LEGAL & PRIVACY

PRIVACY POLICY

VERSION 3.0
LAST UPDATED APRIL 2026
LEAD PRIVACY OFFICER JAMES ORRITT

Kia ora. Thank you for trusting us with your information. We know that privacy policies are usually long, so here is a one-page summary of what matters most. The full policy follows.

  • We are a sport psychology practice. Our directors, Jason Yuill Proctor and James Orritt, are registered psychologists with the New Zealand Psychologists Board.
  • Anything you share with us in a one-to-one session is treated as health information, even if it is about performance rather than clinical concerns. We explain why in Section 3.
  • We store your clinical records in Carepatron, a dedicated practice management platform built for the health sector. We do not store your records on personal devices, in email, on paper, or on Google Drive.
  • We use WhatsApp only for adult programmes, only for logistics, and only with your consent. We never share clinical content there.
  • We never share your information with a coach, school, club, parent, or sporting organisation without your explicit consent, except in the limited circumstances required by law (for example, where there is a serious risk to safety).
  • Young people aged 16 and over can give their own consent. For those under 16, we work in partnership with parents and guardians, while still protecting the young person's right to a private therapeutic space.
  • You have the right to see what we hold about you, ask us to correct it, and ask us to delete it. You can complain to us, and to the Office of the Privacy Commissioner if you remain unhappy.
  • We keep clinical records for at least ten years after our last session with you, as required by NZ law. For records about young people, we keep them until they turn 25 or for ten years, whichever is longer.
  • We do not currently use any AI-assisted note-taking or transcription tools in your care. If we ever introduce one, we will tell you first and ask for your consent.
  • If anything in this policy is unclear, please email James at info@performance-act.com or call 027 513 8435. We genuinely want you to understand it.

01

Introduction and Our Commitment to Hauora

Kia ora, and welcome to The Performance Act. We are a sport psychology practice based in Aotearoa New Zealand. Our work supports athletes through one-to-one sessions, group programmes, and consultation with the coaches, parents, and organisations around them. Our mission is to support the hauora (holistic wellbeing) of athletes, coaches, whānau, and sporting communities through evidence-informed psychological practice.

Our directors, Jason Yuill Proctor and James Orritt, are registered psychologists with the New Zealand Psychologists Board. This Privacy Policy explains in plain language how we collect, use, store, share, and dispose of your personal and health information, and what your rights are.

Our practice is governed by the Privacy Act 2020, the Health Information Privacy Code 2020 (HIPC), the Health (Retention of Health Information) Regulations 1996, the Care of Children Act 2004, the NZ Psychologists Board Code of Ethics, and the principles of Te Tiriti o Waitangi.

If anything in this policy is unclear, please get in touch using the details in Section 19. We genuinely want you to understand it.

02

Who This Policy Applies To

This policy applies to anyone whose personal or health information we collect or hold. That includes:

  • Adults and young people (tamariki and rangatahi) who engage in one-to-one sport psychology sessions or clinical support.
  • Athletes participating in our group programmes, academies, or team-based performance work, such as The Green Standard.
  • Parents, caregivers, and whānau who contact us, or whose information is provided to us in connection with a young person we are working with.
  • Coaches, teachers, and sporting organisation staff who engage us for education or consulting.
  • Visitors to our website and individuals who submit an inquiry through our online contact form.
  • Third parties such as schools, clubs, or coaches who provide us with information about a person we are engaged to support.

03

Why We Treat Your Information as Health Information

You may be wondering why information you share during a sport psychology session focused on performance — rather than a session focused on a clinical concern — is treated as health information. It is a fair question, and we want to answer it clearly so you understand exactly why we handle your information the way we do.

The law defines health information broadly

Under the Health Information Privacy Code 2020, "health information" is defined broadly. It includes any information about a person's physical or mental health, any disability, or any health service provided to them. The critical phrase is "in connection with." The law does not require a formal clinical diagnosis or a severe mental health presentation. If information is gathered in the context of a service that relates to someone's mental functioning or wellbeing, even in a performance context, it is captured by that definition.

