2. Personal Data We Collect

2.1 Data Categories

We collect the following categories of personal data from our Clinic Staff and members of the general public who use our website:

While we act as a data processor within our services for patient data, we do so solely on behalf of our customer (the clinic). The clinic itself remains the data controller. If you have questions about this data processing, please address them to your clinic's administration.

2.2 How We Collect Personal Data

We collect personal data:

• Directly from you when you register for an account or use our services
• Through our website using cookies, tracking pixels and analytics tools
• From publicly available sources (e.g. clinic websites) where relevant

3. Legal Basis for Processing

Under UK GDPR, we must have a legal basis for processing your personal data. The table below shows our legal bases:

4. How We Use Your Personal Data

The processing purposes for which we use your personal data are shown in the table below.

5. Data Processors and International Transfers

We share your personal data with:

We do not sell your personal data to third parties. All third-party processors are bound by data processing agreements that ensure appropriate data protection standards.

6. Data Retention

We retain personal data only as long as necessary for:

• Fulfilling the purposes for which it was collected
• Complying with legal, regulatory, and professional obligations
• Resolving disputes and enforcing agreements

The retention periods are:

7. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

To exercise these rights, contact us at privacy@bookedsolid.co.uk.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit and at rest, to ensure personal data is secure. We encrypt using TLS1.2 for transit and AES-256 bit encryption for data at rest.
• Access controls and logging to ensure only authorised individuals have access, and regular reviews to ensure access is firmly under control
• Regular penetration testing to ensure our security measures are sufficiently robust to significantly reduce risks of unauthorised access by malicious actors.
• Staff training on data protection to ensure their awareness of our obligations and responsibilities is strong
• Incident response procedures to ensure that confirm, investigate, fix and, if necessary, report to users and authorities about incidents that happen within our business that affect the personal data of users.
• Periodic external audits organised through our external and independent Data Protection Officer.

9. Cookies and Website Analytics

We use cookies and similar technologies on our website to:

• Enable essential website functionality
• Remember your preferences and settings
• Analyse website usage and performance
• Support marketing and advertising activities

You can manage cookie preferences through your browser settings. For more information, see our Cookie Policy or contact us.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Posting the updated policy on our website
• Sending email notifications to account holders
• Updating the effective date at the top of this policy

11. Contact Information and Complaints

Customer Support: privacy@bookedsolid.co.uk

DPO - All Privacy Enquiries can also be handled directly with our Data Protection Officer, contactable via: info@waivern.com

Right to Complain: If you're not satisfied with how we handle your personal data, you have the right to lodge a complaint with:

• UK residents: Information Commissioner's Office (ICO) - www.ico.org.uk

1. Introduction - Australian Privacy Context

Who this Australian section applies to:

• Clinic Users: Healthcare professionals and clinic staff who use our AI receptionist service (BookedSolid is an APP entity for your personal data)
• Members of the General Public: who browse the bookedsolid.co.uk website (BookedSolid is an APP entity for your personal data)
• Patients of Clinics: For patients who interact with our AI receptionist when contacting clinics, the clinic is the APP entity responsible for your personal data and BookedSolid is a service provider APP entity processing data on behalf of the clinic. The clinic's privacy policy governs how your patient data is handled. BookedSolid's obligations regarding patient data are set out in our Data Processing Agreement with each clinic.

2. Personal Information We Collect (as APP Entity)

We collect the following categories of personal information where BookedSolid is the APP entity:

2.1 Account Information

• Name, Job Title, Telephone Number, Email Address
• Clinic payment details and payment history

2.2 Customer Support Information

• Name, Job Title, Telephone Number, Email Address
• Support ticket details and communications

2.3 Behavioural and Analytics Information

• Referral source, click activity, scroll activity, page activity
• Data entry activity, time spent in user sessions

2.4 Technical Information

• Device type, operating system type and version
• Screen resolution, mobile network information, language settings
• Technical events (e.g. clicks, downloads)
• IP address

2.5 Sensitive Information

BookedSolid does not collect sensitive information (as defined in section 6 of the Privacy Act 1988) about clinic users or website visitors.

Note regarding patient health information: When processing patient data on behalf of clinics, we handle health information (sensitive information under the Privacy Act). However, the clinic is the APP entity responsible for this information. See Section 14 below for details.

3. How We Collect Personal Information

We collect personal information:

• Directly from you when you register for an account, use our services, or contact us
• Through our website using cookies, tracking pixels and analytics tools
• From publicly available sources (e.g. clinic websites) where relevant for business purposes
• From your clinic if you are a clinic user whose details are provided to us for account setup

We will only collect personal information by lawful and fair means, and not in an unreasonably intrusive way.

If it is reasonable and practicable to do so, we will collect personal information directly from you. If we collect information from a third party, we will take reasonable steps to ensure you are made aware of this collection.

4. Why We Collect, Hold, Use and Disclose Personal Information

4.1 Primary Purposes

We collect, hold, use and disclose your personal information for the following primary purposes:

4.2 Secondary Purposes

We may also use your personal information for the following secondary purposes (where permitted by law):

4.3 Legal Compliance

We may also use or disclose your personal information where required or authorised by Australian law, including to comply with court orders, subpoenas, or regulatory requirements.

