Privacy Policy

Kāhu Privacy Policy

Kāhu.ai Limited, a registered New Zealand company and their respective subsidiaries and affiliates in New Zealand and Australia (collectively referred to as Kāhu) are committed to managing personal information in accordance with the New Zealand Privacy Act 1993 and the Australian Privacy Act 1988 (including the Australian Privacy Principles contained within that Act) (Privacy Acts), as well as other Australian State and Territory laws that regulate health information, such as the Health Records Act 2001 (Victoria), Health Records Information Privacy Act 2002 (New South Wales) and Health Records (Privacy and Access) Act 1997 (ACT) (Health Record Laws), to the extent that they are applicable.
This document sets out our policies for managing your personal information and is referred to as our Privacy Policy.

In this Privacy Policy, "we" and "us" refers to Kāhu and "you" refers to any individual about whom we collect personal information.
This policy does not limit or exclude any of your rights under the Privacy Acts and Health Record Laws. If you wish to seek further information on the Privacy Acts, see www.privacy.org.nz and www.oaic.gov.au (as applicable).

Other terms may also apply to you and the information we hold about you. For example, sometimes we also provide a privacy collection statement at the time we collect personal information from you, such as when you use our online products. This privacy collection statement may include additional terms. If you are employed with us, you may have specific privacy terms in your employment contract with us.

What information does Kāhu collect about you?

Customers and prospective customers
When you enquire about our services or when you become a patient of Kāhu or otherwise use our services, a record is made which includes your personal information.

The type of personal information that we collect will vary depending on the circumstances of collection and the kind of service that you request from us, but will typically include:

• your relevant health care or insurance agency related identifiers, such as your Medicare number, NHI number, etc. to support payment or referral processes if this applies to your care
• sensitive information (including details about your health and clinical history, images of your skin and lesions, histology results of lesions you may have excised)

Prospective employees/applicants
We collect personal information when recruiting personnel, such as your name, contact details, qualifications, and work and study history.Before offering you a position, we may collect additional details such as your tax file number and superannuation information and other information necessary to conduct background checks to determine your suitability for certain positions (for example, positions which involve working with children).

Business contacts
We collect personal information when we do business with you, such as if you are a doctor who is referring a patient to Kāhu. The personal information that we generally collect may include:

• full name
• title and position
• contact details (including your business address, phone number and email address)

How does Kāhu collect your personal Information?

Kāhu generally does not collect personal information directly from you. We may however collect information from you when you subscribe to receiving emails from us, complete an online survey or quiz, or participate in our markert research. We may collect and update your personal information over the phone, by email, over the internet or social media, or in person.

In particular, when you attend an appointment at a clinic that is using a Kāhu product (e.g. Skin Assist), the clinic may use a dermoscopic imaging camera to take clinical images of your body to capture the condition of your skin at that point in time. These images form part of your health information which is collected by us.

We may also collect personal information about you from other sources, for example:

• authorised persons or persons who act on your behalf

Personal information collected in relation to other data services we provide
We also provide certain data storage and processing services to other providers in the industry. For example, Kāhu may license its services to third party organisations such as General Practitioners, Skin clinics and Pharmacies. These third parties collect patient information and images using our systems and services.

Where we provide such services to a third party, we collect personal information about you indirectly via the third party (and not directly from you). Any personal information we collect via a third party is handled by Kāhu in accordance with this Privacy Policy. However, you should always check the privacy policy of the organization you provided your personal information to (and we are not responsible for the ways in which these third parties handle your personal information).

For what purposes does Kāhu collect, hold, use and disclose your personal information?