The information itself is inherently psychological

Even when we are working purely on performance — helping an athlete manage nerves before a game, build focus, or develop a stronger pre-performance routine — the information we record reflects something about that person's psychological state. A psychometric snapshot, a Mental Gym plan, notes about self-talk patterns or emotional responses under pressure: all of these relate to how a person thinks and feels. The fact that the goal is performance rather than treatment does not change what the information actually is.

Performance and mental health sit on a continuum

Performance anxiety, confidence challenges, focus difficulties, and difficulty bouncing back all exist on a continuum. We deliberately limit our scope to moderate challenges and refer on when something falls outside our expertise. Even so, the information we gather along the way still relates to a person's psychological functioning.

Our registration carries its own obligations

Jason and James are registered psychologists. That registration attaches to them as practitioners, not to a specific type of session. When a registered psychologist gathers information about a person in a professional context, the full protections of the Health Information Privacy Code follow.

What this means for you

In practice, any information you share with us in a one-to-one context is handled to the same high standard, whether the session is clinical or performance focused. Group workshops, public events, and general education sessions where we do not collect or retain individual data are different. But any time we are working with you individually, we treat your information as health information, because that is what it is.

04

The Laws and Standards That Govern Our Practice

Two laws sit at the foundation of how we handle your information.

The Privacy Act 2020 sets out general information privacy principles that apply to every organisation in New Zealand. The Health Information Privacy Code 2020 (HIPC) layers thirteen tailored rules on top of that, specifically for health agencies like us. Together, they govern every stage of how we handle your information, from the moment we collect it to the moment we destroy it.

Amendment No. 2 to the HIPC, in force since 1 May 2026, strengthened our duty to be transparent when we collect information about you from someone other than you (for example, a school or a club). We address this in Section 6.

Alongside these laws, we are bound by the NZ Psychologists Board Code of Ethics, its Best Practice Guidelines on Record Keeping, the Health (Retention of Health Information) Regulations 1996, and the Board's 2025 guidelines on the responsible use of artificial intelligence.

We do not currently use any AI-assisted tools (clinical scribes, transcription software, or note-generation tools) in your care. If we ever introduce such a tool, we will complete a Privacy Impact Assessment first, update this policy, and ask for your consent before any AI tool is used in your care.

05

The Information We Collect

We collect only the information we need to deliver safe and high-quality services. All collection is proportionate to the purpose for which it is needed.

5.1 Administrative and contact information

When you make an inquiry or register for a programme, we collect basic details. These are your full name, age bracket, contact phone number, billing information, and the general category of support you are seeking (selected from a dropdown on our inquiry form).

5.2 Clinical and health information

During the course of one-to-one sessions or specialist athlete support, we collect more sensitive information. This may include clinical session notes and assessment results, psychometric snapshots, Mental Gym plans, what you tell us about your mental, emotional, and physical performance, and any relevant history of previous psychological or health support where it is pertinent to your goals.

5.3 Information regarding tamariki and rangatahi

For clients under 18, we collect the contact details of a parent or legal guardian and maintain signed consent records. We respect the developing autonomy of young people, and where appropriate, information may also be collected directly from them in a confidential one-to-one setting. Our approach to consent for young people is described in Section 9.

5.4 Digital and platform data

We collect a small amount of information through our digital platforms to support service delivery. Within our GROW online learning hub, we collect module progress and engagement data. In programme-specific WhatsApp groups (used only with adult programmes, with consent: see Section 8.4), we collect the messages sent within those groups. On our website, we collect anonymised analytics about how visitors use our pages.

5.5 Identifiers

We do not assign you a unique client number beyond what is required by our practice management system. We do not require you to disclose identifiers issued by other agencies (such as your NHI number) unless this is necessary for safe care or required by law. This is consistent with HIPC Rule 12.

