collected (for example, quality assurance, service coordination);
  • you have authorised the disclosure;
  • we are permitted or required by law;
  • it has been de-identified.

We may share with:

  • health practitioners and service providers involved in your care;
  • related Habit Health companies where necessary for service delivery;
  • our professional advisors (lawyers, insurers, auditors);
  • third-party service providers who help manage systems or services; and
  • government or regulatory agencies where required.

Overseas disclosures:

In some cases, we may share personal information with third parties located overseas. We take steps to ensure it receives comparable protections.

 

Keeping your information secure

We store personal information securely using technical, physical and administrative safeguards. Access to personal information is restricted to those who need it to undertake their role. We regularly review and update our systems and security measures.

When personal information is no longer required, we de-identify or securely dispose of it in accordance with our retention practices and legal requirements.

 

How long we keep your information

We retain personal and health information only as long as necessary to provide services, comply with legal or contractual obligations, or allow for legitimate business purposes (including historical or research needs). Retention periods may be governed by specific rules for health information.

 

How to request access to your personal information

You have the right to request access to personal information we hold about you. You can do this by contacting our Privacy Team using the details below. We will respond to your request within a reasonable timeframe and notify you if any fees apply.

In some cases, access may be limited for legal or clinical reasons, and we will explain why.

 

How to request correction of your personal information

You have the right to request access to your personal information. You can request access by:

  • Completing our Request to Access Personal Records Form and sending it with a copy of your photo identification to NotesRequests@habit.health
  • Phoning 0800 557 556, or emailing hello@habit.health (You will still be required to complete our Request to Access Personal Records Form)

We will acknowledge your request within 5 working days and respond to the request within 20 working days. If your request is urgent, please include the reasons and required timeframe in your request, and all efforts will be made to meet this timeframe.

In limited situations, an access request may be denied, or restricted access given. We will provide reasons in writing for any refusal or limitation of access (e.g., due to serious harm risk, legal proceedings) along with information on how to complain.

When providing personal information, we take steps to ensure that the information is accurate and does not impact the privacy of another individual. As part of our internal review during the access request process, we may use the AI tool ‘Heidi Health’ solely to assist with identifying information that could inadvertently disclose another person’s data. Heidi Health is not used to make decisions about your access request, and outputs are only used for this purpose and are not retained. For more information about Heidi Health’s privacy practices, please see Heidi Health’s Privacy Policy.

 

Complaints or privacy concerns

We are happy to discuss with you any concerns regarding the management of personal information or any information about our privacy statement. You can view our complaints management process here.

You can raise concerns or complaints by:

We will acknowledge your complaint within 5 working days and aim to resolve it within 10 working days after the complaint is received. If we cannot conclude the complaint within this timeframe, we will provide you with information on how long we think it will take to investigate and respond to it and keep you updated regularly.

If you are not satisfied with the response or the outcome of the complaint, you can lodge a complaint with the Office of the Privacy Commissioner here.

 

Personal identifiers

For clarity where relevant, we may use unique client identifiers in our systems (including numbers used for clinical or administrative purposes).

 

Updates to this Privacy Statement

We may amend or update this Privacy Statement occasionally with or without notice to you.

This privacy statement was last updated on 27/11/2025.

 

habithealth+ privacy details

habithealth+ is an app that works in tandem with professional support and features prompts and notifications to increase motivation. With habithealth+ you can:

  • Manage your health on the move
  • Customise notifications to boost motivation
  • Manage regular check-ins
  • Book in with a wide range of EAP professionals
  • Access support and advice
  • Integrate your device to access insights about your wellbeing

To delete your habithealth+ account and data:

  • Open habithealth+ on your mobile phone.
  • Open “Settings”, then click your “Profile” and then click “Delete My Account”.
  • Follow the instructions to “Delete My Account” by entering your registered mobile phone number.

When you delete your habithealth+ account:

  • You will permanently delete your personal data.
  • You will lose access to the habithealth+ app.

To find out more, click here.

 

HealthOne - South Island-based patients

South Island-based patients only - please note that this organisation is contributing to, and accessing healthcare information from, HealthOne.

What is HealthOne?

HealthOne is a South Island-based secure electronic record that allows registered healthcare providers directly involved in your healthcare to quickly access information such as your test results, allergies, medications, GP summaries and hospital information. HealthOne adheres to the principles of the Privacy Act 2020 as well as the Rules set out in the Health Information Privacy Code 2020. Access is only possible via an approved highly secure healthcare information network which is regularly audited and tested. Privacy auditing is used to check that only those directly involved in your care are accessing your information.

To find out more about HealthOne please visit https://healthone.org.nz. Please note that you are entitled to restrict the sharing of your healthcare records by contacting 0508 837 872 or emailing HealthOne.privacy@pegasus.health.nz.