Note: This is the New Zealand Privacy Policy. For Australian residents, please click here to view the Australian Privacy Policy.

Privacy Policy (New Zealand)

Cardihab Pty Ltd ("Cardihab", "we", "us", "our") takes privacy seriously. We work to ensure that we comply with the New Zealand Privacy Act 2020 ("Act") and the Health Information Code 2020 when dealing with your personal and health information. In this policy we set out how we use, collect, disclose and protect your personal and health information. This Privacy Policy does not limit your existing rights under the Act and relevant privacy and data protection laws.

We strongly encourage you to go through this Privacy Policy carefully. A thorough understanding will help you make an informed decision when giving us your personal and health information. This policy will apply to your use of Cardihab's website, apps and services. If there is any conflict between this Privacy Policy and the Terms of Service (including our End User License Agreements), then the Terms of Service prevail.

1. Purpose

1.1. We handle personal and/or health information in three main situations:

a) When you are not a patient or Health Care Provider ("HCP") and engage us in business, including visiting our website www.cardihab.com;

b) When you are a patient who chooses to use our mobile applications, visit our website or engage with us by other methods; and

c) When you are an HCP and use our portal or visit our website.

1.2. Our apps and portals (our "Services") help patients complete, and HCPs deliver, convenient, engaging, evidence-based cardiac rehabilitation programs.

2. Collection of Personal and Health Information

2.1. If you are a business contact or HCP we do not collect your health information and minimise the amount of personal information we collect about you. If you are a patient, we may collect personal and health information about you when you or your HCP(s) use our Services. We collect this information to help you and the HCP(s) access, use and deliver our Service.

2.2. If we collect your health information, we limit the amount of health information we collect about you to information required by us to deliver our Services.

2.3. If we collect your personal information we may collect your name, position, email address, phone number, postal and street address, and information about our interactions.

2.4. If we collect your health information we may collect your name, date of birth, gender, phone number, address, postal code, marital status, employment status, indigenous status, living status, email address, contact details for your care team (GP, cardiologist, etc), cardiac history, your principal diagnosis, current episode or procedure, current medications, past medical history, past surgical history, your prescribed medical program and the period or length of that program, health measures being monitored, health measures, symptoms, exercise completed, medication taken, your goals, medical notes about your progress through the delivery of the Service.

3. How we collect personal and health information

3.1. We may collect your personal information in the following ways:

a) When you give it directly to us, for example when you contact us via our website, send us an email, speak to our technical support staff, or subscribe to receive communications;

b) If you are a business contact, in the course of discharging any commercial arrangements between us and your organization;

c) If your employer or a third-party gives us your information in the course of discharging a commercial arrangement between us and their organization;

d) When you visit our website and our website analytics collects information about your visit; and/or

e) Indirectly in the course of normal business, for example, when a third party gives us information about a business contact, or we seek information about a business contact from a third party. We might do this if we are finding people to invite to an event or to offer a service.

3.2. We may collect your health information in the following ways:

a) Directly from you when you, as a patient, use our Apps and record your personal health information; and

b) When an HCP uses our portal to design and deliver our Services to you, and they provide us with your health information.

3.3. You may choose to not disclose either your personal or health information to us. However, this may mean we are restricted or prevented from providing our Services to you. Where possible, we will endeavour to collect your personal information directly from you.

4. How we use, retain and share personal and health information

4.1. We only share or use personal information to provide an agreed Service to you, including to:

4.1.1 verify your identity and undertake checks (if necessary);

4.1.2 provide the requested Services to you;

4.1.3 market our Services and products relating to these Services. We may also send you newsletters and up to date information on changes via text, email or other electronic means (you can opt out of this by contacting us at any time);

4.1.4 carry out training of our personnel in relation to the Services;

4.1.5 ensure we comply with laws and regulations in applicable jurisdictions;

4.1.6 keep open lines of communication with you, including in response to a complaint;

4.1.7 send you our bills and to collect any money owing to us. This includes authorising us to process credit card transactions;

4.1.8 ensure that you are adhering to our Terms of Services; and

4.1.9 any other use that is authorised by you or relevant privacy laws.

4.2. We only use your health information for the purposes of providing our Services.

4.3. By using our website, app or asking us to provide you with the Services, you consent to your personal and health information being collected, held and used in this way and for any other use you authorise. We will only use your personal information in the ways outlined in this Privacy Policy or if we have your express permission. If you have any personal information related to your engagement with our Services such as a password, it is your responsibility to keep that safe. If you become aware of any breach of your security, you should contact us immediately.

4.4. We retain personal information held by business contacts indefinitely, unless the business contact asks to be forgotten.

