Privacy Policy
Sophia Healing Centre
Last updated: May 2026
1. Who we are
Sophia Healing Centre (“we”, “us”, “our”) is a New Zealand–based Primary Health Care practice providing specialised general practice, integrative, and specialist medical services locally and internationally. This policy explains how we collect, use, store, and protect personal and health information when you use our services, visit our website, or communicate with us.
2. The information we collect
Identity and contact details
– Name, date of birth, NHI number or other identifiers
– Address, phone number, email
– Emergency contacts or next of kin
Administrative and billing information
– Appointment history
– Invoices and payments
– ACC or insurance information
– Limited payment details (full card details processed only by secure payment providers)
Health and clinical information (sensitive)
– Medical history and consultation notes
– Diagnoses and examination findings
– Laboratory or imaging results
– Prescriptions and medication history
– Treatment plans, referrals, specialist correspondence
Technical and usage information
– IP address, device and browser type
– Website usage analytics and cookies
3. How we collect information
We collect information about you in two ways:
Directly from you — via intake forms, consultations, phone calls, email, or other communications with our practice.
Indirectly from other sources — in the course of providing your care, we routinely receive health information from sources other than you. This includes:
– Clinic letters, referral correspondence, and clinical summaries from other practitioners
– Laboratory and imaging results
– Pharmacy updates and medication records
– Reports from specialists, hospitals, or allied health providers
– ACC or insurance information
– Information provided to us by a concerned third party (such as a family member or caregiver) about your health or welfare
In accordance with the Privacy Amendment Act 2025 and the new Information Privacy Principle 3A (IPP3A), we are required to take reasonable steps to make you aware whenever we collect information about you indirectly. We meet this obligation primarily through this Privacy Statement, which describes the types of information we collect indirectly, why, and how it is used.
Where information is received from a source not covered by this Statement — for example, unsolicited information from a third party — we will take steps to notify you within a reasonable time, except where a legal exception applies.
Please note: when a third party contacts us with information about your health or welfare, we may be obliged under IPP3A to inform you of that contact. In such situations, we cannot always guarantee the anonymity of the person who contacted us.
3A. Use of AI clinical documentation — Heidi
To help us provide attentive, unhurried care, some of our practitioners use Heidi (heidihealth.com), an AI-assisted clinical documentation tool. Heidi listens during your consultation and produces a written transcript, which is then used to generate structured clinical notes. This means your practitioner can remain fully present with you during your appointment, rather than typing notes at the same time.
How it works
Heidi listens and transcribes your consultation in real time. No audio recordings are ever saved — audio is converted to text and immediately discarded. Only the text transcript is retained, and this is automatically de-identified before Heidi processes it, meaning your name and other personal identifiers are removed before any AI analysis takes place.
Your consent
We will ask for your verbal consent before using Heidi in your consultation. You are welcome to decline — your care will not be affected in any way if you prefer not to have Heidi present.
Data storage and retention
Data is stored on encrypted servers located in Australia (Sydney), within the Australasia region. Our practice has configured Heidi to automatically and permanently delete all transcripts and notes after 14 days. Heidi does not use any patient data to train its AI models.
Security and compliance
Heidi is certified to ISO 27001 (information security management) and ISO 42001 (AI security management), and is SOC 2 compliant. It operates in full compliance with the New Zealand Information Privacy Principles and the Health Information Privacy Code. Heidi’s support team can only access data at the explicit request of the clinician (for example, to troubleshoot a technical issue), and all such access is logged.
Third-party access
Heidi does not share patient data with third parties and does not contact patients for any purpose. For more information about Heidi’s data and safety practices, visit heidihealth.com/en-nz/safety.
4. Why we use your information
• Provide safe and effective medical care
• Maintain accurate clinical records
• Manage appointments and billing
• Improve our services and systems
• Meet legal and regulatory obligations
5. When we share your information
We do not sell personal or health information. We may share information only where necessary:
• With laboratories, specialists, pharmacists, or hospitals involved in your care
• With secure service providers supporting our systems
• Where required by law or to prevent serious harm
• With ACC or insurers where relevant
Complaints and indemnity: If you make a complaint about the care or services we provide, we may need to disclose relevant health information to our insurers, indemnity providers, or legal advisers for the purpose of managing and responding to that complaint. We include this notice so you are aware upfront of this possibility, in keeping with the transparency requirements of IPP3A.
Anonymisation: From 1 May 2026, where patient-identifying details are not required for the purpose for which information is being shared or used, we will take steps to anonymise or de-identify that information.
6. Cookies and similar technologies
Our website uses cookies to improve functionality and analyse usage. You can manage cookies through your browser settings.
7. International transfers
Information may be processed outside New Zealand when using reputable cloud or service providers. We take reasonable steps to ensure equivalent protections apply.
8. How we protect and retain information
• Secure hosting and encryption
• Restricted access controls
• Staff confidentiality obligations and training
• Retention only as long as required by clinical and legal obligations
9. Your rights
You have the right to request access to, or correction of, your personal and health information held by us. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner (New Zealand) at www.privacy.org.nz.
10. Marketing choices
• You may unsubscribe from marketing emails at any time
• Essential service communications cannot be opted out of
11. Children and young people
We provide healthcare services to patients of all ages and handle children’s information in accordance with guardianship and consent laws.
12. Notifiable privacy breaches
If a privacy breach is likely to cause serious harm, we will assess and contain it and notify affected individuals and the Privacy Commissioner as required.
13. Changes to this Policy
We may update this policy from time to time. The ‘Last updated’ date will reflect any changes. Patients will be notified of material changes by email, patient portal message, or notice in our waiting room.
14. Contact us
Sophia Healing Centre – Privacy Officer
Email: richard@sophiahealingcentre.co.nz
Website: www.sophiahealingcentre.co.nz
If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner at www.privacy.org.nz.