Our Privacy Policy
Privacy Policy - New Zealand 🇳🇿
Introduction
This Privacy Policy outlines the commitment of HeyX Limited (we, us, or our) to safeguarding Personal Information provided to us by our customers (you or your) and ensuring that all data processing activities are conducted in strict compliance with the Privacy Act 2020 (the Privacy Act) of New Zealand.
Scope
This Privacy Policy applies to all Personal Information collected, used and disclosed through Heron, our cloud-based patient booking and inquiry software system, and any related services, products, or other engagements that we have with you.
Information We Collect
We collect Personal Information about you and your customers when you sign up as a user of Heron and use Heron and our related services. The types of information we may collect include:
1. Account Data: personal details such as your name, email address, phone number, physical address, payment information, and business information, to provide and enhance our services.
2. Customer Data: various types of data relating to your customers that is input into Heron. This data may include Personal Information such as patient appointment booking information, names, contact details, conversation transcripts, demographic information (such as date of birth, gender, and location), medical identification numbers, appointment histories, information relating to your customer's health and health conditions, medical history and health insurance.
3. Usage Data: data on how you and your customers interact with Heron, including call transcriptions, call summaries, web chat and feedback provided.
4. Voice Recordings (optional): audio recordings of telephone calls placed through the Heron telephony module when your clinic chooses to enable call recording. Recordings may capture patient identifiers and clinical information.
5. Technical Data: information such as your device type, browser, application analytics, operating system, and IP address may be collected.
6. Cookies: Heron uses cookies which are small text files placed on your device to enhance your user experience. Types of cookies we use include:
(a) session cookies for managing user sessions;
(b) persistent cookies for remembering user preferences; and
(c) third-party cookies for tracking and analytics, advertising, and other purposes.
Cookies collect information such as IP addresses, browser types, device information, and browsing activity. You can manage cookie preferences in your account settings and opt out of third-party cookies if applicable.
7. Security of Personal Information: We will take reasonable steps to secure Personal Information against unauthorised access or breaches. Our security measures are in accordance with our legal obligations, our Internal Privacy Policies and industry standards, taking into account the nature of the Personal Information.
Use of Information
We process, use, collect, and retain your data in a manner that complies with applicable laws and regulatory requirements. In particular:
1. Provision of Services: We collect and use your data, including the data inputted into Heron relating to your customers, to operate Heron and deliver our services, and support your account.
1.1 Quality assurance: we review voice recordings for this purpose only and do not use the audio to train any AI models.
2. Service Improvement: We collect and use your data to identify bugs, improve features, and enhance the overall user experience of Heron. This processing is based on our legitimate interest in improving our service. To the extent that we use information relating to your customers to improve and enhance our services, it is only used in an aggregate or other de-identified form.
3. Communication: We may use your contact information to send updates, gather feedback, and inform you about changes or new features. You can opt out of marketing communications at any time.
4. Security: Technical data is processed to maintain the security and integrity of our systems, to fulfil our legitimate interest in protecting our services and users, and your data.
5. Artificial Intelligence (AI): Heron leverages AI to enrich your experience, boost operational efficiency and to offer advanced functionalities. We do not collect or use any data from you or your customers for the purposes of training any AI models.
Data Protection
We take data security seriously and have implemented appropriate technical and organisational measures to protect data from misuse, interference, loss, unauthorised access, modification, or disclosure. This includes:
1. Encryption: All personal and usage data is encrypted to industry standards both in transit and at rest. Any third-party integration keys and secrets will be encrypted before being sent and stored.
2. Access Control: Access to data is restricted to authorised personnel involved in the maintenance, development and improvement of Heron. We enforce strict access controls and regularly review permissions.
3. Anonymisation: Where possible, we anonymise data to further protect your and your customers' privacy.
Collection Authority
The collection of Personal Information through Heron and our related services is conducted in a lawful manner, where such collection is either authorised or required by New Zealand law. Where applicable, we will inform you whether the provision of Personal Information is voluntary or mandatory, as well as the possible consequences of failing to provide such data.
Data Retention
(a) Account Data: Subject to paragraphs (b) and (c) below, your account data will be retained for the duration of your period as a user and for up to 6 months thereafter to analyse and improve the service. You can request the deletion of your data or the data of your customers at any time by contacting us at hello@heyjane.ai. We will endeavour to process deletion requests within 20 working days, subject to any legal requirements and will only retain data to the extent necessary to comply with our legal obligations.
(b) Personal Information: We will retain Personal Information only for as long as necessary to fulfil the purposes for which it was collected, as required by law. To the extent that the Personal Information is also Customer Data, paragraph (c) also applies.
(c) Customer Data: Upon termination or expiry of your use of Heron and/or our related services, Customer Data is deleted or returned as instructed by you or the customer.
(d) Voice Recordings: Voice Recordings are retained for 90 days unless a longer period is required to resolve a dispute or comply with a legal obligation, after which they are securely deleted or irreversibly anonymised.
Third-Party Services
We do not share Personal Information with third parties except as necessary to provide the service (for example, cloud hosting providers). All third-party providers are thoroughly vetted and are bound by strict privacy agreements that comply with the Privacy Act, ensuring that data is handled securely and confidentially.
