Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Overview
Practical Steps And Common Mistakes
- Map your data before you write anything
- Write a notice people can actually understand
- Separate consents instead of bundling everything together
- Check your third party providers carefully
- Align privacy wording with your contracts and internal practice
- Do not overclaim on anonymity or medical status
- Build a process for user rights and incidents
- Key Takeaways
If you are building a health app in New Zealand, your privacy notice and consent flow can create problems long before launch. Founders often make the same mistakes, they copy a generic overseas privacy policy, bundle every permission into one tick box, or collect health information before clearly telling users what will happen to it. Those shortcuts can cause trouble because health data is highly sensitive, and users, investors, commercial partners and regulators will expect more than a vague statement at sign-up.
A strong privacy notice and consent setup for a health app is not just about legal wording. It affects product design, onboarding, marketing claims, customer trust and how you handle data sharing with clinics, coaches, insurers or analytics providers. If your app tracks symptoms, stores lab results, offers telehealth features or collects wellness information that can identify a person, you need to get the basics right early.
This guide explains what New Zealand businesses should cover in a health app privacy notice, when consent is actually needed, how to separate different permissions, and the practical mistakes to avoid before you spend money on setup or sign commercial contracts.
Overview
Health apps in New Zealand usually need both a clear privacy notice and carefully designed consent steps, but they are not the same thing. A privacy notice explains how personal information is collected, used, stored and disclosed, while consent is only one possible legal basis or permission mechanism for particular actions, especially where health information, marketing or optional data sharing is involved.
The main legal reference point is the Privacy Act 2020, including the information privacy principles, and the sensitivity of health information means vague disclosures are a poor fit. Your app terms, contracts with providers and product design should all align with what your notice says.
- Identify exactly what health and personal information your app collects, including device data, account details and inferred health insights.
- Write a privacy notice that matches your actual app features, data flows and third party tools.
- Separate mandatory data collection from optional consents, such as marketing, research participation or sharing with external partners.
- Make sure user-facing consent language is specific, active and easy to understand on mobile screens.
- Check whether any overseas storage, analytics or service providers are involved.
- Align your privacy notice with your terms of use, supplier contracts and internal handling practices.
- Set up a process for access requests, correction requests, complaints and data incidents.
What Privacy Notice Consent Form Health App Means For New Zealand Businesses
For a New Zealand health app business, this issue usually means building a privacy framework that is specific enough for sensitive data and practical enough for real users. The legal risk is rarely just one missing checkbox, it is the gap between what your app actually does and what you have told users.
Privacy notices and consent are different tools
A privacy notice is your explanation to users about how their information is handled. In plain English, it tells them what you collect, why you collect it, who receives it, whether it may go overseas, how long you keep it, and how they can request access or correction.
Consent is narrower. It is a user's agreement to a particular act or set of acts. In a health app context, that might include:
- agreeing to share information with a clinician or support person
- opting in to promotional messages
- agreeing to participate in product research
- authorising integration with a wearable device or another platform
- choosing to upload particularly sensitive records or identifiers
Many founders assume that if a user clicks “I agree” to the privacy policy, everything is covered. That is where businesses often get caught. A general acceptance flow does not automatically make every later use fair, transparent or properly authorised.
Health information needs extra care
Health information is particularly sensitive because it can expose a person's conditions, treatment history, vulnerabilities and habits. Even data that looks like “wellness” information can become health information once it is linked to symptoms, medications, fertility tracking, mental health journals or treatment plans.
That means your app should be especially careful about:
- collecting only what you actually need
- explaining purpose at the point of collection
- avoiding surprise secondary uses
- limiting staff and contractor access
- using secure storage and transfer practices
- checking whether third parties are receiving identifiable information
The Privacy Act 2020 matters from day one
New Zealand's Privacy Act 2020 applies when your business collects, holds, uses or discloses personal information. The information privacy principles shape what a health app should do in practice. For example, users should generally know why information is being collected, who will receive it, and what happens if they do not provide it.