The purposes for which Kāhu usually collects, holds, uses and discloses personal information depends on the nature of your interaction with us. This may include:

• verifying your identity
• providing services and products to you
• fulfilling administrative, management and operational functions associated with our services and products (such as administering billing and payments, quality improvement activities)
• researching, developing and innovating our products and services
• recruitment processes (including for volunteers, internships and work experience)
• responding to subpoenas and other legal orders and obligations
• protecting or enforcing our legal rights and interests (including defending any claim)
• responding to enquiries and complaints

Kāhu may disclose information to third parties to:

• fulfil your request to make a disclosure to a person authorised by you
• provide our services, including contractors and service providers used for data processing, data analysis, customer satisfaction surveys, information technology services and support, website and IT system maintenance/development, printing, archiving, mail-outs, and market research
• comply with any legal requirements (such as where regulatory authority or law enforcement agency requires us to disclose your personal information)

From time to time, we may also share de-identified information with partner organisations, such as universities, and research organisations for training, research and statistical analysis.
We may also collect, hold, use and disclose your personal information for other purposes explained at the time of collection or otherwise as set out in this Privacy Policy.
‍
What happens if your personal information is not provided to Kāhu?

You can always decline to give Kāhu any personal information we request, but that may mean we cannot provide you with some or all of the services you have requested. If you have any concerns about the personal information we have requested, please let us know using the contact information provided at the end of this policy.

Can you deal with Kāhu anonymously?
Kāhu will provide individuals with the opportunity of remaining anonymous or using a pseudonym in their dealings with us where it is lawful and practicable (for example, when making a general enquiry). Generally, it is not practicable for Kāhu to deal with individuals anonymously or pseudonymously on an ongoing basis. If we do not collect personal information about you, you may be unable to utilise our services.

How does Kāhu Hold Information?
Kāhu takes reasonable steps to protect your personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.

We store information in electronic record keeping methods in secure databases (including trusted third-party storage providers) based in New Zealand and Australia for all personal and clinical information.

Kāhu maintains physical security over electronic data stores, such as through locks and security systems at our premises. We also maintain computer and network security; for example, we use firewalls (security measures for the Internet) and other security systems such as user identifiers and passwords to control access to our computer systems.

Our websites use encryption or other technologies to ensure the secure transmission of information via the internet. Users of our websites are encouraged to exercise care in sending personal information via the internet.
We take steps to destroy or de-identify information that we no longer require.

How does Kāhu interact with you via the Internet?

Cookies, Beacons and Similar Technologies
We, as well as certain third parties that provide content, advertising, or other functionality on our websites and services, may use cookies, beacons, and other technologies.

Cookies
Cookies are small files that store information on your computer, mobile phone or other device. They enable the entity that put the cookie on your device to recognise you across different websites, services, devices, and/or browsing sessions. Cookies serve many useful purposes. For example:

• Cookies can remember your sign-in credentials so you don’t have to enter those credentials each time you log on to a service (such as by logging into your My Kāhu account).
• Cookies help us and third parties understand which parts of our websites and services are the most popular because they help us to see which pages and features users are accessing and how much time they are spending on the pages. By studying this kind of information, we are better able to adapt the services and provide you with a better experience.
• Cookies help us and third parties understand which ads you have seen so that you don’t receive the same ad each time you access a website or service.
• Cookies help us and third parties provide you with relevant content and advertising by collecting information about your use of our services and other websites and apps.

When you use a web browser to access the Services, you can configure your browser to accept all cookies, reject all cookies, or notify you when a cookie is sent. Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences. The operating system of your device may contain additional controls for cookies.

However, in doing so, you may be unable to access certain pages or content on our website or services. For more information about interest-based ads, or to opt out of having your web browsing information used for behavioral advertising purposes, please visit www.aboutads.info/choices.

Other Local Storage
We, along with certain third parties, may use other kinds of local storage technologies, such as Local Shared Objects (also referred to as “Flash cookies”) and HTML5 local storage, in connection with our websites and services. These technologies are similar to cookies, in that they are stored on your device and can be used to store certain information about your activities and preferences. However, these technologies may make use of different parts of your device from standard cookies, and so you might not be able to configure them using standard browser tools and settings. For more information about disabling or deleting information contained in Flash cookies, please visit https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html

Beacons
We, along with certain third parties, may also use technologies called beacons (or “pixels”) that communicate information from your device to a server. Beacons can be embedded in online content, videos, and emails, and can allow a server to read certain types of information from your device, know when you have viewed particular content or a particular email message, determine the time and date on which you viewed the beacon, and the IP address of your device. We and certain third parties use beacons for a variety of purposes, including to analyse the use of our website and other services and (in conjunction with cookies) to provide content and ads that are more relevant to you.
‍
Third party links
In some instances, our websites may contain links to third-party websites that are outside our control. The owner of that site or service will have its own privacy policy and statements relating to your personal information. We suggest you exercise caution and review that site’s privacy policy and statements before you provide personal information to any such third-party website. Kāhu is not responsible for the content or privacy practices of websites that are linked from our website.

