Privacy Policy / Kaupapahere Tūmataiti

1. About Us / Mō Mātou

MyMate Limited
NZBN: 9429052964442
Registered with the New Zealand Companies Office
Website: www.mylog.co.nz | www.mymate.co.nz
Contact: info@mylog.co.nz | 021 034 8850

Privacy Officer:
Ajit Kumar Nair, Director
Email: info@mylog.co.nz
Phone: 021 034 8850

MyLog is a private online diary platform designed for people with disabilities and their support workers to record daily experiences, preferences, and continuity notes.

2. Our Commitment to Privacy / Tō Mātou Tūmanako ki te Tūmataiti

We are committed to protecting your privacy and complying with:

• Privacy Act 2020 (New Zealand)
• New Zealand Disability Support Services Standards
• Consumer Guarantees Act 1993
• Fair Trading Act 1986

3. Information We Collect / Ngā Mōhiohio e Kohia ana e Mātou

3.1 Account Information

When you register for MyLog, we collect:

• Your name (first name, last name)
• Email address
• Password (encrypted)
• Family/whānau name
• Name of person being supported
• Your role (Family Admin, Family Member, or Caregiver)

3.2 Diary Entry Information

When you create diary entries, we collect:

• Date and time of entry
• Mood observations (e.g., happy, calm, anxious)
• Activities undertaken
• Health observations (strictly non-medical notes)
• Support notes and observations
• Photos uploaded (optional)
• Name of person who created the entry

3.3 Technical Information

We automatically collect:

• IP address
• Browser type and version
• Device information
• Access times and dates
• Pages viewed
• Referring website addresses

3.4 Payment Information

When you subscribe to a paid plan:

• Payment processing is handled by Stripe (a certified PCI-DSS Level 1 payment processor)
• We do NOT store your credit card details
• We receive only: transaction ID, payment amount, date, and subscription status

4. How We Use Your Information / Me Pēhea Mātou e Whakamahi ana i ō Mōhiohio

4.1 Primary Purposes

We use your information to:

• Provide and maintain the MyLog service
• Enable you to create, view, and manage diary entries
• Allow authorized family members and caregivers to access your family’s private diary
• Process payments and manage subscriptions
• Send service-related notifications (e.g., password resets, subscription updates)
• Provide customer support
• Improve and develop our service

4.2 Legal Basis for Processing (Privacy Act 2020)

We process your information based on:

• Consent: You voluntarily provide information when creating an account and entries
• Contract: Processing is necessary to provide the service you’ve subscribed to
• Legal obligation: We must retain certain records for tax and legal compliance

5. Data Sharing and Disclosure / Te Tuhi me te Whakapuaki Raraunga

5.1 Who Can See Your Information

Within Your Family Group:

• All authorized members of your whānau group (Family Admin, Family Members, and invited Caregivers) can view ALL diary entries for your family
• Each entry shows who created it and when
• You control who is invited to your family group

We DO NOT:

• ❌ Share your diary entries with other families
• ❌ Share your information with third parties for marketing
• ❌ Sell your data to anyone
• ❌ Share with government agencies unless legally required

5.2 Service Providers We Use

We share limited information with trusted service providers who help us operate MyLog:

All service providers are bound by confidentiality agreements and data protection requirements.

5.3 Legal Disclosures

We may disclose your information if:

• Required by law (e.g., court order, subpoena)
• Necessary to protect someone’s safety
• To enforce our Terms of Service
• To respond to Privacy Act 2020 requests from authorities

6. Data Security / Te Haumarutanga o ngā Raraunga

6.1 How We Protect Your Information

We implement robust security measures including:

• Encryption: All data transmitted between your device and our servers uses HTTPS/TLS encryption
• Password Protection: Passwords are hashed using industry-standard bcrypt encryption
• Access Controls: Strict family-based access controls ensure data isolation
• Audit Logs: We maintain logs of who accessed what data and when
• Regular Updates: We keep all software up-to-date with security patches
• Secure Hosting: Data is stored on secure VPS infrastructure

