Privacy Policy - New Zealand 🇳🇿

Introduction

This Privacy Policy outlines the commitment of Heron Health Limited (we, us, or our) to safeguarding Personal Information provided to us by our customers (you or your) and ensuring that all data processing activities are conducted in strict compliance with the Privacy Act 2020 (the Privacy Act) and the Health Information Privacy Code 2020.

Scope

This Privacy Policy applies to all Personal Information collected, used and disclosed through Heron, our cloud-based patient booking and inquiry software system, and any related services, products, or other engagements that we have with you.

Where we process Personal Information on behalf of healthcare providers using Heron, those providers act as the 'agency' (data controller) and are responsible for ensuring appropriate notices and consents are obtained from their patients in accordance with applicable privacy laws.

Important Notice: Not a System of Record

Heron is a communication and booking interface, not a clinical System of Record (SoR). While Heron may capture and temporarily store health information (such as call transcripts or summaries), you are solely responsible for ensuring that any relevant health information is transferred to and maintained in your own System of Record (such as your Patient Management System) in accordance with your legal obligations. Heron does not accept responsibility for your regulatory compliance obligations, including but not limited to health record retention requirements.

Information We Collect

We collect Personal Information about you and your customers when you sign up as a user of Heron and use Heron and our related services. The types of information we may collect include:

1. Account Data: personal details such as your name, email address, phone number, physical address, payment information, and business information, to provide and enhance our services.

2. Customer Data: various types of data relating to your customers that is input into Heron. This data may include Personal Information such as patient appointment booking information, names, contact details, conversation transcripts, demographic information (such as date of birth, gender, and location), medical identification numbers, appointment histories, information relating to your customer's health and health conditions, medical history and health insurance.

3. Usage Data: data on how you and your customers interact with Heron, including call transcriptions, call summaries, web chat and feedback provided.

4. Voice Recordings (optional): audio recordings of telephone calls placed through the Heron telephony module when your clinic chooses to enable call recording. Recordings may capture patient identifiers and clinical information. By enabling this feature, you confirm that you have implemented appropriate consent procedures and caller notification systems in accordance with the Privacy Ac 2020 and the Crimes Act 1961. You acknowledge that failure to obtain proper consent may result in serious legal penalties including criminal liability. While Heron provides the recording technology, you remain responsible for all compliance obligations relating to the collection and use of voice recordings. Heron disclaims any liability for your failure to comply with applicable recording consent laws.

5. Technical Data: Information automatically collected and retained for up to 9 months after the user becomes inactive that is reasonably necessary for service delivery, security, and technical support. Essential technical data includes device type and browser information (for compatibility and troubleshooting), browser version, operating system information, screen resolution, and IP address (for security protection and geographic routing). Application analytics data is collected for enhancement purposes and may be disabled in your account settings if preferred.

6. Cookies: Heron uses cookies which are small text files placed on your device to enhance your user experience. Types of cookies we use include:

(a) session cookies for managing user sessions;

(b) persistent cookies for remembering user preferences; and

(c) third-party cookies for tracking and analytics, advertising, and other purposes.

Cookies collect information such as IP addresses, browser types, device information, and browsing activity. You can manage cookie preferences in your account settings and opt-out of third-party cookies if applicable.

7. Security of Personal Information: We will take reasonable steps to secure Personal Information against unauthorised access or breaches. Our security measures are in accordance with our legal obligations, our Internal Privacy Policies and industry standards, taking into account the nature of the Personal Information.

Use of Information

We process, use, collect, and retain your data in a manner that complies with applicable laws and regulatory requirements. In particular:

1. Provision of Services: We collect and use your data, including the data inputted into Heron relating to your customers, to operate Heron and deliver our services, and support your account.

1.1 Quality assurance: we review voice recordings for this purposes only and do not use the audio to train any AI models.

2. Service Improvement: We collect and use your data to identify bugs, improve features, and enhance the overall user experience of Heron. This processing is based on our legitimate interest in improving our service. To the extent that we use information relating to your customers to improve and enhance our services, it is only used in an aggregate or other de-identified form.