06

How and From Whom We Collect Your Information

We collect information directly from you wherever possible. This is both an ethical commitment and a legal one (under HIPC Rule 2).

6.1 Directly from you

The majority of information we hold comes directly from you, through one of these channels:

  • Our website inquiry form, hosted by Tally.so, used for administrative inquiries only.
  • Our Carepatron client portal, used for secure intake forms, signed consent, and clinical questionnaires.
  • Conversation and interaction during workshops, sport psychology sessions, or kōrero with Jason or James.

6.2 From third parties

Sometimes we collect information about you from a third party, but only with your prior authorisation, or where the HIPC permits it. Third-party sources can include sports clubs, academies, or National Sporting Organisations who have commissioned our services; schools or teachers in charge of athlete development; parents or guardians acting on behalf of a young athlete; and other health practitioners where a coordinated care arrangement is in place.

When we receive information about you from a third party, we will tell you (or your parent or guardian, if you are under 16) at our first opportunity what was provided, by whom, and why. This commitment reflects IPP 3A under HIPC Amendment No. 2.

07

How We Use Your Information

We use your information only for the purposes for which it was collected. We do not repurpose health or clinical data for marketing, research, or any other secondary purpose without your explicit, informed consent.

We use your information to:

  • Deliver tailored sport psychology assessment, intervention, and performance support.
  • Design and facilitate athlete development workshops, parent education, and coach education programmes.
  • Manage bookings, billing, and administrative communications.
  • Ensure the physical and psychological safety of all programme participants.
  • Fulfil our professional obligations for clinical supervision, record-keeping, and quality assurance.

Accuracy

Before we use or disclose information about you, we take reasonable steps to make sure it is accurate, up to date, complete, relevant, and not misleading. If you tell us something has changed, we will update our records promptly. This commitment reflects HIPC Rule 8.

Marketing

We do not send marketing emails or operate a newsletter. We do publish a blog on our website, but you do not need to give us any personal information to read it.

08

How We Protect and Store Your Information

As registered health professionals, we maintain rigorous, multi-layered safeguards to protect your information against unauthorised access, accidental loss, or misuse.

8.1 Clinical records: Carepatron

All of your clinical notes, psychometric results, and health-related records are stored in Carepatron, a practice management platform built specifically for the health sector. We do not store clinical records on personal devices, in email, on paper, or on Google Drive.

Carepatron is independently certified as compliant with the New Zealand Privacy Act 2020, HIPAA (USA), GDPR (EU), SOC 2 Type 1 and Type 2, ISO 27001, and PIPEDA. Carepatron hosts data on Amazon Web Services, Microsoft Azure, and Google Cloud. Data hosting regions are aligned with applicable local regulatory requirements.

Data is encrypted in transit (TLS) and at rest (AES-256). We use multi-factor authentication on all practitioner accounts, and access to clinical session notes is restricted by role to our registered psychologists. You can review Carepatron's Trust Center at trust.carepatron.com.

Because Carepatron may host data on infrastructure located outside New Zealand, this constitutes a cross-border disclosure under Principle 12 of the Privacy Act 2020. We are satisfied that Carepatron's contractual safeguards, certifications, and the privacy laws applying in the relevant hosting jurisdictions provide comparable protections to those in New Zealand.

8.2 Website inquiry forms: Tally.so

Our website contact form is hosted by Tally.so, a Belgian company whose data is stored on servers within the European Union. Because Tally.so operates under the GDPR (which the Office of the Privacy Commissioner considers comparable to the NZ Privacy Act 2020), this arrangement is consistent with Principle 12. We apply strict data minimisation to these forms: only administrative contact details and a pre-selected support category are collected. Submissions are transferred to our secure Carepatron system and then deleted from the Tally dashboard periodically.

8.3 GROW online learning hub

Access to our GROW online hub is password-protected. Engagement and progress data are kept confidential between the athlete and their psychologist and are not shared with coaches, organisations, or other athletes without explicit consent.

