Privacy Policy

Sahha is our cloud based engine, which, when integrated into a third party mobile app via our software development kits (Third Party App), collects, monitors and analyses a Third Party App ’s end user’s (End User) behavioural and other data. Click here to find out more about Sahha!


This Privacy Policy describes how Sahha Pty Ltd ABN 26 649 986 505 (we, our, us) manages personal information about individuals whose data is collected and processed by us that we receive from Third Party Apps and providers of Third Party Apps (Third Party App Providers).


Sahha provides Third Party Apps with certain functionality that processes End User behavioural data collected from an End User’s mobile phone sensors and/or native software such as Apple HealthKit or Google Fit in order to allow the Third Party App to provide services based on that data (the Services).


WE DO NOT PROVIDE ANY MEDICAL ADVICE, RECOMMENDATIONS OR DIAGNOSES. WE RECOMMEND THAT YOU SEEK ALL NECESSARY MEDICAL ADVICE, RECOMMENDATIONS OR DIAGNOSES FROM YOUR HEALTHCARE PRACTITIONER. WE DO NOT PROVIDE, OR REPRESENT THAT WE PROVIDE, ANY MEDICAL SERVICE AND WE ARE NOT A PARTY TO ANY CONTRACT FOR THE PROVISION OR RECEIPT OF ANY MEDICAL SERVICE. FURTHER, WE DO NOT REPRESENT OR WARRANT THAT SAHHA WILL RESULT IN THE DIAGNOSIS, DETECTION, CURE OR PREVENTION OF ANY BEHAVIOURAL, PSYCHOLOGICAL, MENTAL OR OTHER MEDICAL DISORDER OR ILLNESS.


We are committed to complying with our privacy obligations in accordance with all applicable data protection laws, including the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth) (each, an APP), the Privacy Act 2020 (New Zealand) (Privacy Act (New Zealand)) and the Information Privacy Principles contained in Part 3 of the Privacy Act (New Zealand (each, IPP). If we decide to change this Privacy Policy, we will post the updated version on this webpage. Our policy is to always be open and transparent about our privacy practices.


Details about how we collect and process personal information collected from our New Zealand End Users is set out at the end of this Privacy Policy.


1    Consent


1.1   Third Party App Providers are required to comply with all applicable privacy laws.


1.2   We rely on Third Party App Providers to obtain the relevant privacy consents and authorisations required by law in order for the personal information that is entered by End Users into Third Party Apps to be collected, disclosed and otherwise processed by us. We provide Third Party App Provider with a template collection notice made under APP 5 for them to issue to their End Users as part of their End Users’ registration of an account with the relevant Third Party App. We do not verify any document signed between the Third Party App and their End User however, we require Third Party Apps to electronically verify that they have obtained their End User’s consent to the collection and processing of End Users’ personal information by us.


1.3   Third Party App Provides may not use personal information that is processed about their End Users via Sahha without obtaining all consents required by applicable law.


1.4   We rely on Third Party Apps to ensure that all information collected from End Users and held by us is accurate, up to date, complete, relevant and not misleading.


1.5   We encourage Third Party Apps to ensure that their End Users are familiar with their privacy policies so that their End Users understand how the Third Party App will collect, use and otherwise process personal information about them, via Sahha or otherwise.


2   The types of personal information we collect and hold about end users


2.1   We collect and hold the following types of personal information:

  • Demographic data, including age, gender, weight, income range and other information inputted by End Users via Third Party Apps, which may include health and other sensitive information;
  • Behavioural data, including GPS, heart rate and steps data collected by the Third Part App via the End User’s mobile device, which may include health and other sensitive information; and
  • personal information, including health information, about the End User generated by Sahha’s algorithms such as information about the End User’s apparent health as determined by those algorithms, which may include health and other sensitive information.

3   How we collect personal information


3.1   Our policy is to not collect personal information by means that are unfair or unreasonably intrusive in the circumstances. We only collect personal information that is necessary to provide the functionality of Sahha and to otherwise operate our business.


3.2   We collect personal information, including health information, about End Users when it is transmitted to us via a Third Party APp in accordance with our obligations pursuant to a contract in place with the Third Party App Provider. This includes personal information entered by the End User into the Third Party App, End User behavioural data made available to the Third Party App by an End User via their mobile device, and when an End User voluntarily discloses personal information to the Third Party App (via the Third Party App, telephone, surveys, e-mail, online forms or otherwise).


3.3   Third Party Apps are responsible for ensuring that all End User consents and authorisations have been obtained or provided by them as required by law for the lawful collection of personal information that we collect from them


3.4   In the first instance, we do not directly collect personal information from End Users. Third Party App Providers are responsible for the lawful collection of their End User’s personal information. We receive an End User’s personal information from the Third Party App via our software development kit integrated into the Third Party App.


3.5   We collect information about Third Party Apps and their personnel when they voluntarily disclose it to us or when we collect it about them when they use Sahha. We collect personal information about Third Party Apps and their personnel when they enter into a contract with us, when they activate their account on Sahha, complete an online purchase via our online store, contact us for technical support and when they otherwise provide it to us.


4   How we use personal information


4.1   How we use personal information about End Users is set out in the following table:


Category How we use and process personal information that we collect Why we collect personal information
Personal information about End Users
  • To manage, provide and support Sahha and the Services for use by Third Party Apps;
  • In order to store personal information in databases and systems in our hosting environments at third party data centres;
  • To provide technical support services to Third Party Apps that require us to view and/or update personal information about End Users held in Sahha;
  • When backing up and restoring data that includes End User personal information;
  • When conducting research and development of Sahha and the Services;
  • To improve and develop Sahha and the Services and for general product and business development;
  • To carry out security audits, investigate security incidents and implement security processes and procedures that require access to personal information;
  • Backing up and restoring data that includes End Users’ personal information;
  • To handle complaints.
  • Required for Third Party Apps to receive the benefit of Sahha and the Services;
  • In order to store personal information in databases and systems in our hosting environments at third party data centres;
  • Necessary for our legitimate interests, including in order to operate and grow our business, in order to administer and allow the Third Party Apps to operate Sahha, to enable us to operate our IT systems and networks, manage our hosting environments, and ensure the successful delivery of Sahha and the Services;
  • To provide statistical analysis of de-identified Personal Information;
  • For our accounting, billing and other internal administrative purposes;
  • To comply with our legal and statutory obligations;
  • Required in order to determine which privacy law applies to the individual.
Personal information about Third Party Apps and their personne
  • To manage, provide and support Sahha and the Services for use by Third Party Apps and their personnel;
  • In order to store personal information in databases and systems in our hosting environments at third party data centres;
  • To provide technical support services to Third Party Apps that require us to view and/or update personal information about End Users held in Sahha;
  • To send newsletters and other communications to Third Party Apps and their personnel concerning Sahha and the Services, events and education opportunities.
  • To send newsletters and other communications to Third Party Apps and their personnel concerning Sahha and the Services, events and education opportunities.
  • When backing up and restoring data that includes personal information about Third Party Apps and their personnel;
  • When conducting research and development of Sahha and the Services;
  • To improve and develop Sahha and the Services and for general product and business development;
  • To carry out security audits, investigate security incidents and implement security processes and procedures that require access to personal information;
  • Backing up and restoring data that includes personal information about Third Party Apps and their personnel;
  • To handle complaints.
  • Required for Third Party Apps to receive the benefit of Sahha and the Services;
  • Necessary for our legitimate interests, including in order to operate and grow our business, in order to administer and allow the Third Party Apps to operate Sahha, to enable us to operate our IT systems and networks, manage our hosting environments and ensure the successful delivery of Sahha and the Services;
  • For our accounting, billing and other internal administrative purposes;
  • To comply with our legal and statutory obligations;
  • Required in order to determine which privacy law applies to the individual.

