Privacy Policy

This Privacy Policy explains how Mindwell Ltd (“Mindwell,” “we,” “us,” or “our”) collects, holds, uses, and discloses personal information and health information. We are committed to protecting your privacy in accordance with the Privacy Act 2020 and the Health Information Privacy Code 2020.

1. Who We Are

Mindwell Ltd is a New Zealand registered company that operates an online platform connecting clients with independent, registered psychologists. Our registered office is in New Zealand. You can contact us at team@mindwell.co.nz.

For privacy matters, please contact our Privacy Officer at team@mindwell.co.nz with the subject line “Privacy Enquiry.”

2. What Information We Collect

We collect the following categories of personal and health information:

• Identity information: full name, date of birth, gender
• Contact information: email address, phone number, location (region)
• Health information: presenting concerns, psychological history, session notes, intake form responses, and any other health-related information you share with us or your psychologist
• AI-generated transcripts and notes: where AI transcription is used during a session, a transcript of the session and any AI-assisted clinical notes derived from it form part of your clinical record and are stored accordingly
• Emergency contact and medical details: your nominated emergency contact (name, relationship, and phone number) and your GP or other healthcare provider’s details, collected as part of your intake form
• Payment information: payment card details (processed and stored by Stripe; we do not store full card numbers)
• Technical information: IP address, browser type, and usage data collected via our website
• Communications: emails, messages, or other correspondence you send to us

3. How We Collect Information

We collect information:

• Directly from you when you book a session, complete our intake form, or contact us
• From your psychologist in the course of providing services through our platform
• Automatically through our website (e.g. cookies and analytics tools)
• From our third-party service providers (Carepatron, Stripe) in the course of delivering services

4. How We Use Your Information

We use your personal and health information to:

• Facilitate and manage your psychology sessions
• Process payments securely
• Send appointment confirmations, reminders, and administrative communications
• Maintain clinical records as required by law and professional standards
• Comply with our legal and regulatory obligations
• Improve our platform and services (using de-identified data only)
• Respond to your enquiries

We will not use your health information for marketing purposes without your explicit consent.

5. Third-Party Service Providers

We share information with the following third parties solely for the purpose of delivering our services:

• Carepatron: our practice management platform, which stores appointment records, session notes, and intake forms. Carepatron is subject to its own privacy policy and security standards.
• Stripe: our payment processor. Card data is handled directly by Stripe and is subject to PCI-DSS compliance standards. We do not store full payment card details.

We do not sell, rent, or trade your personal information to any third party for commercial purposes.

6. Disclosure of Information

We may disclose your information in the following limited circumstances:

• To the psychologist facilitating your sessions, for clinical purposes
• Where required by law, court order, or regulatory authority
• To the extent necessary to prevent serious and imminent risk to life (your own or another person’s), consistent with the Health Information Privacy Code
• Where you disclose detailed and specific information about prior serious offences you have committed for which you have not been charged, and where disclosure is required or permitted by law
• Where disclosure to another healthcare provider is reasonably expected in the circumstances and is directly related to the purpose for which your information was collected, for example providing a treatment summary to a referring GP or other treating clinician
• With your explicit written consent

Your health information will not be disclosed to any other party without your consent, except where legally required or where there is a serious safety concern.

7. Storage and Security

Your information is stored securely using industry-standard encryption. Health records are retained for a minimum of 10 years from the date of last service, in accordance with New Zealand health records obligations. We take all reasonable steps to protect your information from unauthorised access, use, or disclosure.

Our service providers (Carepatron, Stripe) maintain their own security certifications. By using our services, you acknowledge that data transmission over the internet carries inherent risks, and we cannot guarantee absolute security.

8. Cybersecurity and Data Breach Notification

Security measures we take: Mindwell takes reasonable and appropriate technical and organisational steps to protect your personal and health information, including:

• Encryption of data in transit (TLS/HTTPS) and at rest
• Access controls limiting who within Mindwell can access client information
• Reliance on Carepatron and Stripe, both of which maintain independent security certifications appropriate to health and payment data
• Regular review of our security practices

Video session security: Sessions are primarily conducted via Carepatron’s secure video platform, which runs in your browser with no download required. Your first session will always be via Carepatron. On occasion, an alternative platform such as Zoom or Google Meet may be used for subsequent sessions, and you will be advised in advance. While we take reasonable steps to ensure session security, we cannot guarantee that video transmissions are entirely free from interception. You are responsible for ensuring you conduct sessions in a private environment using a secure network connection.