4.5. If you are a patient, we will only share your personal and health information with HCPs who are engaged to facilitate delivery of the Services, or where we believe you would reasonably expect us to share the information to support the delivery of the Service and treatment being provided to you. This may include sharing your personal and health information with other members of your care team.

4.6. With your permission we may create a de-identified and pseudo-anonymised version of your personal and health information, which may be used to improve the quality and performance of our Products and Services and to improve the experience for HCPs using our Services. For example, we may provide the de-identified and pseudo-anonymised information to clinical registries so that patient outcomes and clinical practice can be analysed, compared and improved over time. Our de-identification/pseudo-anonymisation process follows guidance from the OAIC and CSIRO to remove and alter parts of the information so that the risk of re-identification of the individuals involved is very low. This process involves removing personal identifiers (e.g. name, mobile phone number, email address and care team if provided) to create the de-identified and pseudo-anonymised information.

5. Transfer and storage of Personal and Health Information

5.1. All information that you provide to us, that is provided by your HCP if you are a patient or is entered into our website, app or collected from your visiting our website or app is automatically transferred to our servers. When you use our Services, you consent to your personal and health information being held by our servers as outlined in this privacy policy.

5.2. As at the date of this privacy policy, our servers are located in Australia (hosted by Amazon Web Services in Australia). Your personal and health information will be transmitted through, and stored on, those servers as part of the Services. If the location of our servers changes in the future, we will update this privacy policy. We would encourage you to frequently review our privacy policy so you are aware of any changes.

5.3. By providing your personal and health information to us, you consent to us storing your personal and health information on servers hosted by Amazon Web Services and accessing your personal information from Australia. If your personal and health information is to be stored on servers located in other countries, it will remain within our effective control at all times. The server host's role is limited to providing a hosting and storage service to us, and we've taken steps to ensure that our server hosts do not have access to, and use the necessary level of protection for, your personal and health information.

5.4. If you are not comfortable with your personal and health information being transferred to a server in another jurisdiction, you should not provide us with your personal information or use our website and Services.

5.5. Despite our best efforts, the internet itself cannot be trusted as a secure environment. Consequently, we are unable to give an absolute promise that your personal and health information will always be safe. Sharing of personal and health information is done at your own risk. You should only provide your personal and health information to our website or app within a secure environment.

6. Cardihab Will Only Release Your Personal Information in Limited Circumstances

6.1. The personal and health information which you provide to us will only be disclosed if it is necessary, appropriate and achieves the outcome for which you engaged our Services and as outlined in our Terms of Service.

6.2. Unless there is a sale, merger, consolidation, liquidation, reorganisation or acquisition, we will not disclose your personal and health information to a third party unless we have your express consent. It is important to note however, that we may have to do so without your consent to comply with any court orders, subpoenas, or other legal process or investigation including by tax authorities, required by law. If it is possible and appropriate, we will endeavour to notify you to let you know this has occurred.

6.3. Your personal and health information is not controlled, accessed or used by the third parties who host our servers, except for the intended use of storing that information.

6.4. Our advertising and analytics partners may receive information about your use of our website or apps through cookies, web beacons and similar storage technologies. More information on this can be found in the Cookies section of this Privacy Policy.

7. Cookies

7.1. A cookie is a small text file that is stored on your computer or device for record-keeping purposes. It does not identify you personally or contain any other information about you, but it does identify your computer. Our website and app use these cookies.

7.2. Along with some of our affiliates and third-party service providers, we may use a combination of "persistent cookies" (cookies that remain on your hard drive for an extended period of time) and "session ID cookies" (cookies that expire when you close your browser) on our website and app. Amongst other purposes, these can be used to track how the website is being used.

7.3. You have the ability to get your browser to send you an alert when you receive a cookie. This then gives you the chance to accept or reject it. If you refuse a cookie, this can have a negative impact on how the website is used or functions. Note, we do not respond to or honour "Do Not Track" requests at this time.

7.4. Performance cookies may be used when you visit our website.

8. Sub-Contractors

8.1. We use sub-contractors to help us deliver our Services. If we share personal or health information with a sub-contractor, we enter into a contractual agreement to keep the information secure. We thoroughly vet these sub-contractors, then enter into contractual agreements to keep personal and health information secure. We check from time to time that they have complied with their agreement. We do not share or use information about you for any other purpose than delivering our Services without their permission unless required by law.

8.2. The Sub-contractors we may share your personal or health information with include:

a) Web Site Analytics

We gather website analytics whenever someone (including HCPs) visits our website. Google Analytics uses cookies and JavaScript to collect website traffic data. The following information is transmitted to and stored on Google's servers for analysis:

A) The time the current visit occurred

B) Whether the visitor has been to the site before

C) What site referred the visitor to the web page

D) The visitor's IP address.

We use the statistics provided by Google Analytics to evaluate the effectiveness of our website and improve its functionality. We do not install any other cookies, local shared objects or other web technology to research the habits of individual visitors or to collect or store any login details.

For more information about how Google Analytics collects, uses and safeguards website traffic data, click here. You can opt out of Google Analytics by visiting here.

b) App Stores

Our apps are available for download from the Apple App Store and Google Play. Apple and Google gather personal information about downloads from these app stores. We never share patient health information with Apple and Google. Information about Apple's privacy policy can be found here. Information about Google's privacy policy can be found here.

c) App Analytics

Our use of the Apple App Store and Google Play to distribute our apps to patients provides us with information about the use, performance and stability of our apps. This information includes: installs, uninstalls, ratings, crashes, device type and operating system version. We also use Google Fabric to provide us with similar information and other information about use of specific features in our apps. We never share patient health information with Apple and Google.

8.3. For business contacts, we may share your personal information with the following Sub-contractors:

a) Survey-based Feedback System

We use SurveyMonkey, a US-based online marketing company, to gain feedback from our business contacts. SurveyMonkey's privacy policy states that, as Cardihab is the creator of the surveys, "Your surveys/forms/applications/questionnaires and any responses you collect to them are private by default (except if you have made them available via a public link). We don't sell individual responses to anyone and we don't use those responses for purposes unrelated to you or improving our services, except in the limited set of circumstances outlined in the privacy policy." SurveyMonkey also provides information on their data security arrangements.

b) Customer Relationship Management System

We use 'Insightly', a subsidiary of 'Unbounce', a Canadian company, to help us manage HCP information.

c) Email Communication System

We use Mailchimp, a US-based online marketing company, to send emails to our business contacts and HCPs using our Services. Mailchimp's privacy policy says that "much of the Personal Information we collect and process about Contacts through the Services, we act as a processor on behalf of our Members." Mailchimp also provides information on their data security arrangements.

9. Right of access, correction or deletion of personal information

9.1. We will allow you to access your personal private and health information that we hold unless the Act or the Health Information Code allows us to refuse to provide you with this access, in which case access will be provided at our sole discretion.

9.2. Anyone who believes we hold personal or health information about them may ask us for access to, correction of or deletion of that information, with the exclusion of health information, which must be retained in accordance with the Act, Health Information Code or other legislation. Please contact our Privacy Officer (see section below) and tell us what you would like to do with your information.

9.3. We will respond within a reasonable time, usually within 5 working days. In line with our commitment to protect your privacy, we may ask you to verify your identity and provide a reason for your request.

9.4. If you are a patient or HCP, we will inform our Customer of your request, and you may be asked to pursue that request via our Customer's privacy processes. If you are not satisfied with the outcome of our Customer's process, we will respond to your request in a manner consistent with the Act and the Health Information Privacy Code. Your personal and health information will generally only be kept for as long as it is needed. There may be circumstances however where we have to keep the information for a specified amount of time to meet various legal and reporting requirements.

10. Complaints and Enquiries

10.1. If you have a complaint about the way we have treated your personal or health information, please contact our Privacy Officer, who will work with you to address your complaint as quickly as possible. If you are a patient or HCP, we will inform our Customer of your request, and you may be asked to pursue that request via our Customer's privacy processes. If you are not satisfied with the outcome of our Customer's process, we will respond to your request in a manner consistent with the Privacy Act.

10.2. We welcome any questions and comments you may have about our privacy practices.

10.3. If your complaint is not resolved to your satisfaction, you are able to apply to the Office of the New Zealand Privacy Commissioner to see what courses of action may be available to you. For more information, you can contact the Commissioner's hotline service on 0800 803 909, or website at enquiries@privacy.org.nz.

Email: enquiries@oaic.gov.au
Telephone: 1300 363 992 (from overseas +61 2 9284 9749)

11. Privacy Officer Contact Details

11.1. Office Address:
Level 3, 315 Brunswick Street, Fortitude Valley, QLD 4006, Australia

11.2. Postal Address:
PO Box 1319
Fortitude Valley, QLD 4006, Australia

11.3. Email: privacy@cardihab.com
Web: cardihab.com

12. Updates to this policy

12.1. This Privacy Policy may be updated from time to time for any reason. The date and nature of any modifications to our Privacy Policy will be included in our policy documentation, and updates will be posted on our website. Please be advised to consult this Privacy Policy regularly to review for any changes.

12.2. In the event that the modifications materially alter your rights or obligations, we will make reasonable efforts to notify you of the change. For example, we may send a message to your email address or generate a pop-up or similar notification when you access our Services for the first time after such material changes are made. Your continued use of our Services after the revised Privacy Policy has become effective indicates that you have read, understood and agreed to the current version of this Privacy Policy.

Updated 28 April 2025.