3. Communication: We may use your contact information to send updates, gather feedback, and inform you about changes or new features. You can opt out of marketing communications at any time.

4. Security: Technical data is processed to maintain the security and integrity of our systems, to fulfil our legitimate interest in protecting our services and users, and your data.

5. Artificial Intelligence (AI): Heron leverages AI to enrich your experience, boost operational efficiency and to offer advanced functionalities. We do not currently collect or use any data from you or your customers for the purposes of training any AI models. Should we consider any changes to this approach in the future to align with evolving industry standards or technological developments, we will provide you with at least 60 days' advance written notice and an opportunity to provide feedback before implementing any such changes. Any future modifications to our AI data use practices would be subject to updated privacy disclosures and, where required by law, your explicit consent.

Data Protection

We take data security seriously and have implemented appropriate technical and organisational measures to protect data from misuse, interference, loss, unauthorised access, modification, or disclosure. This includes:

1. Encryption: All personal and usage data is industry-standard encrypted both in transit and at rest. Any third-party integration keys and secrets will be encrypted before being sent and stored.

2. Access Control: Access to data is restricted to authorised personnel involved in the maintenance, development and improvement of Heron. We enforce strict access controls and regularly review permissions.

3. Anonymisation: Where possible, we anonymise data to further protect your and your customer's privacy.

4. Notifiable Privacy Breaches: If we experience a privacy breach that has caused or is likely to cause "serious harm" to an affected individual (as defined under Part 6 of the Privacy Act 2020), we will, acting reasonably and in good faith based on information available at the time of assessment and in accordance with guidance published by the Office of the Privacy Commissioner, promptly notify the Office of the Privacy Commissioner (OPC) and affected individuals, outlining the steps we have taken to remediate the breach.

Collection Authority

The collection of Personal Information through Heron and our related services is conducted in a lawful manner, where such collection is either authorised or required by New Zealand law. Where applicable, we will inform you whether the provision of Personal Information is voluntary or mandatory, as well as the possible consequences of failing to provide such data.

Data Retention

(a) Account Data: We retain invoices, payment records and other corporate financial records only for as long as reasonably necessary for business and operational purposes, which may include account management, financial reporting, and customer support. We will not retain such records beyond seven (7) years from the end of the financial year in which the transaction occurred, as required by the Tax Administration Act 1994.

(b) Personal Information: We keep personal information only while it is reasonably necessary for the specific purpose for which it was collected or to meet a legal obligation. When that purpose ends, we securely delete or de-identify the data as required by IPP 9 of the Privacy Act 2020.

(c) Customer Data: We retain health-related data - such as bookings, transcripts, voice recordings and call summaries containing health information - on a strictly temporary basis for up to 90 days to enable you to review and transfer relevant information to your own systems. This temporary storage is provided as a convenience only and does not constitute permanent record-keeping.

You acknowledge that:

(i) You are solely responsible for exporting all relevant health information to your own System of Record (such as your Patient Management System) within this 90-day period and for meeting all applicable regulatory requirements for health record retention;

(ii) After 90 days, this data is automatically deleted from our systems; and

(iii) We do not retain health information for the statutory 10-year period required of health providers; this obligation rests entirely with you as the agency holding the primary health record.

Third-Party Services

We do not share Personal Information with third parties except as reasonably necessary to provide our services. We may engage third-party providers for services such as cloud hosting, payment processing, and other operational functions. All third-party providers are bound by written contracts ensuring compliance with New Zealand privacy standards.

Data Transfers

Personal Information may be stored and processed in New Zealand, Australia, and the United States through our third-party service providers. For data transfers to Australia, we rely on the recognised similarity of Australian privacy laws to New Zealand's Privacy Act 2020. For data transfers to the United States, we ensure protection through binding contractual arrangements that provide equivalent safeguards to the Privacy Act 2020.

Your Rights

1. Access: You have the right under IPP 6 to request access to the Personal Information we hold about you and/or your customers. We will provide a decision on your request within 20 working days of receiving a valid request, subject to verification of your identity and provided that the request is sufficiently specific to enable us to locate the relevant information. For complex requests involving large volumes of data or requiring extensive search efforts, we may extend this timeframe by up to an additional 20 working days with prior notice. We may charge reasonable costs for processing requests that require substantial time or resources.

2. Correction: We will update our records promptly upon verification of the new information. Under IPP7, you can request corrections to any inaccurate, out-of-date, incomplete, or misleading information we hold. We will respond to correction requests within 20 working days of receiving a reasonable period valid request, provided that you supply sufficient evidence to support the requested correction and the request is sufficiently specific to enable us to locate the relevant information.

3. Deletion: You can request the deletion of your, and your customers', personal data at any time. We will process deletion requests unless we are legally required or permitted to retain the information (such as under the Tax Administration Act 1994 or Health (Retention of Health Information Regulations 1996).

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. We will notify you of any significant changes by email or through the Heron app, or we will post an updated version on our website www.heyheron.ai. Significant changes include alterations to how we collect, use, or share Personal Information. We encourage you to review this Privacy Policy periodically to stay informed of any updates.

Contact Us

The agency collecting and holding your information is:

Heron Health Limited
9 Huron Street, Takapuna, Auckland, 0622, New Zealand

If you have any questions or concerns about this Privacy Policy or your data, please contact our Privacy Officer:

Email: hello@heyheron.ai

Attention: Heron Privacy

Last Updated

This Privacy Notice was last updated on 5 December 2025.

Definitions

For the purposes of this Privacy Policy:

"Customer Data" means any data provided by you or your customers, that is entered into, stored in, or processed Heron, and any data that is based on or derived from this data and provided to you via Heron.

"Internal Privacy Policies" means our internal data policies including in relation to information security, information retention, incident response and recovery.

"Personal Information" means any information about an identifiable individual, as defined under the New Zealand Privacy Act 2020.

-
Privacy Policy - Australia 🇦🇺

Introduction

This Privacy Policy outlines the commitment of Heron Health Limited (we, us, or our) to safeguarding Personal Information provided to us by our customers (you or your) and ensuring that all data processing activities are conducted in strict compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Scope

This Privacy Policy applies to all Personal Information collected, used and disclosed through Heron, our cloud-based patient booking and inquiry software system, and any related services, products, or other engagements that we have with you.

Where we process Personal Information on behalf of healthcare providers using Heron, those providers act as the data controller and are responsible for ensuring appropriate notices and consents are obtained from their patients in accordance with applicable privacy laws.

Important Notice: Not a System of Record

Heron is a communication and booking interface, not a clinical System of Record (SoR). While Heron may capture and temporarily store health information (such as call transcripts or summaries), you are solely responsible for ensuring that any relevant health information is transferred to and maintained in your own System of Record (such as your Patient Management System) in accordance with your legal obligations. Heron does not accept responsibility for your regulatory compliance obligations, including but not limited to health record retention requirements.

Information We Collect

We collect Personal Information about you and your customers when you sign up as a user of Heron and use Heron and our related services. The types of information we may collect include:

1. Account Data: personal details reasonably necessary for system setup, user authentication, and service provision, including your name (for account identification and communication), email address (for account access, authentication, and service communications), phone number (for account security and support), physical address (for billing and regulatory compliance), and payment information (for subscription billing and transaction processing). Optional information includes profile picture and business information, which you may provide to enhance your user experience but are not required for basic service functionality.

2. Customer Data: information reasonably necessary for appointment booking, patient identification, and service delivery through Heron. Mandatory information includes full name, date of birth, and phone number (required for all appointment bookings and patient identification). Additional information may include contact details, demographic information, medical identification numbers (where required by clinic systems), appointment histories (retained for 90 days for operational continuity), health insurance information (where requested by participating clinics), and information relating to health conditions or medical history (where required by clinics for appointment purposes). Please note that conversation transcripts - a core product feature enabling front desk staff to review AI agent interactions - may capture additional personal or health information that patients voluntarily disclose during conversations, including details beyond what is specifically requested for appointments.

