Givenwell Privacy Policy

Effective date: 1 November 2025
Last updated: 1 June 2024

Introduction

Givenwell Limited ("Givenwell", "we", "us", "our") is committed to protecting the privacy, confidentiality, and security of personal information. We comply with the Privacy Act 2020 ("the Act") and, where applicable, the Health Information Privacy Code 2020 ("HIPC").

This Policy explains how we collect, use, disclose, store, and protect personal information, including information relating to an individual's mental and physical health choices, in the course of providing our wellbeing and related services.

By using our services or providing us with personal information, you consent to the practices described in this Policy.

This Privacy Policy is intended to have global application. To the extent that additional legal or regulatory requirements apply in a particular jurisdiction, those requirements are incorporated into this Policy through the relevant Schedule ("Addendum"). Each Addendum is binding and forms an integral part of this Policy with respect to personal information collected in that jurisdiction.

Scope

This Policy applies to all personal information we collect in connection with our services, whether through our online platforms, applications, forms, or direct communications. It applies to individuals aged 18 years or older who engage with Givenwell's wellbeing programmes, digital tools, or related services.

Definitions

  • Personal Information: Information about an identifiable individual (Privacy Act 2020, s 7).
  • Health Information: Personal information relating to an individual's physical or mental health or disability, their expressed wishes regarding health services, or services provided to them (HIPC Rule 1).
  • Agency: Givenwell Limited, as defined under the Act.
  • You/Your: Any identifiable individual whose personal information we collect or hold.

1. Information We Collect

We may collect the following categories of personal information:

  • Identity and contact details (name, email address, phone number, postal address);
  • Health-related information, including choices, preferences, wellbeing goals, and information about mental and physical health;
  • Information you provide through surveys, forms, emails, consultations, or participation in wellbeing initiatives;
  • Usage and technical data from your interactions with our digital services (e.g. platform or app analytics);
  • Payment or billing details where relevant;
  • Any other information you choose to provide to us in connection with our services.

2. Sources of Information

We collect information directly from you and, where applicable or authorised, from:

  • Your employer or programme funder (e.g., eligibility confirmation, allowance allocation);
  • Independent clinicians or wellbeing partners you choose to engage through our programmes, limited to booking/administrative details and high-level outcome data required for funding or eligibility validation (not session notes);
  • Service providers supporting our platform (e.g., analytics, hosting, identity management providers);
  • Authentication providers you choose to use (e.g., workplace SSO); and
  • Publicly available sources where lawful.

From 1 May 2026, where we collect personal information about you indirectly (from someone other than you), we will take reasonable steps to notify you in accordance with new Information Privacy Principle 3A of the Privacy Act 2020, unless an exception applies.

IPP3A: Notification When Information Is Collected Indirectly (effective 1 May 2026)

Where Givenwell collects your personal information from any source other than you, we will take reasonable steps to inform you of:

  • the fact that your information has been collected;
  • the purpose for which it has been collected;
  • the intended recipients of the information;
  • the name and contact details of the agency collecting and holding the information (Givenwell Limited);
  • whether the collection is authorised or required by law, and the relevant legal authority if applicable; and
  • your rights to access and correct your information.

Notification may be provided through:

  • an in-platform notice;
  • an update within your account settings;
  • an email or secure communication;
  • an onboarding or eligibility confirmation process; or
  • any other reasonable step suited to the context and sensitivity of the information collected.

Exceptions

We may rely on an exception under IPP3A where notification would:

  • prejudice the purposes of collection;
  • pose a serious threat to health or safety;
  • involve information that will not be used in a form in which you are identified;
  • be impracticable in the circumstances; or
  • be otherwise exempt under the Privacy Act 2020 or the Health Information Privacy Code.

Where indirect collection relates to employer-provided eligibility data, wellbeing allowance allocation data, or other administrative information, Givenwell will notify you unless an exception applies.

3. Purpose of Collection and Use

We collect and use your personal information only for lawful purposes connected to our business operations, including:

  • Verifying your identity and account details;
  • Providing, personalising, and improving our wellbeing services and digital platforms;
  • Communicating with you regarding your participation, enquiries, or feedback;
  • Conducting research, evaluation, and statistical analysis (using de-identified or aggregated data where possible);
  • Maintaining, developing, and securing our digital infrastructure;
  • Managing billing and administrative functions;
  • Complying with legal or regulatory obligations;
  • Protecting our lawful rights, property, and interests;
  • Any other purpose authorised by you or permitted under the Act or HIPC.

We will not use your personal information for any purpose unrelated to these unless you have authorised it or such use is permitted by law.

For more information on the information we collect through the Platform, feel free to take a look at our Cookies & Analytics Policy.

4. Disclosure of Information

We may disclose your personal information to:

  • Service providers who support our operations;
  • Professional advisers, contractors, or business partners;
  • Regulatory or law-enforcement agencies where required or authorised by law;
  • Other third parties where disclosure has been authorised by you or is otherwise lawful;
  • In limited circumstances, acquirers or successors of our business in the event of a merger, sale, or reorganisation.

Where disclosure forms part of an indirect collection process (for example, where your employer provides us information about your eligibility), we will notify you as required under IPP3A from 1 May 2026 unless an exception applies (see Clause 2).

When disclosing information, we take reasonable steps to ensure recipients protect it from misuse, unauthorised access, or disclosure.

We may use aggregated and de-identified information to generate insights about programme engagement and wellbeing trends (for example, to help an organisation understand overall uptake). These insights do not identify any individual.

We may use privacy-protective automation to personalise content or measure engagement. We do not use your identifiable personal information to train third-party AI models, and any such tools are subject to our security and access controls.

5. Cross-Border Data Storage and Transfers

Givenwell uses international cloud service providers (for example, AWS or Google Cloud) to store and process data.

Where personal information is transferred or held outside New Zealand, we ensure compliance with Information Privacy Principle 12 of the Privacy Act 2020 and Rule 12 of the HIPC by:

  • Using providers with comparable privacy safeguards; and/or
  • Implementing contractual and technical protections (such as encryption and access controls); and/or
  • Obtaining your authorisation where appropriate after informing you of any material privacy risks.

Where we work with independent clinicians or wellbeing partners, we may share booking and eligibility details needed to deliver the service you request. We do not access or disclose clinician session notes held by those providers.

We may share de-identified, aggregated reports with programme funders/organisations.

All international data transfers are conducted in accordance with New Zealand law and our internal security policies.

6. Storage, Security and Retention

We take reasonable and proportionate steps to protect personal information from loss, misuse, unauthorised access, alteration, or disclosure.

Security measures include:

  • Encrypted data storage and transmission;
  • Access controls and role-based permissions;
  • Secure passwords, multi-factor authentication, and logging;
  • Regular security audits and ISO 27001 aligned procedures;
  • Staff privacy and security training.

Personal information is retained only as long as necessary for the purposes for which it was collected, or as required by law. Once no longer needed, it is securely deleted, anonymised, or destroyed.

7. Accuracy and Correction

We take reasonable steps to ensure personal information is accurate, complete, and up to date before using or disclosing it.

You may request access to, or correction of, your personal information at any time by contacting us (see Section 11). If we decline to process your request, we will attach a statement noting your request.

We may require proof of identity before releasing information and may charge a reasonable administrative fee where permitted by law.

8. Health Information and Sensitive Data

Givenwell recognises that information about mental or physical health choices is sensitive. We therefore:

  • Collect only information reasonably necessary to deliver wellbeing services;
  • Obtain it directly from you wherever possible;
  • Use or disclose it only for purposes consistent with the original purpose of collection, unless authorised or permitted by law;
  • Apply heightened access and security restrictions to protect confidentiality;
  • De-identify or anonymise health data before using it for research or statistical analysis;
  • Comply with all relevant rules of the Health Information Privacy Code 2020.

Where we collect sensitive information (including health information) directly from you, we will seek your express consent unless another lawful basis applies.

If we reasonably believe there is a serious threat to life, health, or safety, we may use or disclose relevant information without consent where permitted by law in order to reduce or prevent that threat.

If you access services provided by independent clinicians or wellbeing partners through a Givenwell-supported programme, those providers maintain their own clinical records and confidentiality obligations. Givenwell does not access therapy session content or clinical notes.

9. Marketing and Communications

We may send you service updates or marketing communications if you have provided consent or where otherwise permitted. You can withdraw consent or opt out at any time by following the unsubscribe link in our communications or contacting us directly.

10. Privacy Breaches

In accordance with the Privacy Act 2020, Givenwell has established a Privacy Breach Response Plan.

If we become aware of a privacy breach that has caused or is likely to cause serious harm, we will:

  • Promptly investigate and contain the breach;
  • Notify the Office of the Privacy Commissioner as soon as practicable; and
  • Inform affected individuals where required.

We maintain detailed procedures to document and learn from any breach events.

