Privacy Policy

Last updated on May 4, 2026.

Addison ("Addison," "we," "us," or "our") is a booking and practice management platform for mental health practitioners in New Zealand and Australia. We are committed to protecting personal information in accordance with the New Zealand Privacy Act 2020 and the Australian Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs).

This Privacy Policy explains how we collect, use, store, and disclose personal information when you use Addison. By using Addison, you agree to the practices described in this policy.

What Information We Collect

Addison is a scheduling and practice management tool. We do not store clinical notes, session recordings, or diagnostic information. However, we recognise that in a mental health context, even scheduling data — such as client names, contact details, and appointment dates and times — can be sensitive, as it may indicate that a person is accessing mental health support. We treat all client information accordingly and limit what we collect to what is strictly necessary to operate the platform.

Practitioner Account Information

  • Name, email address, and contact details
  • Professional registration details (e.g. NZPB, AHPRA registration numbers)
  • Billing information (processed by Stripe — we do not store card details)
  • Platform usage data and preferences

Client Booking Information

  • Client names and contact details entered by the practitioner
  • Appointment scheduling data and session history
  • ACC, EAP, and private funding allocation records

Usage and Technical Data

  • Log data, IP addresses, and browser/device information
  • Feature usage patterns to support platform improvement

Why We Collect This Information

  • To provide and operate the Addison platform
  • To manage appointment scheduling and allocation tracking
  • To process subscription payments via Stripe
  • To provide customer support and respond to enquiries
  • To improve the platform and develop new features
  • To comply with legal and regulatory obligations
  • To protect against fraudulent or unauthorised activity

How We Collect Information

  • Direct input: information you provide when registering an account or managing client profiles and appointments
  • Automated technologies: cookies and similar technologies used to support platform functionality and analyse usage

How Long We Keep Information

  • Account information: Retained for the duration of your active subscription. Following account closure, account data is deleted within 90 days unless retention is required by law.
  • Client booking records: Retained for as long as your account is active. You may delete client records at any time from within the platform.
  • Usage and technical data: Retained for up to 24 months to support platform improvement and security monitoring.

Your Rights

New Zealand

Under the New Zealand Privacy Act 2020, you have the right to:

  • Access personal information we hold about you
  • Request correction of inaccurate or incomplete information
  • Be notified of how your information is collected and used
  • Complain to the Office of the Privacy Commissioner if you believe we have breached the Act

Australia

Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you have the right to:

  • Access personal information we hold about you
  • Request correction of inaccurate, out-of-date, incomplete, irrelevant or misleading information
  • Opt out of direct marketing
  • Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs

To exercise any of these rights, contact us at privacy@withaddison.com. We will respond within 30 days.

Data Security

We implement appropriate technical and organisational measures to protect personal information from unauthorised access, loss, or disclosure. Our measures include:

  • Encryption of data in transit (TLS) and at rest
  • Data stored in AWS ap-southeast-2 (Sydney, Australia)
  • Access controls and authentication requirements for all platform access
  • Regular security reviews and vulnerability assessments
  • Staff and contractor access limited to what is necessary for their role

While we take reasonable precautions, no system is completely secure. In the event of a privacy breach that is likely to cause serious harm, we will notify affected individuals and the relevant Privacy Commissioner as required by law.

Our Subprocessors

We work with the following third-party service providers who may process personal information on our behalf. All subprocessors are bound by data processing agreements consistent with applicable privacy laws.

  • Supabase — Database and authentication (hosted on AWS ap-southeast-2)
  • Amazon Web Services (AWS) — Cloud infrastructure and file storage (ap-southeast-2 / Sydney region)
  • Vercel — Application hosting and deployment
  • Stripe — Payment processing (card data is never transmitted to or stored by Addison)

International Data Transfers

The majority of your data is stored within Australia (AWS ap-southeast-2, Sydney). Some subprocessors, including Vercel, may process data in other jurisdictions including the United States. Where data is transferred internationally, we ensure subprocessors maintain privacy standards consistent with NZ and Australian law through contractual protections and adherence to the applicable Privacy Principles.

Practitioner Responsibilities

Addison provides scheduling and practice management tools to practitioners. We do not have a direct relationship with your clients. As the practitioner, you are responsible for:

  • Obtaining appropriate informed consent from clients for the use of digital booking and practice management tools
  • Ensuring your use of Addison complies with your professional obligations under applicable codes of ethics and registration standards
  • Notifying clients of any relevant data practices as required by your professional body or applicable privacy law

Children's Privacy

Addison is designed for use by registered mental health practitioners and is not directed to individuals under 18. We do not knowingly collect personal information directly from minors.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the updated policy on our website and updating the "Last updated" date above. For material changes, we will provide notice by email to the address associated with your account.

Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:

Addison
Email: privacy@withaddison.com
Website: withaddison.com

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner (New Zealand) or the Office of the Australian Information Commissioner (Australia).