Privacy Policy – Top Notch Bodyworks

At Top Notch Bodyworks, we are committed to protecting your privacy and handling your personal and health information with care, transparency, and respect — in full compliance with New Zealand privacy law.

Last Updated: 28 April 2026
Effective: 1 May 2026
Privacy Act 2020 & HIPC 2020

1. Who We Are

About our clinic and privacy obligations

Top Notch Bodyworks is a multi-modality health clinic providing osteopathy, massage therapy, acupuncture, and related services. We are located in West Auckland, New Zealand, and are an ACC and Southern Cross Treatment Provider.

As a health provider, we are bound by the Privacy Act 2020 and the Health Information Privacy Code 2020 (HIPC), which govern how we collect, use, store, disclose, and provide access to personal and health information. Our Privacy Officer is responsible for overseeing compliance with these obligations (see Section 13).

2. Information We Collect

Types of information held about you

We may collect the following types of information:

Personal Details

  • Name, date of birth, gender, contact details (phone, email, address)
  • Emergency contact information

Health Information

  • Medical history, current conditions, medications, and treatment notes
  • ACC claim numbers and claim-related documentation
  • Referral letters and correspondence from other health practitioners
  • Appointment history and clinical progress records

Administrative Details

  • Payment information and insurance claim records (ACC, Southern Cross, NIB)
  • Appointment booking history

Website & Online Data

  • Cookies, IP addresses, browser/device information
  • Online booking data and form submissions
  • Analytics and advertising data (Google Analytics, Facebook Pixel)

3. How We Collect Information

Direct collection — when you provide information to us

We collect information directly from you in the following ways:

  • Patient intake forms completed before or at your appointment
  • During consultations and treatment sessions (verbal and written notes)
  • By email, phone call, or text message
  • Through our online booking platform
  • Through our website contact forms and newsletter sign-up

Where we collect information directly from you, we will tell you why we are collecting it and how we intend to use it at the time of collection, unless it is obvious from context.

4. Indirect Collection of Your Information

New obligation under IPP 3A — Privacy Amendment Act 2025 (applies from 1 May 2026)

The Privacy Amendment Act 2025 introduced Information Privacy Principle 3A, which requires us to notify you when we collect personal information about you from a third party (indirectly). This section explains when and how we do this.

Sometimes we receive information about you from a third party rather than directly from you. When this occurs, we are required to notify you as soon as reasonably practicable. This includes:

Situations Where Indirect Collection May Occur

  • ACC: We may receive claim details, cover decisions, or patient records directly from ACC as part of managing your injury claim and treatment.
  • Referring health professionals: A GP, specialist, physiotherapist, or other practitioner may send us referral letters, clinical notes, or background health information before or during your care.
  • Insurance providers: Southern Cross, NIB, or other insurers may provide information relating to your cover or treatment authorisation.
  • Employers: In workplace injury or rehabilitation cases, your employer may provide relevant information as part of a return-to-work programme.
  • Family members or support persons: In some cases (e.g. for minors or in emergency situations), a family member or support person may provide personal information on your behalf.

What We Will Tell You

When we collect information about you indirectly, we will notify you (as soon as reasonably practicable) of the following:

  • That we have collected information about you and from whom
  • The purpose for which the information was collected
  • Who else may receive that information
  • Your right to access and request correction of that information

In most cases this notification will occur at or before your first appointment. If information is received during an existing treatment relationship, we will notify you at your next contact.

Exceptions

Notification may not be required where it would be inconsistent with the purpose for which the information was collected, where providing it would prejudice the interests of the individual, or where another exception under the Privacy Act 2020 applies. We will always act in accordance with your best interests and the law.

5. Why We Collect Information

The purposes for which your information is used

We collect and use your information only for the purposes for which it was collected, or for closely related purposes, including:

  • To provide safe, effective, and appropriate treatment and care
  • To manage your bookings, payments, and ACC or insurance claims
  • To communicate with you about your appointments and ongoing care
  • To share relevant information with other members of your treating team for continuity of care
  • To meet our legal and professional obligations as registered health practitioners
  • To improve our services through feedback, audit, and analytics
  • With your explicit consent, to send you marketing updates, health tips, or newsletters

6. How We Use and Share Information

Who may receive your information and why

Within Our Clinical Team

Your information may be accessed by practitioners within our clinic (osteopaths, massage therapists, acupuncturists) for the purpose of providing or coordinating your care. All staff are bound by professional and contractual obligations of confidentiality.

Third Parties

We may share your information with the following third parties where required or authorised:

  • ACC — for treatment claim lodgement, management, invoicing, and audit
  • Insurance providers (Southern Cross, NIB) — for treatment authorisation and claim processing
  • Referring or receiving health practitioners — with your consent or where required for continuity of care
  • Trusted technology providers — booking systems, secure email platforms, and AI clinical tools (see Section 7), all bound by data processing agreements

We do not sell your personal or health information to any third party.