11. Access, Queries and Complaints

If you wish to access or correct your personal information, or have any questions or concerns about this Policy or our privacy practices, please contact:

Privacy Officer
Givenwell Limited
Email: hello@givenwell.co.nz
Postal Address: Givenwell, Clarion Building Level 1/286 Princes Street, Dunedin 9016

We will acknowledge and respond to your enquiry within a reasonable timeframe.

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner:

12. Changes to This Policy

We may update this Policy from time to time to reflect changes in legislation, regulation, or our business operations. Updates will be published on our website and will take effect from the date of posting.

Please check this page periodically for the most current version.

13. Governance and Accountability

Givenwell has appointed a Privacy Officer in accordance with the Privacy Act 2020. The Privacy Officer is responsible for ensuring compliance, staff awareness, and continuous improvement of privacy practices.

We periodically review our privacy management framework, risk assessments, and security controls to maintain alignment with New Zealand law and industry best practice (including ISO 27001).


Schedule 1: Australia Privacy Addendum

Effective Date: 1 November 2025
Applies to: Individuals in Australia using Givenwell Limited's services

1. Purpose and Application

1.1 This Addendum applies where Givenwell Limited ("Givenwell", "we", "us", "our") collects, holds, uses or discloses personal information about individuals located in Australia.

1.2 For Australian residents, Givenwell complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) set out in Schedule 1 of that Act.

1.3 This Addendum supplements Givenwell's main Privacy Policy and prevails to the extent of any inconsistency for individuals in Australia.

2. Collection of Personal and Sensitive Information

2.1 We only collect personal information that is reasonably necessary for our functions or activities (APP 3).

2.2 We may collect "sensitive information" (including health and wellbeing information) with your consent or where authorised by law.

2.3 Sensitive information includes data relating to your mental or physical health, disability, wellbeing choices, or participation in our programmes.

2.4 At or before collection we will take reasonable steps to inform you of:

  • The purpose of collection;
  • How the information will be used and disclosed;
  • The consequences if you do not provide it; and
  • Your rights of access and correction.

3. Use and Disclosure

3.1 We use and disclose personal information for the same purposes outlined in our main Privacy Policy and only where authorised by law or with your consent (APP 6).

3.2 We may also use personal information to communicate with you about our services or to send marketing materials (APP 7). You can opt out at any time by following the unsubscribe link or contacting us.

3.3 We may provide aggregated, de-identified insights or reports that do not identify individuals, consistent with APPs and this Addendum.

4. Cross-Border Disclosure of Information

4.1 Givenwell uses international cloud service providers (such as AWS or Google Cloud) for data storage and processing. These servers may be located outside Australia and New Zealand.

4.2 When transferring personal information overseas we take reasonable steps to ensure that:

  • The recipient is subject to privacy obligations substantially similar to those under the APPs; or
  • The recipient is bound by contract to protect your information to an equivalent standard; or
  • You have consented to the transfer after being informed of any material risks.

4.3 Givenwell remains accountable under the Privacy Act 1988 (Cth) for personal information it discloses overseas (APP 8 and s 16C).

5. Data Security and Retention

5.1 We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure (APP 11).

5.2 Security measures include encryption, multi-factor authentication, access controls, secure backups, and regular audits aligned with ISO 27001 standards.

5.3 We retain personal information only for as long as necessary for the purposes for which it was collected or as required by law, after which it is securely deleted or de-identified.

6. Access and Correction

6.1 You may request access to or correction of the personal information we hold about you (APPs 12 and 13) by contacting our Privacy Officer at hello@givenwell.co.nz.

6.2 We may require proof of identity and may charge a reasonable fee for access where lawful.

6.3 If we refuse a request, we will notify you in writing with our reasons and information on how to lodge a complaint.

7. Notifiable Data Breaches

7.1 Givenwell complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

7.2 If a data breach is likely to result in serious harm, we will promptly:

  • Contain and investigate the incident;
  • Notify affected individuals and the Office of the Australian Information Commissioner (OAIC); and
  • Take remedial steps to prevent recurrence.

8. Complaints and Contact Details

8.1 If you have a concern about how we handle your personal information, please contact us first so we can resolve it:

Privacy Officer
Givenwell Limited
Email: hello@givenwell.co.nz
Postal Address: Givenwell, Clarion Building Level 1/286 Princes Street, Dunedin 9016

8.2 We will acknowledge your complaint and respond within a reasonable time (usually within 30 days).

8.3 If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

9. Updates to this Addendum

9.1 We may update this Addendum to reflect legislative or operational changes. Any updates will be published on our website and take effect from the date posted.


©2025 Givenwell Limited. Your wellbeing, your privacy.
