Sophia Healing Centre – Privacy Policy

Last updated: December 2025

1. Who we are

“Sophia Healing Centre”, “we”, “us”, and “our” mean [Sophia Healing Centre legal entity name], a New Zealand–based organisation that provides consulting, training, and digital products to nonprofits and purpose-driven organisations around the world.

This Privacy Policy explains how we collect, use, store, share, and protect personal information when you:

  • visit our website [www.sophiahealingcentre.com] (the “Website”),

  • join our programmes or communities,

  • receive consulting or advisory services from us, or

  • otherwise interact with us (together, the “Services”).

By using our Services, you acknowledge that you’ve read and understood this Policy.

For individuals in the EU/EEA, UK and other GDPR-style jurisdictions, Sophia Healing Centre is the data controller of your personal data in connection with the Services.

2. The information we collect

“Personal information” means any information that can reasonably identify you or could be used to identify you.

The types of information we collect depend on how you interact with us, but may include:

Identity and contact details

  • Name, job title or role, organisation name

  • Email address, postal address, phone number

  • Country or region

Account and profile information

  • Login details and passwords (hashed/encrypted)

  • Programme enrolments, membership status, purchases, and interactions with our content

Payment and transaction information

  • Billing address

  • Limited payment details (e.g. last 4 digits of card, payment method type) – full card details are handled by our payment processor and not stored by us.

Professional and organisational information

  • Organisation size, sector, fundraising activities, funding profile

  • Survey responses, programme feedback, and application forms

Usage and technical information

  • IP address, device type, browser type, operating system

  • Pages visited, time and date of visits, referring site, and other usage analytics

  • Cookies and similar technologies (see Section 6)

Communications

  • Emails, messages, and other communications you send to us

  • Notes from calls or workshops where we capture actions and decisions

We generally do not seek to collect sensitive information (such as health data or information about ethnicity) through the Website. If such information arises in consulting work (for example, in relation to your beneficiaries), it is handled under your instructions and your own privacy framework.

3. How we collect information

We collect information in three main ways:

You give it to us directly

  • When you fill in a form, sign up for a newsletter, register for a programme, download resources, or contact us.

  • When you participate in workshops, coaching, or community spaces.

We collect it automatically

  • Through cookies and similar technologies when you visit our Website or log into our platforms.

  • Through basic analytics (e.g. Google Analytics or similar tools) to understand how people use our Website and improve it.

We receive it from third parties

  • From payment processors when you complete a purchase.

  • From platforms we use to host courses, communities, or email marketing (e.g. learning platforms or mailing list tools).

  • From referrers or partners who have your permission to share your details.

Where we receive information from third parties, we handle it in line with this Policy and any additional obligations under applicable privacy laws.

4. Why we use your information (and legal bases)

We use personal information for the following purposes:

To deliver and improve our Services

  • Registering you for programmes, bootcamps, or consulting engagements

  • Managing your account and providing customer support

  • Sending you course materials, call links, and relevant resources

  • Analysing how our Services are used so we can improve content, design, and user experience

Legal bases: performance of a contract, legitimate interests (providing and improving our Services).

To communicate with you

  • Responding to enquiries and support requests

  • Sending service-related messages (e.g. confirmations, billing notices, programme updates)

  • Asking for feedback or inviting you to participate in surveys or case studies

Legal bases: performance of a contract, legitimate interests (running and improving our business, staying in touch with clients).

For marketing (with controls)

  • Sending newsletters, invitations, and information about programmes or offers we think may be relevant to you

  • Profiling at a very basic level (for example, segmenting by country, sector, or programme history) so communication is more relevant and less noisy

Legal bases: consent (where required), or legitimate interests (responsible marketing to existing or prospective clients). You can opt out at any time – see Section 10.

To run our business and meet obligations

  • Handling payments and accounting

  • Managing risk, preventing fraud or misuse, and securing our systems

  • Complying with legal, regulatory, and tax obligations, and responding to lawful requests from authorities

  • Evaluating or managing a potential business sale, merger, or restructuring

Legal bases: legal obligations, legitimate interests.

We only process personal information where we have a lawful basis under New Zealand law and, where applicable, GDPR/UK GDPR or other local laws.

5. When we share your information

We do not sell your personal information.

We may share personal information with:

Service providers and vendors

  • Website hosting, email, CRM, learning platforms, payment processors, analytics, and other tools we use to deliver the Services

  • Contractors and team members who support our work

We require these providers to protect your information and only use it for the work they do for us.

Professional advisers

  • Lawyers, accountants, or other advisers where reasonably necessary for our business and legal obligations.

Business transfers

  • If we undergo a restructuring, merger, or sale of part or all of our business, personal information may be transferred as part of that process, subject to appropriate safeguards.

Legal and safety reasons

  • Where we believe disclosure is reasonably necessary to comply with law, respond to a legal request, or protect the rights, property, or safety of Sophia Healing Centre, our clients, or others.

Where we share personal information internationally, we take reasonable steps to ensure it is protected in line with the NZ Privacy Act 2020 and, where applicable, GDPR/UK GDPR standards (for example, using standard contractual clauses or dealing with providers in countries recognised as “adequate”).

6. Cookies and similar technologies

We use cookies and similar technologies on our Website to:

  • remember your preferences and login state;

  • understand how people use our Website; and

  • improve performance and user experience.

You can control cookies through your browser settings. If you disable cookies, some features of the Website may not work as intended.

Where analytics or advertising cookies are used, they are typically provided by third parties (for example, Google Analytics). These providers may collect or receive information about your use of our Website, which they use to provide analytics services to us and, in some cases, for their own purposes in line with their privacy policies.

7. International transfers

Sophia Healing Centre is based in New Zealand, but we work with clients and service providers worldwide. This means your information may be processed in countries that have different data protection laws to those in your home country.

When we transfer personal information across borders, we:

  • only use reputable providers who apply appropriate protections; and

  • take reasonable steps to ensure an adequate level of protection, such as contractual safeguards and technical security measures.

For individuals in the EU/EEA or UK, where your data is transferred outside those regions, we rely on lawful transfer mechanisms (such as standard contractual clauses) where required.

8. How we protect and retain information

We take reasonable technical and organisational steps to protect personal information from loss, unauthorised access, misuse, or disclosure. Measures may include:

  • secure hosting and access controls;

  • encryption in transit (e.g. HTTPS) and, where appropriate, at rest;

  • role-based access to systems; and

  • policies and training for team members handling personal information.

No method of transmission or storage is perfectly secure, but we work to keep protections in line with industry practice and our obligations under the Privacy Act 2020 and other applicable laws.

We keep personal information only as long as needed for the purposes described in this Policy, including:

  • to deliver the Services and maintain your relationship with us;

  • to meet legal, accounting, or reporting requirements; and

  • to resolve disputes or enforce agreements.

When personal information is no longer required, we will take reasonable steps to delete or de-identify it.

9. Your rights

Your privacy rights depend on where you live. However, we aim to be as transparent and accommodating as we reasonably can.

9.1 New Zealand
Under the Privacy Act 2020, you generally have the right to:

  • ask whether we hold personal information about you;

  • request access to that information; and

  • ask for corrections if you believe it is inaccurate, incomplete, or out of date.

To exercise these rights, please contact us using the details in Section 15. We may need to verify your identity before responding.

If we decline your request (for example, because an exception in the Act applies), we will explain why where we are able to do so.

You can also complain to the Office of the Privacy Commissioner if you’re unhappy with how we handle your personal information.

9.2 EU/EEA and UK (GDPR/UK GDPR)
If you are located in the EU/EEA or UK, you may have additional rights, including to:

  • access a copy of your personal data;

  • request correction or deletion;

  • restrict or object to certain processing;

  • receive your data in a structured, commonly used format and/or request that we transfer it to another controller (data portability);

  • withdraw consent where we rely on consent (this won’t affect prior processing); and

  • lodge a complaint with your local supervisory authority.

We will respond to such requests in line with the GDPR/UK GDPR and any applicable local law.

9.3 Other jurisdictions
If you live in a country or state with specific privacy rights (for example, certain US states or other jurisdictions with data protection laws), you may have additional rights. We will honour those rights to the extent required by law. If in doubt, contact us and we’ll explain what applies to you.

10. Marketing choices

You can control how we use your information for marketing:

Email: You can unsubscribe from marketing emails at any time by clicking the “unsubscribe” link in the email or by contacting us.

Service messages: You cannot opt out of essential service communications (e.g. billing notices, security alerts, important programme updates), as we need these to deliver the Services.

We do not send SMS marketing unless you have explicitly opted in.

11. Children’s privacy

Our Services are designed for adults working in organisations, and we do not knowingly collect personal information from children under 18 via the Website. If you believe a child has provided us with personal information, please contact us so we can investigate and delete it where appropriate.

12. Third-party links and social media

Our Website may include links to third-party websites, tools, or social media platforms. We don’t control those sites and are not responsible for their privacy practices. We encourage you to review their privacy policies before providing any personal information.

13. Notifiable privacy breaches (NZ)

If a privacy breach occurs that is likely to cause serious harm, we will:

  • assess the breach;

  • take steps to contain and mitigate it;

  • notify affected individuals where required or appropriate; and

  • notify the New Zealand Privacy Commissioner in line with the Privacy Act 2020.

14. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, our business, or the law. When we do, we will update the “Last updated” date at the top.

If changes are significant, we will take reasonable steps to let you know (for example, via email or a notice on the Website). Your continued use of the Services after any changes means you accept the updated Policy.

15. Contact us

If you have questions, requests, or concerns about this Privacy Policy or how we handle personal information, please contact:

Sophia Healing Centre Privacy Officer

If you are not satisfied with our response, you may have the right to complain to your local data protection authority. In New Zealand, this is the Office of the Privacy Commissioner: www.privacy.org.nz.