Privacy Policy

This policy sets out how we collect, use, disclose and protect personal information for our Users and Providers.

As a principle, Clearhead will never sell personal, identifiable information. Clearhead does collate personal information into aggregated, anonymised and de-identified data analytics at an employer, insurance provider, or community level. Aggregated and anonymised data analytics are used for the purposes of a third party better understanding and taking actions to address mental health and wellbeing trends using non-identifiable information. Personal information from Users and Providers will never be identifiable in these circumstances. The details of this are transparently outlined in this Policy.

Clearhead also endeavours to collect personal information from Users and Providers directly rather than via third parties. However, there are instances where information is obtained from third parties. We transparently outline these instances in this Policy.

Last Updated: 10th October 2024.

We collect personal information from you, including information about your;

• Name
• Contact information
• Employer and/or insurance provider (where applicable)
• Employee ID and/or insurance policy ID (where applicable)
• Department, Division, Site (where applicable)
• Location
• Computer or network
• Interactions with us
• Billing or purchase information

We collect your personal information in order to;

• Provide a personalised wellbeing service to you.
• Understand how you interact with our services to inform our ongoing quality improvement.
• Provide aggregated, anonymised and de-identified data analytics to Employer, Insurance Providers, or other third parties (see the remainder of this policy for transparent information about this).

Besides our staff, we share information;

• About Users with Providers, and about Providers with Users, in order to action booking requests. This is only with User consent.
• Aggregated, anonymized and de-identified data about our Users with Employer clients, and other third parties, for the purposes of understanding, responding and marketing wellbeing trends and other insights.
• About Users with Insurance Provider clients to allow the Insurance Provider to process the claim. This is only with User consent.
• About Users and Providers with third parties that host or maintain any underlying IT system (see sub-processors), data centre, or communications system that we use to provide our products and services. Any information shared with these parties will remain confidential unless required by law.

Providing some information is optional;

• If, while using our platform, a User chooses not to enter optional personal information, to enter details about her/his/their particular wellbeing challenge/interest, or to enable sharing of passive mobile phone data, we will be unable to provide the full personalised experience to that User.
• If, while entering a booking request, a User chooses not to enter information required to confirm her/his/their eligibility for funded therapy sessions, such as insurance policy number or employee ID number, Clearhead will be unable to book these sessions.
• Users and Providers can opt out of email notifications and mobile phone push notifications.
• Users and Providers can disable Cookies, however this may make some functions on the Clearhead Platform unavailable to that User or Provider.

Maintaining the trust and privacy of our Users and Providers is extremely important to us. We keep your information safe by storing it in encrypted files and only allow essential staff access to it .

We keep your information for ten years in accordance with New Zealand Health Information Privacy Code 2020 guidelines, or seven years in accordance with Australian state or territory privacy laws, whichever is applicable, at which point we destroy it by securely digitally erasing all digital files.

You have the right to ask for a copy of any personal information we hold about you, and to ask for it to be corrected if you think it is wrong. If you would like to ask for a copy of your information, or to have it corrected, please contact us at [email protected] or +64 9 801 1532.

To register a compliment or complaint, including about how your personal information has been handled, please contact us at [email protected] or +64 9 801 1532. We will acknowledge your compliment or complaint within 14 calendar days and confirm any actions we are taking in response to your compliment or complaint within 20 working days.

We collect personal information from:

• Users
  • When Users provide personal information directly to us, including via the website, mobile application and any related service, through any registration or subscription process, through any contact with us (e.g. telephone call or email), and/or when using our services.
  • Users may also choose to use a personal authentication, such as a Google, Apple, Microsoft, or Facebook account, to create and log into the Clearhead Platform. This saves the User from remembering another username and password and allows the User to share some information from this account with Clearhead. The information provided to us includes the User’s unique identifier for their account, their email address, name, date of birth, and profile picture. Clearhead does not share or sell information back to these authentication accounts. However, the personal authentication, such as Google, Apple, Microsoft, or Facebook, will record that Users logged into the Clearhead platform against their personal authentication account.
  • Users may also be able to use a workplace authentication, such as their employer Microsoft 365 or Active Directory account, to create and log into the Clearhead Platform. This has the same advantages as a personal authentication. However, users should be aware that when using a workplace authentication provider, their employer may be able to see the date and time they logged into Clearhead via the authentication provider. Clearhead never directly provides this information to workplaces.
  • Users may also choose to share passive data with us from their mobile phones, such as about her/his/their physical activity or sleep, so that we can provide a more personalised experience, such as wellbeing prompts. Users can opt out of this offering if they prefer.
  • Employers, Insurance Companies, or other third parties who fund therapy sessions for Users, can provide personal information about Users to us in order to confirm eligibility to receive funded Clearhead services. This includes name, email address, and unique identification such as an employee ID number. Clearhead never sells or shares this information to a third party.
  • Providers can provide personal information about Users to Clearhead so that we can confirm a service can or has been provided. Clearhead never sells or shares this information to a third party.
    
• Providers
  • When Providers give personal information directly to us, including via the website, mobile application and any related service, through any registration or subscription process, through any contact with us (e.g. telephone call or email), and/or when using our services.
  • Providers may also choose to use a personal authentication, such as a Google, Apple, Microsoft, or Facebook account, to create and log into the Clearhead Platform. This saves the Provider from remembering another username and password and allows the Provider to share some information from this account with Clearhead. The information provided to us includes the Provider’s unique identifier for their account, their email address, name, date of birth, and profile picture. Clearhead does not share or sell information back to these authentication accounts. However, the personal authentication, such as Google, Apple, Microsoft, or Facebook, will record that Providers logged into the Clearhead platform against their personal authentication account.
  • Providers may also be able to connect their digital calendar, such as Google Calendar or iCal, to our system. The information provided to us includes the Provider’s name, their email address, and details about the events on that Provider’s calendar. For each of these events, the time and title will be stored on our system and used to display accurate, real-time availability information for the online booking system. Clearhead never sells or shares this information to a third party.
  • Providers may authorise Clearhead access to third-party information or information that is publicly available, for example, to verify her/his/their registration with a professional body.

We use User and Provider personal information to:

• Verify identity.
• Verify eligibility for certain services including but not limited to funded therapy.
• Match and support bookings between, Users and Providers. This includes checking and publishing up-to-date Provider availability.
• Recommend and provide access to mental health and wellbeing resources including self-management tools.
• Communicate email messages and push notifications.
• Send service-related emails or messages, such as account verification, service changes or updates, technical and security notices.
• Inform improvements to the features, functionality, quality and design of the products and services we provide to Users and Providers.
• Communicate via email messages and push notifications, including sending service-related emails or messages, such as account verification, service changes or updates, technical and security notices.
• Collect technical information to a) better understand the way people use our Clearhead Platform, b) to improve the way it works and c) to personalise it to be more relevant and useful to particular needs of Users and Providers. This may include, for instance, information about the way Users arrive at, browse through and interact with our Clearhead Platform. We may collect this type of technical information through the use of Cookies. Cookies are alphanumeric identifiers that we transfer to the computer hard drive of Users and Providers so that our systems can recognise Users and Providers. If a User or Provider want to opt out by disabling Cookies, she/he/they may do so by changing the settings on her/his/their browser. However, this may make some functions on the Clearhead Platform unavailable to that User or Provider.
• Respond to communications from Users and Providers, including compliments and complaints.
• Conduct research and statistical analysis but only with aggregated, anonymised and de-identified data.
• Provide aggregated, anonymised and de-identified data to our employer clients, insurance provider clients , or other third-party partner organisations.
• Process payments that Users and Providers have given Clearhead permission to process, including for bookings.
• Protect and/or enforce our legal rights and interests, including defending any claim.
• For any other purpose authorised by Users and Providers.

We do not disclose personal information to any third parties except in the following circumstances:

• Third parties may receive personal information for the purpose of providing or improving the Clearhead Platform. This includes business that support our products and services, including any third party that hosts or maintains any underlying IT system, data centre, or communications system that we use to provide our products and services. Any information shared with these parties will remain confidential unless required by law. Please see our Sub-processors section for the full list.
• In relation to the proposed purchase or acquisition of our business or assets.
• A person who can require us to supply Users and Providers personal information by applicable law or any court, or in response to a legitimate request by a law enforcement agency.
• those circumstances outlined under the sub-section headed; "Who does Clearhead collect personal information from?"

Maintaining the trust and privacy of our Users and Providers is extremely important to us. Below are reasonable steps we have taken to keep Users and Providers personal information safe from misuse, interference, loss, unauthorised access, unauthorised modification, unauthorised disclosure, or other misuse:

• We store all data in encrypted files using 256-bit Advanced Encryption Standard (AES-256) at Rest.
• As data travels over the Internet, Transport Layer Security (HTTPS) is used for all communications.
• We only allow essential Clearhead staff access to data.
• All Clearhead staff complete privacy and information security training.
• We do not sell any identifiable data to third parties.
• We complete regular security audits.
• We comply with the HISO 10029:2015 Standard and are striving to follow industry best standards including ISO-27001, SOC 2.
• We are a New Zealand company and we follow and abide the New Zealand Privacy Act 2020, Health Information Privacy Code 2020, and Official Information Act 1982.
• We also comply with the Australian Privacy Act 1988, Australian Freedom Of Information Act 1982, NSW Government Privacy and Personal Information Protection Act 1998 No 133, NSW Government Health Records and Information Privacy Act 2002 No 71.
• We keep your information for ten years in accordance with New Zealand Health Information Privacy Code 2020 guidelines, or seven years in accordance with the Australian state or territory privacy laws, whichever is applicable, at which point we destroy it by securely digitally erasing all digital files.

Users and Providers acknowledge, however, that no efforts can completely guarantee the security of the stored data, in that breaches of security are still a possibility both regarding our systems and that a data security breach resulting in unauthorised access to Users and Providers information can occur in third party system (for example, third party providers and hosting services providers). As a result, we do not warrant or ensure the integrity and security of the data stored in its systems, including without limitation the personal information of our Users and Providers. While we take reasonable steps to maintain secure internet connections, if a User or Provider shares personal information with us over the internet, the provision of that information is at that User or Provider’s own risk.

If a User or Provider follows a link on our website to another website, the owner of that site will have its own privacy policy relating to that User or Provider’s personal information. We suggest the User or Provider review that site’s privacy policy before sharing personal information.

Subject to certain grounds for refusal set out in legislation, Users and Providers have the right to ask for a copy of any personal information Clearhead holds about her/him/themselves, and to ask for it to be corrected if she/he/they think it is incorrect.

If you would like to ask for a copy of your information, or to have it corrected, please contact us at [email protected] or +64 9 801 1532.

Before a User or Providers exercises this right, we will need evidence to confirm that the person is the individual to whom the personal information relates.

In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that the User or Provider requested the correction.

We may charge a User or Provider our reasonable costs to provide copies of requested personal information or to correct requested information.

To register a compliment or complaint, including about how your personal information has been handled, please contact us at [email protected] or +64 9 801 1532.

We will acknowledge your compliment or complaint in writing within 14 calendar days.

We will confirm in writing any actions we are taking in response to your compliment or complaint within 20 working days.

This section provides information about third-party subprocessors ("Subprocessors") that we use to assist in delivering our services. We maintain contractual relationships with each Subprocessor that requires them to protect personal data in a manner consistent with our privacy obligations.

Infrastructure Subprocessors: We utilize the following Subprocessors to provide infrastructure and hosting services, which in turn host the data we process.

• Amazon Web Services (AWS): Cloud service provider.
• Cloudflare: Web performance and security services.
• Google Cloud: Cloud service provider.
• Microsoft Azure: Cloud Service Provider
• MongoDB Inc: Database service provider.
• Vercel: Development and hosting platform.
• Sanity: Content platform.

Processing and Auxiliary Services: The following Subprocessors provide various services that enhance our offerings and, in some cases, may process data.

• Cronofy: Calendar integration services.
• OpenAI: Artificial intelligence research organization.
• SendGrid: Email services.
• Brevo: Email services.
• Sentry: Error tracking software.
• Typeform: Online form builder.
• Xero Limited: Online accounting software.
• Atlassian: Collaboration and development tools.
• Linear: Project Management Software
• Notion: Collaboration and documentation tools.
• Retool: Development platform.
• Microsoft 365: Email (Outlook), Messaging (Teams), and Document Management Services (OneDrive, SharePoint)
• Google Workspace: Reporting, Document and Collaboration Software

Marketing & Customer Engagement: Platforms that assist with marketing, sales, and customer service operations.

• Active Campaign: Marketing and automation platform.
• Amplitude: Analytics platform.
• Google Analytics: Analytics platform.
• Circle: Community Platform
• Hubspot: Marketing, sales, and service software. (Marketing Pages Only)
• ZoomInfo: Marketing & Sales (Marketing Pages Only)
• LinkedIn: Marketing & Sales (Marketing Pages Only)
• Facebook: Marketing & Sales (Marketing Pages Only)

We take privacy seriously and review our Subprocessors periodically to ensure they meet our data protection standards. We will update this list as our subprocessor relationships evolve.