Privacy Policy


This Privacy Policy describes how Loffty Global Limited collects, uses, stores and protects your personal information in connection with the Loffty Website and Loffty Platform. It applies to all users, including casual visitors, End Users, Accredited Loffty Practitioners and Workplace Leaders. By accessing or using the Loffty Platform, you agree to this Privacy Policy. If you have any questions, please contact our Privacy Officer at hello@loffty.com.

About Loffty

Loffty Global Limited (trading as Loffty) delivers a mental health and wellbeing website and platform that enables people to gain insights into their mental health and wellbeing. People complete a Loffty self-assessment and immediately receive their personalised Loffty report, which includes recommendations for further information, products, digital wellbeing solutions and mental health professionals.

Loffty is a self-assessment tool — it is not a diagnostic tool. By using the Loffty Platform, you understand that the Loffty Platform does not provide a final diagnosis and that any final diagnosis remains the responsibility of your mental health professional. Loffty is a decision support tool for mental health professionals who use it to help them arrive at a formal diagnosis, if appropriate, or use the Loffty insights to support them in making treatment or referral decisions.

Loffty is not responsible for the mental health and wellbeing professionals in its provider directory, for whether they are currently registered with their professional body, or for whether they are in compliance or conflict with the applicable rules of their professional body.

Loffty helps people feel better faster and supports practitioners to help more people more quickly. Insights from the Loffty Platform can also help workplace people-leaders gain real visibility into wellbeing risks and opportunities.

What This Privacy Policy Means For You — A Plain English Summary

This Privacy Policy explains how we collect, use, store and protect your personal information. Key points:

  • We collect personal and health information to provide our services and personalise your experience.
  • We never sell your personal information to third parties.
  • We never share your information with your employer without your express permission.
  • Your data is stored securely with Amazon Web Services (AWS) in Sydney, Australia.
  • We comply with the NZ Privacy Act 2020, Health Information Privacy Code 2020, Australian Privacy Act 1988, EU GDPR, UK GDPR, and HIPAA.
  • You have rights to access, correct and (where applicable) delete your personal information.
  • For any privacy questions, contact our Privacy Officer at hello@loffty.com.

1. Purpose

This Privacy Policy (Policy) describes how Loffty Global Limited (we, us, our) manages all aspects of privacy in connection with your use of the Loffty Website and Loffty Platform. It is available to all users and is used as the basis on which management decisions regarding privacy are made.

Loffty views privacy as fundamental to its business. We are required to demonstrate at all times that we understand the importance of individual privacy and Personal Information, including Health Information.

This Policy explains what information we collect, why we collect it, how we protect it, who we share it with, under what circumstances, and how you can contact us if you have any questions or concerns.

By accessing the Loffty Website (www.loffty.com) or Loffty Platform, you accept the terms of this Privacy Policy. This Policy forms part of our Terms of Service available on the Loffty Website.


2. Introduction and Applicable Law

Loffty Global Limited maintains a policy of strict confidence concerning your Personal Information and Health Information. This Policy has been developed in accordance with the following legislation (collectively, Privacy Law):

  • New Zealand Privacy Act 2020 (NZ Privacy Act)
  • Health Information Privacy Code 2020 (NZ HIPC)
  • Australian Privacy Act 1988 (Cth), as amended, and the Australian Privacy Principles (APPs)
  • EU General Data Protection Regulation (EU GDPR 2016/679) — for users in the European Economic Area
  • United Kingdom General Data Protection Regulation (UK GDPR) — for users in the United Kingdom
  • United States Health Insurance Portability and Accountability Act 1996 (HIPAA), as amended — for applicable US users
  • Any other applicable data protection or privacy legislation in your jurisdiction

This Policy applies to Personal Information and Health Information collected, stored, protected, used and disclosed by us, whether via the Loffty Website, the Loffty Platform, or any other means.

This Policy does not limit or exclude any of your rights under applicable Privacy Law. If you wish to seek further information on the New Zealand Privacy Act 2020, see www.privacy.org.nz. For GDPR enquiries, contact our Privacy Officer at hello@loffty.com.

Where we hold information about you in accordance with a contract with a third party, we will also endeavour to comply with any additional privacy rules as advised by that contracting party.


3. How We Collect Your Personal Information

We may collect Personal Information about you in a variety of ways, including:

Practitioner Registration

When you register to apply to be an Accredited Loffty Practitioner, we collect your email address, name, phone number, practice name, and licence or provider number.

End User Registration

When you register as an End User to use the Loffty Platform, we collect your email address, name, postcode, date of birth and gender.

Platform Usage

Each time you log in to your Account or complete a Loffty assessment, we automatically collect information from your browser or device, including your IP address or unique device identifier, geolocation data, browser type, browser language, device type and operating system, time spent on the Platform, cookies (for web access), login details (for app access), and the pages or screens you visit.

Assessment Data

We collect Personal Information and Health Information that you input into the Loffty self-assessment so that we can offer you a personalised Loffty Platform experience designed to support your mental health and wellbeing.

Newsletter and Content Subscriptions

When you subscribe to our newsletter or request content from us, we collect your name and email address. You may opt out at any time by clicking the unsubscribe link in our emails.

Technical Support

When you contact us for technical support, we collect your email address and any information you share via online chats or telephone calls. We may record support calls to help us improve our services.

Direct Email and Forms

When you email us or complete a form on our Website (such as a 'Book a Call' form), we collect the information you provide, including your name, email address, phone number, company name, number of employees and any additional comments.