3. Usage Data: information reasonably necessary for service delivery and operational continuity, retained for up to 90 days from each interaction. This includes call transcriptions and call summaries (automatically generated for all interactions to enable clinic staff to review and access information from patient-AI agent conversations - essential for basic service operation), web chat communications (between patients and AI agents or support teams for service delivery), and voluntary feedback or ratings provided by patients on their interactions. Real-time call audio for quality assurance is collected only where clinics opt-in to voice recording features as described in section 4 below.

4. Voice Recordings (optional): audio recordings of telephone calls placed through the Heron telephony module when your clinic chooses to enable call recording. Recordings may capture patient identifiers and clinical information. We record calls only where lawful consent is obtained in accordance with s 7 & s 7 B of the Telecommunications (Interception and Access) Act 1979 (Cth) and any applicable State/Territory Surveillance Devices Act.

5. Technical Data: information automatically collected and retained for up to 9 months after the user becomes inactive that is reasonably necessary for service delivery, security, and technical support. Essential technical data includes device type and browser information (for compatibility and troubleshooting purposes), browser version (for technical support and compatibility assessment), operating system information (for technical support and system compatibility), screen resolution (for interface optimization and technical support), and IP address (for security protection, system integrations, and geographic routing). Application analytics data (for understanding user behavior and service improvement) is collected for enhancement purposes and may be disabled in your account settings if preferred.

6. Cookies: Heron uses cookies and similar technologies based on our legitimate interests in providing secure, functional services and improving user experience.

Types of cookies we use include:

(a) session cookies for managing user sessions;

(b) persistent cookies for remembering user preferences; and

(c) third-party cookies for tracking and analytics, advertising, and other purposes.

Essential cookies collect minimal information necessary for service functionality, while analytics and advertising cookies collect additional data such as IP addresses, browser types, device information, and browsing activity. You have full control over cookie preferences through your account settings, browser settings, and can opt-out of non-essential cookies at any time without affecting core service functionality.

7. Security of Personal Information: We implement comprehensive security measures in accordance with APP 11 requirements, including regular security assessments, incident response procedures, staff training on data protection, and continuous monitoring systems. Our security framework is designed to protect Personal Information against unauthorised access, modification, disclosure, or destruction, taking into account the sensitivity of health information and other personal data we process.

Use of Information

We process, use, collect, and retain your data in a manner that complies with applicable laws and regulatory requirements, with each use based on specific legal authorities under Australian privacy law:

1. Provision of Services: We collect and use your data, including data inputted into Heron relating to your customers, to operate Heron and deliver our services, and support your account. This processing is based on contract performance (fulfilling our obligations under the Terms of Service) and healthcare provider obligations under applicable health records legislation.

1.1 Quality assurance: we may review voice recordings for quality assurance purposes only and do not use the audio to train any AI models or for any other secondary purposes.

2. Service Improvement: We collect and use your data to identify bugs, improve features, and enhance the overall user experience of Heron. This processing is based on our legitimate interests in service improvement, provided it does not override your privacy interests. Information relating to your customers is only used for service improvement in aggregate or de-identified form to protect patient privacy.

3. Communication: We may use your contact information to send service updates, gather feedback, and inform you about changes or new features. Service communications are based on contract performance, while marketing communications are based on consent (which you can withdraw by opting out at any time).

4. Security: Technical data is processed to maintain the security and integrity of our systems, based on our legitimate interests in protecting our services, users, and your data from security threats, fraud, and unauthorized access.

5. Artificial Intelligence (AI): Heron leverages AI to enrich your experience, boost operational efficiency and to offer advanced functionalities. We do not currently collect or use any data from you or your customers for the purposes of training any AI models. Should we consider any changes to this approach in the future to align with evolving industry standards or technological developments, we will provide you with at least 60 days' advance written notice and an opportunity to provide feedback before implementing any such changes. Any future modifications to our AI data use practices would be subject to updated privacy disclosures and, where required by law, your explicit consent.

Data Protection

We take data security seriously and have implemented appropriate technical and organisational measures to protect data from misuse, interference, loss, unauthorised access, modification, or disclosure. This includes:

1. Encryption: All personal and usage data is industry-standard encrypted both in transit and at rest. Any third-party integration keys and secrets will be encrypted before being sent and stored.

2. Access Control: Access to data is restricted to authorised personnel involved in the maintenance, development and improvement of Heron. We enforce strict access controls and regularly review permissions.

3. Anonymisation: Where possible, we anonymise data to further protect your and your customer's privacy.

4. Notifiable Data Breaches: If we experience an eligible data breach under Part IIIC of the Privacy Act 1988 (Cth), we will promptly notify the Office of the Australian Information Commissioner (OAIC) and affected individuals, outlining the steps we have taken to remediate the breach.

Collection Authority

The collection of Personal Information through Heron and our related services is conducted in accordance with specific legal bases under Australian law. Account Data: collected for contract performance (to provide services under our Terms of Service) and legitimate interests (account security, billing, regulatory compliance).Customer Data (health information): collected based on healthcare provider obligations under applicable health records legislation, patient consent obtained by healthcare providers, and our legitimate interests in service delivery where permitted by APP 6.Usage Data: collected for contract performance (essential service features like transcriptions and summaries) and legitimate interests (service improvement, operational continuity).Technical Data: collected for legitimate interests in system security, technical support, service compatibility, and fraud prevention.Voice Recordings: collected only with explicit consent in accordance with section 7 of the Telecommunications (Interception and Access) Act 1979 (Cth) and applicable State/Territory surveillance legislation.Where applicable, we will inform you whether the provision of Personal Information is voluntary or mandatory, as well as the possible consequences of failing to provide such data. Healthcare providers using Heron are responsible for obtaining appropriate patient consents and notices as data controllers under applicable privacy laws.

Data Retention

(a) Account Data: We retain invoices, payment records and other corporate financial records only for as long as reasonably necessary for business and operational purposes, which may include account management, financial reporting, and customer support. We regularly review retention needs and will delete or irreversibly de-identify financial data once it is no longer required for these purposes, provided no tax, audit, dispute or other legal hold remains. In any case, we will not retain such records beyond seven (7) years from the end of the financial year in which the transaction occurred, as required by s 286(2) of the Corporations Act 2001 (Cth). You may request earlier deletion at any time, and we will action it as soon as operationally feasible and legally permissible.

(b) Personal Information: We keep personal information only while it is reasonably necessary for the specific purpose for which it was collected or to meet a legal obligation. We conduct regular reviews of retained data and proactively delete or de-identify personal information when the original collection purpose no longer exists and no legal duty prevents deletion. When that purpose (and any legal hold) ends, we securely delete or de-identify the data as required by APP 11.2; if no legal duty prevents it, we will process your deletion request within a reasonable period, taking into account the complexity of the request and any operational requirements. To the extent that the Personal Information is also Customer Data, paragraph (c) also applies.

(c) Customer Data (health information): We retain health-related data - such as bookings, clinical notes, transcripts and chat logs, voice recordings - only for as long as reasonably necessary for the provision of our services and to meet your operational needs as a healthcare provider. We conduct regular reviews and will delete or irreversibly de-identify health data when it is no longer required for these purposes. However, we will not retain health information beyond seven (7) years after the last service for adult patients, or until the patient turns twenty-five (25) if they were a minor, reflecting the maximum statutory periods for private-sector providers in NSW, Victoria and the ACT. Once data is no longer needed for operational purposes (and any legal hold ends), we delete or irreversibly de-identify the data unless you instruct us to return it and no statutory obligation prevents us.

