I am committed to protecting your privacy and handling your health information with the utmost care and integrity. The information you share with me is sensitive. I treat it accordingly.

This Policy is structured in layers. The core sections (1–12) apply to all clients under New Zealand law. Supplementary sections for international clients address obligations under the Australian Privacy Act and PIPEDA (Canadian clients).

1.  Who I Am and How to Contact Me

Data controller and practitioner:

Julie Teetsov, SEP™, PhD, SME

Auckland, New Zealand

Email: [[email protected]]

Phone: [+64 2108110776]

Website: julieteetsov.com

I am the person responsible for all privacy-related matters in my practice. If you have questions about how I handle your information, please contact me directly at the address above.

2.  What Information I Collect

2.1  Health Information

As a Somatic Experiencing Practitioner providing health-related services, I may collect the following personal information which is listed as "health information" under the Health Information Privacy Code 2020 (HIPC):

•       Your name and contact details

•       Emergency contact information

•       Health history, medical background, and presenting concerns as shared at intake

•       Trauma history and relevant personal history as shared in sessions

•       Session notes — observations, body-based responses, progress, themes, and interventions

•       Referral information and correspondence with other practitioners (with your consent)

•       Consent documentation — signed agreements, intake forms, and any specific consents

•       Billing and payment records connected to service provision

2.2  Administrative and Contact Information

I also hold non-health personal information for administrative purposes:

•       Email address and phone number (for appointment scheduling and correspondence)

•       Time zone and location (for online session scheduling and emergency purposes)

•       Payment information (processed via third-party payment systems — I do not store card details)

•       Website enquiry form submissions and related correspondence

2.3  Website Data

If you visit my website, standard web analytics data may be collected (pages visited, browser type, approximate location, time of visit). This is used for website improvement only. My website may use cookies — see Section 11 for details.

3.  How I Collect Your Information

I collect your personal and health information:

•       Directly from you — through intake forms, session discussions, email and phone correspondence, and during sessions themselves.

•       From other health practitioners — only with your explicit consent, very rare.

•       From your website interactions — through contact forms and website analytics

I will always tell you what information I am collecting, why, and what I will use it for. Providing your health information is voluntary.   If you choose not to provide information that I feel is necessary for me to assess your suitability for SE work with me, I may not be able to work with you.

4.  Why I Collect Your Information (Purposes of Use)

I collect and use your personal and health information for the following purposes:

•       Providing Somatic Experiencing sessions — assessing your needs, planning sessions, and delivering therapeutic support

•       Managing bookings and appointments — scheduling, confirming, and rescheduling sessions

•       Billing and financial administration — invoicing, payment processing, and financial records

•       Communicating with you — responding to enquiries, following up after sessions, and sending relevant information

•       Professional supervision — I discuss aspects of client work with my clinical supervisor to maintain ethical, competent practice. This is done in a way that protects your identity unless you have consented to disclosure of identifying details

•       Referrals — where I refer you to another practitioner, with your consent, your relevant health information may be shared

•       Safety — to contact emergency services or your emergency contact if I believe there is a serious and imminent risk to your safety or the safety of others

I do not use your information for marketing, research, or purposes beyond those listed above without your explicit consent.

5.  How I Store and Protect Your Information

5.1  Security Measures

Your health information deserves the highest level of security. I use the following safeguards:

•       All electronic records are stored on encrypted, password-protected systems

•       Strong, unique passwords and two-factor authentication are used on all accounts holding client data (email, video platform, practice management)

•       Access to client records is restricted to me

•       No paper records are left unsecured; physical notes are stored in locked storage

•       Devices holding client data are secured with screen lock and full-disk encryption

•       Regular secure backups are maintained

5.2  Third-Party Technology Providers

To deliver my services, I use the following third-party technology:

Zoom — for online video sessions. Zoom provides end-to-end encryption and is configured with privacy settings appropriate for health consultations. Zoom acts as a data processor on my behalf. Zoom's Privacy Statement is available at zoom.us/privacy.

Google Workspace — for email and document storage. Google processes data on my behalf in accordance with their Data Processing Amendment for Google Workspace customers. Details at workspace.google.com/intl/en/terms/dpa_terms.html.

Payment Processor — for accepting payments. [Stripe]. Payment card data is processed directly by the payment processor and not stored by me. Their privacy policy is available at https://stripe.com/nz/privacy.

These providers act as my agents and process data on my behalf. Under Section 11 of the New Zealand Privacy Act 2020, sending your information to these providers for storage and processing does not constitute a "disclosure" to a third party — I remain responsible for ensuring they maintain appropriate security.

5.3  Where Data Is Stored

Your information is held in New Zealand and may be stored on servers located in other countries (including the United States, where Google and Zoom may host data). These providers are subject to binding data processing agreements with me.

6.  How Long I Keep Your Information

I retain client health records for a minimum of 1 year from the date of the last service provided to you.

After the retention period has passed, your records are permanently and securely deleted or destroyed — digital records are deleted from all systems (including backups), and any paper records are burned.

7.  Who I Share Your Information With

I do not sell, rent, or share your personal or health information for commercial purposes. I share information only in the following circumstances:

•       With your consent — when you ask me to share information with your GP, other treating professionals, or support persons

•       Professional supervision — de-identified discussion with my clinical supervisor

•       Emergency situations — with emergency services or your nominated emergency contact, if I believe there is a serious and imminent risk to life

•       Legal obligation — where required by a court order, law, or regulatory authority

•       Technology providers — as described in Section 5.2, acting as my processors/agents

Where disclosure without your consent is necessary, I will take all reasonable steps to inform you of the disclosure before or as soon as practicable after it occurs (unless doing so would defeat the purpose of the disclosure, for example in emergency situations).

8.  Cross-Border Transfer of Information

As noted in Section 5.3, your data may be stored by technology providers on servers outside New Zealand. When I use Zoom, Google Workspace, or a payment processor, data may transit or be stored in the United States or other countries.

Under Section 11 of the Privacy Act 2020, transferring data to organisations acting as my agents (processors) does not constitute a "disclosure" to an overseas recipient. These providers are contractually required to maintain appropriate security and process data only on my instructions.

Where I share information with overseas recipients in other circumstances (for example, referring you to an overseas practitioner with your consent), I will take reasonable steps to ensure the recipient provides comparable privacy protections, or obtain your express authorised consent.

9.  Your Rights

9.1  Right to Access

You have the right to know whether I hold information about you and to access that information. Submit requests to me in writing at [email protected]. I will respond within 20 working days. There is no charge for accessing your health information.

9.2  Right to Withdraw Consent

Where my processing of your information is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of prior processing. However, withdrawal may mean I am unable to continue providing services to you.

9.3  Right to Complain

If you believe I have breached your privacy rights, you may:

•       Contact me directly to discuss — contact details in Section 1

•       Lodge a complaint with the Office of the Privacy Commissioner: www.privacy.org.nz | 0800 803 909

•       Bring a claim before the Human Rights Review Tribunal

I acknowledge and respond to privacy complaints within 10 working days, and resolve or determine next steps within 20 working days of acknowledgment.

10.  Privacy Breach Notification

A privacy breach occurs when there is unauthorised access to, disclosure, loss, or modification of your personal information. Where a breach is likely to cause serious harm to you, I am required by the Privacy Act 2020 to notify both you and the Office of the Privacy Commissioner as soon as practicable.

In the event of a breach:

•       I will assess the breach and its likely consequences promptly

•       Where the breach is notifiable, I will notify the Office of the Privacy Commissioner as soon as practicable (target: within 72 hours of becoming aware)

•       I will notify you directly if the breach is likely to cause you serious harm

•       I will take all reasonable steps to contain the breach and prevent recurrence

I maintain a breach register recording all privacy incidents regardless of severity.

11.  Website and Cookies

My website (julieteetsov.com) may collect standard analytics information to help me understand how visitors use the site. This may include:

•       Pages visited and time spent on each page

•       Approximate geographic location (country/city level)

•       Device type and browser

•       Referral source (how you found the site)

Cookies may be used by my website platform or analytics tools. You can control cookie settings through your browser. Disabling cookies may affect some website functionality.

I do not use cookies for advertising, profiling, or cross-site tracking.

12.  Changes to This Policy

I may update this Privacy Policy from time to time to reflect changes in my practice, applicable law, or technology. Where changes are material, I will notify existing clients. The current version of this Policy is always available on my website and will be provided to you on request.

International Client Supplements

The following sections apply to clients located in specific international jurisdictions.

Please note that unless specifically agreed to, I dispose of any notes taken during student/client consultation sessions or personal sessions.  I may on occasion keep notes between sessions, but historic notes are not kept. 

Section 13 — Australian Clients (Privacy Act 1988 — Australian Privacy Principles)

This section applies if you are located in Australia. It supplements the core sections above.

13.1  Application of the Australian Privacy Act

The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to my collection and handling of information relating to Australian clients, as I carry on business in Australia by actively providing services to Australian residents.

Your health information is "sensitive information" under the Privacy Act and is subject to additional protections accordingly.

13.2  Collection and Consent

Consistent with APP 3, I only collect your health information where you have consented and it is reasonably necessary for providing SE services. This consent is obtained at intake.

13.3  Use and Disclosure

Under APP 6, your sensitive health information is only used or disclosed for the primary purpose for which it was collected (providing SE services and related clinical administration), or for directly related secondary purposes, or with your consent.

13.4  Your Information Held in New Zealand

Your personal information is held by me in New Zealand. Under APP 5, I disclose this to you at collection. New Zealand has a strong privacy framework comparable to the APPs.

13.5  Cross-Border Transfers Under APP 8

Where your information is transferred to an overseas recipient (for example, data processed by US-based cloud providers), I take reasonable steps under APP 8 to ensure comparable privacy protections. For cloud providers acting as my agents, I maintain appropriate data processing agreements.

13.6  Access, Correction, and Complaints

You have the right to request access to and correction of your personal information within 30 days of request. If you have a privacy concern, contact me directly at [INSERT EMAIL]. You may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC): oaic.gov.au | 1300 363 992.

13.7  Notifiable Data Breaches (NDB Scheme)

In the event of an eligible data breach — one likely to result in serious harm to you — I will notify you and the OAIC as soon as practicable. Given the sensitivity of health information, I treat all incidents seriously regardless of the formal NDB threshold.

Section 14 — Canadian Clients (PIPEDA)

This section applies if you are located in Canada. It supplements the core sections above.

14.1  Application of PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to my collection, use, and disclosure of personal information in the course of providing commercial services to Canadian clients. Your health information is treated as highly sensitive under PIPEDA.

14.2  Accountability

I am accountable for the personal information in my custody and control. I am responsible for information transferred to third-party processors, even where they are located outside Canada.

14.3  Consent

Your express consent is required for the collection, use, and disclosure of your health information. Consent is obtained at intake. You may withdraw consent at any time (subject to legal and contractual restrictions) by contacting me at [INSERT EMAIL].

14.4  Data Held in New Zealand

Your personal information is held in New Zealand. PIPEDA does not restrict cross-border transfers, but I remain accountable for ensuring comparable protections. New Zealand's Privacy Act 2020 provides a framework consistent with PIPEDA's requirements.

14.5  Access and Correction

You have the right to access your personal information held by me and to correct any inaccuracies. I will respond to access requests within 30 days.

14.6  Openness and Complaints

This Privacy Policy is my primary means of transparency under the Openness Principle. Complaints can be directed to me at [INSERT EMAIL] or to the Office of the Privacy Commissioner of Canada (OPC): priv.gc.ca | 1-800-282-1376.

14.7  Breach Notification

I notify the OPC and affected individuals of breaches creating a real risk of significant harm (RROSH) as soon as feasible. A breach record is maintained for a minimum of 24 months.

Note for Canadian clients: If you are located in British Columbia, Alberta, or Quebec, provincial privacy laws may also apply. Please contact me if you have specific questions about how your provincial law intersects with my practice.