If your app has users outside New Zealand, or you use offshore providers, you may also need to think about overseas privacy rules and contractual protections. Even if your company is still early stage, those issues matter before you sign with a hosting provider, analytics vendor or white label development team.
Your privacy notice should match your business model
A symptom tracker, a telehealth booking app, a chronic condition management platform and a corporate wellbeing app will not all need the same notice. The wording should reflect whether you are:
- selling directly to consumers
- contracting with clinics, pharmacies or employers
- providing software to health professionals
- combining health services with e-commerce or subscriptions
- using artificial intelligence or automated recommendations
This is also where related legal documents matter. Your terms of use, service agreements, software contracts and marketing claims should not contradict the privacy notice. If your onboarding says “we never share your data” but your backend sends personal information to service providers, that mismatch creates obvious risk.
When This Issue Comes Up
Most health app businesses need to deal with privacy notices and consent earlier than they expect. The practical trigger is usually not a legal review, it is a product or growth decision that changes what data you collect or who sees it.
Before launch
You should sort this out before launch, not after the app is live in the App Store or Google Play. At that stage, your signup screens, product copy and backend tools may already be collecting sensitive information in ways the business has not mapped properly.
Common launch-stage triggers include:
- asking users about symptoms, medications or diagnosis history
- creating user profiles linked to identifiable health outcomes
- offering online consultations or clinician messaging
- processing payments for health related services
- using cookies, SDKs or analytics tools that receive personal information
When adding new features
A privacy notice is not a one-off document. If you add new functions, your disclosures and consent settings may need updating. That often happens when startups grow from a simple wellness tool into a more sophisticated health platform.
Examples include:
- integrating with wearables or Apple Health style data sources
- letting users share records with family members or practitioners
- introducing AI-driven health suggestions
- launching referrals, rewards or affiliate partnerships
- using de-identified or identifiable data for product training and analysis
When dealing with partners and enterprise customers
This issue also comes up when a clinic, insurer, employer or investor asks questions during due diligence. They often want to know exactly what user permissions you rely on, whether your notice is tailored to New Zealand law, and whether your supplier contracts cover data handling properly.
Before you sign a major partnership agreement, check whether the app's privacy position lines up with the promises in your commercial deal. For example, if an enterprise customer expects aggregated reporting, individual data sharing, or white labelled onboarding, your user notice and consent wording need to support that arrangement.
When marketing the app
Marketing can create separate privacy and fair trading issues. If you claim users are “fully anonymous”, “100% private” or “secure by design”, those statements need to be accurate. The Fair Trading Act 1986 can come into play if promotional claims are misleading.
Health app businesses also need care with direct marketing. If you collect user emails during onboarding for service delivery, that does not automatically mean you can send unrelated promotional campaigns without a proper opt-in approach.
Practical Steps And Common Mistakes
The best way to manage a privacy notice and consent issue for a health app is to treat it as a product, legal and operations project at the same time. Founders get the strongest result when the notice reflects the real user journey, not a legal template pasted in at the end.
Map your data before you write anything
Start with a data map. You need a clear record of what the app collects, where it comes from, where it goes and who can access it.
Your map should cover:
- information users type in, such as symptoms, medical history or goals
- account details, payment details and contact information
- device, location and usage data
- information imported from third parties or wearables
- internal staff access and support access
- external processors, hosts, developers and analytics tools
Without this step, most privacy notices become too general and miss important disclosures.
Write a notice people can actually understand
Your notice should be clear, specific and readable on a phone screen. Dense legal wording buried in tiny text is a poor fit for a health app where trust is central.
A well-drafted notice commonly covers:
- what information is collected
- why it is collected
- whether collection is required or optional
- what happens if the user does not provide it
- who receives or can access it
- whether information may be stored or processed overseas
- how users can ask for access or correction
- how to contact your privacy officer or team
If your app is aimed at younger users or people in vulnerable health situations, plain language matters even more.
Separate consents instead of bundling everything together
One of the most common mistakes is using a single checkbox for terms, privacy, marketing, data sharing and research. That approach makes it harder to show users understood what they were agreeing to.
Instead, consider separate user actions for:
- accepting the app terms of use
- acknowledging the privacy notice
- opting in to marketing communications
- agreeing to optional sharing with clinicians, employers or support persons
- consenting to research or product improvement uses where relevant
Consent should be active and specific. Pre-ticked boxes or vague “continue to agree” wording can create problems, especially for sensitive information.
Check your third party providers carefully
Many apps rely on offshore hosting, push notification tools, customer support software, crash reporting services and analytics products. Each provider may affect what you need to disclose and how you contract.
Before you spend money on setup, check:
- what personal information each provider receives
- whether any health information is involved
- where data is stored or accessed
- what security commitments the provider gives
- whether your contract says how incidents, deletion and access requests are handled
If a developer has inserted third party SDKs without clear review, your notice may be inaccurate from day one.
Align privacy wording with your contracts and internal practice
Your privacy notice should not sit alone. It should work with your internal policies and external contracts.
For many businesses, that means checking consistency across:
- terms of use for end users
- service agreements with clinics or enterprise customers
- software development agreements
- contractor and employee confidentiality obligations
- data handling procedures for support teams
If your app is operated through a company, your company setup, founder responsibilities and ownership of software and data rights should also be cleanly documented. These issues often sit in the background until a fundraising round or acquisition process exposes them.
Do not overclaim on anonymity or medical status
Some health apps are wellness products, not regulated medical devices or clinical services. Others sit closer to healthcare delivery. Your privacy notice should not imply a level of clinical oversight, anonymity or security that the product does not actually provide.
Common problem statements include:
- claiming data is anonymous when it can still be linked back to a person
- saying information is never shared when service providers can access it
- implying users have given broad consent when the screen flow did not explain the point properly
- calling the product “medical advice” or “diagnosis” without appropriate basis
That is partly a privacy issue and partly a consumer law and regulatory positioning issue.
Build a process for user rights and incidents
A notice is only credible if your business can act on it. Users may ask for access to their data, request corrections or complain about use of their information.
You should have a workable process for:
- verifying the requester
- finding the relevant records
- responding within a reasonable timeframe
- correcting inaccurate information where appropriate
- escalating privacy complaints internally
- managing suspected privacy breaches
Small startups often focus on launch and forget these operational pieces. The main risk is that your policy says one thing, but your team cannot actually deliver it.
FAQs
Does a New Zealand health app always need user consent?
No. Consent is not the answer to every privacy question. You still need a clear privacy notice, and some collection or use may be justified because it is necessary to provide the service. Consent is most relevant where a use is optional, sensitive, separate from core service delivery, or likely to surprise the user.
What should a health app privacy notice include?
It should explain what information is collected, why it is collected, who receives it, whether overseas providers are involved, what happens if information is not provided, and how users can request access or correction. It should also identify who to contact about privacy issues.
Can I copy a privacy policy from an overseas app?
No, that is risky. Overseas templates often refer to different legal rules, different user rights and different data practices. A New Zealand health app notice should reflect your actual product, your providers and the Privacy Act 2020 context.
Do I need separate consent for marketing messages?
Usually, yes, that is the safer approach. If users give you their contact details to use the app, that does not automatically mean they expect promotional messages. A clear opt-in for direct marketing helps reduce confusion and complaints.
What if my app stores data overseas?
You should disclose that clearly and check your provider arrangements carefully. Overseas storage or access can affect privacy compliance, customer expectations and enterprise due diligence, especially where sensitive health information is involved.
Key Takeaways
- A privacy notice and user consent serve different purposes, and a health app often needs both.
- Health information is sensitive, so generic templates and vague sign-up wording are a poor fit.
- Your notice should match the app's real data flows, third party tools, marketing practices and contracts.
- Separate optional consents, such as marketing or external sharing, instead of bundling everything into one acceptance step.
- Check overseas providers, internal handling processes and user request procedures before launch and again when features change.
- Keep your privacy wording aligned with your terms of use, partner agreements and actual product behaviour.
If your business is dealing with privacy notice consent form health app and wants help with privacy notices, app terms and conditions, data sharing arrangements, and supplier contracts, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.