7. Use of AI Tools — Heidi Health

How AI-assisted note-taking works in our practice

To support accuracy and efficiency in patient note-taking, we may use a trusted AI scribe tool called Heidi Health. Here is how it works and how your privacy is protected:

  • De-identified processing: Only de-identified text is used for AI transcription. Identifiable details are replaced with pseudonyms during processing.
  • Data location: Heidi securely stores and processes information in Australia. While this is outside New Zealand, Heidi applies strong privacy and security safeguards consistent with Australian and New Zealand standards.
  • Clinician review: All notes generated by Heidi are reviewed, edited, and approved by your practitioner before becoming part of your official health record.
  • Access and audit: Heidi staff may only access information for troubleshooting purposes and only with your consent. All access is logged.
  • Deletion: Data used by Heidi is deleted after transcription and finalisation. No long-term backups are retained by the AI system.

You may request that AI-assisted note-taking not be used during your appointment. Please let us know at the start of your consultation.

8. Storage and Security

How we protect your information

  • Electronic records are kept in secure, password-protected systems with role-based staff access controls.
  • Any physical files are scanned to your patient profile and then securely disposed of.
  • We use encryption and secure connections to protect online data and communications.
  • Access to health records is restricted to authorised clinical and administrative staff only.
  • We regularly review our security practices to ensure they remain appropriate.

9. How Long We Keep Information

Retention periods under NZ law

  • Health records: At least 10 years after your last treatment, as required under the Health Information Privacy Code 2020.
  • Financial and administrative records: As required under New Zealand tax and financial legislation (generally 7 years).
  • Marketing consents: Until you withdraw your consent. You may unsubscribe at any time.

When information is no longer required to be retained, it will be securely deleted or destroyed.

10. Your Rights

What you can ask us to do with your information

Under the Privacy Act 2020 and the Health Information Privacy Code 2020, you have the right to:

  • Access your personal or health information held by us
  • Request correction of any information you believe is inaccurate or incomplete
  • Withdraw consent for non-essential uses such as marketing communications at any time
  • Request transfer of your health information to another health provider (see below)
  • Be notified if we collect personal information about you from a third party (IPP 3A — see Section 4)
  • Complain to us, or to the Office of the Privacy Commissioner if you are not satisfied with how we have handled your information

Sharing Your Records With Another Practitioner

You may formally request, by giving written consent, that we share your health information with another health professional:

  • Regulated health practitioners (registered with a professional body): we can send records directly to them based on your written consent.
  • Unregulated practitioners (e.g., some massage therapists): your records will be sent directly to you to pass on to that provider, in line with HIPC requirements.

11. Cookies and Website Analytics

How we use tracking technologies on our website

We use cookies and website analytics tools to understand how visitors use our website and to improve our online services. These include:

  • Google Analytics: Collects anonymised data about website traffic, pages visited, and device information.
  • Facebook Pixel: Supports advertising effectiveness measurement on Meta platforms.
  • Session and functional cookies: Enable our online booking system and website features to work correctly.

You can disable cookies through your browser settings at any time. Note that disabling some cookies may affect the functionality of our online booking system.

We do not use cookies to collect personally identifiable information without your knowledge.

12. Privacy Breaches

What happens if your information is compromised

In the event of a privacy breach that is likely to cause serious harm, we will:

  • Notify the Office of the Privacy Commissioner as soon as reasonably practicable
  • Notify affected individuals directly where required by law or where it is in their interests to do so
  • Take immediate steps to contain and remediate the breach
  • Review our practices to prevent recurrence

We maintain a privacy breach register and assess all potential breaches in accordance with our obligations under the Privacy Act 2020.

13. Contact Our Privacy Officer

How to reach us with privacy questions or complaints

Our appointed Privacy Officer is responsible for handling privacy requests, questions, and complaints. If you have any concerns about how your information has been handled, please contact us first — we aim to resolve all concerns promptly and fairly.

Top Notch Bodyworks — Privacy Officer

4/402 Don Buck Road, Massey, Auckland 0614

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner at privacy.org.nz or by calling 0800 803 909.

14. Updates to This Policy

How we keep this policy current

We review and update this Privacy Policy regularly to reflect changes in law, our practices, or the services we provide. The most current version is always available on our website at topnotchbodyworks.co.nz/privacy-policy.

This version was last updated 28 April 2026 and is effective from 1 May 2026, incorporating the requirements of the Privacy Amendment Act 2025 (IPP 3A).

Previous version: 25 August 2025.

Top Notch Bodyworks Ltd © 2026. This policy is governed by the Privacy Act 2020 (NZ) and the Health Information Privacy Code 2020.