Your responsibilities: You are responsible for keeping any account credentials, booking confirmation emails, and video links confidential. You must not share your session link with any unauthorised person. Mindwell is not liable for any unauthorised access resulting from your failure to keep your credentials or links secure.

Data breach notification: In the event of a privacy breach that is likely to cause serious harm to you, Mindwell will notify you and the Office of the Privacy Commissioner as required under Part 7 of the Privacy Act 2020. We will take prompt steps to contain the breach and mitigate harm. Notification will be made as soon as practicable after we become aware of the breach.

Limitation of liability for third-party breaches: Mindwell is not liable for any breach of security, data loss, or unauthorised access resulting from the acts or omissions of third-party service providers (including Carepatron and Stripe), provided we have taken reasonable steps to select reputable providers and comply with our own obligations.

Reporting a security concern: If you believe your account or information may have been compromised, please contact our Privacy Officer immediately at team@mindwell.co.nz with the subject line “Security Concern.”

9. Use of Artificial Intelligence

Mindwell and the psychologists operating through our platform use AI-powered tools to support the administration and delivery of services. We are committed to transparency about how AI is used and to ensuring your information is handled appropriately in this context.

AI tools used within our platform include:

• Session transcription: Carepatron’s AI transcription tool may be used to transcribe your session to assist your psychologist with note-taking. Transcripts are stored as part of your clinical record.
• Clinical reasoning support: Carepatron includes an AI assistant that your psychologist may use to help think through clinical concepts, treatment approaches, or documentation. This tool supports your psychologist’s thinking and does not make clinical decisions. All clinical decisions, treatment planning, and therapeutic advice are made solely by your treating psychologist.
• Other AI tools: psychologists and Mindwell staff may use third-party AI tools (such as AI writing assistants) for administrative purposes, including drafting correspondence and internal documentation. Where any AI tool is used in connection with client work, psychologists are required by Mindwell’s internal policies to use only de-identified information, meaning information that does not contain your name, date of birth, contact details, or any other information that could directly identify you.

Important principle: no AI tool used by Mindwell or its psychologists makes clinical decisions. AI tools are used to assist and support human professionals. Responsibility for all clinical and professional decisions remains with your treating psychologist.

Session transcription (default use and opt-out): AI transcription is used by default. Your psychologist initiates transcription at the start of each session. If you do not wish your session to be transcribed by AI, please inform your psychologist before the session begins and they will not activate the transcription tool. Opting out means your psychologist will take manual notes instead.

Third-party AI processing: where AI tools are provided by third parties (including Carepatron), your information may be processed by those third parties in accordance with their own privacy policies. Mindwell takes reasonable steps to ensure third-party AI providers maintain appropriate data security and privacy standards.

By booking and attending a session without notifying your psychologist of an objection to AI transcription, you consent to the use of AI transcription and AI clinical support tools as described above.

10. Clinical Supervision

As required by the New Zealand Psychologists Board and the Code of Ethics for Psychologists, psychologists providing services through Mindwell engage in regular clinical supervision. Supervision is a professional and ethical requirement designed to support the quality and safety of care provided to you.

Your psychologist may discuss de-identified case material in supervision in order to better understand how to support you. No identifying information about you will be disclosed in supervision. Your name, contact details, or any other information that could directly identify you will not be shared. For more information about supervision, please speak with your psychologist.

11. Your Rights

Under the Privacy Act 2020 and the Health Information Privacy Code 2020, you have the right to:

• Access the personal and health information we hold about you
• Request correction of inaccurate or incomplete information
• Complain about a breach of your privacy rights

To exercise these rights, contact our Privacy Officer at team@mindwell.co.nz. We will respond within 20 working days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner at www.privacy.org.nz or phone 0800 803 909.

12. Cookies

Our website uses cookies to improve your experience. You may disable cookies in your browser settings; however, this may affect the functionality of our website.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The current version will always be published on our website with the date of last update. Continued use of our services following any update constitutes acceptance of the revised policy.

14. Contact Us

For any privacy-related questions or concerns, please contact:
Privacy Officer, Mindwell Ltd
team@mindwell.co.nz