Privacy Policy for The Therapy Project.

Introduction

At The Therapy Project, we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and disclose your personal information when you use our counselling and mental health coaching services, in accordance with New Zealand’s Privacy Act 2020 and the Health Information Privacy Code 2020. Whether you engage with us in person, online, or by phone, this policy applies to all clients and website users. We also adhere to professional ethical obligations of confidentiality to ensure your information is handled with the utmost care and respect.

What Information We Collect

We only collect personal information that is necessary to provide you with quality therapy services and to run our practice. This information is typically collected directly from you and with your knowledge, and we avoid any unnecessary or intrusive collection.

The types of information we may collect include:

  • Contact Details: Your name, address, phone number, email, and other contact information.

  • Personal Demographics: Date of birth, gender, and emergency contact.

  • Health and Background Information: Relevant medical or mental health history, reasons for seeking therapy, assessment information, and other details you share with us as part of the therapeutic process.

  • Session Notes and Reports: We maintain confidential case notes, session summaries, and related records of the counselling or coaching we provide to you. These may include information about your progress and any plans or recommendations.

  • Booking and Attendance Information: Appointment dates, attendance records, and communications regarding scheduling (since we use an electronic booking system).

  • Payment and Billing Information: Details necessary for processing payments or invoicing, such as records of fees charged and paid. (Note: We do not store credit card numbers on our own systems; if online payments are used, they are handled through secure third-party payment processors.)

  • Website and Communication Data: If you contact us via our website contact form or email, we may keep a record of that correspondence. Our website may also collect basic technical information (like IP address, browser type, and cookies – see Cookies section below) for functionality and analytics, but this does not usually identify you personally.

You are not required to provide any information that you are uncomfortable with; however, not providing certain details may affect our ability to offer services (for example, we need emergency contact information for safety, and your home address, phone number, and email to contact you). We will always explain why we are collecting any sensitive information. If we ever need to collect information about you from someone else (for example, from an EAP referral or a medical provider), we will do so only with your consent or as permitted by law.

How We Use Your Information

We use the personal information we collect from you for the following purposes:

  • To Provide Services: We use your information to plan and deliver appropriate counselling or coaching services. This includes reviewing your background information, conducting therapy sessions, and keeping clinical notes to track your progress and ensure best practice care.

  • Appointments and Communication: Your contact information is used to schedule and remind you of appointments, send you necessary information (e.g., session links for online therapy), and to communicate about any changes or follow-ups. We may contact you via phone call, SMS/text message, or email as needed for these service-related communications.

  • Service Improvement: Internally, we may use anonymized or aggregated information to improve our services, train staff, or for quality assurance. For example, we might track overall usage or outcomes in a de-identified way (you would not be identifiable in any such analysis).

  • Billing and Administration: We use your information to manage billing and payments for sessions. For instance, we record what services were provided and process your payments or health insurance/EAP claims if applicable. We use Xero accounting software for invoicing and financial record-keeping, so your basic identifying information and transaction details will be used in that system for lawful accounting purposes.

  • Compliance and Legal Obligations: We may use and retain your information to comply with our legal obligations and professional responsibilities. For example, we maintain records of your care as required by health regulations and may use your information to fulfill reporting duties (such as mandatory reporting of serious risk as required by law) or to cooperate with lawful authorities if needed.

  • Marketing and Updates (Opt-In Only): If you have expressly opted in to receive our newsletter or updates about The Therapy Project, we will use your contact details to send you those. For example, we might share mental health resources, practice news, or upcoming workshops via email. You can unsubscribe from these communications at any time, and we will not send you marketing material without your consent.

We will not use your personal information for any purpose that is incompatible with the reasons it was collected, unless we obtain your consent or are required by law to do so. We do not sell your personal data to third parties for advertising or any other purposes.

Disclosure of Your Information

Your privacy is extremely important to us. We do not disclose your personal or health information to others except in the following circumstances:

  • With Your Consent or at Your Direction: We will share information with third parties (such as a family member, your GP, or another health provider) only if you ask us to or give us permission. For example, if you want us to coordinate care with another therapist or doctor, we would only do so with your signed/written consent specifying what can be shared.

  • Within Our Team: Our practitioners and authorized staff may share information with each other internally on a need-to-know basis. For instance, our practice manager may access your contact or billing details to manage appointments and accounts, and your therapist will have access to your clinical records. All staff members are bound by strict confidentiality agreements and privacy laws to protect your information.

  • Employee Assistance Programs (EAPs) or Referring Agencies: If your sessions are funded or arranged through an EAP or another organization, we may be required to provide that organization with limited information about your engagement. This typically includes attendance or appointment confirmations, and sometimes general progress summaries, as per the service agreement. We will not disclose detailed therapeutic content without your consent. Any information shared with an EAP or referral agency is only what is necessary for them to facilitate or pay for your service, and they are also required to keep your information confidential.

  • Clinical Supervision and Consultation: Our therapists regularly engage in professional supervision or peer consultation to ensure high-quality care. In these discussions, we may talk about client cases in a general or de-identified manner to get guidance. If your case is discussed, we do our best to omit identifying details, and the supervisor or consultant is also bound by confidentiality obligations and privacy laws. This practice is solely for improving the quality of service and is a standard requirement in therapy professions.

  • Service Providers (Third-Party Processors): We use trusted third-party platforms to help us run our practice, and your information may be stored or processed by them on our behalf. Key services we use include:

    • Carepatron: We use Carepatron for managing bookings, storing clinical notes, and (if applicable) conducting secure video or online sessions. Carepatron is a secure practice management platform that complies with New Zealand’s Privacy Act 2020 and international privacy standards (such as GDPR and HIPAA). All information you provide to us is entered into Carepatron, which uses end-to-end encryption and role-based access controls to protect your data. This means your records are stored securely in the cloud, accessible only to authorized personnel (i.e., your therapist and limited staff for admin purposes). Carepatron’s security measures ensure a safe environment for your confidential information.

    • Xero: We use Xero, a reputable cloud-based accounting software, to manage our invoices and payments. This means your name and contact details, along with payment amounts and dates, are recorded in Xero for billing purposes. Xero implements strong security controls (including data encryption) to safeguard financial data, and it complies with relevant privacy and security standards. Your financial transactions with us are handled through this secure system, and we do not store your payment card details on our own servers.

    • Baycorp (Debt Collection): On rare occasions, if an account remains unpaid and standard payment reminders have not been successful, we may engage a debt collection agency such as Baycorp to recover the outstanding fees. In doing so, we would need to share only the necessary personal information with the agency (typically your name, contact information, and the amount owed) to enable them to contact you and resolve the debt. Baycorp is a professional agency and is required to handle your information in confidence and in accordance with privacy laws. This step is only taken as a last resort when other attempts to secure payment have failed.

    • Email and Newsletter Services: If you have subscribed to our newsletter or agreed to receive appointment reminders or resources via email, we may use a third-party email service provider (e.g., a platform such as Squarespace, Mailchimp, or a similar service) to manage those communications. In that case, your name and email address will be stored with that provider solely for the purpose of sending you the communications you signed up for. We will ensure any such provider we use has robust privacy and security measures. You can opt out of newsletters at any time, and every marketing email will include an unsubscribe link.

    • Other Tools: We currently do not use other external tools that access your personal health information. If in the future we introduce additional tools (for example, an online survey tool for feedback or a secure SMS service), we will update this policy and ensure those tools comply with privacy requirements.

  • Law Enforcement or Legal Obligations: We may disclose your information when required by law or when we believe in good faith that such action is necessary to comply with legal processes. For example, if we receive a court order or subpoena requiring release of records, we are obliged to comply. We will attempt to inform you beforehand, if the law allows, to discuss the situation. Additionally, New Zealand law permits us to release personal information without your consent if we believe it is necessary to prevent a serious and imminent threat to your life, health, or safety, or that of another person. This could include situations such as serious risk of self-harm, harm to others, or a medical emergency. In such cases, we would only share information with professionals or authorities who can help (for example, disclosing necessary details to emergency services). We may also disclose information if required to report concerns under specific laws (for instance, if we have concerns about child safety, we may be obligated to notify the appropriate agency). In all cases, we limit any disclosure to what is strictly necessary under the circumstances.

  • Business Transfers: (Currently not applicable, but included for completeness.) If The Therapy Project were ever to be restructured, sold, or merged with another practice, client information might be transferred as part of that process. If that happened, we would ensure the new owner/practice understands they must handle your information in accordance with this Privacy Policy and New Zealand law, and we would notify you of any such change and your options. (Again, we have no plans for this at this time; your information is not being shared in this way.)

Aside from the situations above, we do not share your personal information with any third parties. We do not give or sell client details to marketers or unrelated parties. If you have any questions about a potential information disclosure not listed here, please feel free to ask us.

Data Storage and Security

We take the security of your personal information very seriously. Most, if not all, of your data is stored electronically in secure systems rather than on paper. Our primary system for client records is Carepatron, which is a secure, encrypted cloud-based practice management platform. Carepatron’s servers store our appointment schedules, clinical notes, and related documents. This system employs industry-standard security measures: data is encrypted both in transit (when it's sent over the internet) and at rest (when it's stored on their servers), and access to information is restricted to authorized individuals (for example, your therapist and relevant staff) through role-based permissions. Carepatron’s compliance with privacy regulations ensures that your health information is handled with high confidentiality and security standards.

In addition to Carepatron, some of your information (such as contact details and invoices) is stored in Xero for accounting purposes. Xero is a widely-used platform that also uses strong encryption and security practices to protect data. Access to Xero is password-protected and limited to authorized personnel in our practice (e.g., our practice manager and accountant).

We strive to operate a mostly paperless practice. We do not keep long-term paper files containing your health information. If you provide any information in paper form (such as signing a consent form or filling out a questionnaire), those documents are either scanned into our secure system and then securely destroyed, or stored in a locked file cabinet with restricted access.

Electronic Communications: Please note that while we use secure systems, standard email is not 100% secure. If you communicate with us via email or SMS/text message, be aware there is some inherent risk of interception or unauthorized access in any internet communication. We will use email or text to correspond with you (for appointment reminders, sending resources, etc.) only with your consent, and we take precautions such as password-protecting sensitive attachments (e.g., reports or letters) before sending. If you prefer not to use email for certain communications, let us know and we can arrange alternative methods (such as phone calls or using the secure client portal on Carepatron). For online video sessions, we use Carepatron’s telehealth feature or another secure video conferencing tool, which are encrypted to protect your privacy.

We have implemented various security safeguards to protect your data, including:

  • Unique passwords and access controls for all systems (each authorized user has their own login, and access is limited based on role).

  • Encryption technology to protect data stored in our cloud services and during transfer.

  • Regular software updates and maintenance to ensure we have the latest security patches on all devices and applications we use.

  • Antivirus and firewall protection on our computers.

  • Policies and training for staff on the importance of confidentiality and how to handle personal information securely.

  • If printed documents are ever used (e.g., a printed invoice or letter), we ensure they are not left in public areas and are disposed of by shredding when no longer needed.

While we work hard to safeguard your information, it is important to understand that no method of electronic storage or transmission is completely infallible. However, we continually review our security practices to mitigate risks. In the unlikely event of a data breach that could affect your privacy, we will follow the procedures required by the Privacy Act 2020, which include notifying the Office of the Privacy Commissioner and, if appropriate, informing you of what occurred and any steps you should take.

Data Retention

We will retain your personal information only for as long as it is needed to fulfill the purposes for which it was collected, or as required by New Zealand law, whichever is longer. Specifically for health records (like your therapy case notes and related documents), New Zealand law requires health agencies to keep client records for a minimum of 10 years from the last date of service. In compliance with this requirement, The Therapy Project securely retains your clinical records for at least ten (10) years after your last session or contact with us. This retention period is in line with the Health (Retention of Health Information) Regulations 1996, which are designed to ensure that important health information remains available for a reasonable time in case it’s needed for your ongoing care or for legal reasons.

After 10 years have passed since your last interaction with us, we will review the information. If there is no ongoing reason (clinical, legal, or otherwise) to keep it, we will securely dispose of or delete the records. “Secure disposal” means shredding or incinerating physical documents and permanently deleting electronic files in a way that they cannot be recovered. If we determine there is a good reason to keep the records longer (for example, if you return for services, or if a legal issue is outstanding), we may retain them for a longer period, but we will not keep personal information indefinitely without cause.

For financial records (like invoices and payment records), we generally keep those for at least 7 years, as this is required for tax and accounting purposes under New Zealand law. They may be retained securely within Xero for that duration.

If you have subscribed to any newsletter or mailing list, we will retain your contact information on that mailing list until you unsubscribe or until we discontinue the newsletter service, whichever comes first. If you unsubscribe, we will remove your email from the mailing list promptly. We may keep a record that you had opted in or out (for compliance record-keeping), but we won't continue to send you communications once you've opted out.

Please note that if you request us to transfer your records to another provider or to yourself, we can do so (with proper authorization and identity verification). After transferring, if you want us to no longer hold any copies, you can discuss this with us – however, we may need to retain certain information to fulfill the 10-year legal requirement or to document that the transfer took place.

We regularly review the information we hold. Any personal information that we determine is no longer needed for any of the purposes outlined in this policy, and which we are not required by law to keep, will be securely deleted or destroyed.

Your Rights and Choices

Under the Privacy Act 2020 and the Health Information Privacy Code, you have important rights regarding your personal information:

  • Access to Your Information: You have the right to request access to the personal information we hold about you. This includes your therapy records, contact information, and any other details we have on file. You can make a request by contacting us at hello@thetherapyproject.co.nz. We will respond to your request as soon as practicable, and within the timeframes required by law. We may ask you to verify your identity before releasing information to ensure we don't inadvertently give your data to an unauthorized person. In most cases, we will provide you with a copy of your information. There is no charge for making an access request. If the request is complex or you request multiple copies, we will let you know in advance if any administrative fee might apply, but ordinarily requesting your own information is free of charge.

  • Correction of Your Information: If you believe any information we hold about you is inaccurate, out-of-date, or incomplete, you have the right to ask us to correct it. We encourage you to keep us updated about any changes (for example, new address or phone number, or corrections to your medical history). If you request a correction, we will take reasonable steps to verify and amend the information. In situations where we cannot change the information (for instance, if we believe the information is correct, or it’s an opinion in a clinical note that we need to retain), we will discuss this with you. You also have the right to provide a statement of correction to attach to your records, so your viewpoint is noted if a change isn’t made.

  • Limitations on Access/Correction: In rare cases, we might need to refuse access to certain information or refuse a requested correction, but this is only permitted in specific circumstances. For example, we might decline to release information that includes details about another person who has not consented (to avoid breaching their privacy), or if giving you certain information would be likely to pose a serious threat to someone’s safety. Another example is if the information is protected by legal privilege or was provided in confidence by someone else. If we have to refuse any part of your request, we will give you a written explanation of the reasons (unless there’s a legal reason that we cannot disclose those reasons). We will also let you know about any further options you have (such as complaining to the Privacy Commissioner).

  • Withdrawal of Consent: If you have given consent for us to use certain information in a particular way, you generally have the right to withdraw that consent at any time. For instance, if you signed up for our newsletter and no longer wish to receive it, you can unsubscribe. In the context of therapy, you consent to us collecting and using your health information for treatment when you engage our services; you can’t retroactively withdraw consent to uses that already happened (e.g., past sessions’ notes), but you can discontinue therapy at any time, and we will then stop collecting new information. Do note that even if you end services or withdraw consent for future use, we may still need to retain your past records for the retention period as described above, but we will not use them for new purposes without your agreement.

  • Complaints: You have the right to complain if you believe we have mishandled your personal information or breached your privacy. We encourage you to contact us first so we can try to resolve your concerns. We take all privacy complaints seriously and will investigate your complaint and respond to you. If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Privacy Commissioner of New Zealand. The Privacy Commissioner’s office can be contacted at https://privacy.org.nz or by phone at 0800 803 909. They can provide guidance and may investigate the issue independently.

  • Refusal to Provide Information: You have the choice not to provide certain information or to use an alias; however, because of the nature of therapy services, it may be impractical for us to work with you without your real name or contact information, and we might not be able to offer services if we cannot collect essential details. We will explain the implications if you choose not to share something critical to your care.

We support your rights and will assist you in exercising them. For any requests or concerns about your personal information, please reach out to us at hello@thetherapyproject.co.nz.

Cookies and Website Usage

When you visit our website, we want you to know how we handle data related to your site usage:

  • Cookies: Our website may use "cookies," which are small text files stored on your device, to enhance your browsing experience. For example, cookies might remember your preferences or help us analyze how visitors navigate our site. The cookies we use do not collect personally identifiable information about you; they might collect general information like your browser type, pages visited, and time spent on the site. This information helps us improve our website’s functionality and content. You have the option to disable cookies in your web browser’s settings if you prefer not to accept them. However, note that some features of the site (such as logging in to a client portal, if applicable) may not function properly without cookies enabled.

  • Analytics: We may use web analytics tools (such as Google Analytics or similar) to collect standard internet log information and details of visitor behavior patterns. This is about how the site is used in aggregate – for example, which pages are most frequently visited. This analytics data is generally anonymized. It helps us understand user interests and improve our website. You can opt out of Google Analytics data collection with a browser add-on if you wish.

  • Third-Party Links: Our website might include links to third-party websites or services for your convenience or reference (for example, an online booking system link to Carepatron, or links to external articles). If you follow a link to any external site, please be aware those sites have their own privacy policies, and we do not accept responsibility for their practices. We encourage you to read the privacy statements of any other sites you visit.

We do not use web advertising or third-party tracking cookies for advertising purposes at this time. If this changes in the future, we will update this policy and provide you with options to consent or opt out of such uses.

By using our website, you consent to the use of cookies and analytics as described above (unless you disable them via your browser).

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or to ensure compliance with new laws or regulations. When we make changes, we will update the "Effective Date" at the top of the policy (or indicate the last revision date). For significant changes, we may also notify our clients directly via email or by posting a notice on our website. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

Your continued use of our services or our website after any modifications to the policy will constitute your acknowledgment of the changes and your agreement to abide by the updated policy. Of course, if the changes are substantial and retroactive, we would seek your consent as required by law.

Contact Us (Privacy Questions or Concerns)

If you have any questions about this Privacy Policy, or about how your information is collected, used, or protected, please contact us. We are here to help and address any concerns you might have about your privacy.

  • Privacy Officer: We have appointed our Practice Manager to act as our Privacy Officer. This person is responsible for overseeing privacy matters at The Therapy Project and ensuring compliance with applicable laws.

  • Contact Information: You can reach out to us by email at hello@thetherapyproject.co.nz or by phone at 022 474 8048. You may also send mail to 193 Glenda Drive, Unit 6, Frankton, Queenstown (Attn: Privacy Officer, Kelsey Powell).

  • Office of the Privacy Commissioner: If you need further guidance or wish to lodge a formal complaint, you can contact the NZ Privacy Commissioner’s office at 0800 803 909 or visit their website privacy.org.nz for more information.

We value your trust in us as your therapy provider. Protecting your personal information is fundamental to that trust. If there is anything you are unsure about in this policy or you need more detail, please do not hesitate to ask. We will gladly explain our privacy practices in person or provide additional information.

Thank you for taking the time to read our Privacy Policy. We are dedicated to maintaining the privacy and security of your information while providing you with effective counselling and coaching services.