6.2 Your Security Responsibilities

You must:

• Keep your password confidential and secure
• Use a strong, unique password
• Not share your login credentials
• Log out when using shared devices
• Notify us immediately if you suspect unauthorized access at info@mylog.co.nz

6.3 Data Breach Response

Notifiable Privacy Breaches:

Under the Privacy Act 2020, we must notify you and the Privacy Commissioner if a privacy breach occurs that has caused, or is likely to cause, serious harm to you.

How We Assess “Serious Harm”:

We determine if a breach is notifiable by considering:

• Sensitivity of the information involved
• Nature of the harm that may result (identity theft, financial loss, emotional distress, loss of dignity)
• Whether unauthorized recipients may misuse the information
• Actions we’ve taken to mitigate harm
• Whether individuals can take protective steps

If a Notifiable Breach Occurs:

• We will notify affected individuals within 72 hours of determining the breach is notifiable
• We will notify the Privacy Commissioner as required
• We will provide:
  • Details of what happened
  • What information was affected
  • What we’re doing to fix it
  • What protective measures you should take
  • How to contact us for more information

7. Your Privacy Rights / Ō Mōtika Tūmataiti

Under the Privacy Act 2020, you have the right to:

7.1 Access Your Information (IPP 6)

• Request a copy of all personal information we hold about you
• We will provide this within 20 working days
• This is provided free of charge (unless the request is manifestly excessive)

7.2 Correct Your Information (IPP 7)

• Request corrections to inaccurate or incomplete information
• You can update most information directly in your Account settings
• Contact us at info@mylog.co.nz for information you cannot update yourself

7.3 Delete Your Information (Right to Erasure)

• Request deletion of your account and all associated data
• We will delete your data within 30 days of your request
• Some information may be retained for legal/tax purposes (see Data Retention)

7.4 Export Your Data (Data Portability)

You can request a complete export of all your diary entries in machine-readable format:

• Full Data Export (CSV): All diary entries with metadata (recommended for backup/transfer)
• Report Format (PDF): Formatted for printing or NASC assessments
• Photos: Provided as a ZIP file of original uploads

Data exports are provided free of charge within 20 working days of your request.

7.5 Object to Processing

• You can object to how we process your information
• Note: This may limit our ability to provide the service

7.6 Lodge a Complaint

If you believe we have breached your privacy:

Step 1: Contact Us First

• Email: info@mylog.co.nz
• Phone: 021 034 8850
• We will acknowledge your complaint within 2 business days
• We will investigate and respond within 20 working days

Step 2: Privacy Commissioner (If Unsatisfied)

• Office of the Privacy Commissioner
• Website: www.privacy.org.nz
• Phone: 0800 803 909
• Email: enquiries@privacy.org.nz

8. Data Retention / Te Pupuri Raraunga

8.1 Active Account Data

• We retain all diary entries while your account is active
• You can delete individual entries at any time
• No automatic deletion of diary entries occurs

8.2 Deleted Account Data

When you delete your account:

• All diary entries are permanently deleted within 30 days
• All photos are permanently deleted within 30 days
• Account information is anonymized
• Backup copies are purged within 90 days

8.3 Legal/Tax Records

We retain for 7 years (as required by NZ tax law):

• Payment records and invoices (if you subscribed to a paid plan)
• Subscription history
• Basic account information (name, email, dates)

8.4 Audit Logs

• Security and access logs are retained for 2 years
• These contain: timestamps, IP addresses, actions taken

9. Children’s Privacy / Te Tūmataiti o ngā Tamariki

MyLog may be used to record information about children and young people with disabilities.

Important Requirements:

• Only parents/legal guardians can create accounts for children
• Caregivers must be authorized by the family
• We do not knowingly collect information directly from children under 13
• Parents/guardians control all access to their child’s information

Legal Authority Requirements:

For Children Under 16:

• You must be the child’s parent or legal guardian

For Adults Who Lack Capacity:

• You must have legal authority through:
  • Enduring Power of Attorney (Personal Care and Welfare), OR
  • Welfare Guardian appointed under the Protection of Personal and Property Rights Act 1988, OR
  • Other legal authority

For Adults With Capacity:

• You must obtain their informed consent before recording or sharing their information

Documentation:

• We may require you to provide evidence of your legal authority if questions arise

10. International Data Transfers / Ngā Whakawhiti Raraunga ā-Ao

Data Storage Location:

• Primary Storage: Canada (Hostpapa Inc. data centers)
• Payment Processing: United States (Stripe Inc.)
• Your data does NOT leave these jurisdictions except as described

Cross-Border Transfer Safeguards:

Under New Zealand’s Privacy Act 2020 (Information Privacy Principle 12), we ensure that personal information transferred overseas receives comparable privacy protections:

Canada (Hostpapa – Data Storage):

• Canada’s PIPEDA provides comparable safeguards to NZ Privacy Act 2020
• Hostpapa acts solely as our data processor/agent
• Contractual agreements require PIPEDA compliance
• Does not use your data for their own purposes

United States (Stripe – Payments):

• Stripe is PCI-DSS Level 1 certified
• Stripe Privacy Shield and international privacy framework certified
• We do NOT store your credit card information
• Only transaction metadata is retained

Your Consent:

By using MyLog, you consent to these overseas transfers under the safeguards described.

11. Cookies and Tracking / Ngā Pihikete me te Whai

11.1 Essential Cookies

We use cookies that are necessary for the service to function:

• Session cookies: Keep you logged in
• Security cookies: Prevent unauthorized access
• These cannot be disabled without breaking the service

11.2 Analytics

We currently do NOT use analytics or tracking cookies.

If we add analytics in the future, we will:

• Update this policy
• Notify existing users via email
• Provide opt-out options

12. Changes to This Policy / Ngā Panoni ki tēnei Kaupapahere

We may update this Privacy Policy from time to time.

• Changes will be posted on this page
• The “Last Updated” date will be revised
• Material changes will be notified via email at least 30 days in advance
• Continued use of MyLog after changes constitutes acceptance

13. Health-Related Observations

13.1 MyLog’s Status

MyLog is NOT a health agency under the Health Information Privacy Code 2020. We are a personal diary and communication tool for disability support.

13.2 What MyLog Is NOT

• ❌ NOT a medical record system
• ❌ NOT a clinical care management system
• ❌ NOT a replacement for formal disability support documentation
• ❌ NOT intended for medical diagnoses or treatment plans
• ❌ NOT monitored by healthcare professionals or emergency services

13.3 What MyLog IS

• ✅ A personal life log and diary
• ✅ A continuity tool for daily observations
• ✅ A communication tool between family and caregivers
• ✅ A record of preferences and experiences

13.4 Health Observations

While diary entries may contain health-related observations, these are:

• Non-clinical observations made by family and caregivers
• Not formal medical records
• Not subject to the Health Information Privacy Code 2020

We protect all information (including health observations) under the Privacy Act 2020 Information Privacy Principles.

13.5 If You Need Medical Records

For formal medical record systems, consult your GP, specialist, or registered health provider.

14. Disability Support Services Standards

MyLog supports (but does not replace) compliance with NZ Disability Support Services Standards:

• Standard 1 (Governance): Clear accountability and service information
• Standard 2 (Partnership): Person-centered, whānau involvement
• Standard 3 (Safe Environment): Privacy protection, data security

Important: MyLog is a supplementary tool and does not replace formal support documentation required by funders or agencies (e.g., Ministry of Health, ACC, NASC).

15. Contact Us / Whakapā Mai

For privacy-related questions, requests, or concerns: