Brightly Privacy Policy

Last updated: 08/12/2025

1. Introduction 

We comply with the Privacy Act 2020, the Health Information Privacy Code 2020, and any other applicable privacy and health information regulations. This Policy applies to all personal and health information we collect, hold, use, and disclose in connection with our services. It explains what information we collect, how we use it, with whom we may share it, how long we keep it, and the rights you have in relation to your information. 

2. Information we collect 

We collect: 

  • identity and contact details;
  • health information such as your medical history, test results, prescriptions and discharge letters (including through TestSafe, Health New Zealand), and investigations including blood results and imaging, as well as other information on your lifestyle, home environment, wellbeing, and social support;
  • technical data about your use of the platform, such as log files, device identifiers, IP addresses, browser type, and usage statistics; and
  • any communications you have with us (including support requests, feedback, or complaints). 

We will collect information directly from you, unless impractical, in which case we may collect it from another source (such as a family member or other health professional) provided that you have authorised this, or where required/permitted by law, or where you are unable to give authority and your representative authorises it. 

Where we collect information about you from another source (for example, from a family member or representative, a health professional, a referral partner, or a publicly available source), we will take reasonable steps to notify you as soon as practicable (and before we use or disclose the information where reasonable). Our notice will explain who we are, what we collected, why we collected it, who we may share it with, whether providing information is voluntary or required, and how you may access and correct your information. 

We may not provide a notice where a regulatory exception applies (for example, where notification is not reasonably practicable, where the information is publicly available, where notification would prejudice certain purposes such as the prevention, detection, investigation, and prosecution of offences, or where you have already been made aware of the matters above). If we rely on an exception, we will keep a brief record of why. 

3. Purpose of collection 

We collect information with your consent and because it is necessary to: 

  • prepare an assessment and a care plan following your assessment;
  • support you to carry out your plan;
  • support your discussions with your GP and other health care providers;
  • comply with our legal obligations;
  • conduct service improvement, quality assurance, and de-identified research or statistical analysis; and
  • contribute de-identified and aggregated information to research and analysis projects that aim to research health trends, design better support for older people, improve the health system, or develop new health products and services, including projects conducted by government agencies or private organisations. 

Providing information is voluntary, but without it we may not be able to provide services. Where information is mandatory under law, we will tell you which law requires it and the consequences of not providing it. 

4. Use of information 

Your information may be used to: 

  • generate draft assessments and care plans for review and approval by a Qualified Medical Practitioner;
  • communicate with you about your use of the platform including those assessments and care plans;
  • support your interactions with your GP and care team; and
  • monitor, maintain, and improve the platform and our services, using de-identified and aggregated information wherever reasonably practicable. 

Draft assessments and care plans may be generated with the assistance of automated tools. This material is subject to human review and approval by a Qualified Medical Practitioner.  

We take reasonable steps to ensure that the information we use is accurate, up to date, complete, relevant, and not misleading. 

We will not use your personal or health information for purposes unrelated to those described in this policy unless we have your consent or are permitted by law. Before any new use that is materially different, we will notify you and, if required, seek your consent.  

De-identified and aggregated information may also be shared with government agencies, research institutions, or commercial partners to support health system improvement, service design, and innovation. This information will not be published or shared in a form that could reasonably be expected to identify you. 

5. Disclosure of information 

We may disclose your information: 

  • to our team of Qualified Medical Practitioners;
  • to your GP or other care providers, or your family members, with your consent;
  • to service providers under confidentiality agreements;
  • where required by law or to prevent serious threat to health; and
  • where otherwise permitted under the Health Information Privacy Code, such as for quality assurance, accreditation, or risk management. 

Some Qualified Medical Practitioners are overseas (including in the UK). They are registered in New Zealand, hold Annual Practising Certificates, and are legally bound by New Zealand law. They may access your health information to review and approve draft assessments and care plans, and undertake activities reasonably incidental to doing so. By using our service, you consent to this disclosure. We take our obligations under New Zealand law seriously and ensure that any overseas-based practitioner is contractually and professionally bound to protect your information to the same standard as if they were in New Zealand. 

6. Security and retention 

We take the protection of your personal and health information seriously. In line with the Privacy Act 2020, the Health Information Privacy Code 2020, and recognised industry standards, we apply a range of administrative, technical, and physical safeguards to keep your information safe. 

All personal and health information is encrypted both in transit and at rest. Access is restricted by role-based access controls and the principle of least privilege. Multi-factor authentication is required for administrative and staff access. All access and changes are logged in immutable audit trails and are subject to periodic review. Our systems are monitored for unusual or unauthorised activity, supported by intrusion detection and incident response procedures. All staff receive regular privacy, security, and data handling training. Any third-party service provider engaged by us must comply with equivalent security and privacy standards, including contractual obligations under the Privacy Act 2020. 

Data is backed up regularly, stored securely, and encrypted. Redundant systems and disaster recovery processes are in place and tested periodically to ensure continuity of services. 

Health information is retained for at least 10 years from the date of your last interaction with us, in accordance with New Zealand law. Other personal information is only retained for as long as necessary for the purpose it was collected, or as required by law. As a guide: support requests and communications are normally retained for up to 2 years; technical logs and analytics are normally anonymised or deleted after 12 months; complaints correspondence may be retained for up to 7 years. At the end of these retention periods, information is securely destroyed or permanently anonymised, unless further retention is required by law or for legitimate business purposes (e.g., ongoing dispute resolution).

While we take all reasonable steps to safeguard your information, no system can be guaranteed to be completely secure. If a notifiable privacy breach occurs that poses a risk of serious harm, we will notify both you and the Office of the Privacy Commissioner as soon as practicable, and provide details of the breach, actions taken to contain it, and steps you can take to protect yourself. 

7. Your rights 

You may see and request correction of your information, by contacting us at privacy@agebrightly.co.nz. We will respond to access or correction requests within 20 working days or inform you if we need more time. If we do not agree to correct, we will attach your statement to the record. 

You may withdraw or limit your consent to our collection, use, or disclosure of your information at any time, subject to legal or contractual restrictions. This will not affect information already used with your consent, but it may affect our ability to continue providing services. 

If you are unable to make decisions, your authorised representative may exercise your rights on your behalf, including access, correction, or withdrawal of consent. 

If we identify a privacy breach involving your personal or health information with a risk of serious harm, we will notify both you and the Office of the Privacy Commissioner in accordance with New Zealand law. 

8. Complaints 

If you have a concern, please first contact us at privacy@agebrightly.co.nz.

We will acknowledge your complaint within 5 working days, keep you informed of progress, and provide a decision or update within 10 working days. If more time is needed, we will explain why and when you can expect a final response. If you are not satisfied, you may complain to the Privacy Commissioner (www.privacy.org.nz) or the Health and Disability Commissioner (www.hdc.org.nz). 

9. Changes to this Policy 

We may update this policy from time to time. If we make material changes that affect how we collect, use, or disclose your health information, we will notify you directly (for example by email or through the platform) and, where required by law, seek your consent. The latest version will always be available on the platform.