5   De-identified data analysis


5.1   Personal Information may also be de-identified by us and used for statistical analysis.


5.2   All such data is not held in a form that could reasonably be expected to identify an individual.


5.3   We use de-identified Personal Information to help us review, enhance and improve Sahha and the Services (for statistical or research purposes) and to develop case studies and marketing material without identifying any individual.


6   How we hold and secure personal information


6.1   We hold and store personal information that we collect in our offices, computer systems and third party owned and operated hosting facilities.


6.2   We take reasonable steps to protect personal information that we hold using such security safeguards as are reasonable in the circumstances to protect against loss, unauthorised access, modification and disclosure and other misuse, and we implement technical and organisational measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed by us.


6.3   We:

  • only use reputable cloud hosting providers to host personal information;
  • implement passwords and access control procedures, anti-virus, firewall and security controls for email and other applicable computer software and systems;
  • maintain files, in both hardcopy and electronic form, at our offices and other access-controlled premises;
  • operate online records managements systems on secure networks;
  • regularly perform security testing;
  • maintain physical security measures in our buildings and offices such as visitor access management, cabinet locks, surveillance systems and alarms to ensure the security of information systems (electronic or otherwise);
  • require our employees, agents and contractors to comply with privacy and confidentiality provisions in their employment and subcontractor agreements that we enter into with them;
  • use SSL encryption on our systems;
  • have data backup archiving and disaster recovery processes in place;
  • if appropriate in the circumstances taking into account the state of the art, the costs of implementation and the nature, scope, content and purpose of the processing, we will encrypt personal information; and
  • with respect to personal information that we no longer require or where we are otherwise required to destroy it under applicable law, we ensure that such personal information is securely destroyed.

7   Disclosure of personal information


7.1   We will disclose personal information to our employees, officers, advisors, suppliers, agents and/or related entities who assist us in the performance of the Services. We ensure that they are aware of their information security responsibilities, are appropriately trained to meet those responsibilities and have entered into agreements which require them to comply with privacy and confidentiality obligations which apply to personal information that we provide to them.


7.2   We only disclose personal information that we collect to third parties as follows:

  • Third Party App Providers;
  • data storage and software providers who host Sahha databases and information (e.g. email hosting providers and online CRM providers) on our behalf;
  • when providing information to our legal, accounting or financial advisors/representatives or insurers, or to our debt collectors for debt collection purposes or when we need to obtain their advice, or where we require their representation in relation to a legal dispute;
  • where a person provides written consent to the disclosure of their personal information;
  • where we become aware that specific personal information needs to be disclosed to protect the safety or vital interests of any person. Please note that while we may monitor personal information entered into, or generated via Sahha from time to time, we do not review all such information and do not represent that we will monitor any person’s use of Sahha or their mental health;
  • if we are contacted by any person who represents to us that they are an End User, Third Party App Provider or their personnel, for security purposes, we will only discuss the personal information that we hold about them with them if they correctly identify themselves as such according to our security measures;
  • to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences;
  • for the enforcement of a law imposing a pecuniary penalty;
  • for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation);
  • to police and other governmental bodies or regulatory authorities; and
  • where required by law.

8   Interacting with us without disclosing personal information


8.1   If you do not provide us with your personal information, you can only have limited interaction with us. For example, you can browse our website without providing us with personal information, such as the pages that generally describe Sahha that we make available, and our Contact Us page. However, when you submit a form on our website or become a Third Party App, we need to collect personal information from you in order to identify who you are, so that we can provide you with the Services, and for the other purposes described in this Privacy Policy.


8.2   You have the option of not identifying yourself or using a pseudonym when contacting us to enquire about Sahha but not if you wish to actually use Sahha, the Services of any part thereof. It is not practical for us to provide you with access and/or use of Sahha or the Services (or any part thereof) if you refuse to provide us with personal information.


9   Offshore disclosure


9.1   We may transfer personal information to our contractors and service providers who assist us with the supply and provision of Sahaa and the Services, and to assist us with the operation of our business generally, where we consider it necessary for them to provide that assistance. We will take reasonable steps to ensure that such recipients do not breach the APPs in relation to personal information or other relevant State and Territory laws (as applicable). At present we transfer your personal information to our interstate contractors and service providers within Australia. We do not currently use offshore contractors and service providers.


10   How to access and correct personal information held by us


10.1   Third Party App Providers and their personnel who wish to access and correct the personal information held by us about them should contact us. Prior to contacting us or submitting a request for access to correct any personal information held about them, Third Party Apps and their personnel can update their personal information by logging into their account on Sahha, where such functionality is available. However, we encourage you to contact us in any event and we would be happy to assist you.


10.2   End Users who wish to access and correct the personal information held by us about them should in the first instance contact the applicable Third Party App.


10.3   It is our policy to retain personal information in a form which permits identification of any person only as long as is necessary for the purposes for which the personal information was collected; and for any other related, directly related or compatible purposes if and where permitted by applicable law. We will only process personal information that you provide to us for the minimum length of time permitted by applicable law and only thereafter for the purposes of deleting or returning that personal information to you (except where we also need to retain the data in order to comply with our legal obligations, or to retain the data to protect your or any other person's vital interests).


10.4   In addition to clause 10.3, we retain personal information in Sahha as follows:

  • (a)  &nbs;pPersonal information about a Third Party App Provider and its personnel will be held while the Third Party App Provider is a Sahha customer and thereafter for a period of 5 years for tax purposes.
  • (b)   An End User’s personal information will be held while the End User is an active user of the applicable Third Party App and thereafter for a period of 12 months, at which time it will be automatically deleted; and
  • (c)   We will only keep personal information (including health information) for longer periods than specified above, where required under applicable law.

10.5   As an alternative to deleting personal information, we may elect to de-identify it where permissible by law. We will de-identify certain types of personal information for the purpose of improving Sahha and for provision to third parties for marketing and research purposes.


10.6   Where you require personal information to be returned, it will be returned to you at that time, and we will thereafter delete all then remaining existing copies of that personal information in our possession or control as soon as reasonably practicable thereafter, unless applicable law requires us to retain the personal information, in which case we will notify you of that requirement and only use such retained data for the purposes of complying with those applicable laws.


10.7   We will handle all requests for access to personal information in accordance with our statutory obligations. You can request to receive a copy of your personal information by emailing [dataprivacy@sahha.ai]. We may require payment of a reasonable fee by any person who requires access to their personal information that we hold, except where such a fee would be contrary to applicable law. We will not charge you for the making of any such request. We will endeavour to provide a response to any request for access to personal information within 72 hours from the time a request is made.


11   Any person who wishes to contact us for any reason regarding our privacy practices or the personal information that we hold about them, or make a privacy complaint, may contact us as follows:


11.1   Any person who wishes to contact us for any reason regarding our privacy practices or the personal information that we hold about them, or make a privacy complaint, may contact us as follows:

   Contact: Privacy Representative/ Data Protection Officer

   Email: [dataprivacy@sahha.ai].


11.2   We endeavour to resolve any privacy complaint with the complainant within a reasonable time frame given the circumstances. This may include working with the complainant on a collaborative basis or otherwise resolving the complaint.


11.3   If the complainant is not satisfied with the outcome of a complaint or they wish to make a complaint about a breach of the Australian Privacy Principles, they may refer the complaint to the Office of the Australian Information Commissioner who can be contacted using the following details:


Telephone:   1300 363 992

Email:   enquiries@oaic.gov.au

Address:   GPO Box 5218, Sydney NSW 2001


12   NEW ZEALAND CUSTOMERS AND DATA SUBJECTS


12.1   This section of our Privacy Policy applies to personal information about individuals whose data is collected and processed by us for the provision of Sahha and the Services that is governed by the Privacy Act 2020 (New Zealand).


13   Collection of personal information


13.1   We rely on Third Party Apps to only collect personal information for a lawful purpose which is connected to a function or activity of our businesses to the extent that it is necessary for such purpose.