Third-Party Services

We do not share Personal Information with third parties except as reasonably necessary to provide our services (such as cloud hosting providers and payment processors). Each third-party provider is bound by written contracts that comply with APP 8 requirements, including: contractual obligations to protect Personal Information in accordance with Australian privacy law; restrictions on use of Personal Information for purposes other than providing services to us; and requirements to implement appropriate technical and organizational security measures. All third-party providers are thoroughly vetted for security and privacy compliance before engagement and are subject to ongoing monitoring to ensure continued compliance with their contractual obligations and Australian privacy law.

Data Transfers

Where we disclose Personal Information to recipients outside Australia, we ensure compliance with APP 8 through: Reasonable steps (APP 8.1): For sensitive transfers, we implement contractual safeguards, conduct due diligence on recipient privacy laws, and require equivalent privacy protections;Applicable exceptions (APP 8.2): For routine operational transfers with established cloud providers, we rely on exceptions such as consent, contract necessity, or where the recipient is subject to substantially similar privacy laws; and Risk assessment: We assess each transfer type to determine the most appropriate APP 8 compliance mechanism based on sensitivity, purpose, and recipient jurisdiction. Current likely overseas recipients include Google Cloud (United States and New Zealand) for hosting services and Stripe (United States) for payment processing. A complete, current list of overseas recipients and their locations is available upon request.

Your Rights Under the Privacy Act 1988 (Cth)

1. Access: You have the right under APP 12 to request access to the Personal Information we hold about you and/or your customers. We will provide this information within a reasonable period, taking into account the complexity of your request and any operational requirements, subject to verification of your identity and any applicable legal restrictions. Access may be provided in the format requested where technically feasible.

2. Correction: Under APP 13, you can request corrections to any inaccurate, out-of-date, incomplete, irrelevant or misleading information we hold about you or your customers. We will respond to correction requests within a reasonable period and update our records promptly upon verification of the correct information, including notifying relevant third parties where required.

3. Deletion: You can request the deletion of your, and your customers', personal data at any time. We will process deletion requests within 30 days unless we are legally required or permitted to retain the information, including where: (a) retention is required by law (such as financial records under the Corporations Act 2001 (Cth) or health records under applicable state legislation); (b) the information is subject to a legal hold, court order, or ongoing legal proceedings; (c) deletion would compromise the rights and freedoms of others; or (d) retention is necessary for the establishment, exercise or defence of legal claims. Where we refuse your deletion request, we will provide written reasons specifying the legal basis and information on how to complain to the Office of the Australian Information Commissioner (APP 12.9).

4.Complaints: If you believe we have breached your privacy rights, you may lodge a complaint with our Privacy Officer using the contact details below. We will investigate all complaints within a reasonable period and provide a written response outlining our findings and any remedial action taken. If you are not satisfied with our response, you have the right to complain to the Office of the Australian Information Commissioner.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. We will notify you of any significant changes by email or through the Heron app, or we will post an updated version on our website www.heyheron.ai. Significant changes include alterations to how we collect, use, or share Personal Information. We encourage you to review this Privacy Policy periodically to stay informed of any updates.

Contact Us

The agency collecting and holding your information is:

Heron Health Limited
9 Huron Street, Takapuna, Auckland, 0622, New Zealand

If you have any questions or concerns about this Privacy Policy or your data, please contact our Privacy Officer:

Email: hello@heyheron.ai
Attention: Heron Privacy

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) by calling 1300 363 992 or visiting www.oaic.gov.au.

Last Updated

This Privacy Notice was last updated on 30 June 2025.

Definitions

For the purposes of this Privacy Policy:

"Australian Privacy Principles (APPs)" means the principles set out in Schedule 1 to the Privacy Act 1988 (Cth).

"Customer Data" means any data provided by you or your customers, that is entered into, stored in, or processed Heron, and any data that is based on or derived from this data and provided to you via Heron.

"Internal Privacy Policies" means our internal data policies including in relation to information security, information retention, incident response and recovery.

"Personal Information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in a material form or not, as defined in section 6 of the Privacy Act 1988 (Cth).