Data Transfers
To the extent we disclose Personal Information to third parties outside of New Zealand, we will take reasonable steps to ensure such third party is subject to at least as stringent obligations as those in the Privacy Act or is otherwise required to protect the information in a way that, overall, provides comparable safeguards to those under the Privacy Act.
Your Rights
1. Access: You have the right to request access to the Personal Information we hold about you and/or your customers. We will provide this information within 30 days of receiving your request.
2. Correction: You can request corrections to any inaccurate or incomplete information we hold about you or your customers. We will update our records promptly upon verification of the new information.
3. Deletion: You can request the deletion of your, and your customers', personal data at any time. Any request will be subject to our Internal Privacy Policies including Information Retention Policy.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. We will notify you of any significant changes by email or through the Heron app, or we will post an updated version on our website www.heyheron.ai. Significant changes include alterations to how we collect, use, or share Personal Information. We encourage you to review this Privacy Policy periodically to stay informed of any updates.
Contact Us
The agency collecting and holding your information is:
HeyX Limited
9 Huron Street, Takapuna, Auckland, 0622, New Zealand
If you have any questions or concerns about this Privacy Policy or your data, please contact our Privacy Officer:
Email: hello@heyjane.ai
Attention: Heron Privacy
Last Updated
This Privacy Notice was last updated on 30 June 2025.
Definitions
For the purposes of this Privacy Policy:
"Customer Data" means any data provided by you or your customers, that is entered into, stored in, or processed by Heron, and any data that is based on or derived from this data and provided to you via Heron.
"Internal Privacy Policies" means our internal data policies including in relation to information security, information retention, incident response and recovery.
"Personal Information" means any information about an identifiable individual, as defined under the New Zealand Privacy Act 2020.
-
Privacy Policy - Australia 🇦🇺
Introduction
This Privacy Policy outlines the commitment of HeyX Limited (we, us, or our) to safeguarding Personal Information provided to us by our customers (you or your) and ensuring that all data processing activities are conducted in strict compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Scope
This Privacy Policy applies to all Personal Information collected, used and disclosed through Heron, our cloud-based patient booking and inquiry software system, and any related services, products, or other engagements that we have with you.
Where we process Personal Information on behalf of healthcare providers using Heron, those providers act as the data controller and are responsible for ensuring appropriate notices and consents are obtained from their patients in accordance with applicable privacy laws.
Information We Collect
We collect Personal Information about you and your customers when you sign up as a user of Heron and use Heron and our related services. The types of information we may collect include:
1. Account Data: personal details such as your name, email address, phone number, profile picture, physical address, payment information, and business information, to provide and enhance our services.
2. Customer Data: various types of data relating to your customers that is input into Heron. This data may include Personal Information such as patient appointment booking information, names, contact details, conversation transcripts, demographic information (such as date of birth, gender, and location), medical identification numbers, appointment histories, information relating to your customer's health and health conditions, medical history and health insurance.
3. Usage Data: data on how you and your customers interact with Heron, including real-time call audio, call transcriptions, call summaries, web chat and feedback provided.
4. Voice Recordings (optional): audio recordings of telephone calls placed through the Heron telephony module when your clinic chooses to enable call recording. Recordings may capture patient identifiers and clinical information. We record calls only where lawful consent is obtained in accordance with s 7 & s 7 B of the Telecommunications (Interception and Access) Act 1979 (Cth) and any applicable State/Territory Surveillance Devices Act.
5. Technical Data: information such as your device type, browser, application analytics, operating system, and IP address may be collected.
6. Cookies: Heron uses cookies which are small text files placed on your device to enhance your user experience. Types of cookies we use include:
(a) session cookies for managing user sessions;
(b) persistent cookies for remembering user preferences; and
(c) third-party cookies for tracking and analytics, advertising, and other purposes.
Cookies collect information such as IP addresses, browser types, device information, and browsing activity. You can manage cookie preferences in your account settings and opt out of third-party cookies if applicable.
7. Security of Personal Information: We will take reasonable steps to secure Personal Information against unauthorised access or breaches. Our security measures are in accordance with our legal obligations, our Internal Privacy Policies and industry standards, taking into account the nature of the Personal Information.
Use of Information
We process, use, collect, and retain your data in a manner that complies with applicable laws and regulatory requirements. In particular:
1. Provision of Services: We collect and use your data, including the data inputted into Heron relating to your customers, to operate Heron and deliver our services, and support your account.
1.1 Quality assurance: we review voice recordings for this purpose only and do not use the audio to train any AI models.
2. Service Improvement: We collect and use your data to identify bugs, improve features, and enhance the overall user experience of Heron. This processing is based on our legitimate interest in improving our service. To the extent that we use information relating to your customers to improve and enhance our services, it is only used in an aggregate or other de-identified form.
3. Communication: We may use your contact information to send updates, gather feedback, and inform you about changes or new features. You can opt out of marketing communications at any time.