5. Direct Marketing (APP 7)

5.1 Marketing Communications

We may use your personal information to send you direct marketing communications about our services, industry updates, and relevant information. We will only do so:

• Where you have consented to receive marketing, OR
• Where permitted under APP 7 (for example, where we collected the information from you, you would reasonably expect us to use it for marketing similar services, and you have been given a simple means to opt out)

5.2 Opting Out

You may opt out of receiving marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Contacting us at privacy@bookedsolid.co.uk
• Updating your preferences in your account settings

We will process opt-out requests within a reasonable timeframe (usually within 5 business days).

5.3 Permitted Marketing

Even if you opt out of marketing communications, we may still send you:

• Service-related communications (e.g. account updates, billing notices)
• Essential information required by law
• Responses to your specific enquiries

6. Cross-Border Disclosure of Personal Information (APP 8)

6.1 Overseas Disclosure Overview

BookedSolid Ltd is a UK-based company. When you provide personal information to us, that information is transferred to and stored in the United Kingdom. We also use sub-processors located in the European Union/European Economic Area and the United States of America.

Countries to which we disclose personal information:

• United Kingdom
• Ireland (EU/EEA)
• Germany (EU/EEA)
• Estonia (EU/EEA)
• United States of America

6.2 Our Sub-Processors and Their Locations

We disclose personal information to the following overseas entities for the purposes of delivering our services:

6.3 Legal Basis for Overseas Disclosure (APP 8.2(a))

BookedSolid relies on the exception in APP 8.2(a) for overseas disclosures. We have taken reasonable steps to ensure that:

• For transfers to the UK and EU/EEA: The UK General Data Protection Regulation (UK GDPR) and EU GDPR provide protections that are substantially similar to the Australian Privacy Principles. The Office of the Australian Information Commissioner (OAIC) has recognised EU GDPR as substantially similar to the APPs.
• For transfers to the USA: Our UK entity and its sub-processors in the USA are subject to:
  • The UK International Data Transfer Agreement (UK IDTA), which contractually binds US processors to UK GDPR-level protections (equivalent to APPs), OR
  • The UK Extension to the EU-US Data Privacy Framework, providing adequacy status for certified organisations

Enforcement mechanisms available to you: If an overseas recipient breaches the APPs, you can:

• Lodge a complaint with the UK Information Commissioner's Office (ICO) - free and accessible
• Bring legal proceedings in UK courts under UK GDPR Articles 79-82
• Claim compensation for damages
• Contact BookedSolid, which remains accountable for sub-processor compliance

6.4 Transfer Risk Assessments

We have conducted Transfer Risk Assessments for all transfers to the USA, evaluating:

• US privacy and surveillance laws
• Impact on data subject rights
• Supplementary technical measures (encryption, pseudonymisation)
• Contractual protections

These Transfer Risk Assessments are available to clinic clients upon request.

6.5 Accountability

While we take reasonable steps to ensure overseas recipients comply with the APPs, by using our services you acknowledge that:

• If an overseas recipient handles your personal information in breach of the APPs, you may not be able to seek redress under the Privacy Act 1988
• The overseas recipient may not be subject to privacy obligations equivalent to the APPs

However, BookedSolid remains accountable to you under Australian law for compliance with this privacy policy and our obligations as an APP entity

7. Data Quality and Security

7.1 Data Quality (APP 10 and 11)

We take reasonable steps to ensure that the personal information we collect, use, or disclose is:

• Accurate, up-to-date, and complete
• Relevant to the purposes for which it is collected

You can help us maintain accurate information by updating your account details or contacting us if your information changes.

7.2 Data Security (APP 11)

We take reasonable steps to protect your personal information from:

• Misuse, interference, and loss
• Unauthorised access, modification, or disclosure

Our security measures include:

Technical measures:

• Encryption of data in transit using TLS 1.2
• Encryption of data at rest using AES-256 bit encryption
• Multi-factor authentication for staff access
• Regular security assessments and penetration testing
• Intrusion detection and prevention systems
• Anti-malware software

Organisational measures:

• Access controls limiting staff access to personal information on a need-to-know basis
• Regular staff training on privacy and security
• Incident response procedures
• Secure deletion protocols
• Regular external audits through our independent Data Protection Officer

Physical measures:

• Data hosted in secure facilities with restricted physical access
• Environmental controls and monitoring
• Redundancy and backup systems

7.3 Data Retention

We retain personal information only for as long as necessary for the purposes for which it was collected, or as required by law:

• Account information: Duration of active account plus 6 years
• Customer support information: 2 years
• Behavioural and analytics information: 3 years
• Technical information: 2 years

When we no longer need personal information, we take reasonable steps to destroy or de-identify it in a secure manner.

8. Your Rights Under the Privacy Act 1988

8.1 Right of Access (APP 12)

You have the right to request access to the personal information we hold about you. Upon receiving your request, we will:

• Provide you with access to your personal information within a reasonable timeframe (usually within 30 days)
• Provide information in a form that is generally understandable
• If we refuse access, we will provide you with written reasons and inform you of complaint mechanisms

We may charge a reasonable fee for providing access where permitted by law. We will inform you of any charges before processing your request.

We may refuse access in certain circumstances, including where:

• Providing access would be unlawful
• Denying access is required or authorised by law
• Providing access would prejudice enforcement activities
• Providing access would reveal our commercially sensitive decision-making processes
• Providing access would be unreasonable impact on another individual's privacy
• The request is frivolous or vexatious
• Legal proceedings are underway between us

8.2 Right to Correction (APP 13)

You have the right to request correction of personal information we hold about you if you believe it is inaccurate, out-of-date, incomplete, irrelevant, or misleading.

Upon receiving your correction request, we will:

• Take reasonable steps to correct the information within a reasonable timeframe (usually within 30 days)
• If we refuse to correct information, provide you with written reasons
• If you request it, take reasonable steps to associate with the information a statement that you view it as inaccurate, out-of-date, incomplete, irrelevant or misleading

We will not charge you for making a correction request or for correcting your personal information.

8.3 How to Exercise Your Rights

To request access to or correction of your personal information, please contact us at:

• Email: privacy@bookedsolid.co.uk
• Subject line: "APP 12 Access Request" or "APP 13 Correction Request"

Please include:

• Your full name and contact details
• Details of the information you wish to access or correct
• Any supporting documentation to verify your identity

We may need to verify your identity before processing your request.

9. Identifiers (APP 9)

We do not adopt, use, or disclose government-related identifiers (such as Medicare numbers, driver's licence numbers, or passport numbers) unless:

• Required or authorised by Australian law, or
• Reasonably necessary to verify your identity for the purposes of our activities

10. Anonymity and Pseudonymity (APP 2)

Where it is lawful and practicable, you have the option of not identifying yourself or using a pseudonym when dealing with us, including when:

• Making general enquiries via our website
• Browsing our website
• Attending public events or webinars we host

However, for most of our services (including account creation, service delivery, and customer support), it is not practicable for us to deal with you if you do not identify yourself, as we need to be able to communicate with you and manage your account.

11. Unsolicited Personal Information (APP 4)

If we receive personal information we did not solicit, we will determine within a reasonable period whether we could have collected that information under APP 3 (if we had solicited it).

If we determine that we could not have collected the information, and it is lawful and reasonable to do so, we will destroy or de-identify that information as soon as practicable.

12. Cookies and Website Analytics

12.1 Use of Cookies

Our website uses cookies and similar technologies. When you visit our website from Australia, the same cookies described in Section 11 of the main privacy policy apply.

12.2 Managing Cookies

You can manage your cookie preferences through your browser settings. However, disabling certain cookies may affect the functionality of our website.

For detailed information about the cookies we use, please refer to Section 11 of this Privacy Policy or contact us for our Cookie Policy.

13. Complaints Process

13.1 Internal Complaints

If you have a complaint about how we have handled your personal information, please contact us first:

• Email: privacy@bookedsolid.co.uk
• Subject line: "Privacy Complaint"
• Data Protection Officer: info@waivern.com

Your complaint should include:

• Your contact details
• Details of the complaint
• Any supporting documentation

We will:

• Acknowledge your complaint within 5 business days
• Investigate your complaint within a reasonable timeframe (usually within 30 days)
• Provide you with a written response explaining our decision and the reasons for it
• Inform you of your right to complain to the OAIC if you are dissatisfied with our response

13.2 External Complaints - OAIC

If you are not satisfied with our response to your complaint, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Email: enquiries@oaic.gov.au
• Phone: 1300 363 992
• Mail: GPO Box 5218, Sydney NSW 2001

The OAIC can investigate your complaint and may make a determination requiring us to take specific action.

14. Patient Data - Service Provider Relationship

14.1 Our Role as Service Provider

When patients interact with our AI receptionist service (via phone calls, SMS, WhatsApp, or email) to book appointments with clinics, BookedSolid acts as a service provider APP entity processing health information on behalf of the clinic (the APP entity).

In this relationship:

• The clinic is responsible for complying with the Privacy Act 1988 regarding patient data
• The clinic's privacy policy governs how patient data is collected, used, and disclosed
• BookedSolid processes patient data only on the clinic's instructions as set out in our Data Processing Agreement

14.2 What Patient Data We Process

On behalf of clinics, we process:

• Names and contact information
• Appointment requests and scheduling information
• Voice recordings of phone conversations (retained for 30 days)
• Text messages and email content
• Health information disclosed during interactions (to the extent necessary for appointment scheduling)

14.3 Legal Basis

The clinic, as the APP entity, relies on:

• Section 16B of the Privacy Act 1988
• APP 6.1 (collection and use of health information necessary to provide a health service)

14.4 Patients' Rights

If you are a patient and wish to:

• Access your personal information
• Correct your personal information
• Make a complaint about how your information is handled
• Understand how your information is used

You should contact the clinic directly. The clinic is responsible for responding to your requests regarding patient data.

If you contact us directly, we will forward your request to the relevant clinic within 5 business days.

14.5 Patient Data Security

BookedSolid maintains the same high security standards for patient data as described in Section 7.2 above, including:

• Encryption of all patient communications
• Secure storage of appointment data for 7 years
• Voice recordings retained for 30 days only
• Strict access controls
• Regular security assessments

14.6 Cross-Border Disclosure of Patient Data

When processing patient data on behalf of Australian clinics, the same overseas transfers described in Section 6 apply. The clinic remains accountable for these transfers under APP 8, and BookedSolid assists the clinic in meeting its obligations by:

• Ensuring all sub-processors are subject to appropriate contractual protections
• Conducting Transfer Risk Assessments
• Implementing technical and organisational security measures
• Providing documentation to clinics upon request

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make significant changes, we will notify you by:

• Posting the updated policy on our website with a new "Effective Date"
• Sending email notifications to account holders
• Displaying a prominent notice on our website

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal information.

16. Contact Information

For any privacy-related enquiries, requests, or complaints:

• Email: privacy@bookedsolid.co.uk
• Data Protection Officer: info@waivern.com
• Website: www.bookedsolid.co.uk

BookedSolid Ltd
UK Company Number: 16019450
Regulated by: Information Commissioner's Office (ICO), UK

1. Introduction - New Zealand Privacy Context

Who this New Zealand section applies to:

• Clinic Users: Healthcare professionals and clinic staff who use our AI receptionist service (BookedSolid is an agency for your personal information)
• Members of the General Public: who browse the bookedsolid.co.uk website (BookedSolid is an agency for your personal information)
• Patients of Clinics: For patients who interact with our AI receptionist when contacting clinics, the clinic is the agency responsible for your personal information and BookedSolid is a secondary agency contracted to perform services on behalf of the clinic under sections 11 and 12 of the Privacy Act 2020. The clinic's privacy statement governs how your patient information is handled. BookedSolid's obligations regarding patient information are set out in our Data Processing Agreement with each clinic.

Key Definitions:

• Agency: An organisation that holds personal information (equivalent to "controller" in other jurisdictions)
• Secondary Agency: A service provider that holds information solely to provide services to another agency (equivalent to "processor")
• Personal information: Information about an identifiable individual
• Health information: Information about an individual's health, disability, or health services provided to them

2. Personal Information We Collect (as Agency)

2.1 Information Collection Principle (IPP 1-4)

We collect the following types of personal information where BookedSolid is the agency:

2.2 Account Information

• Name, Job Title, Telephone Number, Email Address
• Clinic payment details and payment history
• Account login credentials

2.3 Customer Support Information

• Name, Job Title, Telephone Number, Email Address
• Support ticket details and correspondence
• Records of assistance provided

2.4 Behavioural and Analytics Information

• Referral source, click activity, scroll activity, page activity
• Data entry activity, time spent in user sessions
• Feature usage patterns

2.5 Technical Information

• Device type, operating system type and version
• Screen resolution, mobile network information, language settings
• Technical events (e.g. clicks, downloads)
• IP address and connection information

2.6 Health Information

BookedSolid operates as a secondary agency when processing health information. Any health information processed through our platform is collected by and remains under the control of our client (the primary agency – your healthcare clinic). BookedSolid processes this information solely on behalf of clients and in accordance with their instructions, as detailed in our Data Processing Agreement. BookedSolid does not use health information for any independent purposes. See Section 15 below for details.

3. How We Collect Personal Information (IPP 2-4)

3.1 Collection Methods

We collect personal information:

Directly from you (IPP 3) when you:

• Register for an account
• Use our services
• Contact us for support
• Subscribe to communications
• Browse our website

From third parties (IPP 2) including:

• Your clinic when setting up your account
• Publicly available sources (e.g. clinic websites) for business purposes
• Our technology service providers (cookies, analytics)

3.2 Collection Standards (IPP 4)

We collect personal information by lawful and fair means. We will not collect information in a way that:

• Is unlawful
• Is unfair
• Intrudes to an unreasonable extent upon your personal affairs

3.3 Collection from the Individual (IPP 3)

Wherever possible and reasonable, we collect personal information directly from you. Where we collect information from someone else, we will take reasonable steps to ensure you are aware of:

• The fact that we hold information about you
• The purposes for which we hold it
• Your rights to access and correct that information

4. Why We Collect Personal Information (IPP 1, 10, 11)

4.1 Purposes of Collection (IPP 1)

We collect and hold your personal information for the following lawful purposes connected with our functions and activities:

4.2 Direct Marketing (IPP 10 - Secondary Purpose)

We may use your personal information to send you marketing communications about our services. We will only do so:

• With your consent, OR
• Where the marketing relates to our services and you would reasonably expect to receive such communications

You can opt out of marketing communications at any time (see Section 11.3).