13.2   We will only collect personal information about an End User from the Third Party App of which they are an end user.


13.3   We rely on Third Party App Providers to ensure that before we collect personal information from an individual or as soon as it becomes practicable to do so, the Third Party App Provider will disclose to the individual:

  • The fact that the information is being collected;
  • The purpose for which the information is being collected;
  • The intended recipient of the information, being us;
  • The consequences for that individual if all or part of the requested information is not provided; and
  • The rights of access to, and correction of information provided by the IPPs.

14   Provision of personal information to third parties


14.1   Where it is necessary for personal information to be given to a third party in connection with the provision of services that they provide to us, we will do everything reasonably within our power to prevent unauthorised use or unauthorised disclosure of the information by them.


14.2   The specific personal information that we collect, how we collect it, how we use it and who we disclose it to, is set out above in this Privacy Policy.


15   Storage and security of personal information


15.1   If we hold personal information about you, we will ensure that the information is protected by such security safeguards as are reasonable in the circumstances to take against loss, access, use, modification, unauthorised disclosure and other misuse.


15.2   If it is necessary for the information to be given to a person in connection with the provision of a service to us, everything reasonably within our power is done to prevent unauthorised use or unauthorised disclosure of the information.


16   Requests for access to and correction of personal information


16.1   Individuals whose personal information is governed by the Privacy Act (New Zealand) are entitled to seek access to and correction of it in accordance with that legislation.


16.2   Third Party App Providers and their personnel who wish to access and correct the personal information held by us about them should contact us. Prior to contacting us or submitting a request for access to correct any personal information held about them, Third Party App Providers and their personnel can update their personal information by logging into their account on Sahha, where such functionality is available. However, we encourage you to contact us in any event and we would be happy to assist you.


16.3   We rely on Third Party App Providers to ensure that all personal information collected by them from End Users and held by us is accurate, up to date, complete, relevant and not misleading.


16.4   End Users who wish to access and correct the personal information held by us about them should at first instance contact the Third Party App Provider with which they are an end user.


16.5   You may request urgent access to your personal information in accordance with section 41 of the Privacy Act (New Zealand) and state why the request should be treated as urgent. We will on receipt of such request, consider the request and reasons, determine the priority given to it and ensure that we provide reasonable assistance to a person who makes such a request.


16.6   In the event that a person wishes to access their personal information and it is readily retrievable by us, they can also request from us either of the following: (a) to obtain confirmation from us as to whether or not we hold such personal information; (b) access to the personal information; and (c) be advised if they are able to correct such personal information.


16.7   We will as soon as possible and in any event no later than 20 working days from the date on which the request is made, decide to grant or refuse the request and provide the person who made the request with or post to them, our decision. We may in our discretion charge a reasonable fee for making information available in compliance with the request or for correcting any information in compliance with a request (in whole or in part) or for attaching a statement of any correction sought but not made, subject to our compliance with the IPPs.


16.8   If a person submits a request to access their personal information to us, we may refuse their request on one or more of the grounds set out in the Privacy Act (New Zealand). If we refuse to comply with a request to access their personal information, we will provide the individual who made the request with our reasons for our denial and an opportunity to file a complaint with the Commissioner, to seek an investigation and a review of the refusal.


16.9   Where we hold personal information governed by the Privacy Act (New Zealand) about an individual, they are entitled to request correction of the information and request that there be attached to the information a statement of the correction sought but not made.


16.10   We will only hold personal information for as long as is required for the purposes for which the information may lawfully be used.


17   Complaints


17.1   If you are not satisfied with our response to any privacy-related concern that you may have, you can contact the Privacy Commissioner


Office of the Privacy Commissioner

PO Box 10-094, Wellington, New Zealand

Phone: 04 474 7590 / Fax: 04 474 7595

Enquiries Line (from Auckland): 302 8655 / Enquiries Line (from outside Auckland): 0800 803 909

Email: enquiries@privacy.org.nz