Privacy Policy

Effective Date: 27 April 2026

1. Introduction

Gestalt Ltd ("Gestalt", "we", "us", or "our") is committed to protecting your privacy in accordance with the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our medical education platform (the "Service").

The Service is offered to users in New Zealand. To deliver the Service we use international service providers — including AI, transcription, and authentication providers — which may process your information in other countries. See Section 4 for the categories of providers we use, and Section 10 for our approach to international transfers. We do not market the Service to users in the United States and do not consent to the application of United States state privacy laws (including but not limited to the California Consumer Privacy Act and the California Privacy Rights Act) to your information.

By using the Service, you acknowledge the data practices described in this Privacy Policy. If you do not agree with our practices, please do not use the Service.

1.1 International Users

The Service is not directed to or intended for users located outside New Zealand. If you access or use the Service from any jurisdiction outside New Zealand, you do so on your own initiative and at your own risk. Your personal information will be handled under the New Zealand Privacy Act 2020 regardless of where you access the Service from, including any international transfers described in Section 10. The data subject rights, transfer restrictions, and notification regimes of jurisdictions other than New Zealand (including but not limited to the EU GDPR, UK GDPR, and United States state privacy laws) do not apply to our processing of your information.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide when using the Service:

Account information: Name, email address, profile photo, and authentication credentials (when using third-party sign-in like Google or Microsoft).
Profile information: Medical school or institution, year of study, and learning preferences.
Learning content: Text you enter in chat sessions, OSCE scenarios, practice responses, and notes you create.
Audio data: Voice input or recordings when using speech-to-text features, processed for transcription and related quality, safety, support, and service-improvement purposes.
Feedback and support: Messages you send to our support team and feedback you provide.
Payment information: Billing details if you purchase a subscription (processed by our payment provider).

2.2 Information Collected Automatically

When you use the Service, we automatically collect certain information:

Device information: Device type, operating system, browser type, and screen resolution.
Usage data: Pages viewed, features used, session duration, and interaction patterns.
Log data: IP address, access times, and referring URLs.
Learning analytics: Session completion rates, feedback outcomes, and progress metrics (used to personalise your experience).

2.3 Information from Third Parties

We may receive information from third-party services:

Authentication providers: When you sign in with Google or Microsoft, we receive your name, email, and profile photo.
Analytics providers: Aggregated usage data to help us improve the Service.

2.4 Whether Information Is Required or Optional

You are not legally required to provide your personal information to us. However, some information is needed to use the Service:

Required to create and use an account: An email address, and either a password or an authenticated identity from a third-party sign-in provider (such as Google or Microsoft). Without these, we cannot create or maintain your account.
Required to use specific features: Voice input for transcription features; payment information for paid subscriptions. You can use the rest of the Service without these.
Optional: Profile information (medical school, year of study, learning preferences), notes, and feedback. You can use the Service without providing them, though some personalised features may be unavailable.

3. How We Use Your Information

We use the information we collect for the following purposes, each of which we consider connected to our functions and activities as an educational platform (consistent with IPP 1 and IPP 10):

3.1 Providing the Service

Operate and maintain your account
Deliver personalised learning experiences
Process your requests and transactions
Provide customer support

3.2 Improving the Service

Analyse usage patterns to improve features and user experience
Develop new educational content and learning tools
Use de-identified, aggregated data for research and analytics
Fix bugs and improve performance

3.3 Communication

Send service-related notifications (e.g., account verification, security alerts)
Respond to your inquiries and support requests
Send educational updates and feature announcements (with your consent, in accordance with the Unsolicited Electronic Messages Act 2007)

3.4 Security and Compliance

Protect against unauthorised access, fraud, and abuse
Enforce our Terms of Service
Comply with legal obligations

4. AI Processing and Third-Party Services

4.1 AI and Machine Learning

The Service uses artificial intelligence to provide educational features. When you use these features:

Your inputs may be sent to AI providers (such as Anthropic and OpenAI) to generate responses. These providers handle your data subject to their own published privacy practices and terms.
We do not use your identifiable personal information to train public AI models.
We may use de-identified and aggregated data to improve our internal educational AI capabilities.

4.2 Transcription Services

When you use voice input features, your audio is processed by speech-to-text services. Audio data is:

Transmitted securely and encrypted in transit
Sent to the transcription provider only for the purpose of generating a transcript
Not stored by us by default in the current streaming transcription flow, although we reserve the right to retain audio recordings for the limited period described in Section 6 if recording storage is enabled

The transcription provider's own handling of your audio is governed by that provider's terms and privacy practices.

4.3 Other Third-Party Services

We use third-party services for various functions:

Authentication: Google and Microsoft for secure sign-in
Hosting: Google Cloud Platform / Firebase for infrastructure
Payments: Stripe for subscription billing

5. How We Share Your Information

We do not sell your personal information. We may share your information only in the following circumstances:

5.1 Service Providers

We share information with service providers who help us operate the Service (hosting, analytics, payment processing, AI providers). These providers are subject to their own published privacy practices and terms, and we share only the information necessary for them to provide their services to us.

5.2 Institutional Partnerships

We may in future offer institutional accounts where your account is managed by or associated with an educational institution (such as a medical school). If we do, we will update this Privacy Policy and notify affected users before any data is shared under such an arrangement. Any institutional sharing would be limited to the categories and purposes disclosed in advance and would require your explicit consent.

5.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to:

Comply with legal obligations
Protect our rights, property, or safety
Protect users or the public from harm
Detect, prevent, or address fraud or security issues

5.4 Business Transfers

If Gestalt Ltd is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.

5.5 With Your Consent

We may share your information for other purposes with your explicit consent.

6. Data Retention

We retain your information for as long as necessary to provide the Service and fulfil the purposes described in this Privacy Policy:

Account data: Retained for the duration of your active account plus 12 months after deletion, to comply with legal obligations and allow for account recovery.
Learning content: Retained for the duration of your active account plus 12 months after deletion. You can delete individual sessions or your entire account at any time.
Audio recordings: Not stored by us by default in the current streaming transcription flow. If audio recording storage is enabled for transcription quality, support, safety review, or service improvement, recordings may be retained for up to 90 days, then deleted or anonymised unless a longer period is required by law.
Log data: Retained for up to 90 days for security and troubleshooting purposes.
De-identified data: May be retained indefinitely for analytics and research purposes.

When you delete your account, we will delete or anonymise your personal information within 30 days, except where retention is required by law.

7. Your Rights

Under the NZ Privacy Act 2020, you have the following rights regarding your personal information:

7.1 Access (IPP 6)

You can access your personal information through your account settings. You can also request a copy of your data in a portable format by contacting us.

7.2 Correction (IPP 7)

You can update or correct your account information at any time through your account settings, or by contacting us.

7.3 Deletion

You can delete your account and personal data by contacting us or using the account deletion feature in your settings. Some information may be retained as required by law.

7.4 Opt-Out of Marketing

You can unsubscribe from marketing communications at any time using the link in our emails. To manage cookies, see Section 9.

7.5 Complaints

If you are not satisfied with how we have handled your personal information, you have the right to make a complaint to the Office of the Privacy Commissioner at privacy.org.nz. We encourage you to contact us first so we can try to resolve your concern.

8. Data Security

We take reasonable steps to protect your information:

Encryption in transit: TLS/HTTPS is enforced for all connections to the Service.
Access controls: Authentication, session management, and rate limiting restrict access to personal data.
Authentication: Sign-in is via Google OAuth or email magic link. Where your sign-in provider supports multi-factor authentication, that protection applies through the sign-in flow.
Monitoring: Application logs are reviewed for errors and suspicious behaviour.
Security review: We carry out security reviews and dependency audits as part of our development process. We are continuing to build out our security infrastructure.

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

8.1 Notifiable Privacy Breaches

If we become aware of a privacy breach that is likely to cause serious harm to one or more individuals, we will notify the affected individuals and the Office of the Privacy Commissioner as soon as practicable, in accordance with the notifiable privacy breach regime under the New Zealand Privacy Act 2020.

9. Cookies and Tracking Technologies

We use cookies and similar technologies for:

Essential cookies: Required for authentication, security, and core functionality.
Preference cookies: Remember your settings and preferences (e.g., theme, language).
Analytics cookies: Help us understand how you use the Service to improve it.

We do not use cookies for advertising or cross-site tracking. You can manage cookie preferences through your browser settings.

10. International Transfers

Your information may be transferred to and processed in countries other than New Zealand, including countries where our service providers operate. The privacy laws of these countries may differ from, or provide weaker protections than, the New Zealand Privacy Act 2020.

By using the Service, you acknowledge that some of our overseas service providers may not be required to protect your information in a way that, overall, provides safeguards comparable to those required by the New Zealand Privacy Act 2020, and you authorise the transfer of your personal information to those providers for the purpose of operating the Service. The categories of overseas providers we rely on are listed in Section 4.

11. Children's Privacy

The Service is intended for medical students. We do not knowingly collect personal information from children.

If we learn that we have collected personal information from a child, we will delete that information promptly. If you believe we have collected information from a child, please contact us at contact@gestalt.ac.

12. Do Not Enter Real Patient Information

The Service is designed for educational purposes only. You must never enter real patient information, including:

Patient names or identifiers
Medical record numbers
Dates of birth or other demographic information
Diagnoses, test results, or treatment details
Any other protected health information (PHI)

If you inadvertently enter real patient information, please contact us immediately so we can delete it.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Effective Date" at the top of this page
Notify you via email or through the Service for significant changes
Provide reasonable notice before changes take effect

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Gestalt Ltd

Privacy enquiries: contact@gestalt.ac

General support: support@gestalt.ac

To make a complaint about how your personal information has been handled, you may also contact the Office of the Privacy Commissioner at privacy.org.nz.