BOOK APPOINTMENT
BOOK APPOINTMENT

Privacy Policy

Effective date: 21 April 2026

Meridian Osteopathy Ltd ("we", "us", "our") is committed to protecting the privacy of our patients, applicants, and website visitors. This policy explains what personal information we collect, why we collect it, how we use and protect it, and the rights you have over it.

This policy is written to comply with the New Zealand Privacy Act 2020 and, where health information is involved, the Health Information Privacy Code 2020.

1. Who we are

Meridian Osteopathy Ltd operates an osteopathy, acupuncture, and herbal medicine clinic at 21 Coppell Place, Hillmorton, Christchurch 8025. We are an ACC-registered provider.

2. Information we collect

Through the referral form

When you submit a referral (for yourself or someone else), we collect the patient's name, date of birth, contact details, reason for referral, and any relevant clinical or health information you choose to share. If you are referring on behalf of another person, we also collect your name and contact details as the referrer.

Through the careers form

When you apply for a role with us, we collect your name, contact details, CV, and cover letter (if provided).

During your appointment

As part of delivering clinical care, we collect health information including your medical history, presenting condition, examination findings, treatment records, and progress notes. This is governed by the Health Information Privacy Code 2020.

Technical information

Our website host (Netlify) records basic request logs — IP address, user agent, and requested URL — for security, abuse prevention, and service reliability. We plan to add Google Analytics shortly to help us understand how visitors use the site; when we do, we will update this policy and disclose what is collected.

3. How we use your information

  • To provide clinical care and follow-up treatment
  • To contact you about your appointments or referral
  • To process ACC claims on your behalf, where applicable
  • To evaluate your job application and contact you about it
  • To improve our services and the security of our website
  • To meet our legal and regulatory obligations as registered health practitioners

4. Who we share your information with

We do not sell or rent your personal information. Within Meridian Osteopathy, access to your information is restricted to the internal clinical team for the purposes described above.

We use the following service providers ("processors") who may handle your information on our behalf, under contractual and technical safeguards:

  • Supabase (Sydney, Australia) — stores referral submissions, career applications, and clinical records
  • Netlify (United States) — website hosting, content delivery, and form function execution
  • Resend (United States) — sends us email notifications when a form is submitted
  • Cloudflare Turnstile — bot protection on our forms; does not store form content

We may also share your health information with ACC where you have an active ACC claim with us, and with other parties only where you have given consent or where the law permits or requires disclosure (for example, in response to a lawful request, or to protect someone's safety).

5. Cross-border data transfer

Your health information is stored in Sydney, Australia (via our Supabase project). Australia has a comparable privacy framework to New Zealand under the Australian Privacy Act 1988, and Supabase is contractually bound to protect your information to standards consistent with the NZ Privacy Act 2020 and HIPC 2020. By submitting a referral, you acknowledge this transfer.

6. How we protect your information

  • All connections to our website and forms use HTTPS/TLS encryption
  • Your information is stored with access controls that restrict it to authorised staff and service accounts only
  • Uploaded CVs and cover letters are kept in a private storage bucket; access requires short-lived signed URLs and is restricted to our internal team
  • We apply reasonable technical and organisational measures to prevent unauthorised access, alteration, disclosure, or loss

7. How long we keep your information

  • Clinical health records — retained for a minimum of 10 years after the date of our last contact with you, as required by the Health (Retention of Health Information) Regulations 1996
  • Referral submissions that do not proceed to a booking — retained for 6 months and then deleted
  • Unsuccessful careers applications — retained for 12 months and then deleted
  • Website request logs — retained by our host for a short period (typically 30 days) for security and reliability purposes

8. Your rights

Under the Privacy Act 2020 and HIPC 2020, you have the right to:

  • Ask what personal or health information we hold about you
  • Request a copy of that information
  • Ask us to correct information that is inaccurate, incomplete, or out of date
  • Withdraw consent for future uses (this does not affect uses that have already occurred)

To exercise any of these rights, contact our Privacy Officer using the details in section 12 below. We will respond within 20 working days, as required by law. There is no charge for most requests.

9. Children's privacy

We provide osteopathic care to infants and children. Where a patient is under 16, consent for care and for the handling of their health information is generally given by a parent or legal guardian. Children aged 16 and over are presumed capable of making decisions about their own health information unless there are specific concerns.

10. Cookies and analytics

Our public website does not currently set tracking cookies. Our forms use Cloudflare Turnstile, which sets short-lived technical cookies solely to distinguish real visitors from automated bots.

We plan to add Google Analytics to our website. Once enabled, it will set cookies to measure visits, page views, and referring sites — but not to identify individual visitors. This policy will be updated to reflect the exact data collected and any opt-out options at that time.

11. Changes to this policy

We may update this policy from time to time — for example, when we change service providers, add new technologies, or respond to changes in law. The effective date at the top of this page indicates when the most recent version took effect. Material changes will be flagged prominently on the site for a reasonable period.

12. Contact us

Our Privacy Officer is Na (Nina) Hu. You can contact her for any privacy question, access request, correction request, or complaint:

13. Making a complaint

If you are not satisfied with how we have handled your privacy concern, you can escalate to the Office of the Privacy Commissioner — the independent regulator for privacy in New Zealand: