Privacy Policy

Last updated: 18/03/2026

1. Introduction 

We comply with the Privacy Act 2020, the Health Information Privacy Code 2020, and any other applicable privacy and health information regulations. This Policy applies to all personal and health information we collect, hold, use, and disclose in connection with our services. It explains what information we collect, how we use it, with whom we may share it, how long we keep it, and the rights you have in relation to your information.  

2. Information we collect 

We collect: 

  • identity, contact, and insurance and billing details;

  • health information such as your medical history, test results, prescriptions and discharge letters (including through TestSafe, Health New Zealand), and investigations including blood results and imaging, as well as other information on your lifestyle, home environment, wellbeing, and social support;

  • information you enter or generate in the platform (e.g., wellbeing/progress tracking, bookings, notes, uploaded documents, and preferences);

  • referral information you provide about another person (e.g., their name and contact details);

  • technical data about your use of the platform, such as log files, device identifiers, IP addresses, browser type, and usage statistics; and

  • any communications you have with us (including support requests, feedback, or complaints).

We will collect information directly from you, unless impractical, in which case we may collect it from another source (such as a family member or other health professional) provided that you have authorised this, or where required/permitted by law, or where you are unable to give authority and your representative authorises it.

Where we collect information about you from another source (for example, from a family member or representative, a health professional, a referral partner, or a publicly available source), we will take reasonable steps to ensure you are aware of the following: (a) the fact the information has been collected; (b) the purpose; (c) intended recipients; (d) our name and contact details; (e) the specific law (if authorised/required by law); and (f) your access and correction rights.

We may not provide a notice where a regulatory exception applies (for example, where notification is not reasonably practicable, where the information is publicly available, where notification would prejudice certain purposes such as the prevention, detection, investigation, and prosecution of offences, or where you have already been made aware of the relevant matters). If we rely on an exception, we will keep a brief record of why.

3. Purpose of collection 

We collect information with your consent and because it is necessary to: 

  • prepare an assessment and a care plan following your assessment;

  • support you to carry out your plan;

  • support your discussions with your GP and other health care providers;

  • administer promotions;

  • comply with our legal obligations;

  • conduct service improvement, quality assurance, and de-identified research or statistical analysis; and

  • contribute de-identified and aggregated information to research and analysis projects that aim to research health trends, design better support for older people, improve the health system, or develop new health products and services, including projects conducted by government agencies or private organisations.

Providing information is voluntary, but without it we may not be able to provide services. Where information is mandatory under law, we will tell you which law requires it and the consequences of not providing it.

4. Use of information 

Your information may be used to: 

  • generate draft assessments and care plans for review and approval by a Qualified Medical Practitioner;

  • communicate with you about your use of the platform including those assessments and care plans;

  • provide platform features (including progress tracking, bookings, and sharing settings you control);

  • support your interactions with your GP and care team;

  • facilitate access to non-clinical support services (e.g. legal and financial);

  • seek approval and submit and manage claims with your insurer (where you request this); and

  • monitor, maintain, and improve the platform and our services, using de-identified and aggregated information wherever reasonably practicable.

We may use approved AI-enabled technologies in connection with patient care to assist with tasks such as transcription of discussions, preparation of draft transcripts, and preparation of draft documents.

These tools are used to support documentation and care delivery workflows. They do not replace human clinical judgement. Brightly clinicians remain responsible for reviewing, interpreting, and approving any clinically relevant output before it is included in a final report, entered into the medical record, or used to support care decisions.

Where required by applicable professional or legal standards, we will seek your informed consent before using AI in connection with your care, including where an AI tool is used or where AI plays a significant role in diagnosis, treatment, or delivery of care. If you decline, we will explain how this may affect the way we provide the service, including timing, workflow, or availability of certain service features. 

We do not use fully automated decision-making processes to diagnose or treat health conditions without human clinical oversight.

We may also use your contact details and information about how you interact with our platform, newsletter, and educational content to send you updates, health insights, and community news that you have opted to receive, and personalise your experience by providing educational content and ageing support tailored to the interests or health markers identified in your profile. You can opt out of marketing communications at any time by using the 'unsubscribe' link in our emails or updating your account settings.

We take reasonable steps to ensure that the information we use is accurate, up to date, complete, relevant, and not misleading.

We will not use your personal or health information for purposes unrelated to those described in this policy unless we have your consent or are permitted by law. Before any new use that is materially different, we will notify you and, if required, seek your consent.

De-identified and aggregated information may also be shared with government agencies, research institutions, or commercial partners to support health system improvement, service design, and innovation. This information will not be published or shared in a form that could reasonably be expected to identify you.

5. Disclosure of information 

We may disclose your information: 

  • to members of the Brightly care team involved in your care, including Qualified Medical Practitioners, nurses, physiotherapists, occupational therapists, pharmacists, dietitians, psychologists, and health coaches, on a need-to-know basis and subject to professional and contractual confidentiality obligations;

  • to your GP or other care providers, or your nominated family members or other supporters, with your consent;

  • to laboratory and diagnostics providers for tests you arrange or results you receive;

  • to Brightly network partners (such as specialist clinics, optometrists, audiologists, podiatrists, dentists, pharmacists, and legal or financial advisers) where a referral is made on your behalf. We will seek your consent before making a referral. Once a referral is made, the partner receives only the information necessary to provide the referred service and will handle your information in accordance with their own privacy obligations and applicable law. We are not responsible for the privacy practices of network partners after a referral has been made;

  • to service and technology providers under confidentiality, privacy and security arrangements;

  • to payment providers (for processing payments);

  • to ACC, insurers, or funders, where you ask us to assist and you consent (to consider whether the service is eligible for cover under policies; authorise, process and settle claims; and evaluate the provision and quality of our services);

  • where required by law or to prevent serious threat to health; and

  • where otherwise permitted under the Health Information Privacy Code, such as for quality assurance, accreditation, or risk management.

Some Qualified Medical Practitioners are overseas (including in the UK). They are registered in New Zealand, hold Annual Practising Certificates, and are legally bound by New Zealand law. They may access your health information to review and approve draft assessments and care plans, and undertake activities reasonably incidental to doing so. By using our service, you consent to this disclosure. We take our obligations under New Zealand law seriously and ensure that any overseas-based practitioner is contractually and professionally bound to protect your information to the same standard as if they were in New Zealand.

Where an approved AI scribe is used during a discussion, information from the discussion and related health information may be processed by that provider for the purpose of generating a transcript and draft documentation for clinician review,  

6. Security and retention 

We take the protection of your personal and health information seriously. In line with the Privacy Act 2020, the Health Information Privacy Code 2020, and recognised industry standards, we apply a range of administrative, technical, and physical safeguards to keep your information safe.

All personal and health information is encrypted both in transit and at rest. Access is restricted by role-based access controls and the principle of least privilege. Multi-factor authentication is required for administrative and staff access. All access and changes are logged in immutable audit trails and are subject to periodic review. Our systems are monitored for unusual or unauthorised activity, supported by intrusion detection and incident response procedures. All staff receive regular privacy, security, and data handling training. Any third-party service provider engaged by us must comply with equivalent security and privacy standards, including contractual obligations under the Privacy Act 2020.

Data is backed up regularly, stored securely, and encrypted. Redundant systems and disaster recovery processes are in place and tested periodically to ensure continuity of services.

Health information is retained for at least 10 years from the date of your last interaction with us, in accordance with New Zealand law. Other personal information is only retained for as long as necessary for the purpose it was collected, or as required by law. As a guide: support requests and communications are normally retained for up to 2 years; technical logs and analytics are normally anonymised or deleted after 12 months; complaints correspondence may be retained for up to 7 years. At the end of these retention periods, information is securely destroyed or permanently anonymised, unless further retention is required by law or for legitimate business purposes (e.g., ongoing dispute resolution).

While we take all reasonable steps to safeguard your information, no system can be guaranteed to be completely secure. If a notifiable privacy breach occurs that poses a risk of serious harm, we will notify both you and the Office of the Privacy Commissioner as soon as practicable, and provide details of the breach, actions taken to contain it, and steps you can take to protect yourself.

7. Your rights 

You may see and request correction of your information by contacting us at privacy@agebrightly.co.nz. We will respond to access or correction requests within 20 working days or inform you if we need more time. If we do not agree to correct, we will attach your statement to the record.

You may withdraw or limit your consent to our collection, use, or disclosure of your information at any time, subject to legal or contractual restrictions. This will not affect information already used with your consent, but it may affect our ability to continue providing services. You may refuse or withdraw consent to a proposed AI use in your care where consent is required. This may affect how we deliver the relevant service, and we will explain the practical effect at the time.

If you are unable to make decisions, your authorised representative may exercise your rights on your behalf, including access, correction, or withdrawal of consent.

If we identify a privacy breach involving your personal or health information with a risk of serious harm, we will notify both you and the Office of the Privacy Commissioner in accordance with New Zealand law.

8. Complaints 

If you have a concern, please first contact us at privacy@agebrightly.co.nz.

We will acknowledge your complaint within 5 working days, keep you informed of progress, and provide a decision or update within 10 working days. If more time is needed, we will explain why and when you can expect a final response. If you are not satisfied, you may complain to the Privacy Commissioner (www.privacy.org.nz) or the Health and Disability Commissioner (www.hdc.org.nz).

9. Changes to this Policy 

We may update this policy from time to time. If we make material changes that affect how we collect, use, or disclose your health information, we will notify you directly (for example by email or through the platform) and, where required by law, seek your consent. The latest version will always be available on the platform.