Kāhu.ai Limited, a registered New Zealand company, and its subsidiaries and affiliates in New Zealand and Australia (collectively referred to as Kāhu) are committed to managing personal information in accordance with the New Zealand Privacy Act 1993 and the Australian Privacy Act 1988 (including the Australian Privacy Principles contained within that Act) (Privacy Acts), as well as other Australian State and Territory laws that regulate health information, such as the Health Records Act 2001 (Victoria), Health Records Information Privacy Act 2002 (New South Wales) and Health Records (Privacy and Access) Act 1997 (ACT) (Health Record Laws), to the extent that they are applicable.
This policy does not limit or exclude any of your rights under the Privacy Acts and Health Record Laws. If you wish to seek further information on the Privacy Acts, see www.privacy.org.nz and www.oaic.gov.au (as applicable).
Other terms may also apply to you and the information we hold about you. For example, sometimes we also provide a privacy collection statement at the time we collect personal information from you, such as when you use our online products. This privacy collection statement may include additional terms. If you are employed with us, you may have specific privacy terms in your employment contract with us.
What information does Kāhu collect about you?
Customers and prospective customers
When you enquire about our services or when you become a patient of Kāhu or otherwise use our services, a record is made which includes your personal information.
The type of personal information that we collect will vary depending on the circumstances of collection and the kind of service that you request from us, but will typically include:
We collect personal information when recruiting personnel, such as your name, contact details, qualifications, and work and study history. Before offering you a position, we may collect additional details such as your tax file number and superannuation information and other information necessary to conduct background checks to determine your suitability for certain positions (for example, positions which involve working with children).
We collect personal information when we do business with you, such as if you are a doctor who is referring a patient to Kāhu. The personal information that we generally collect may include:
How does Kāhu collect your personal information?
Kāhu generally does not collect personal information directly from you. We may however collect information from you when you subscribe to receive emails from us, complete an online survey or quiz, or participate in our market research. We may collect and update your personal information over the phone, by email, over the internet or social media, or in person.
In particular, when you attend an appointment at a clinic that is using a Kāhu product (e.g. Skin Assist), the clinic may use a dermoscopic imaging camera to take clinical images of your body to capture the condition of your skin at that point in time. These images form part of your health information which is collected by us.
We may also collect personal information about you from other sources, for example:
Personal information collected in relation to other data services we provide
We also provide certain data storage and processing services to other providers in the industry. For example, Kāhu may license its services to third party organisations such as General Practitioners, Skin clinics and Pharmacies. These third parties collect patient information and images using our systems and services.
For what purposes does Kāhu collect, hold, use and disclose your personal information?
The purposes for which Kāhu usually collects, holds, uses and discloses personal information depends on the nature of your interaction with us. This may include:
Kāhu may disclose information to third parties to:
From time to time, we may also share de-identified information with partner organisations, such as universities, and research organisations for training, research and statistical analysis.
What happens if your personal information is not provided to Kāhu?
You can always decline to give Kāhu any personal information we request, but that may mean we cannot provide you with some or all of the services you have requested. If you have any concerns about the personal information we have requested, please let us know using the contact information provided at the end of this policy.
Can you deal with Kāhu anonymously?
Kāhu will provide individuals with the opportunity of remaining anonymous or using a pseudonym in their dealings with us where it is lawful and practicable (for example, when making a general enquiry). Generally, it is not practicable for Kāhu to deal with individuals anonymously or pseudonymously on an ongoing basis. If we do not collect personal information about you, you may be unable to utilise our services.
How does Kāhu Hold Information?
Kāhu takes reasonable steps to protect your personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.
We store all personal and clinical information electronically in secure databases (including with trusted third-party storage providers) based in New Zealand and Australia.
Kāhu maintains physical security over electronic data stores, such as through locks and security systems at our premises. We also maintain computer and network security; for example, we use firewalls (security measures for the Internet) and other security systems such as user identifiers and passwords to control access to our computer systems.
Our websites use encryption or other technologies to ensure the secure transmission of information via the internet. Users of our websites are encouraged to exercise care in sending personal information via the internet.
We take steps to destroy or de-identify information that we no longer require.
How does Kāhu interact with you via the Internet?
Cookies, Beacons and Similar Technologies
Cookies are small files that store information on your computer, mobile phone or other device. They enable the entity that put the cookie on your device to recognise you across different websites, services, devices, and/or browsing sessions. Cookies serve many useful purposes. For example:
When you use a web browser to access the Services, you can configure your browser to accept all cookies, reject all cookies, or notify you when a cookie is sent. Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences. The operating system of your device may contain additional controls for cookies.
However, in doing so, you may be unable to access certain pages or content on our website or services. For more information about interest-based ads, or to opt out of having your web browsing information used for behavioral advertising purposes, please visit www.aboutads.info/choices.
Other Local Storage
We, along with certain third parties, may use other kinds of local storage technologies, such as Local Shared Objects (also referred to as “Flash cookies”) and HTML5 local storage, in connection with our websites and services. These technologies are similar to cookies, in that they are stored on your device and can be used to store certain information about your activities and preferences. However, these technologies may make use of different parts of your device from standard cookies, and so you might not be able to configure them using standard browser tools and settings. For more information about disabling or deleting information contained in Flash cookies, please visit https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html
We, along with certain third parties, may also use technologies called beacons (or “pixels”) that communicate information from your device to a server. Beacons can be embedded in online content, videos, and emails, and can allow a server to read certain types of information from your device, know when you have viewed particular content or a particular email message, determine the time and date on which you viewed the beacon, and the IP address of your device. We and certain third parties use beacons for a variety of purposes, including to analyse the use of our website and other services and (in conjunction with cookies) to provide content and ads that are more relevant to you.
Third party links
Does Kāhu use or disclose your personal information for direct marketing?
Kāhu may use or disclose your personal information for the purpose of informing you about our services, upcoming promotions and events, or other opportunities that may interest you. We may send promo codes to you via SMS or email. If you do not want to receive direct marketing communications, you can opt-out at any time by contacting us using the contact details below. If you opt-out of receiving marketing material from us, Kāhu may still contact you in relation to its ongoing relationship with you.
Does Kāhu disclose your personal information overseas?
Kāhu is a global organisation, and entities which are related entities of Kāhu, or who we provide services to or are otherwise affiliated with Kāhu, have operations in New Zealand and Australia.
Unless we have your consent, or an exception under the Privacy Acts or Health Record Laws applies, we will only disclose your personal information to overseas recipients where we have taken reasonable steps to ensure that the overseas recipient does not breach the Privacy Acts and Health Record Laws in relation to your personal information.
How can you access or seek correction of your personal information?
You are entitled to access your personal information held by Kāhu on request. To request access to your personal information please contact our Privacy Officer in writing using the contact details set out below.
You will not be charged for making a request to access your personal information, but you may be charged for the reasonable time and expense incurred in compiling information in response to your request.
We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete and up-to-date. You can help us to do this by letting us know if you notice errors or discrepancies in information we hold about you and letting us know if your personal details change.
However, if you consider any personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading you are entitled to request correction of the information. After receiving a request from you, we will take reasonable steps to correct your information.
When you contact us to request access to and correction of your personal information, we may need to verify your identity. When you submit your request, please include your full name, date of birth and contact details, and set out the details of your request (such as the personal information you would like to access or the correction you would like to make).
We will take reasonable steps to notify you of a decision on the request within 30 days. We may decline your request to access or correct your personal information in certain circumstances in accordance with the Privacy Acts and Health Record Laws. If we do refuse your request, we will provide you with a reason for our decision and, in the case of a request for correction, we will include a statement with your personal information about the requested correction.
What should you do if you have a complaint about the handling of your personal information?
You may make a complaint about privacy to the Privacy Officer at the contact details set out below.
The Privacy Officer will first consider your complaint to determine whether there are simple or immediate steps which can be taken to resolve the complaint. We will generally respond to your complaint within a week.
If your complaint requires more detailed consideration or investigation, we will acknowledge receipt of your complaint within a week and endeavour to complete our investigation into your complaint promptly. We may ask you to provide further information about your complaint and the outcome you are seeking. We will then typically gather relevant facts, locate and review relevant documents and speak with individuals involved.
In most cases, we will investigate and respond to a complaint within 30 days of receipt of the complaint. If the matter is more complex or our investigation may take longer, we will let you know.
If you are not satisfied with our response to your complaint, or you consider that Kāhu may have breached the Privacy Acts or Health Record Laws, a complaint may be made to the New Zealand Privacy Commissioner (by telephone on 0800 803 909 or by email at firstname.lastname@example.org) or Office of the Australian Information Commissioner (by telephone on 1300 363 992, by email at email@example.com or by mail at GPO Box 5218, Sydney NSW 2001).
How can you contact Kāhu about matters related to this policy?
If you have any questions or concerns related to your privacy, you can email our privacy officer on firstname.lastname@example.org