Launch Console

Legal · 01

Privacy Policy

Last updated: 19 April 2026

This Privacy Policy explains how Coruscant Capital Holdings ("Coruscant", "we", "us") collects, uses, stores, and discloses personal information and health information processed through the Human Health Operations Platform ("HHOP", "the Platform").

Draft notice: This document is a template scaffold provided as a starting point. It must be reviewed and adapted by qualified legal counsel before being relied upon in production.

1. Who we are

HHOP is operated by Coruscant Capital Holdings, a New Zealand-incorporated company. For data protection purposes, the customer organisation (clinic, hospital, or care provider) is the data controller of patient records. Coruscant acts as a data processor under instruction from that organisation.

2. Information we collect

2.1 Account information

  • Name, email address, organisation, and role of clinical and admin users.
  • Authentication identifiers, session metadata, and IP address.

2.2 Patient and clinical data

  • Patient demographic data (name, MRN, date of birth, sex, conditions).
  • Vital sign telemetry from connected wearables and devices — heart rate, SpO₂, blood pressure, temperature, glucose, and derived signals.
  • Threshold configurations, alert events, interventions, and audit trails.

2.3 Billing data

  • Subscription and usage metadata. Card details are processed by Stripe and are never stored on our servers.

3. How we use information

  • To provide continuous monitoring, alerting, and workflow execution.
  • To maintain audit trails required by clinical governance.
  • To bill organisations and report partner revenue share.
  • To improve security, detect abuse, and meet legal obligations.

HHOP does not diagnose, recommend treatment, or make medical decisions. Decisions remain with the licensed clinician.

4. Legal bases & jurisdictions

4.1 New Zealand — Privacy Act 2020

We comply with the thirteen Information Privacy Principles (IPPs) including purpose limitation, accuracy, security safeguards, and individual access rights. Health information is also handled in accordance with the Health Information Privacy Code 2020 where it applies to the customer organisation.

4.2 European Union / UK — GDPR

Where GDPR or UK GDPR applies, processing is carried out under Article 6(1)(b) (contract), Article 6(1)(c) (legal obligation), or Article 6(1)(f) (legitimate interest). Special-category health data is processed under Article 9(2)(h) (provision of health care) on instruction from the controller. A Data Processing Agreement is available on request.

4.3 United States — HIPAA awareness

HHOP is engineered with HIPAA-aware controls (encryption in transit and at rest, role-based access, immutable audit logging, and BAA-ready infrastructure). HHOP is not, by default, a HIPAA Covered Entity. US-based Covered Entities and Business Associates must execute a Business Associate Agreement before sending Protected Health Information to the Platform.

5. Data sharing

We share data only with:

  • Sub-processors that host or support the Platform (cloud, payments, email).
  • Authorised members of the customer organisation.
  • Authorities where compelled by law or court order.

6. International transfers

Data may be processed in jurisdictions outside your own. Where it leaves the EEA or UK, we rely on Standard Contractual Clauses or an adequacy decision. Data residency options (NZ, EU, US) may be available on enterprise tiers.

7. Retention

Patient records are retained for the period configured by the customer organisation (default seven years, aligned with NZ Health (Retention of Health Information) Regulations 1996). Audit logs are retained for a minimum of seven years. Backups are rotated within 35 days.

8. Your rights

You may request to access, correct, export, or delete your personal data.

  • NZ residents: request via your provider or contact us directly.
  • EU/UK residents: GDPR data subject rights apply.
  • Patients should generally direct requests to the care organisation that uses HHOP, as they are the data controller.

9. Security

  • TLS 1.2+ in transit; AES-256 at rest.
  • Row-level security enforced at the database layer.
  • Mandatory MFA for administrators; least-privilege role model.
  • 24-hour breach notification commitment to controllers.

10. Cookies

We use only strictly necessary cookies for authentication and security. We do not use advertising or third-party tracking cookies.

11. Children

The Platform may process paediatric clinical data only when configured by a licensed care provider. Direct sign-up is restricted to adults aged 18+.

12. Changes to this policy

We will notify customer organisations of material changes by email at least 30 days before they take effect.

13. Contact

Privacy Officer, Coruscant Capital Holdings — privacy@coruscant.co.nz. New Zealand residents may also contact the Office of the Privacy Commissioner at privacy.org.nz.

PrivacyTermsRefund← Home