Privacy Policy

Last updated: 26 May 2026

Note: this policy is a working draft written for a New Zealand-based care coordination service. Before going public, have a privacy lawyer review the specifics, especially sections on retention, international data transfer, and compliance with the NZ Privacy Act 2020.

1. Who we are

KinsWell is a care coordination tool for families and care providers. This policy explains what personal information we collect, why we collect it, how we use it, and the choices you have.

KinsWell is the data controller for the personal information you provide to us. You can contact us at privacy@kinswell.nz.

2. Who the data is about, and whose law applies

KinsWell coordinates care across three categories of people, and we treat each category’s data accordingly:

  • The person being cared for — typically an ageing parent, an adult with a disability, or someone recovering at home. This person is resident in New Zealand. Their personal information (name, address, daily care, medication reminders, photos, visit notes) is governed primarily by the New Zealand Privacy Act 2020 and the Health Information Privacy Code 2020 where it applies.
  • The account holder and other family members — the people who use KinsWell to coordinate that care. They may be located anywhere in the world. Their personal information (email, name, comments, account activity) is governed by the New Zealand Privacy Act, and additionally — where applicable — by the data protection law of the country in which they reside (for example, the UK Data Protection Act for UK residents, the Australian Privacy Act for Australian residents, the General Data Protection Regulation for EEA residents).
  • Carers visiting the home — the people who scan the QR code and log visits. Their personal information (name, visit times, notes they leave) is governed by the New Zealand Privacy Act.

If you are a family member outside New Zealand, you can exercise your local data protection rights with respect to your own account data by contacting privacy@kinswell.nz. We may need to verify your identity before responding, and we will do our best to respond within the timeframe required by your local law.

We do not act as the GDPR controller (or equivalent under other extraterritorial frameworks) for the cared-for person’s data, because that person is resident in and receiving care in New Zealand. Their information is governed by New Zealand law.

3. What we collect

We collect the following categories of personal information:

  • Account details: your name, email address, password (stored as a hash by our authentication provider).
  • Household details: household name, timezone, carer PIN (stored as a bcrypt hash).
  • Care data: tasks, medications, schedules, visit records, photos, voice notes, text notes, and comments, recorded by family members and carers to coordinate the care of a loved one.
  • Carer records: names of carers who have accessed the QR-code-based checklist.
  • Usage data: server logs, including IP address and user agent, retained for security and debugging purposes.

4. Why we collect it

  • To provide the KinsWell service to you.
  • To let family members, carers, and care providers coordinate care for a shared household.
  • To maintain an immutable audit trail of who did what and when, which is core to the product’s value.
  • To keep the service secure and prevent abuse.

5. Who we share it with

We do not sell your personal information. We share it only with:

  • Supabase (our database and authentication provider).
  • Other members of your household who have been invited and accepted an invitation.
  • The care provider organisation, if your household is managed by one. Providers who own a household subscription have full visibility into that household’s visit records, free-form notes, photos, comments, and medication details. This is how they coordinate care across their team. When your household is provider-managed, the organisation’s name is shown on your dashboard, and we notify you at the moment you accept an invite.
  • Authorised government or legal authorities when we’re required by law to disclose information.

6. How long we keep it

We keep personal data only as long as it serves a purpose, in line with Principle 9 of the New Zealand Privacy Act 2020. After that, we delete it. This keeps the picture we hold about your loved one minimal and reduces the consequences if KinsWell were ever compromised.

Account data

We keep your account data while your account is active. When you delete your account, we remove personally identifying information immediately (your account row is soft-deleted; your name and email are replaced with placeholders). Records you authored (visit comments, tasks created, photos uploaded) remain with the household that owns them so the audit trail isn’t broken, but are attributed to “Deleted user” going forward.

Visit history (tasks, notes, comments, photos)

Visit records age out automatically. The window depends on your plan:

Plan                              Text records      Photos
Family ($24.99/mo)                18 months         12 months
Family Plus ($44.99/mo)           5 years           18 months
Provider Starter ($199/mo)        5 years           18 months
Provider Growth / Professional    7 years           2 years
Enterprise                        By negotiation

Records older than the window are permanently deleted by an automated daily process. Once deleted they cannot be recovered, including by us.

You’ll see a banner on the dashboard 30 days before anything is due for deletion. You can:

  • Export records as JSON or PDF from My account → Download my data, before they’re deleted.
  • Upgrade to a longer-retention plan to keep them inside KinsWell.

If you do neither, the records auto-delete on schedule. We don’t email you about it; the banner is the only notice.

Why providers get longer windows

Care providers in New Zealand have statutory record-keeping obligations that often run to five years or more. The provider-tier windows are sized to meet typical compliance requirements; if your contract or funder requires longer, Enterprise plans support extended retention by negotiation.

Aggregated statistics we keep longer

After detailed records are deleted, we may retain aggregated, non-identifying statistics (total visit counts per carer, service dates, plan-level usage metrics) for service operations and to preserve a long-term picture for the household. These cannot be traced back to individual visits, notes, or photos.

Household data

Household data is removed when the household is deleted by its owner.

7. Your rights

Under the New Zealand Privacy Act 2020 and equivalent laws in other jurisdictions, you have the right to:

  • Access the personal information we hold about you. You can download a full JSON export from the Account page.
  • Correct information that’s inaccurate. Most fields are editable on the Account page directly.
  • Delete your account. See the “Delete account” section on the Account page.
  • Complain to the Office of the Privacy Commissioner if you believe we’ve handled your information improperly.

8. Security

Data is encrypted at rest by our database provider and transmitted over HTTPS. Household PINs and user passwords are stored as bcrypt hashes; we never see them in plain text. Photos are served through signed, time-limited URLs.

9. Changes to this policy

When we change this policy, we’ll update the “Last updated” date at the top. If changes are material, we’ll notify you by email or by a prominent notice in the app.