4.3 Use and Disclosure Limitations (IPP 10, 11)

We will not use or disclose your personal information for purposes other than those listed above unless:

• You have authorised the use or disclosure, OR
• The use or disclosure is directly related to the purpose of collection and you would reasonably expect it, OR
• The use or disclosure is necessary to prevent or lessen a serious threat to public health or safety, or to the life or health of any individual, OR
• The use or disclosure is required or authorised by law, OR
• Other exceptions under IPP 10 or 11 apply

5. Who We Share Personal Information With (IPP 11)

5.1 Disclosure to Third Parties

We may disclose your personal information to:

Service Providers and Technology Partners: Companies that help us deliver our services, including:

• Cloud hosting providers (Render - Germany/USA)
• Data storage providers (MongoDB, Cloudinary, Pinecone - USA)
• AI processing services (Google, OpenAI, Anthropic, Deepgram, ElevenLabs - USA)
• Communication services (Twilio, WhatsApp Business - USA)
• Payment processors (Stripe - USA)
• Analytics providers (Google - USA/Ireland)
• Customer support tools (Featurebase - Estonia)
• Marketing platforms (Meta - USA/Ireland)

Professional Advisors: Lawyers, accountants, auditors, and consultants who assist us with business operations

Law Enforcement and Regulatory Bodies: When required by law or to protect rights and safety

Business Transactions: In connection with any merger, sale, restructuring, or transfer of our business

5.2 Third Party Obligations

When we share your personal information with third parties, we:

• Require them to protect your information appropriately
• Ensure they use it only for the purposes we specify
• Monitor their compliance with privacy obligations

6. Overseas Disclosure of Personal Information (IPP 12)

6.1 Overseas Disclosure Overview

BookedSolid Ltd is a UK-based company. When you provide personal information to us, that information is transferred to and stored in the United Kingdom. We also use service providers located in the European Union/European Economic Area and the United States of America.

Countries to which we disclose personal information:

• United Kingdom
• Ireland (EU/EEA)
• Germany (EU/EEA)
• Estonia (EU/EEA)
• United States of America

6.2 Our Overseas Service Providers

We disclose personal information to the following overseas entities:

6.3 Comparable Safeguards (IPP 12)

We have taken reasonable steps to ensure that overseas recipients are subject to privacy laws, binding schemes, or contracts that provide protection that is comparable overall to New Zealand privacy law.

• For transfers to the United Kingdom: The UK General Data Protection Regulation (UK GDPR) provides comprehensive privacy protections comparable to the New Zealand Privacy Act 2020. Our assessment shows that UK GDPR addresses all core privacy principles including lawful collection, transparency, security, access rights, correction rights, purpose limitation, and disclosure restrictions.
• For transfers to the EU/EEA: The EU General Data Protection Regulation (GDPR) provides comprehensive privacy protections comparable to the New Zealand Privacy Act 2020, with similar or stronger requirements across all privacy principles.
• For transfers to the USA: Our UK entity and its US service providers are subject to:
  • The UK International Data Transfer Agreement (UK IDTA), which contractually requires US processors to comply with UK GDPR-level protections (comparable to NZ Privacy Act), OR
  • The UK Extension to the EU-US Data Privacy Framework, providing adequacy status for certified organisations

The UK IDTA includes:

• Contractual requirement to process data per UK GDPR principles
• Data subject rights equivalent to UK GDPR
• Appropriate security measures
• Breach notification requirements
• Restrictions on onward transfers
• Third-party beneficiary rights (allowing you to enforce protections directly)

6.4 Transfer Risk Assessments

We have conducted Transfer Risk Assessments for all US transfers, evaluating:

• US privacy and surveillance laws
• Potential impacts on privacy rights
• Technical safeguards (encryption, pseudonymisation)
• Contractual protections

These assessments are available to clinic clients upon request.

6.5 Enforcement Rights

If an overseas recipient mishandles your personal information, you can:

• Lodge a complaint with the UK Information Commissioner's Office
• Bring legal proceedings in UK courts under UK GDPR
• Claim compensation for damages
• Contact BookedSolid, which remains accountable under New Zealand law

7. Storage and Security of Personal Information (IPP 5)

7.1 Security Safeguards

We take reasonable security safeguards to protect your personal information from:

• Loss
• Unauthorised access
• Unauthorised use
• Unauthorised modification
• Unauthorised disclosure
• Other misuse

Our security measures include:

Technical Safeguards:

• Encryption of data in transit using TLS 1.2
• Encryption of data at rest using AES-256 bit encryption
• Multi-factor authentication for employee access
• Regular security assessments and penetration testing
• Intrusion detection and prevention systems
• Anti-malware and anti-virus software
• Secure software development practices
• Regular security patching and updates

Organisational Safeguards:

• Access controls limiting employee access on a need-to-know basis
• Regular privacy and security training for all employees
• Confidentiality obligations in employment contracts
• Incident response procedures
• Regular security audits
• Data breach notification processes
• Secure disposal protocols for data no longer required

Physical Safeguards:

• Data hosted in secure, professionally managed facilities
• Restricted physical access controls
• Environmental monitoring and controls
• Redundancy and backup systems
• Business continuity planning

7.2 Security of Personal Information Held by Others

Where we disclose your personal information to third parties (including overseas recipients), we take reasonable steps to ensure they:

• Apply comparable security safeguards
• Protect information from unauthorised access and misuse
• Comply with contractual security obligations

7.3 Breach Notification

If we become aware of a privacy breach that causes, or is likely to cause, serious harm to you, we will:

• Notify you as soon as practicable
• Notify the Privacy Commissioner as soon as practicable
• Provide details about the breach and steps you can take to protect yourself

8. Data Quality (IPP 8)

We take reasonable steps to ensure that personal information we collect, use, or disclose is:

• Accurate
• Up to date
• Complete
• Relevant
• Not misleading

You can help us maintain accurate information by:

• Updating your account details when your information changes
• Contacting us to correct inaccurate information
• Notifying us of any changes to your contact information

9. Retention of Personal Information (IPP 9)

9.1 Retention Periods

We retain personal information only for as long as necessary for the purposes for which it was collected, or as required by law.

Our retention periods are:

• Account information: Duration of active account plus 6 years (for legal, tax, and accounting purposes)
• Customer support information: 2 years
• Behavioural and analytics information: 3 years
• Technical information: 2 years

9.2 Secure Disposal

When we no longer need to retain personal information, we take reasonable steps to:

• Permanently delete it from our active systems
• Destroy it in a secure manner that prevents reconstruction
• Ensure it is deleted from backup systems within our backup rotation period

10. Unique Identifiers (IPP 13)

10.1 Assignment of Unique Identifiers

We assign unique identifiers (account IDs, customer reference numbers) to individuals to facilitate service delivery and account management.

10.2 Use of Government Identifiers

We do not:

• Assign unique identifiers that are also government agency identifiers (such as IRD numbers, passport numbers, or driver's licence numbers)
• Require you to provide government identifiers as a condition of service
• Use or disclose government identifiers except where required or authorised by law

11. Access to Personal Information (IPP 6)

11.1 Your Right of Access

You have the right to request access to personal information we hold about you. Upon receiving your request, we will:

• Provide you with access to your personal information within a reasonable timeframe (usually within 20 working days)
• Provide the information in a readily understandable form
• Inform you of the sources of the information (if you request it and we still hold that information or can readily retrieve it)
• If we refuse access, provide you with written reasons and information about how to complain

11.2 Grounds for Refusing Access

We may refuse access to personal information in certain circumstances, including where:

• Providing access would be contrary to law
• Providing access would prejudice law enforcement, legal proceedings, or legal professional privilege
• Providing access would disclose confidential commercial information or trade secrets
• Providing access would be likely to endanger the safety of any individual
• Providing access would involve the unwarranted disclosure of another individual's personal information
• The information is trivial or the request is frivolous or vexatious
• The information does not exist or cannot be found
• Providing access would compromise Privacy Commissioner functions

11.3 Making an Access Request

To request access to your personal information, please contact us:

• Email: privacy@bookedsolid.co.uk
• Subject line: "Privacy Act Access Request"

Please include:

• Your full name and contact details
• Description of the information you wish to access
• Preferred format for receiving the information
• Any supporting documentation to verify your identity

11.4 Charges for Access

We will not charge for:

• Making an access request
• Providing access to your personal information

We may charge a reasonable fee for labour and materials if providing access involves substantial time or resources (e.g., collating large volumes of information). We will inform you of any charges before proceeding.

12. Correction of Personal Information (IPP 7)

12.1 Your Right to Correction

You have the right to request correction of personal information we hold about you if you believe it is:

• Incorrect
• Out of date
• Incomplete
• Irrelevant
• Misleading

12.2 Our Correction Obligations

Upon receiving your correction request, we will:

• Correct the information if we are satisfied it meets one of the criteria above (usually within 20 working days)
• Take reasonable steps to notify other agencies to whom we have disclosed the incorrect information (if practicable)
• If we refuse to correct the information, provide you with written reasons
• If you request it, take reasonable steps to attach a statement to the information noting your requested correction

12.3 Making a Correction Request

To request correction of your personal information:

• Email: privacy@bookedsolid.co.uk
• Subject line: "Privacy Act Correction Request"

Please include:

• Your full name and contact details
• Description of the information you believe is incorrect
• The correction you would like made
• Supporting evidence for the correction (if available)

12.4 No Charge for Correction

We do not charge for:

• Making a correction request
• Correcting your personal information
• Attaching a statement to your information if we refuse correction

13. Direct Marketing (IPP 10)

13.1 Marketing Communications

We may use your personal information to send you marketing communications about:

• Our services and new features
• Industry updates and best practices
• Special offers and promotions
• Educational content relevant to healthcare practice management

We will only do so where:

• You have consented to receive marketing communications, OR
• The marketing is directly related to the purposes for which we collected your information and you would reasonably expect it

13.2 Opting Out

You may opt out of receiving marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Contacting us at privacy@bookedsolid.co.uk
• Updating your preferences in your account settings
• Notifying us by phone or in writing

We will process opt-out requests within a reasonable timeframe (usually within 5 working days).