4. Security: Technical data is processed to maintain the security and integrity of our systems, to fulfil our legitimate interest in protecting our services and users, and your data.
5. Artificial Intelligence (AI): Heron leverages AI to enrich your experience, boost operational efficiency and to offer advanced functionalities. We do not collect or use any data from you or your customers for the purposes of training any AI models.
Data Protection
We take data security seriously and have implemented appropriate technical and organisational measures to protect data from misuse, interference, loss, unauthorised access, modification, or disclosure. This includes:
1. Encryption: All personal and usage data is encrypted to industry standards both in transit and at rest. Any third-party integration keys and secrets will be encrypted before being sent and stored.
2. Access Control: Access to data is restricted to authorised personnel involved in the maintenance, development and improvement of Heron. We enforce strict access controls and regularly review permissions.
3. Anonymisation: Where possible, we anonymise data to further protect your and your customers' privacy.
4. Notifiable Data Breaches: If we experience an eligible data breach under Part IIIC of the Privacy Act 1988 (Cth), we will promptly notify the Office of the Australian Information Commissioner (OAIC) and affected individuals, outlining the steps we have taken to remediate the breach.
Collection Authority
The collection of Personal Information through Heron and our related services is conducted in a lawful manner, where such collection is either authorised or required by Australian law. Where applicable, we will inform you whether the provision of Personal Information is voluntary or mandatory, as well as the possible consequences of failing to provide such data.
Data Retention
(a) Account Data: We retain invoices, payment records and other corporate financial records for seven (7) years from the end of the financial year in which the transaction occurred, as required by s 286(2) of the Corporations Act 2001 (Cth). After that period—and provided no tax, audit, dispute or other legal hold remains—we securely delete or irreversibly de-identify the data in line with Australian Privacy Principle 11.2. You may request earlier deletion, but we can action it only once statutory obligations allow.
(b) Personal Information: We keep personal information only while it is reasonably necessary for the purpose for which it was collected or to meet a legal obligation. When that purpose (and any legal hold) ends, we securely delete or de-identify the data as required by APP 11.2; if no legal duty prevents it, we will process your deletion request within 30 days. To the extent that the Personal Information is also Customer Data, paragraph (c) also applies.
(c) Customer Data (health information): We retain health-related data - such as bookings, clinical notes, transcripts and chat logs, voice recordings - for seven (7) years after the last service for adult patients, or until the patient turns twenty-five (25) if they were a minor, reflecting the statutory rules for private-sector providers in NSW, Victoria and the ACT, adopted nationally as best practice. Once that period (and any legal hold) ends, we delete or irreversibly de-identify the data unless you instruct us to return it and no statutory obligation prevents us.
Third-Party Services
We do not share Personal Information with third parties except as necessary to provide the service (for example, cloud hosting providers); each such provider is bound by a written contract that complies with APP 8 and, where relevant, the Privacy (Cross-Border Information Flows) Rules. All third-party providers are thoroughly vetted and are bound by strict privacy agreements that comply with the Privacy Act, ensuring that data is handled securely and confidentially.
Data Transfers
Where we disclose Personal Information to a recipient outside Australia, we will take reasonable steps under APP 8.1 to ensure the overseas recipient does not breach the APPs in relation to that information or otherwise rely on an exception in APP 8.2. Likely overseas recipients include Google Cloud in the United States and New Zealand. A full, up-to-date list is available on request.
Your Rights Under the Privacy Act 1988 (Cth)
1. Access: You have the right to request access to the Personal Information we hold about you and/or your customers. We will provide this information within a reasonable period (usually 30 days).
2. Correction: You can request corrections to any inaccurate or incomplete information we hold about you or your customers. We will update our records promptly upon verification of the new information.
3. Deletion: You can request the deletion of your, and your customers', personal data at any time. Any request will be subject to our Internal Privacy Policies including Information Retention Policy. Where we refuse your erasure request, we will provide written reasons and information on how to complain (APP 12.9).
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. We will notify you of any significant changes by email or through the Heron app, or we will post an updated version on our website www.heyheron.ai. Significant changes include alterations to how we collect, use, or share Personal Information. We encourage you to review this Privacy Policy periodically to stay informed of any updates.
Contact Us
The agency collecting and holding your information is:
HeyX Limited
9 Huron Street, Takapuna, Auckland, 0622, New Zealand
If you have any questions or concerns about this Privacy Policy or your data, please contact our Privacy Officer:
Email: hello@heyheron.ai
Attention: Heron Privacy
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) by calling 1300 363 992 or visiting www.oaic.gov.au.
Last Updated
This Privacy Notice was last updated on 30 June 2025.
Definitions
For the purposes of this Privacy Policy:
"Australian Privacy Principles (APPs)" means the principles set out in Schedule 1 to the Privacy Act 1988 (Cth).
"Customer Data" means any data provided by you or your customers, that is entered into, stored in, or processed by Heron, and any data that is based on or derived from this data and provided to you via Heron.
"Internal Privacy Policies" means our internal data policies including in relation to information security, information retention, incident response and recovery.
"Personal Information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in a material form or not, as defined in section 6 of the Privacy Act 1988 (Cth).