Privacy Policy

The agency responsible for your personal information is:

• Business name: Massage Eden Ltd
• Registered office: 415/2 Beach Road, Auckland Central 1010, New Zealand
• Privacy contact: Jenny, Director, Massage Eden Ltd
• Email: jenny@massageeden.co.nz
• Phone: +64 (0)9 3020 272

We provide services at the following locations:

• Auckland CBD: Suite 415, Level 4, Scene One Apartments, 2 Beach Road, Auckland Central 1010 - +64 (0)9 3020 272
• Parnell: Unit 4, 15 Nicholls Lane, Carlaw Park, Parnell 1052 - +64 (0)9 354 4904
• Rotorua: Pullman Hotel Rotorua, 1135 Arawa Street, Rotorua 3010 - +64 (0)7 343 9760

This policy applies to all three locations.

Contact and booking information

• Name, email address, phone number
• Date of birth (where required)
• Booking dates, times, location, and treatment preferences
• Any messages or notes you send us

Health information (collected during intake and treatment)

• Medical history, injuries, surgeries, and conditions relevant to massage
• Medications, allergies, and pregnancy status
• Pain points, treatment goals, and therapist notes from each session

This is "health information" under the Health Information Privacy Code 2020 and we treat it accordingly.

Payment information

Payments are processed by Stripe and Timely Pay (Timely's integrated payment system, which is built on Stripe infrastructure). Card details are entered directly into the processor's secure system. We do not store full card numbers on our own systems.

CCTV images

• Visual recordings of public areas of our premises (see section 12).

Website information

• IP address, browser type, device type, operating system
• Pages viewed, time on site, referring URL, date and time of visit
• Cookies and similar technologies (see section 7)

We collect information:

• Directly from you when you book, contact us, fill in an intake form, or attend an appointment
• Automatically through CCTV when you enter the public areas of our premises
• From your use of our website
• From third parties only where you have authorised it (for example, an ACC referral or a referring health practitioner)

We use your information to:

• Schedule, deliver, and follow up on your treatments
• Keep accurate clinical records as required for safe massage therapy practice
• Process payments and issue receipts or invoices
• Communicate with you about your bookings (confirmations, reminders, changes)
• Send marketing or promotional emails only if you have opted in - you can unsubscribe at any time
• Maintain the safety and security of our premises (CCTV)
• Improve the website and our services
• Meet our legal obligations (for example, ACC requirements, tax records, health and safety)

We will not use your information for any purpose that is not reasonably connected to the reason it was collected, unless you give us permission or the law allows it.

We share information only when necessary, and only with:

• Our therapists and staff, on a need-to-know basis
• Service providers who help us run the business - including:
  • Timely (online booking, client records, and automated client communications)
  • Stripe and Timely Pay (payment processing)
  • Mailchimp (email marketing campaigns, where you have opted in)
  • Google Analytics (website usage statistics)

  These providers are bound by their own privacy and security obligations.

• ACC, if your treatment is funded by an ACC claim
• Other health practitioners, only with your express consent
• Authorities (including New Zealand Police), where we are legally required to disclose information or where CCTV footage is requested in connection with an investigation

We do not share your client information with Pullman Hotel Rotorua. Booking and treatment data for our Rotorua location is held by us through Timely, in the same way as for our Auckland locations.

We do not sell your personal information.

Some of our service providers store data on servers outside New Zealand:

• Booking system and client records: Timely - Timely is a New Zealand company, but client data is stored on Amazon Web Services (AWS) infrastructure, primarily in Australia. See Timely's privacy policy.
• Email marketing: Timely and Mailchimp - if you have opted in to receive marketing emails, your subscription details may be stored in Timely (on AWS infrastructure, primarily in Australia) and/or Mailchimp (stored in the United States). See Mailchimp's privacy policy.
• Payment processing: Stripe and Timely Pay - payment data is processed and stored by Stripe, primarily in the United States. See Stripe's privacy policy.
• Website analytics: Google Analytics - usage data is processed by Google in the United States and other countries.

CCTV footage is stored only on-site in New Zealand and is not transferred overseas.

Where we send personal information overseas, we take reasonable steps to ensure it is protected to a standard comparable to the Privacy Act 2020.

Our website uses cookies and similar technologies to:

• Remember your preferences
• Understand how visitors use the site
• Improve site performance

We use Google Analytics to collect anonymous usage statistics. Google Analytics uses cookies to track how you interact with our site. The information collected is aggregated and not linked to your personal identity.

You can:

• Disable cookies in your browser settings (some parts of the site may not work correctly)
• Opt out of Google Analytics specifically by installing the Google Analytics opt-out browser add-on

We do not run third-party advertising on our website.

• Health and treatment records: retained for at least 10 years after your last appointment, in line with standard health record retention practice in New Zealand.
• Booking and contact records: retained for 7 years after your last interaction with us, to align with our tax record retention obligations.
• Marketing consents: retained until you unsubscribe.
• Financial records: retained for 7 years, as required by the Inland Revenue Department.
• CCTV footage: automatically overwritten after 30 days, unless retained for a specific incident.

After these periods, we securely delete or de-identify the information.

We take reasonable steps to protect your information from loss, misuse, and unauthorised access. These include:

• Restricted access to client records
• Secure passwords and (where available) two-factor authentication on our systems
• Encrypted connections on our website (HTTPS)
• Restricted access to CCTV footage and the on-site recording system at each location
• Vetting of service providers we use

No system is completely secure. If a privacy breach occurs that is likely to cause serious harm, we will notify you and the Office of the Privacy Commissioner as required by the Privacy Act 2020.

Under the Privacy Act 2020 and the Health Information Privacy Code 2020, you have the right to:

• Access the personal information we hold about you (including any CCTV footage that identifies you)
• Correct information you believe is wrong or incomplete
• Withdraw consent to marketing communications at any time
• Make a complaint if you think we have mishandled your information

To exercise these rights, contact us using the details in section 1. We will respond within 20 working days. There is normally no charge.

If you are not satisfied with our response, you can contact:

We do not knowingly collect information from children without parental or guardian consent. Where a child is a client, intake forms must be completed by a parent or legal guardian, who is also responsible for providing consent to treatment.

We operate closed-circuit television (CCTV) at all three of our locations for the safety and security of clients, staff, and property, and to help resolve any incidents or disputes that may arise.

Where our cameras operate (at all three sites):

• Reception areas
• Corridors and other public/common areas within our premises

Where our cameras DO NOT operate (at any site):

• Therapy rooms
• Changing areas
• Bathrooms

We do not film, record, or monitor any space in which a client undresses or receives treatment. Your privacy during therapy is absolute.

• What is recorded: Visual images only. We do not record audio.
• Retention: Footage is automatically overwritten after 30 days, unless it is retained longer in connection with a specific incident (for example, a security event, accident, or matter involving the Police).
• Storage: Footage is stored on a secure on-site recorder at each location. CCTV footage is not stored in the cloud or transferred overseas.
• Access: CCTV footage can be viewed by the Director of Massage Eden Ltd and by authorised reception staff at the relevant location, on a need-to-know basis. Footage is only accessed when there is a legitimate reason - for example, to investigate an incident, respond to a complaint, or assist authorities - and is not viewed for any other purpose.
• Signage: CCTV signage is displayed at the entrance to each of our premises so that visitors are notified before entering.

Pullman Hotel CCTV (Rotorua location only): Our Rotorua premises are inside Pullman Hotel Rotorua. Pullman operates its own separate CCTV in the hotel's shared and public spaces (such as the hotel lobby, hotel corridors, and entrances). That footage is collected and held by Pullman, not by us, and is governed by Pullman's own privacy practices. If you have questions about Pullman's CCTV, contact Pullman Hotel Rotorua directly.

You can request access to footage that includes you under section 10 (Your rights).

We may update this policy from time to time. The 'Last updated' date at the top shows when it was last changed. Material changes will be notified on our website.

If you have questions about this policy or how we handle your information, please contact us at jenny@massageeden.co.nz or +64 (0)9 3020 272.