13.3 Non-Marketing Communications

Even if you opt out of marketing, we may still send you:

• Service-related communications (account updates, system notifications)
• Billing and payment information
• Security alerts and important notices
• Information required by law
• Responses to your specific enquiries

These are not "marketing" communications and cannot be opted out of while you remain a customer.

14. Complaints Process

14.1 Internal Complaints

If you have a complaint about how we have handled your personal information, please contact us first:

• Email: privacy@bookedsolid.co.uk
• Subject line: "Privacy Complaint"
• Data Protection Officer: info@waivern.com

Your complaint should include:

• Your contact details
• Details of the complaint and which information privacy principle(s) you believe we have breached
• What you would like us to do to resolve the complaint
• Any supporting documentation

14.2 Our Complaints Process

We will:

• Acknowledge your complaint within 5 working days
• Investigate your complaint thoroughly
• Respond to your complaint within a reasonable timeframe (usually within 20 working days)
• Provide you with a written response explaining:
  • Our decision
  • The reasons for our decision
  • Any action we will take
  • Your right to complain to the Privacy Commissioner

14.3 External Complaints - Office of the Privacy Commissioner

If you are not satisfied with our response, you have the right to complain to the Privacy Commissioner:

• Website: www.privacy.org.nz
• Email: enquiries@privacy.org.nz
• Phone: 0800 803 909
• Mail: PO Box 10094, The Terrace, Wellington 6143

The Privacy Commissioner can:

• Investigate your complaint
• Attempt to resolve it through mediation
• Issue a compliance notice requiring us to take specific action
• Refer serious cases to the Human Rights Review Tribunal

You must generally complain to us first before complaining to the Privacy Commissioner, unless special circumstances apply.

15. Patient Information - Secondary Agency Relationship

15.1 Our Role as Secondary Agency (Sections 11-12)

When patients interact with our AI receptionist service (via phone calls, SMS, WhatsApp, or email) to manage appointments with clinics, BookedSolid acts as a secondary agency under sections 11 and 12 of the Privacy Act 2020.

Under sections 11-12:

• We hold patient information solely to provide services to the clinic (the primary agency)
• The information is still legally treated as being held by the clinic
• Our processing does not constitute a separate "disclosure" by the clinic
• The clinic retains responsibility for complying with the Privacy Act regarding patient information

15.2 Legal Framework

• Primary legislation: Privacy Act 2020, sections 11-12
• Health-specific legislation: Health Information Privacy Code 2020, particularly:
  • Rule 10 (Limits on use of health information)
  • Rule 11 (Limits on disclosure of health information)
  • Rule 12 (Disclosure of health information outside New Zealand)

The clinic, as the primary agency, has the legal authority to collect and use health information for the purpose of providing health services.

15.3 What Patient Information We Process

On behalf of clinics, we process:

• Names and contact information (phone numbers, email addresses)
• Appointment requests, bookings, cancellations, and rescheduling
• Voice recordings of phone conversations (retained for 30 days for quality purposes)
• Text messages, SMS, and email content
• Health information disclosed during interactions (to the extent necessary for appointment scheduling)
• Appointment history and preferences

15.4 How We Process Patient Information

We process patient information:

• Only on the clinic's instructions
• Only for the purpose of providing appointment management services
• In accordance with our Data Processing Agreement with the clinic
• Subject to the same security safeguards described in Section 7
• In compliance with both Privacy Act 2020 and Health Information Privacy Code 2020

15.5 Patients' Rights

If you are a patient and wish to:

• Access your personal information
• Correct your personal information
• Make a complaint about how your information is handled
• Understand how your information is used or disclosed

You should contact the clinic directly. The clinic, as the primary agency, is responsible for responding to your requests regarding patient information.

If you contact BookedSolid directly, we will:

• Forward your request to the relevant clinic within 5 working days
• Provide the clinic with any information necessary to respond to your request
• Assist the clinic in responding to your request as required

15.6 Patient Information Security

BookedSolid maintains comprehensive security safeguards for patient information:

Encryption:

• All patient communications encrypted in transit (TLS 1.2)
• All stored patient information encrypted at rest (AES-256)

Access Controls:

• Strict need-to-know access for BookedSolid employees
• Multi-factor authentication required
• Regular access reviews and audits

Data Minimisation:

• We process only the minimum patient information necessary
• Voice recordings retained for 30 days only, then permanently deleted
• Appointment data retained for 7 years as required for health records

Technical Measures:

• Regular security testing and penetration testing
• Intrusion detection and prevention
• Anti-malware protection
• Secure software development practices

Organisational Measures:

• Staff training on Privacy Act and Health Information Privacy Code
• Confidentiality obligations in employment contracts
• Incident response procedures
• Regular security audits by external Data Protection Officer

15.7 Overseas Disclosure of Patient Information (IPP 12 / HIPC Rule 12)

When processing patient information on behalf of New Zealand clinics, the same overseas transfers described in Section 6 apply.

Key points for patient information transfers:

• Legal status: Under sections 11-12, BookedSolid holds patient information solely to provide services to the clinic. Our overseas transfers do not constitute a separate "disclosure" by the clinic - the information remains legally held by the clinic.
• Comparable safeguards: BookedSolid ensures all overseas service providers are subject to:
  • UK GDPR (for UK and EU/EEA providers) - provides comparable protection to NZ Privacy Act
  • UK International Data Transfer Agreement (for US providers) - contractually requires UK GDPR-level protections
  • OR UK Extension to EU-US Data Privacy Framework (for certified US providers)
• Clinic's responsibility: The clinic, as primary agency, makes the ultimate decision about whether to use our services involving overseas processing. We provide clinics with:
  • Full disclosure of overseas service providers and their locations
  • Transfer Risk Assessments for all US transfers
  • Documentation of comparable safeguards
  • Contractual commitments in our Data Processing Agreement
• Your rights: If you are concerned about overseas processing of your health information, you should contact the clinic to discuss alternatives or raise concerns.

15.8 Patient Privacy Breaches

If BookedSolid becomes aware of a privacy breach affecting patient information:

We will:

• Notify the affected clinic immediately (within 24 hours)
• Provide full details of the breach, affected patients, and information types
• Assist the clinic in assessing harm and notification requirements
• Take immediate steps to contain and remediate the breach
• Cooperate with any investigation by the clinic or Privacy Commissioner

The clinic, as primary agency, is responsible for:

• Notifying affected patients if the breach causes or is likely to cause serious harm
• Notifying the Privacy Commissioner as required
• Making decisions about remedial action

16. Health Information Privacy Code 2020

16.1 Application to Patient Information

For patient health information processed on behalf of clinics, BookedSolid complies with the Health Information Privacy Code 2020 as a secondary agency.

The Code's 12 Rules apply to health information and are more specific than the general IPPs. Where there is a conflict, the Health Information Privacy Code prevails over the general Privacy Act provisions.

16.2 Our Compliance with Health Information Privacy Code

As a secondary agency holding health information, we:

• Process health information only on the clinic's instructions (Rule 10)
• Disclose health information only as authorised by the clinic (Rule 11)
• Ensure overseas recipients provide comparable safeguards (Rule 12)
• Maintain appropriate security for health information (Rule 5)
• Assist clinics in responding to patient access requests (Rule 6)
• Assist clinics in correcting patient information (Rule 7)
• Retain health information for required timeframes (Rule 9)

The clinic, as the primary health agency, bears ultimate responsibility for compliance with all 12 Rules of the Health Information Privacy Code.

17. Anonymity and Pseudonymity (IPP 2)

17.1 General Website Browsing

You can browse our public website without identifying yourself. We may collect technical information (IP address, browser type) but this does not identify you by name.

17.2 When Identification is Required

For most of our services, it is not practicable to deal with you without identifying yourself, including:

• Creating an account
• Using our AI receptionist services
• Requesting customer support
• Making payments
• Entering into contracts

We require identification in these cases because we need to:

• Communicate with you about your account
• Process your requests and transactions
• Provide personalised services
• Meet our legal obligations (e.g., billing, tax, contract law)

18. Children's Privacy

18.1 Clinic Users

Our services are intended for use by healthcare professionals and clinic staff aged 18 and over. We do not knowingly collect personal information from individuals under 18 for our account and service delivery purposes.

18.2 Patient Information

When acting as a secondary agency, we may process information about child patients on behalf of clinics. This processing is:

• Solely on the clinic's instructions
• Necessary for appointment scheduling
• Subject to the clinic's privacy obligations regarding children
• Governed by the clinic's policies on consent and parental authority

If you believe we have inappropriately collected information about a child, please contact us immediately.

19. Changes to This Privacy Statement

19.1 Updates to Policy

We may update this Privacy Statement from time to time to reflect:

• Changes in our privacy practices
• New technologies or services
• Changes in New Zealand privacy law
• Feedback from the Privacy Commissioner or legal advisors

19.2 Notification of Changes

When we make significant changes, we will notify you by:

• Posting the updated Privacy Statement on our website with a new "Last Updated" date
• Sending email notifications to account holders for material changes
• Displaying a prominent notice on our website
• Other appropriate methods depending on the nature of the change

We encourage you to review this Privacy Statement periodically.

19.3 Continued Use

Your continued use of our services after we post changes constitutes your acceptance of those changes. If you do not agree with changes, you should discontinue use of our services and contact us to discuss account closure.

20. Contact Information

For any privacy-related enquiries, access requests, correction requests, or complaints:

• Email: privacy@bookedsolid.co.uk
• Data Protection Officer: info@waivern.com
• Website: www.bookedsolid.co.uk

BookedSolid Ltd
UK Company Number: 16019450
UK Registered Office: 29 Crossway, Petts Wood, BR5 1PF, United Kingdom

For complaints or enquiries about New Zealand privacy law:

• Website: www.privacy.org.nz
• Email: enquiries@privacy.org.nz
• Phone: 0800 803 909
• Mail: PO Box 10094, The Terrace, Wellington 6143