Privacy Policy
Lipedema Clinic Limited
Last updated: February 2026
1. Introduction
Lipedema Clinic Limited (“we”, “us”, “our”) is committed to protecting your personal information in accordance with the Privacy Act 2020 (New Zealand) and the 13 Information Privacy Principles.
This Privacy Policy explains what personal information we collect, why we collect it, how we use and store it, who we share it with, and what rights you have in relation to your information.
Lipedema Clinic Limited
Care of Lipedema Clinic, 3 Picton Avenue, Addington, Christchurch 8011, New Zealand
Company number: 9274322 · NZBN: 9429052331305
Privacy Officer contact: support@lipedemaclinic.org
This policy applies to all personal information collected through our website at lipedemaclinic.org, our courses, community features, events, and any other services we provide.
2. What Personal Information We Collect
We collect personal information directly from you when you interact with our Services. The types of information we collect include:
2.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Password (stored in encrypted form — we cannot see your password)
2.2 Profile Information
You may choose to provide additional information on your profile, including:
- Phone number
- Physical address (street address, city, state/region, postal code, country)
- Location and time zone
- Notification preferences
2.3 Purchase Information
When you make a purchase, we collect:
- Billing name and address
- Payment method details (processed and stored securely by Stripe — we do not store your full card number on our servers)
- Order history, including courses purchased, products ordered, amounts paid, and transaction dates
- Shipping address (for physical product orders)
2.4 Course and Learning Data
When you use our courses, we collect:
- Course enrolment records
- Lesson progress and completion data
- Event registrations and attendance
2.5 Communications
When you contact us or participate in community features, we collect:
- Email correspondence
- Support enquiries
- Community posts and comments
2.6 Automatically Collected Information
When you visit our Website, we automatically collect:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and time spent on each page
- Referring website or link
- Cookies and similar tracking technologies (see Section 8)
2.7 Marketing and Quiz Data
If you complete a quiz, enter your email for a webinar or resource, or subscribe to our mailing list, we collect:
- Email address
- Name (if provided)
- Quiz responses
- Marketing preferences and engagement data (such as email opens and clicks)
3. Why We Collect Your Information
We collect and use your personal information for the following purposes:
| Purpose | Information used | Legal basis |
|---|---|---|
| To create and manage your account | Name, email, password | Necessary for providing our Services |
| To provide courses and track progress | Enrolment, progress, completion data | Necessary for providing our Services |
| To process purchases and payments | Billing details, order history | Necessary for fulfilling your order |
| To deliver physical products | Shipping address, phone number | Necessary for fulfilling your order |
| To provide customer support | Name, email, correspondence | Necessary for providing our Services |
| To send transactional emails | Name, email | Necessary for providing our Services (e.g., purchase receipts, enrolment confirmations, password resets) |
| To send marketing emails | Name, email, preferences | Your consent, which you can withdraw at any time |
| To personalise your experience | Profile data, learning data, quiz responses | To improve our Services |
| To improve our Website and Services | Automatically collected data, usage patterns | Our legitimate interest in improving our platform |
| To comply with legal obligations | As required | Legal requirement |
| To prevent fraud and protect security | Account data, IP address, payment data | Our legitimate interest in protecting our platform |
We will only collect personal information that is necessary for the purposes stated above. We will not collect more information than we need (Information Privacy Principle 1).
4. How We Collect Your Information
We collect personal information:
- Directly from you — when you create an account, make a purchase, complete a quiz, fill in your profile, contact us, or participate in community features
- Automatically — through cookies and similar technologies when you browse our Website
- From third parties — in limited circumstances, such as when a payment processor (Stripe) provides us with transaction confirmation details, or when Google Places provides address data you have selected
Where we collect information from a third party, we will take reasonable steps to ensure you are aware of this collection (Information Privacy Principle 2).
5. Who We Share Your Information With
We share your personal information only where necessary and with appropriate safeguards. We share information with:
5.1 Service Providers
We use third-party service providers to operate our platform. These providers process your information on our behalf and are contractually obligated to protect your data:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication | Account data, profile data, enrolment data | Cloud-hosted (US/EU data centres) |
| Stripe | Payment processing | Billing name, address, payment method, transaction data | United States |
| Vimeo | Video hosting for courses | Your IP address and viewing data (via embedded player) | United States |
| Klaviyo | Email marketing and automation | Name, email, marketing preferences, engagement data | United States |
| Vercel | Website hosting | IP address, automatically collected browsing data | Global CDN |
| Google | Address autocomplete (Google Places API) | Address data you enter | United States |
| Shopify | Physical product fulfilment | Shipping name, address, order details | Canada/United States |
5.2 Cross-Border Transfers
Some of our service providers are based outside New Zealand, primarily in the United States. Before transferring personal information overseas, we take reasonable steps to ensure the receiving party is subject to comparable privacy safeguards, in accordance with Information Privacy Principle 12.
All service providers listed above maintain privacy and security practices that we consider comparable to the protections provided by the Privacy Act 2020. Where available, we use contractual protections (such as data processing agreements) to ensure your information is handled appropriately.
5.3 Other Disclosures
We may also disclose your personal information:
- Where required by law, regulation, or court order
- To the Privacy Commissioner or other regulatory body in response to a lawful request
- To protect the rights, property, or safety of Lipedema Clinic Limited, our users, or the public
- In connection with a merger, acquisition, or sale of all or part of our business (in which case we will notify affected users)
We will never sell your personal information to third parties.
6. How We Store and Protect Your Information
6.1 Security Measures
We take reasonable steps to protect your personal information from unauthorised access, modification, disclosure, or destruction (Information Privacy Principle 5). Our security measures include:
- Encrypted connections (HTTPS/TLS) for all data transmitted to and from our Website
- Encrypted password storage (passwords are hashed and cannot be read by us or our staff)
- Row-level security policies in our database ensuring users can only access their own data
- Access controls limiting which staff and systems can access personal information
- Secure payment processing through Stripe (PCI DSS compliant)
- Regular review of our security practices
6.2 Data Retention
We retain your personal information for as long as your account is active or as needed to provide our Services. Specifically:
- Account and profile data: Retained while your account is active. If you close your account, we will delete your personal information within 90 days, except where we are required by law to retain it or where we need it to resolve disputes.
- Purchase and transaction records: Retained for 7 years from the date of the transaction to comply with New Zealand tax and financial record-keeping requirements under the Tax Administration Act 1994.
- Marketing data: Retained until you unsubscribe or request deletion.
- Automatically collected data: Retained for up to 24 months for analytics purposes, then anonymised or deleted.
We will not keep your personal information for longer than is necessary for the purposes for which it was collected (Information Privacy Principle 9).
6.3 Data Breaches
If we experience a privacy breach that we believe has caused or is likely to cause serious harm to affected individuals, we will:
- Notify the Office of the Privacy Commissioner as soon as practicable
- Notify affected individuals as soon as practicable
- Take steps to contain and remedy the breach
7. Your Rights
Under the Privacy Act 2020, you have the following rights in relation to your personal information:
7.1 Right to Access
You have the right to request access to the personal information we hold about you (Information Privacy Principle 6). We will respond to your request within 20 working days.
To access your information, you can:
- View and download your profile information, course progress, and order history by logging into your account
- Email us at support@lipedemaclinic.org for a copy of all personal information we hold about you
7.2 Right to Correction
You have the right to request correction of any personal information we hold about you that is inaccurate, incomplete, or misleading (Information Privacy Principle 7).
To correct your information, you can:
- Update your profile directly through the Settings page in your account
- Email us at support@lipedemaclinic.org to request a correction
If we decline a correction request, we will attach a statement of the correction sought to your information.
7.3 Right to Object to Direct Marketing
You have the right to object to your personal information being used for direct marketing purposes. You can:
- Unsubscribe from marketing emails at any time using the unsubscribe link in every email
- Update your notification preferences on your Settings page
- Email us at support@lipedemaclinic.org to opt out
We will continue to send you transactional emails related to your account and purchases (such as purchase receipts, enrolment confirmations, and security notifications) as these are necessary for providing our Services.
7.4 Right to Deletion
You may request that we delete your personal information by contacting us at support@lipedemaclinic.org. We will action your request within a reasonable time, subject to our legal obligations to retain certain records (such as tax records).
7.5 Right to Complain
If you believe we have breached your privacy, you have the right to make a complaint to:
Office of the Privacy Commissioner
PO Box 10094
Wellington 6143
New Zealand
Phone: 0800 803 909
Website: www.privacy.org.nz
We encourage you to contact us first so we can attempt to resolve your concern directly.
8. Cookies and Tracking Technologies
8.1 What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help the website recognise your device and remember information about your visit.
8.2 Cookies We Use
| Type | Purpose | Examples |
|---|---|---|
| Essential cookies | Required for the Website to function — authentication, security, session management | Supabase auth token, session cookies |
| Analytics cookies | Help us understand how visitors use the Website so we can improve it | Page views, time on site, navigation paths |
| Marketing cookies | Used to deliver relevant content and track the effectiveness of our marketing | Klaviyo tracking, conversion tracking |
8.3 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, blocking essential cookies may prevent you from using certain features of the Website (such as logging in or making purchases).
8.4 Third-Party Cookies
Some of our service providers may set their own cookies when you interact with their services through our Website (for example, Vimeo’s video player or Stripe’s payment form). These are governed by the respective provider’s cookie and privacy policies.
9. Email Communications
9.1 Transactional Emails
We send transactional emails that are necessary for providing our Services, including:
- Account registration confirmation
- Password reset emails
- Purchase receipts
- Course enrolment confirmations
- Event reminders
These are not marketing communications and are sent regardless of your marketing preferences.
9.2 Marketing Emails
With your consent, we may send you marketing emails including:
- Course recommendations and updates
- New content and resource announcements
- Health education content related to lipedema
- Product announcements and offers
- Community updates
You can withdraw your consent and unsubscribe from marketing emails at any time by clicking the unsubscribe link in any email or updating your notification preferences in your account Settings.
9.3 Unsolicited Electronic Messages Act 2007
We comply with the Unsolicited Electronic Messages Act 2007. All commercial electronic messages we send will:
- Clearly identify Lipedema Clinic Limited as the sender
- Include accurate contact information
- Contain a functional unsubscribe mechanism
- Only be sent with your consent or where we have an existing business relationship with you
10. Children’s Privacy
Our Services are not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information as soon as practicable.
11. Links to Third-Party Websites
Our Website may contain links to third-party websites and services (including social media platforms, payment processors, and video hosting services). This Privacy Policy does not apply to those third-party websites. We encourage you to read the privacy policies of any third-party websites you visit.
12. Health Information
12.1 Sensitive Information
We recognise that some information associated with your use of our Services may be considered health-related (for example, your interest in lipedema education may imply a health condition). We treat any health-related information with additional care and sensitivity.
12.2 No Clinical Records
We do not collect or store clinical health records, medical diagnoses, test results, or treatment plans. Our platform is educational, not clinical. Course progress data and quiz responses are educational engagement data, not health records.
12.3 Health Information Privacy Code
While our services are educational and not clinical, we are mindful of the Health Information Privacy Code 2020 and handle any information that could be considered health-related with appropriate care and in accordance with the Privacy Act 2020.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the “Last updated” date at the top of this page
- Make reasonable efforts to notify you (for example, by email or an in-platform notification)
We encourage you to review this page periodically. Your continued use of our Services after changes are posted constitutes your acceptance of the updated policy.
14. Information Privacy Principles — Summary
For transparency, here is how we comply with each of the 13 Information Privacy Principles under the Privacy Act 2020:
| Principle | How we comply |
|---|---|
| 1. Purpose of collection | We only collect information that is necessary for the purposes stated in this policy |
| 2. Source of information | We collect information directly from you wherever possible |
| 3. Collection from the individual | When we collect your information, we tell you what we’re collecting, why, and how it will be used |
| 4. Manner of collection | We collect information by lawful, fair, and non-intrusive means |
| 5. Storage and security | We take reasonable steps to protect your information from loss, unauthorised access, and misuse |
| 6. Access to personal information | You can request access to the information we hold about you at any time |
| 7. Correction of personal information | You can request correction of any inaccurate information |
| 8. Accuracy | We take reasonable steps to ensure information is accurate before using it |
| 9. Retention | We do not keep information longer than necessary |
| 10. Use of information | We only use information for the purpose it was collected, or a directly related purpose |
| 11. Disclosure | We only disclose information as described in this policy |
| 12. Cross-border disclosure | Before sending information overseas, we ensure comparable safeguards are in place |
| 13. Unique identifiers | We do not assign unique identifiers except where necessary for our operations (e.g., account IDs) |
15. Contact Us
If you have any questions about this Privacy Policy, want to exercise your rights, or have a privacy concern, please contact us:
Lipedema Clinic Limited — Privacy Officer
Care of Lipedema Clinic, 3 Picton Avenue
Addington, Christchurch 8011
New Zealand
Email: support@lipedemaclinic.org
We will acknowledge your enquiry within 5 working days and respond substantively within 20 working days.