PRIVACY POLICY
Jay's Medispa
Version 3.0 | Effective 13 May 2026
Supersedes all prior versions
1. Introduction
1.1 Jay's Medispa Limited (NZBN 9429050360017), trading as Jay's Medispa ("we", "us", "our"), is a nurse-led aesthetic and wellness clinic located at Level 1/9a Birkenhead Avenue, Birkenhead, Auckland 0626. We are a health agency for the purposes of the Health Information Privacy Code 2020.
1.2 This Privacy Policy ("Policy") explains how we collect, hold, use, and disclose personal information and health information about you ("you", "your") when you engage with our services or our digital channels.
1.3 This Policy applies to all individuals who interact with Jay's Medispa, including prospective clients, current clients, former clients, website visitors, and users of our social media or other digital channels.
1.4 This Policy is governed by the laws of New Zealand. By engaging with our services, you confirm you have read and understood this Policy. Where you do not agree with this Policy, please contact our Privacy Officer (section 18) before providing further information.
2. Defined terms
In this Policy:
Personal information means information about an identifiable individual, as defined in section 7 of the Privacy Act 2020.
Health information means health information as defined in clause 4(1) of the Health Information Privacy Code 2020, including information about your physical or mental health, disability, healthcare services provided to you, and your status as a recipient of healthcare.
Direct collection means collection of personal information directly from you.
Indirect collection means collection of personal information about you from a source other than you.
Marketing communications means electronic messages with a promotional or commercial purpose, as defined in the Unsolicited Electronic Messages Act 2007.
OPC means the Office of the Privacy Commissioner.
3. Legal framework
3.1 We collect and handle your information in accordance with the following:
(a) The Privacy Act 2020, including the thirteen Information Privacy Principles (IPPs), with IPP3A in force from 1 May 2026 in relation to indirect collection of personal information;
(b) The Health Information Privacy Code 2020 as amended (including Amendment No 2 issued in March 2026 to incorporate Rule 3A), which modifies the IPPs for health agencies and applies to all health information we collect, hold, use, and disclose;
(c) The Unsolicited Electronic Messages Act 2007, which governs the sending of commercial electronic messages;
(d) The Health (Retention of Health Information) Regulations 1996, which prescribe minimum retention periods for health records;
(e) Other applicable New Zealand laws, including the Health Act 1956, the Tax Administration Act 1994 (insofar as it relates to financial record retention), and the Health Practitioners Competence Assurance Act 2003.
3.2 Where this Policy is inconsistent with applicable law, the law prevails.
3.3 We acknowledge the importance of te ao Māori perspectives on privacy, including the recognition that health information may carry cultural and whakapapa significance. Where relevant, we will work with clients to handle information in a manner consistent with these perspectives.
4. Information we collect
4.1 We collect the following categories of personal information and health information:
(a) Identity and contact information: full name, preferred name, date of birth, gender (where you choose to provide it), residential or postal address, email address, telephone numbers, and emergency contact details.
(b) Health information: medical and surgical history, current medications and supplements, allergies and adverse reactions, prior aesthetic or cosmetic treatments, skin and scalp assessments, intake questionnaires, signed consent forms, clinical observations, treatment plans and outcomes, aftercare records, and clinical photographs (see section 7).
(c) Service and transaction information: the services you have booked or received, appointment history, products purchased, payment records (excluding full card data, which is processed by our payment provider and not retained by us), gift voucher records, and correspondence with our team.
(d) Digital and analytics information: IP address, device and browser identifiers, operating system, referring URL, pages viewed, time and date of visits, interaction events, and information collected through cookies, pixels, and similar technologies (see section 9).
(e) Marketing preferences: your consent or opt-out status for each channel (email, SMS, voice), the date and source of consent, and your engagement history with our communications.
(f) Photographic and video material: described separately in section 7.
4.2 You are not legally required to provide personal information to us. However, if you choose not to provide information we reasonably require, we may not be able to provide some or all of our services.
5. Sources of information
5.1 Direct collection (IPP3 and HIPC Rule 3). We collect most information directly from you, through online forms, telephone enquiries, in-clinic intake forms, consent forms, treatment notes, and communications with our team.
5.2 Indirect collection (IPP3A and HIPC Rule 3A, in force from 1 May 2026). Where we collect personal information about you from a source other than you, we will take reasonable steps to ensure you are made aware of:
(a) the fact of collection; (b) the purpose for which the information has been collected; (c) the intended recipients of the information; (d) the name and address of Jay's Medispa as the collecting agency; (e) any law under which the collection is authorised or required; (f) the consequences (if any) for you if the information is not provided; and (g) your rights of access and correction under the Privacy Act 2020 and Health Information Privacy Code 2020.
5.3 Indirect collection may occur where, for example:
(a) a referring health provider shares information about you with us with your consent; (b) a family member, partner, or caregiver provides information about you in the course of an enquiry or appointment; (c) we receive information from a previous clinic or practitioner with your authorisation; (d) information is collected through automated technologies on our website (see section 9).
6. How we use information
6.1 We use your information for the following purposes:
(a) to provide, personalise, and improve the services you have requested; (b) to undertake clinical assessment, treatment planning, and continuity of care; (c) to maintain accurate, complete, and contemporaneous clinical records, as required by our professional obligations; (d) to communicate with you about appointments, follow-up care, aftercare instructions, and changes to services; (e) to process payments, refunds, and gift vouchers; (f) to comply with our legal, regulatory, professional, and tax obligations; (g) to respond to your enquiries, requests, complaints, and feedback; (h) to develop, improve, and audit our services, clinical protocols, and staff training (in de-identified or aggregated form where practicable); (i) to send marketing communications, only where permitted under section 8; (j) to defend, establish, or exercise legal claims; and (k) for any other purpose disclosed to you at the time of collection or to which you have consented.
6.2 We will not use your information for any purpose materially different from those listed above without first obtaining your consent or providing notice in accordance with applicable law.
7. Clinical photography and imagery
7.1 We take photographs and may take video recordings of your skin, hair, scalp, body, or treatment areas, in three categories:
(a) Clinical record use. Photographs taken to document baseline condition, progress, and treatment outcomes for inclusion in your clinical record. These are health information under the Health Information Privacy Code 2020 and are stored as part of your file. We do not share clinical record photographs externally except as required for your care, with your consent, or as required by law.
(b) Internal training and quality review. Photographs used internally for clinical training, peer review, or audit. We will only use your photographs for this purpose with your specific written consent. Where used, we will take reasonable steps to de-identify the imagery unless identification is necessary for the training purpose and you have consented.
(c) Marketing and promotional use. Photographs used on our website, social media channels, advertising, or other promotional material. Marketing use requires your separate, specific written consent on a dedicated Photography Consent Form. You may withdraw consent at any time by contacting our Privacy Officer (section 18). On withdrawal, we will remove the imagery from any channel we control within a reasonable period and will use reasonable endeavours to recall imagery from third-party platforms, although we cannot guarantee removal once content has been republished, screenshotted, or downloaded by third parties.
7.2 Biometric processing. We do not currently use automated biometric processing systems (such as facial recognition or automated facial-matching software). Where biometric processing is undertaken in order to provide health services, it is governed by the Health Information Privacy Code 2020, not the Biometric Processing Privacy Code 2025. If we introduce automated biometric processing for any non-health-service purpose (for example, in marketing analytics), we will update this Policy and obtain any required consent before doing so.
8. Marketing communications
8.1 We send marketing communications by email, SMS, and other electronic means only where we have your express consent, or where you have an existing customer relationship with us, in compliance with the Unsolicited Electronic Messages Act 2007.
8.2 Every marketing message we send will:
(a) clearly identify Jay's Medispa as the sender; (b) provide accurate sender information; and (c) include a clear and functional unsubscribe mechanism.
8.3 You may opt out of marketing communications at any time. We will process unsubscribe requests within five working days, in accordance with section 11 of the Unsolicited Electronic Messages Act 2007. Methods to opt out:
(a) the unsubscribe link in any marketing email; (b) replying STOP to any marketing SMS; (c) contacting our Privacy Officer directly (section 18).
8.4 Opting out of marketing does not affect service-related communications (such as appointment confirmations, reminders, aftercare instructions, and clinical follow-up), which are necessary to provide your care.
9. Cookies, analytics, and digital tracking
9.1 Our website uses cookies and similar technologies to enable site functionality, analyse usage, and support marketing.
9.2 We use, or may use, the following categories of third-party tools:
(a) Strictly necessary cookies: required for the website to function (no consent required).
(b) Analytics cookies: such as Google Analytics, used to measure traffic and engagement.
(c) Advertising and marketing cookies: such as Google Ads tags, Meta Pixel (used for advertising on Facebook and Instagram), and similar tools, used to measure advertising performance and to support remarketing.
9.3 Cookies set by third parties (Google, Meta, and other advertising or analytics providers) are subject to those parties' privacy policies. We do not control how those parties subsequently use the information.
9.4 You can manage cookies through your browser settings. You can manage personalised advertising preferences in your Google and Meta account settings. We honour browser-level signals (such as Global Privacy Control) where they are received and supported by our website.
10. Disclosure of information
10.1 We may disclose your information to the following categories of third parties, only where necessary for the purpose, and only under appropriate confidentiality or contractual protections:
(a) clinical and administrative software providers (practice management systems, electronic medical record systems); (b) booking and scheduling platforms; (c) payment processors and merchant providers; (d) email and SMS communication providers; (e) website hosting and IT support providers; (f) marketing platforms and analytics providers (see section 9); (g) other health providers involved in your care, with your consent or as authorised by law (see HIPC Rule 11); (h) professional advisers (legal, accounting, compliance, indemnity); (i) regulatory bodies, professional councils, and law enforcement, where required or permitted by law; (j) any successor business in the event of a sale, merger, or restructure, subject to equivalent privacy protections.
10.2 We do not sell, rent, lease, or otherwise commercially trade your personal information.
10.3 Disclosure of health information is subject to the more stringent rules of the Health Information Privacy Code 2020, particularly Rules 10 and 11.
11. Storage and international transfers
11.1 We hold information in secure electronic systems and, where applicable, in paper records at our clinic premises. Backup copies may be held by our IT or cloud service providers.
11.2 Some service providers we engage (including cloud hosting, marketing platforms, and analytics providers) may store or process information outside New Zealand. Where this occurs, we comply with Information Privacy Principle 12 of the Privacy Act 2020 and Rule 12 of the Health Information Privacy Code 2020, including taking reasonable steps to ensure the receiving party provides protections that are comparable to those required under New Zealand law.
12. Security
12.1 We implement reasonable safeguards to protect your information from loss, misuse, unauthorised access, disclosure, alteration, and destruction, in accordance with IPP5 and HIPC Rule 5. These safeguards include physical security at our premises, technical security in our systems, role-based access controls, authentication requirements, encryption in transit where appropriate, regular backups, and staff training.
12.2 No system can be guaranteed entirely secure. While we apply industry-standard measures, we cannot give an absolute guarantee against unauthorised access.
12.3 Notifiable privacy breaches. If a privacy breach occurs that is reasonably believed to have caused or be likely to cause serious harm, we will:
(a) notify the Office of the Privacy Commissioner as soon as practicable, and in any event in accordance with Part 6 of the Privacy Act 2020; and
(b) notify each affected individual where practicable, or, where individual notification is not practicable, give public notice of the breach.
13. Retention
13.1 We retain health information for a minimum of 10 years from the date of last service provided, in accordance with regulation 6 of the Health (Retention of Health Information) Regulations 1996.
13.2 Other information is retained only for as long as necessary to fulfil the purpose for which it was collected, or as required by law:
(a) financial and tax records: at least 7 years, in accordance with the Tax Administration Act 1994; (b) employment-related records: in accordance with the Holidays Act 2003, the Wages Protection Act 1983, and other applicable employment laws; (c) marketing consent and opt-out records: for the duration of your relationship with us, and for a reasonable period afterwards to demonstrate compliance with the Unsolicited Electronic Messages Act 2007.
13.3 Information no longer required is securely destroyed, deleted, or anonymised.
14. Your rights
14.1 You have the following rights under the Privacy Act 2020 and Health Information Privacy Code 2020:
(a) Access (IPP6 / HIPC Rule 6): request access to the personal and health information we hold about you;
(b) Correction (IPP7 / HIPC Rule 7): request correction of inaccurate or incomplete information, or a statement of correction to be attached to your record;
(c) Withdrawal of consent: withdraw any consent you have given (such as for marketing or for use of photographs) at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal;
(d) Deletion: request that information be deleted, subject to our legal retention obligations under section 13;
(e) Complaint: complain about how we have handled your information (see section 15).
14.2 We will respond to requests for access or correction within 20 working days of receipt, in accordance with section 66 of the Privacy Act 2020. In some circumstances we may extend the timeframe or refuse a request as permitted by law. Where this applies, we will tell you and explain the reasons.
14.3 We do not charge a fee for access or correction requests in usual circumstances.
15. Complaints
15.1 If you are concerned about how we have handled your information, please contact our Privacy Officer first (section 18). We will acknowledge your complaint within 5 working days and respond substantively within 20 working days where reasonably possible.
15.2 If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner:
- Phone: 0800 803 909
- Online: www.privacy.org.nz
- Postal: PO Box 10094, Wellington 6143
15.3 For complaints about the standard of clinical care (rather than privacy), you may also contact the Health and Disability Commissioner: 0800 11 22 33 or www.hdc.org.nz.
16. Children and minors
16.1 Some of our services, including appearance medicine services, are not available to individuals under 18 years of age except in limited circumstances and with appropriate parent or guardian consent in accordance with applicable law and clinical guidelines.
16.2 Where we provide services to a minor, we collect and handle information about that minor with the same protections as for adults, with additional safeguards where appropriate (including parent or guardian involvement in consent and communication).
16.3 We do not knowingly direct marketing communications to individuals under 18 years of age.
17. Updates to this Policy
17.1 We may update this Policy from time to time to reflect changes in law, regulation, our practices, or the services we offer.
17.2 The version number and effective date are shown at the top of this Policy. Material changes will be notified through our website. Where required by law, we will obtain fresh consent.
17.3 We encourage you to review this Policy periodically.
18. Contact us
Privacy Officer: Jason Eberhart, Operations Manager
Jay's Medispa
Email: [email protected]
Phone: 09 418 0743
Address: Level 1/9a Birkenhead Avenue, Birkenhead, Auckland 0626
19. Severability
19.1 If any provision of this Policy is held to be invalid, unenforceable, or in conflict with applicable law, the remaining provisions continue in full force and effect.
20. Governing law
20.1 This Policy is governed by the laws of New Zealand. Any disputes arising in connection with this Policy are subject to the exclusive jurisdiction of the New Zealand courts.
