Privacy
How we collect, use and protect your information. Plain language, aligned with the NZ Privacy Act 2020 and the Health Information Privacy Code 2020.
Last updated 11 May 2026.
Our commitment
Neuroendocrine Cancer New Zealand (“NECNZ”, “we”) respects the privacy and confidentiality of patients, whānau, friends, supporters, donors, volunteers and the clinicians we work with. We are committed to our obligations under the Privacy Act 2020 and the Health Information Privacy Code 2020, and to handling personal and health information with care and transparency.
What this policy covers
This policy explains what information we collect, where we get it from, why we collect it, how we share it, how long we keep it, how we protect it, and the rights you have under New Zealand privacy law. It applies to all NECNZ services, our website, donation processing, the patient support service, our hardship fund, events, newsletters, and the healthcare-professional database.
Information we collect
We only collect what we genuinely need for the purpose at hand, and we tell you upfront on each form. The kinds of information we collect fall into the following categories:
- Identity & contact information. Name, email, phone, postal address, region, and (for some forms) your role or relationship to NETs (patient, whānau, supporter, clinician).
- Donation & financial information. Donation amount, frequency (one-off, monthly, quarterly, annual), the campaign or appeal you’re responding to, and details of the dedication (in memory of, in honour of). We do not store full card numbers – our PCI-DSS compliant payment processor handles that. We retain a payment reference, receipt number and the last four card digits for audit and tax purposes.
- Health & support information. Information you share with us when you ask for support: tumour type, stage, treatments, symptoms, dietary needs, who is providing your care, and what kind of help you’re looking for. You choose what to share – we only ask what we need to support you.
- Hardship fund information. Where you apply to the hardship fund, we collect financial details (income, expenses, the costs you’re seeking support with) and clinical context to assess eligibility. This is the most sensitive information we hold and is treated accordingly (see Data security below).
- Communications & preferences. Topics you’ve told us you’re interested in, regions or events you’ve engaged with, opt-in/opt-out status for marketing, and a log of emails we’ve sent you and which ones you opened or clicked (handled by our email service provider).
- Healthcare-professional information. For our HCP database: name, role, specialty, employer/hospital, region and a public-facing professional email – sourced from public registers, professional bodies, and HCP-submitted forms. We do not record personal contact details for clinicians.
- Technical & site-usage information. Standard server logs (IP address, browser type, referring page, pages visited) and aggregated analytics. We do not use cross-site tracking or advertising cookies.
Where we get information from
Most information comes directly from you when you fill in a form, donate, register for an event or contact us. We may also receive information from:
- Our payment processor – when you donate, the processor shares the payment confirmation, donation amount, name on the card and (if you provided it) email and postal address for receipting.
- Our email service provider – engagement signals (opens, clicks, unsubscribes) on emails we send you, so we don’t keep emailing people who aren’t interested.
- Your healthcare team – only with your explicit consent, e.g. a referral from a nurse or oncologist to our patient support service.
- Public registers and professional bodies – for building the HCP database (Medical Council of New Zealand, hospital websites, conference programmes).
- Other people who refer you – a whānau member or friend may pass on your contact details with your agreement so that we can reach out.
How we use your information
We use your information for the purpose you gave it to us. Specifically:
- To process and acknowledge donations, issue IRD-compliant tax receipts, and (for recurring donors) provide an annual giving summary.
- To provide patient and whānau support – answering your questions, connecting you with our nurse, sending information packs, organising peer connections.
- To assess and administer hardship-fund applications.
- To send you newsletters, event invitations, campaign updates and impact stories – only if you’ve opted in.
- To organise events, webinars, support meetings and fundraising activities.
- To maintain our directory of healthcare professionals working in NETs, so patients can find specialist care.
- To improve our website, services and communications (aggregate analytics, satisfaction signals).
- To meet our legal, audit and accountability obligations – to Inland Revenue, Charities Services, auditors, and (rarely) law enforcement under valid legal process.
We never sell or rent your information, and we never use health information for marketing or fundraising purposes.
Who we share your information with
We share your information only with the trusted service providers we need to run NECNZ, and only for the purposes set out below. Each provider is contractually bound to handle your information in line with this policy and applicable law. A current list of the categories of provider we engage is available on request from the Privacy Officer.
- Payment processing. A PCI-DSS compliant payment processor handles card payments for donations and event registrations. We do not see or store full card numbers.
- Email service provider. Sends our newsletters, campaign emails and donor communications. Holds names, email addresses, preference tags and engagement history.
- Transactional email provider. Delivers receipts, sign-in codes and confirmation emails. Holds the recipient address and the contents of the email sent.
- Hosting & infrastructure. Runs our website, application servers and primary database. Sensitive fields (e.g. hardship-fund applications) are encrypted by NECNZ before storage.
- Supporter relationship management. Our CRM holds contact details, donation history, communication preferences and engagement signals so we can stay in touch appropriately.
- Website analytics. Aggregated, anonymised traffic statistics with IP anonymisation enabled. No cross-site tracking or advertising cookies.
- Your healthcare team. With your explicit consent, we may share relevant health information with the hospital or medical staff treating you, to support your care.
We may also share information where required by law (e.g. an Inland Revenue audit, a court order, or a serious-harm threshold under the Privacy Act 2020).
Sending information overseas
Several of the providers above store or process information outside New Zealand – mostly in the United States, European Union, or Australia. Where this happens, we choose providers that operate under privacy frameworks comparable to the Privacy Act 2020 (such as the EU GDPR, the EU–US Data Privacy Framework, or the Australian Privacy Act 1988), or otherwise put reasonable contractual safeguards in place, as required by Information Privacy Principle 12.
How long we keep your information
We keep information only for as long as we need it, or as required by law. Retention periods vary by category:
- Donation records. At least 7 years – Inland Revenue audit requirement for donee organisations.
- Hardship-fund applications. 7 years from the date of decision, for audit and accountability. Decrypted on request only.
- Patient & whānau support records. Up to 10 years from last contact, then reviewed. You can ask for earlier deletion at any time.
- Newsletter & marketing data. Until you unsubscribe, after which we keep a suppression record (your email only) so we don’t accidentally re-add you.
- Event registrations. 3 years from the event date, then aggregated and deleted.
- HCP database entries. Maintained on a rolling basis; entries removed when the clinician retires, moves out of NETs care, or asks to be removed.
- Website analytics. 26 months in our analytics provider, then automatically deleted.
- Server logs. 30 days, then deleted.
Data security
We protect your personal information from unauthorised access, use, modification, disclosure or loss with a combination of technical, organisational and physical measures:
- TLS encryption on all data in transit between your browser and our servers.
- Database encryption at rest, with additional application-layer encryption for hardship-fund applications (sensitive financial and clinical information).
- Phishing-resistant passkey authentication for admin access – see our /admin sign-in flow. Email-code fallback uses time-limited one-time codes.
- An audit log of all administrative actions, hash-chained so any tampering would be detectable.
- Strict access controls – only the small number of staff and volunteers who need information to do their work can see it. Hardship-fund applications are restricted to the review team only and are never emailed.
- Background and confidentiality agreements for staff, contractors and volunteers as a condition of engagement.
- Annual review of our security practices, sub-processors and data inventory.
Marketing & unsubscribing
We send marketing communications – newsletters, campaign updates, event invitations and appeals – only to people who have opted in. Every marketing email includes a one-click unsubscribe link, and you can also email info@neuroendocrinecancer.org.nz to be removed from the marketing list. Transactional and service emails (donation receipts, sign-in codes, hardship-fund decisions, follow-ups to a support request, anything else you have specifically asked us to do) are not marketing and will keep arriving as long as we need to reach you about them.
Children & young people
Our services are intended for adults aged 16+. If you are under 16 and would like to engage with us, please ask a parent, guardian or healthcare professional to do so on your behalf. If we become aware that we hold information about a child without appropriate consent, we will remove or anonymise it promptly.
Cookies & analytics
We use a small number of cookies and similar technologies. Most are strictly necessary (e.g. to keep you signed in to the admin area, or to remember whether you’ve dismissed a banner). For analytics, we use a privacy-friendly analytics provider with IP anonymisation enabled – this gives us aggregated traffic statistics without identifying individual visitors. We do not use cross-site tracking cookies, advertising cookies, or third-party trackers. You can disable cookies in your browser settings; the public site will continue to work normally.
Notifiable privacy breaches
If we have a privacy breach that has caused, or is likely to cause, serious harm to anyone affected, we will notify those individuals and the Office of the Privacy Commissioner as required by the Privacy Act 2020. We maintain a written incident-response procedure and review every reportable incident with our board.
Your rights
Under the Privacy Act 2020 you have the right to:
- Ask us what information we hold about you (right of access).
- Ask us to correct any information that is wrong or out of date (right of correction).
- Ask us to delete information, subject to any legal retention obligations.
- Withdraw consent to receive marketing communications at any time.
- Complain to us, or to the Office of the Privacy Commissioner, about how we’ve handled your information.
To exercise any of these rights, email info@neuroendocrinecancer.org.nz with what you’d like to do. We’ll respond within 20 working days as required by the Act. There is no charge for a routine access or correction request.
Privacy Officer & complaints
Our Privacy Officer is contactable at info@neuroendocrinecancer.org.nz. Please put “Privacy” in the subject line so the message is routed promptly. If you’re not satisfied with our response, you can take the matter to the Office of the Privacy Commissioner:
- Web. privacy.org.nz
- Phone. 0800 803 909 (free within New Zealand)
- Post. PO Box 10094, Wellington 6143
Updates to this policy
We review this policy at least annually and whenever we materially change the way we collect, use or share information. Material changes will be announced by email to newsletter subscribers and posted as a banner at the top of the site for 30 days. The “last updated” date above always reflects the most recent revision.
Questions about your information? Email the Privacy Officer at info@neuroendocrinecancer.org.nz or read the Terms of use.