Privacy Policy

Last updated: 1 June 2026

1. About This Policy

This Privacy Policy explains how Tom Hopkin trading as Calma Practiq ("Calma Practiq", "we", "us", "our") collects, holds, uses, and discloses personal information in connection with our practice management software available at calmapractiq.com (the "Service").

We are committed to protecting your privacy and handling personal information in accordance with the New Zealand Privacy Act 2020 and its Information Privacy Principles (IPPs), as well as the Health Information Privacy Code 2020 where applicable.

By using the Service, you agree to the collection and use of information as described in this policy.

2. Who This Policy Applies To

This policy applies to two categories of people:

  • Practitioners — hypnotherapists and other health professionals who create a Calma Practiq account to manage their practice.
  • Clients — individuals whose data is entered into Calma Practiq by a Practitioner.

If you are a Client whose information has been entered by your practitioner, please be aware that your practitioner is the primary data controller for that information. You should contact your practitioner directly regarding how they manage your records.

3. Information We Collect

3.1 Information you provide directly

  • Account information: name, email address, business name, profile photo, location, bio, and specialties
  • Practice configuration: availability, session types, pricing, invoicing preferences, and notification settings
  • Client records entered by Practitioners: client names, email addresses, phone numbers, appointment history, session notes, intake form responses, and invoices
  • Payment information: billing details processed via our payment provider (Stripe). We do not store full card numbers.

3.2 Information collected automatically

  • Log data: IP address, browser type, pages visited, and timestamps
  • Authentication tokens and session data necessary to keep you logged in

3.3 Information from third-party integrations

If you connect optional integrations, we receive and store access credentials (OAuth tokens) from:

  • Google Calendar — to sync appointments to your calendar
  • Zoom — to automatically create meeting links for online sessions
  • Stripe Connect — to enable direct payment collection

4. Health Information

Session notes, intake form responses, and other clinical records stored in Calma Practiq may constitute health information under the Health Information Privacy Code 2020. Such information is handled with an elevated level of care.

Practitioners are responsible for ensuring they have obtained appropriate consent from their clients to collect and store health information using a third-party platform, and for meeting their own professional and legal obligations under the Health Information Privacy Code 2020.

We do not access, read, or use client health information for any purpose other than providing and maintaining the Service.

5. How We Use Your Information

We use personal information to:

  • Provide, maintain, and improve the Service
  • Process subscription payments
  • Send transactional emails (booking confirmations, reminders, invoices) on behalf of Practitioners
  • Respond to support requests
  • Comply with legal obligations
  • Detect and prevent fraud or abuse

We do not sell, rent, or trade your personal information or your clients' information to third parties. We do not use client data for marketing or profiling purposes.

6. Third-Party Service Providers

We share information with trusted third-party providers solely to the extent necessary to operate the Service:

  • Supabase — database and authentication hosting. Data is stored on servers in the AWS ap-southeast-2 (Sydney) region.
  • Stripe — payment processing for Practitioner subscriptions and optional client payment collection.
  • Resend — transactional email delivery.
  • Twilio — SMS reminders, if configured by the Practitioner using their own Twilio account.
  • Google — calendar synchronisation, if connected by the Practitioner.
  • Zoom — meeting link generation, if connected by the Practitioner.

Each of these providers has its own privacy policy governing the information it processes. We only share the minimum information required for each service to function.

7. Data Storage and Security

All data is stored on servers located in Australia (AWS Sydney region). We implement industry-standard security measures including:

  • Encryption in transit (TLS) and at rest
  • Row-level security on the database ensuring each Practitioner can only access their own data
  • Secure authentication via Supabase Auth
  • Access controls limiting which staff can access production systems

While we take reasonable steps to protect your information, no method of transmission over the internet is 100% secure. You are responsible for maintaining the confidentiality of your account password.

8. Data Retention

We retain your personal information for as long as your account is active, or as long as necessary to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal, tax, or fraud prevention purposes.

Stripe may retain payment records independently in accordance with their own policies and applicable financial regulations.

9. Your Rights Under the NZ Privacy Act 2020

Under the Privacy Act 2020, you have the right to:

  • Access your personal information held by us
  • Correct any inaccurate personal information
  • Request deletion of your account and associated data
  • Lodge a complaint with the Office of the Privacy Commissioner (privacy.org.nz) if you believe we have breached the Privacy Act

To exercise any of these rights, contact us at tomhopkin.systems@gmail.com. We will respond within 20 working days as required by the Privacy Act.

10. Cookies

We use essential cookies and local storage to maintain your authenticated session. We do not use tracking, advertising, or analytics cookies. You can disable cookies in your browser settings, but doing so will prevent you from logging in to the Service.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the Service. Your continued use of the Service after any change constitutes your acceptance of the updated policy.

12. Contact Us

For any privacy-related questions, requests, or complaints, please contact:

Tom Hopkin trading as Calma Practiq

New Zealand

Email: tomhopkin.systems@gmail.com