8.4 WhatsApp groups

We use WhatsApp only as a logistical and content-sharing channel, and only for programmes where every participant is aged 18 or over. We do not use WhatsApp for any programme involving young people, and we do not use it for clinical communication of any kind.

Before you join a WhatsApp group, we ask for your consent through your intake form. You can decline, and we will provide an alternative communication channel.

  • WhatsApp is operated by Meta Platforms, Inc., and its data is processed on servers in the United States.
  • We never share clinical content in WhatsApp. If a clinical or personal disclosure happens in a group, we redirect it to a confidential one-to-one channel within Carepatron.
  • You can leave a WhatsApp group at any time without affecting your participation in our services.

8.5 Mobile devices and remote practice

Sport psychology is inherently mobile. Any device we use to access Carepatron, send communications, or hold work-related information is encrypted, password-protected, and configured with remote-wipe capability, in line with the Privacy Commissioner's guidance on mobile health practice.

8.6 Other systems we use

We use Google Drive to store organisational documents, such as signed terms of service with sports clubs and schools. We do not store any individual private health information on Google Drive.

Our website is hosted by Vercel.

09

Working With Tamariki and Rangatahi

We frequently work with young people, and we take our obligations to them — and to their whānau — seriously. Our approach is guided by the Care of Children Act 2004, the HIPC 2020, and the NZ Psychologists Board's ethical guidelines on working with minors.

9.1 Initial meetings and consent

For any client under 18, we begin by meeting with their parents or legal guardians, either separately or alongside the young person. This is when we explain our approach, walk through this Privacy Policy, and obtain signed consent through our Terms of Service. Only after this conversation do one-to-one sessions begin.

9.2 Legal capacity to consent

Under section 36 of the Care of Children Act 2004, a young person aged 16 or over is legally able to give their own informed consent for psychological services. For those under 16, we typically require written consent from a parent or legal guardian.

That said, NZ courts have recognised the principle of "Gillick competence." A young person under 16 who demonstrates a mature understanding of the nature, purpose, and consequences of the service may, in the practitioner's clinical judgement, be able to consent independently to certain aspects of that support.

9.3 Privacy and confidentiality for young athletes

Parents and whānau are vital partners in a young athlete's growth. They do not, however, have an automatic right to access the content of their child's psychological sessions. The young person is entitled to a confidential therapeutic space.

At the start of our work, we establish a clear and documented agreement with both the young person and their whānau. This agreement sets out what high-level themes may be shared with the home environment, and what specific details will remain strictly between the young person and the psychologist.

We will not share a young person's clinical information with a parent or guardian without that young person's consent, except where there is a serious and imminent risk to safety, or where we are required to do so by law.

9.4 A young person's right to their own information

Under HIPC Rule 6, young people have the right to access information we hold about them, regardless of who paid for the service. If a parent or guardian requests access to a young person's records, we will consider the request in light of the young person's age, maturity, expressed wishes, and best interests, and we will normally seek the young person's input before responding.

9.5 When a young person turns 18

When a young person we are working with turns 18, they are an adult under the law and the rights and obligations under this policy transfer fully to them. In practice, this means:

  • From the date of their 18th birthday, we no longer share any information with their parents or guardians without their explicit consent, even if we previously did so by agreement.
  • We will have a conversation with the young person before or shortly after their 18th birthday to confirm their preferences for ongoing communication, share-back arrangements, and family involvement.
  • We will refresh their consent through Carepatron so that the new arrangements are documented.

This approach reflects both the Code of Ethics for Psychologists and the principle that consent must always belong to the person whose information it is.

10

Confidentiality: The Limits and the Exceptions

Confidentiality is a cornerstone of the therapeutic relationship, and we do not take any exception to it lightly. Your information is accessed only by our practising psychologists, Jason Yuill Proctor and James Orritt. We will never sell, rent, or trade your personal data to any third party.

10.1 Professional supervision and peer consultation

Jason and James are required by the NZ Psychologists Board to engage in regular clinical supervision. Your case may be discussed within that supervisory or peer consultation context, with identifying information anonymised. Our supervisor is an external registered psychologist who is bound by the same Code of Ethics.

10.2 Team and organisational settings: need-to-know

In high-performance and team environments, such as The Green Standard, our psychologists may work alongside coaches, sport scientists, or other members of a performance team. In these settings, we work on a strict need-to-know basis.

A coach may be told that an athlete is working through a personal issue that affects their availability (the "what"), but specific clinical details (the "why" and "how") remain entirely private unless you give us explicit written consent to share them. Where a third party such as an NSO or sports organisation is the commissioning body for our services, we will explain the limits of confidentiality with you before those services begin.

10.3 Mandatory exceptions

Under HIPC Rule 11 and our professional ethical obligations, there are a small number of circumstances in which we are legally or ethically required to disclose information without your prior consent:

  • Where there is a serious and imminent threat to your safety or the safety of an identifiable other person, and disclosure is necessary to prevent that harm.
  • Where we hold a genuine concern that a child or vulnerable person is at risk of abuse, neglect, or serious harm.
  • Where we are compelled to disclose information by a court order, statutory summons, or other valid legal requirement.

In every case where it is safe and practicable, we will discuss the intended disclosure with you before it is made.

11

Bicultural Governance: Te Tiriti o Waitangi and Māori Data Sovereignty

The Performance Act acknowledges the unique and foundational status of Māori as Tangata Whenua of Aotearoa. We are committed to upholding the principles of Te Tiriti o Waitangi in our practice and in our governance of your information.

Guided by the principles of Māori Data Sovereignty as articulated by Te Mana Raraunga, we recognise that data about an individual can hold significance for their whānau, hapū, and iwi. Health and performance information about a Māori person is not just an individual asset; it can be a taonga of collective importance. We commit to:

  • Rangatiratanga — Authority

    We respect and uphold the right of Māori to exercise authority and control over their own data and wellbeing.

  • Whakapapa — Relationships

    We acknowledge that all data exists within a context of relationships, and that its collection, use, and storage must be understood within that relational framework.

  • Manaakitanga — Responsibility

    We treat all information entrusted to us with the highest respect, ensuring its use never stigmatises, diminishes, or causes collective harm.

  • Kaitiakitanga — Guardianship

    We act as kaitiaki, stewards, of the data we hold — not as owners.

On request, we will provide a summary of this policy or related correspondence in Te Reo Māori, and we will work to identify a kaupapa Māori practitioner or service for any client who would prefer one.

We aspire, in time, to conduct periodic cultural reviews of our data governance to ensure it remains genuinely responsive to the needs of tamariki Māori and their whānau.

12

How Long We Keep Your Information

We do not retain your information for longer than is necessary, subject to the minimum retention periods required by law.

Under the Health (Retention of Health Information) Regulations 1996, clinical health records must be retained for at least ten years from the day after we last provide a service to you. For records relating to a young person, best practice guidance recommends retention until the young person reaches the age of 25, or for ten years from the last service date, whichever is longer.

Other records:

  • Administrative data submitted through our Tally.so inquiry form is transferred to Carepatron and then deleted from the Tally dashboard periodically.
  • GROW hub engagement logs are retained for the duration of your active participation in a programme, and then anonymised for quality improvement.
  • WhatsApp group messages are deleted when the group is closed at the end of a programme.
  • Organisational documents on Google Drive (such as signed terms of service with clubs) are retained for the duration of the engagement and for seven years afterwards, in line with general business record-keeping practice.

Once mandatory retention periods have expired, we delete digital clinical records ourselves from Carepatron and from any associated cloud backups. We confirm in writing that this has been done.

13

Reports for Schools, Clubs, and Sporting Organisations

When a school, club, or NSO commissions us to deliver a programme, they sometimes ask for a report at the end. Our standard practice is as follows:

  • Standard reports do not contain individual identifiable information about athletes. They focus on programme delivery, themes, and aggregate observations.
  • We will always tell athletes if a report is being prepared for the commissioning organisation.
  • If an individual athlete's experience or input is referred to in any way in a report, we will ask that athlete for explicit consent first.
  • If the athlete does not consent, we will remove their information from the report.

This applies equally to written reports, verbal debriefs, and any other form of feedback we provide to a commissioning organisation.

14

Your Rights Under the Privacy Act 2020 and HIPC 2020

You have important rights in relation to the personal and health information we hold about you. We are committed to upholding these rights promptly.

  • Right of access. You can request a copy of the personal and health information we hold about you at any time. We will respond within twenty working days, as required by the Privacy Act 2020.
  • Right to correction. If anything we hold about you is inaccurate, incomplete, or misleading, you can ask us to correct it. If we disagree, we will note your request on the relevant record.
  • Right to withdraw consent. You can withdraw your consent for certain types of data processing at any time. We will explain the consequences if doing so affects our ability to continue providing services to you.
  • Right to object. You can object to specific uses of your information (for example, being approached for service feedback). We will respect that objection unless we are required by law to process the information.
  • Right to complain. If you believe we have breached your privacy or failed to honour your rights, please contact our Privacy Officer first. We will respond within ten working days. If you remain dissatisfied, you can complain to the Office of the Privacy Commissioner at www.privacy.org.nz, by phone on 0800 803 909, or through their online complaint form.

15

Third-Party Tools, Cookies, and Website Analytics

We use a small number of third-party platforms to deliver our services. These third parties are subject to contractual obligations to handle your data appropriately. We encourage you to review their privacy policies.

Cookies and analytics

Our website uses Vercel Analytics and Google Analytics to understand how visitors use our site. These tools use cookies and may collect information such as your approximate location, the pages you visit, and the type of device you are using. The data is used in aggregate and does not personally identify you. You can disable cookies through your browser settings at any time, and you can opt out of Google Analytics specifically by installing Google's Analytics Opt-out browser add-on.

We do not use targeted advertising. We do not share your information with advertising networks or data brokers.

16

Privacy Breaches

Despite the precautions we take, no digital system can guarantee absolute security.

If a privacy breach occurs that is likely to cause serious harm to any affected person, we are required by the Privacy Act 2020 to notify both the affected person(s) and the Office of the Privacy Commissioner as soon as practicable. We will use the Privacy Commissioner's NotifyUs online tool, and our notification will tell you what happened, what information was involved, what we are doing in response, and what steps you can take to protect yourself.

If you become aware of, or suspect, any unauthorised access to your information held by us, please contact us immediately using the details in Section 19.

17

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legislative requirements, or best practice guidance. When we update, we will revise the "Last Updated" date at the top of the policy. Where the changes are material, we will take reasonable steps to notify clients directly. We encourage you to review this policy periodically.

18

Important Notice: Crisis Support

The Performance Act is not a crisis or emergency service

Our website and email are not monitored around the clock. If you are in immediate distress or require urgent mental health support:

Call or text 1737 — free, 24/7 mental health support in Aotearoa New Zealand.

For an emergency, dial 111.

This policy does not constitute legal advice. For specific legal guidance regarding your privacy rights, we recommend consulting a qualified New Zealand privacy lawyer or the Office of the Privacy Commissioner.

19

Contact Our Privacy Officers

For any questions, concerns, access requests, or complaints regarding your personal or health information, please contact us:

Lead Privacy Officer

James Orritt

Director & Registered Clinical Psychologist
Designated under s.201 of the Privacy Act 2020

Co-Privacy Officer

Jason Yuill Proctor

Director & Registered Psychologist

The Performance Act (Performance Act Limited) | Aotearoa New Zealand

Last Updated: April 2026 | Version: 3.0 | Contact: info@performance-act.com | Helping people grow.