Does Kāhu use or disclose your personal information for direct marketing?
Kāhu may use or disclose your personal information for the purpose of informing you about our services, upcoming promotions and events, or other opportunities that may interest you. We may send promo codes to you via SMS or email. If you do not want to receive direct marketing communications, you can opt-out at any time by contacting us using the contact details below.If you opt-out of receiving marketing material from us, Kāhu may still contact you in relation to its ongoing relationship with you.

Does Kāhu disclose your personal information overseas?
Kāhu is a global organisation, and entities which are related entities of Kāhu, or who we provide services to or are otherwise affiliated with Kāhu, have operations in New Zealand and Australia.

Unless we have your consent, or an exception under the Privacy Acts or Health Record Laws applies, we will only disclose your personal information to overseas recipients where we have taken reasonable steps to ensure that the overseas recipient does not breach the Privacy Acts and Health Record Laws in relation to your personal information.
‍
How can you access or seek correction of your personal information?
You are entitled to access your personal information held by Kāhu on request. To request access to your personal information please contact our Privacy Officer in writing using the contact details set out below.

You will not be charged for making a request to access your personal information, but you may be charged for the reasonable time and expense incurred in compiling information in response to your request.

We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete and up-to-date. You can help us to do this by letting us know if you notice errors or discrepancies in information we hold about you and letting us know if your personal details change.

However, if you consider any personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading you are entitled to request correction of the information. After receiving a request from you, we will take reasonable steps to correct your information.
When you contact us to request access to and correction of your personal information, we may need to verify your identity. When you submit your request, please include your full name, date of birth and contact details, and set out the details of your request (such as the personal information you would like to access or the correction you would like to make).

We will take reasonable steps to notify you of a decision on the request within 30 days. We may decline your request to access or correct your personal information in certain circumstances in accordance with the Privacy Acts and Health Record Laws. If we do refuse your request, we will provide you with a reason for our decision and, in the case of a request for correction, we will include a statement with your personal information about the requested correction.
‍
What should you do if you have a compliant about the handling of your personal information?

You may contact Kāhu at any time if you have any questions or concerns about this Privacy Policy or about the way in which your personal information has been handled.

You may make a complaint about privacy to the Privacy Officer at the contact details set out below.

The Privacy Officer will first consider your complaint to determine whether there are simple or immediate steps which can be taken to resolve the complaint. We will generally respond to your complaint within a week.

If your complaint requires more detailed consideration or investigation, we will acknowledge receipt of your complaint within a week and endeavour to complete our investigation into your complaint promptly. We may ask you to provide further information about your complaint and the outcome you are seeking. We will then typically gather relevant facts, locate and review relevant documents and speak with individuals involved.

In most cases, we will investigate and respond to a complaint within 30 days of receipt of the complaint. If the matter is more complex or our investigation may take longer, and we will let you know.

If you are not satisfied with our response to your complaint, or you consider that Kāhu may have breached the Privacy Acts or Health Record Laws, a complaint may be made to the New Zealand Privacy Commissioner (by telephone on 0800 803 909 or by email at enquiries@privacy.org.nz) or Office of the Australian Information Commissioner (by telephone on 1300 363 992, by email at enquiries@oaic.gov.au or by mail at GPO Box 5218, Sydney NSW 2001).

How are changes made to this Privacy Policy?
Kāhu may amend this Privacy Policy from time to time. The most up-to-date version of our Privacy Policy can be found on our website at https://www.kahu.ai

How can you contact Kāhu about matters related to this policy?
If you have any questions or concerns related to your privacy, you can email our privacy officer on contact@kahu.ai

‍
‍