Privacy Policy
Last reviewed: 22 May 2026
ClinicCompare NZ helps people compare medical clinics across New Zealand. We collect a small amount of information so we can connect you with clinics matching your interests and run the directory. This policy explains exactly what we collect, who handles it, and the rights you have under the New Zealand Privacy Act 2020.
We are not a registered medical practice. We do not provide medical advice, diagnoses, or treatment. Where you choose to share clinical context (e.g. existing conditions) through a free-text field, we treat that as health information under the Health Information Privacy Code 2020.
What information we collect
When you use our lead form, search the directory, or contact us, we may collect:
- Identity: name, email address, phone number
- Health-adjacent information: the procedure you're interested in, your location, any context you choose to include in the message body (preferred timeline, treatment history, budget range)
- Technical: IP address (truncated for analytics), browser type, device type, referring page, pages viewed
- Cookies: see "Cookies" below
We deliberately do not ask for clinical details (medical history, diagnoses, medications, etc.) on this site. If you choose to include them in a free-text message, we treat them as health information under the Health Information Privacy Code 2020 and apply the stricter consent and disclosure rules below.
We are not a registered medical practice and do not create or hold clinical records.
Why we collect it (lawful purpose)
We collect this information to:
1. Connect you with clinics matching your stated interest (the primary purpose of the lead form).
2. Improve the directory, using anonymised aggregate analytics on which procedures and locations are searched most.
3. Respond to enquiries you send directly to us.
4. Comply with legal obligations (tax records, lawful requests from regulators).
We do not use your data for any other purpose without your specific, informed consent.
Who we share it with
Clinics you select. When you submit a lead form, your name, contact details and stated procedure interest are sent to the one or more clinics you explicitly chose in the form. We do not broadcast leads to clinics you did not select.
Processors that handle data on our behalf (each bound by their own privacy commitments):
| Processor | What they handle | Location |
|---|---|---|
| Supabase (Vercel) | Clinic + procedure directory + lead-form submissions | Singapore (ap-southeast-1) |
| Netlify | Static site hosting + edge CDN | Global, primary AU/US |
| Google Analytics 4 | Aggregate site-usage analytics (IP-truncated) | US |
| Email delivery (planned: Resend / Postmark) | Transactional emails (lead confirmations) | US |
We do not sell personal information to advertisers, data brokers, or any third party. We do not participate in advertising networks that re-target you across the web.
Legal disclosures. We may disclose information if required by NZ law (e.g. valid Police warrant, Court order, Privacy Commissioner enquiry) — never voluntarily.
How long we keep it
- Lead-form submissions: 12 months from submission, then deleted (unless you've started an ongoing conversation with us or a clinic, in which case we keep them for the longer of 12 months or the active engagement period).
- Anonymous analytics (page views, session counts): retained at aggregate level only — no individual user records kept beyond 26 months (Google Analytics 4 default).
- Email correspondence with us: 24 months unless ongoing.
- Records required by law (tax, regulator requests): the statutory retention period (typically 7 years for financial records — not applicable to lead data).
You can request earlier deletion at any time (see "Your rights" below).
Your rights under the Privacy Act 2020
The Privacy Act 2020 and the Health Information Privacy Code 2020 give you these rights:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct anything inaccurate.
- Deletion — ask us to delete your information (we will, unless we're legally required to keep it).
- Object to processing — withdraw consent for specific uses.
- Portability — receive your data in a common format you can take elsewhere.
- Opt-out — unsubscribe from any non-transactional emails at any time.
- Complain — to the Office of the Privacy Commissioner at privacy.org.nz or 0800 803 909.
We aim to respond to all rights requests within 20 working days (the statutory maximum).
To exercise any of these rights, email privacy@cliniccompare.co.nz with the request and enough detail for us to identify your records.
Cookies and tracking
Strictly necessary cookies (cannot be disabled): session state, form CSRF token.
Analytics cookies (Google Analytics 4): set when you visit the site. We use IP truncation and do not enable Google Signals or cross-device tracking.
Marketing cookies: we do not set marketing cookies and do not participate in advertising networks (no Facebook Pixel, no Google Ads remarketing, etc.).
You can disable analytics cookies in your browser settings or via the privacy preferences signal (Global Privacy Control).
Security
- HTTPS / TLS 1.2+ enforced on all pages (Netlify-managed).
- Service-role database keys are never exposed to the browser; they are used only server-side, via Netlify environment variables.
- Row Level Security on Supabase tables holding personal data.
- Access controls on the admin / clinic-submission paths.
- Incident response: any unauthorised access to personal data triggers notification to affected individuals and the Privacy Commissioner within the timeframe required by the Privacy Act 2020 Notifiable Privacy Breach scheme.
No system is 100% secure. We've worked to apply industry-standard protections and we keep the stack updated.
International transfer
Some of our processors (Supabase, Google Analytics, Netlify) store or process data outside New Zealand. We rely on either (a) the processor's own privacy commitments meeting the standard of the Privacy Act 2020, or (b) the contractual data-processing terms (DPAs) we've agreed with them. If you have specific concerns about international transfer, contact us before submitting any data.
Children
This site is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we hold information about a child, please contact us so we can delete it.
Changes to this policy
Material changes to this policy will be announced at the top of this page with a dated change log for at least 60 days. Minor wording cleanups won't trigger a notice. The "Last reviewed" date at the top reflects the most recent edit.
Contact
Privacy enquiries / rights requests: privacy@cliniccompare.co.nz
General contact: hello@cliniccompare.co.nz
Complaints: in the first instance to us, then to the Office of the Privacy Commissioner (privacy.org.nz, 0800 803 909).