Privacy Policy
Effective date: 23 June 2026
Meridian Osteopathy Ltd ("we", "us", "our") is committed to protecting the privacy of our patients, applicants, and website visitors. This policy explains what personal information we collect, why we collect it, how we use and protect it, and the rights you have over it.
This policy is written to comply with the New Zealand Privacy Act 2020 and, where health information is involved, the Health Information Privacy Code 2020.
1. Who we are
Meridian Osteopathy Ltd operates an osteopathy, acupuncture, and herbal medicine clinic at 21 Coppell Place, Hillmorton, Christchurch 8025. We are an ACC-registered provider.
2. Information we collect
Through the referral form
When you submit a referral (for yourself or someone else), we collect the patient's name, date of birth, contact details, reason for referral, and any relevant clinical or health information you choose to share. If you are referring on behalf of another person, we also collect your name and contact details as the referrer. Where a referral is made about someone by another person, see section 3 below for how we let that patient know.
Through the careers form
When you apply for a role with us, we collect your name, contact details, CV, and cover letter (if provided).
During your appointment
As part of delivering clinical care, we collect health information including your medical history, presenting condition, examination findings, treatment records, and progress notes. This is governed by the Health Information Privacy Code 2020.
Technical information
Our website host (Netlify) records basic request logs — IP address, user agent, and requested URL — for security, abuse prevention, and service reliability. We also use Google Analytics 4 to understand how visitors use the site; see section 11 below for detail and opt-out options.
3. Information we receive from others, and how we tell you
Sometimes we receive information about you from someone other than you. This is known as indirect collection. Common examples in our clinic are:
- a referral or clinical report from your doctor or another health provider
- claim, cover, or injury information from ACC
- notes shared with us where another provider is co-managing your care
- information given to us by a family member or caregiver
- information passed to us through a third-party booking or referral system
Under the Privacy Act 2020 (Information Privacy Principle 3A), when we collect your health information indirectly like this, we take reasonable steps to make sure you are aware of it. When that happens, we will tell you:
- What we have received — the fact that we hold information about you, and that it came from someone else;
- Why we collected it — to arrange and provide your care;
- Who else may see it — our internal clinical team, and ACC where you have an active claim with us (see section 5);
- Who we are — our clinic's name, address, and contact details, so you can reach us (see section 13);
- Any legal basis — where the law authorises the collection. For ACC-related information, this may be authorised under the Accident Compensation Act 2001;
- Your rights — that you can ask to see the information or have it corrected, and how to do that (see section 9).
How and when we tell you. We will usually let you know by email soon after we receive the information, or in person at the start of your first appointment. If someone refers you to us using the referral form on this website, we will email you automatically to let you know we have received it. We only need to tell you once — we will not repeat the same notice at every visit.
In limited cases the law does not require us to notify you — for example, where you have already been told by the person who referred you, or where notifying you is not reasonably practicable. We rely on these exceptions narrowly and record our reason for doing so.
4. How we use your information
- To provide clinical care and follow-up treatment
- To contact you about your appointments or referral
- To process ACC claims on your behalf, where applicable
- To evaluate your job application and contact you about it
- To improve our services and the security of our website
- To meet our legal and regulatory obligations as registered health practitioners
5. Who we share your information with
We do not sell or rent your personal information. Within Meridian Osteopathy, access to your information is restricted to the internal clinical team for the purposes described above.
We use the following service providers ("processors") who may handle your information on our behalf, under contractual and technical safeguards:
- Supabase (Sydney, Australia) — stores referral submissions, career applications, and clinical records
- Netlify (United States) — website hosting, content delivery, and form function execution
- Resend (United States) — sends email notifications when a form is submitted, including the notice we send you when you are referred to us
- Cloudflare Turnstile — bot protection on our forms; does not store form content
We may also share your health information with ACC where you have an active ACC claim with us, as part of managing that claim under the Accident Compensation Act 2001, and with other parties only where you have given consent or where the law permits or requires disclosure (for example, in response to a lawful request, or to protect someone's safety).
6. Cross-border data transfer
Your health information is stored in Sydney, Australia (via our Supabase project). Australia has a comparable privacy framework to New Zealand under the Australian Privacy Act 1988, and Supabase is contractually bound to protect your information to standards consistent with the NZ Privacy Act 2020 and HIPC 2020. By submitting a referral, you acknowledge this transfer.
7. How we protect your information
- All connections to our website and forms use HTTPS/TLS encryption
- Your information is stored with access controls that restrict it to authorised staff and service accounts only
- Uploaded CVs and cover letters are kept in a private storage bucket; access requires short-lived signed URLs and is restricted to our internal team
- We apply reasonable technical and organisational measures to prevent unauthorised access, alteration, disclosure, or loss
8. How long we keep your information
- Clinical health records — retained for a minimum of 10 years after the date of our last contact with you, as required by the Health (Retention of Health Information) Regulations 1996
- Referral submissions that do not proceed to a booking — retained for 6 months and then deleted
- Unsuccessful careers applications — retained for 12 months and then deleted
- Website request logs — retained by our host for a short period (typically 30 days) for security and reliability purposes
9. Your rights
Under the Privacy Act 2020 and HIPC 2020, you have the right to:
- Ask what personal or health information we hold about you
- Request a copy of that information
- Ask us to correct information that is inaccurate, incomplete, or out of date
- Withdraw consent for future uses (this does not affect uses that have already occurred)
To exercise any of these rights, contact our Privacy Officer using the details in section 13 below. We will respond within 20 working days, as required by law. There is no charge for most requests.
10. Children's privacy
We provide osteopathic care to infants and children. Where a patient is under 16, consent for care and for the handling of their health information is generally given by a parent or legal guardian. Children aged 16 and over are presumed capable of making decisions about their own health information unless there are specific concerns.
11. Cookies and analytics
Our forms use Cloudflare Turnstile, which sets short-lived technical cookies solely to distinguish real visitors from automated bots.
We also use Google Analytics 4 to understand how visitors use the site — which pages are viewed, how people arrive at the site, and which browsers and devices they use. Google Analytics sets cookies to recognise returning visitors across a session and aggregates the information into statistical reports. It does not collect your name, email address, or any information that directly identifies you, and IP addresses are anonymised by Google before storage. We use this information only to improve the website.
If you would prefer to opt out of Google Analytics, you can install Google's official opt-out browser add-on, or use a private/incognito browsing window, or block analytics cookies using your browser's settings or an extension such as uBlock Origin.
We do not use advertising, remarketing, or cross-site tracking cookies.
12. Changes to this policy
We may update this policy from time to time — for example, when we change service providers, add new technologies, or respond to changes in law. The effective date at the top of this page indicates when the most recent version took effect. Material changes will be flagged prominently on the site for a reasonable period.
The June 2026 update added section 3, explaining the information we receive about you from third parties and how we let you know — reflecting the Information Privacy Principle 3A amendments to the Privacy Act 2020, which took effect on 1 May 2026.
13. Contact us
Our Privacy Officer is Na (Nina) Hu. You can contact her for any privacy question, access request, correction request, or complaint:
- Email: info@meridianosteopathy.co.nz
- Phone: 02108655151
- Post: Privacy Officer, Meridian Osteopathy Ltd, 21 Coppell Place, Hillmorton, Christchurch 8025
14. Making a complaint
If you are not satisfied with how we have handled your privacy concern, you can escalate to the Office of the Privacy Commissioner — the independent regulator for privacy in New Zealand:
- Website: privacy.org.nz
- Phone: 0800 803 909