Social Media

If you follow Loffty or share Loffty content on Facebook, X (formerly Twitter), LinkedIn, Instagram, TikTok or other social media platforms, we may receive information from those platforms, including your profile information, picture, user ID, friends list, and any other information you permit the platform to share with third parties. The data we receive depends on your privacy settings with the relevant platform. You should regularly review and adjust your privacy settings on third-party social media platforms.

Workplace Platform

When an organisation registers to use the Loffty Workplace Platform, we may collect information about the organisation, which may include employee email addresses for the purpose of inviting employees to participate in the Loffty Platform. Participation by employees is voluntary.

Third-Party Sources

Occasionally, we may collect Personal Information about you from third parties where you have authorised this or the information is publicly available. We will only do so where permitted by applicable Privacy Law.


4. How We Use Your Personal Information

All Personal Information we collect, which may include Health Information, is reasonably necessary for the following purposes:

  • Verifying your identity and granting you access to your personal self-assessment or practitioner secure area.
  • Providing our Services to support End Users and mental health practitioners. Where we provide our Services to Accredited Loffty Practitioners and they collect Health Information, we hold that information on their behalf pursuant to a contract, and comply with the terms of those contractual arrangements.
  • Recommending appropriate mental health practitioners based on your specific needs.
  • Recommending mental health resources and solution providers based on your specific needs.
  • Responding to your communications and providing customer care, including via email messages and push notifications.
  • Communicating information about new developments, products, services and special offers (where you have consented or where permitted by applicable Privacy Law).
  • Providing you with technical support, including account verification, feature updates and security notices.
  • Improving the features, functionality, personalisation and quality of the Loffty Platform and Website.
  • Tracking usage of the Loffty Platform and generating statistics to help us better understand and serve our users.
  • Diagnosing and preventing service or technology problems.
  • Authorising and processing payments, including credit card transactions.
  • Conducting anonymised general mental health and wellbeing research and statistical analysis to advance knowledge in the field, including the efficacy of mental health interventions. No information that could identify you will be included in any published research.
  • Conducting mental health and wellbeing research with third-party research collaboration partners for the advancement of public good academic research. Published results will not include any identifying Personal Information.
  • Generating anonymised, aggregated mental health and wellbeing insights that can be used to improve wellbeing at workplace, industry or national level. Your Personal Information is de-identified before being used in this way — you cannot be identified from the insights.
  • Loffty will never share your Personal Information with your employer without your express permission.
  • Letting you know about changes to this Privacy Policy, our Terms of Service, and the Loffty Platform.
  • For any other purpose authorised by you or permitted by applicable Privacy Law.

Legal Bases for Processing (GDPR/UK GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your Personal Information on the following legal bases under the EU GDPR or UK GDPR:

  • Consent — where you have given us clear, specific and informed consent (for example, for marketing communications or for processing Health Information).
  • Contract performance — where processing is necessary to fulfil our contract with you or to take steps at your request prior to entering into a contract.
  • Legal obligation — where processing is necessary for us to comply with a legal obligation.
  • Legitimate interests — where processing is necessary for our legitimate interests (such as improving the Loffty Platform and preventing fraud), provided those interests are not overridden by your fundamental rights and freedoms.
  • Vital interests — in rare circumstances, where processing is necessary to protect your vital interests or those of another person.

For the processing of special categories of data (including Health Information), we rely on:

  • Explicit consent — your clear, affirmative agreement to the processing of your Health Information.
  • Substantial public interest — for research and statistical purposes, in accordance with applicable law and with appropriate safeguards.

5. Disclosing Your Personal Information

We may disclose your Personal Information to third parties in the following circumstances:

  • Service providers and IT support: Any business that supports our services and products, including persons who host or maintain any underlying IT system or data centre we use to provide the Loffty Website and Loffty Platform. All data we collect is stored with Amazon Web Services (AWS) Australia. This means your Personal Information may be held and processed outside New Zealand or your home country. We have contractual arrangements with AWS that require them to protect your Personal Information to a standard that meets applicable Privacy Law. The AWS hosting service fully complies with New Zealand Ministry of Health guidelines.
  • Aggregated, non-identifying statistics: We may share aggregated, non-personally identifiable statistical information with third parties for the purpose of maintaining, operating, providing or improving the Loffty Platform, including sending non-marketing, administrative or customer service communications.
  • Legal protection: To protect and defend our legal rights, interests, property or safety, or that of third parties, or to defend any legal claim, or to investigate, prevent or take action regarding suspected fraud or situations involving threats to physical safety.
  • Business sale: We may sell all or part of Loffty. In such a transaction, Personal Information you have shared with us may be one of the business assets transferred. We will notify you of any such change.
  • Authorised persons: A person who is legally authorised to require us to supply your Personal Information (such as a regulatory authority).
  • Law enforcement: Where a person authorised by applicable law (such as a law enforcement authority) requests information to prevent or lessen a serious threat to public health, public safety, or the life of any person.
  • With your consent: If you authorise such disclosure.

We reserve the right to notify public health authorities, law enforcement, or other persons capable of addressing the situation if we believe that information we hold indicates potential harm to you or others.

We do not disclose any personally identifiable information (including identifiable Health Information) provided by you as a registered End User that you have not made publicly available on the Loffty Platform, without your authorisation, unless required by law.

We do NOT sell, rent or trade your Personal Information with third parties for their promotional purposes.


6. How We Protect Your Personal Information

Maintaining your trust and privacy is extremely important to us. We implement security measures aligned with ISO/IEC 27001 (Information Security Management) and SOC 2 trust service principles. Our key security measures include:

  • Your data is yours — we do not sell any identifiable data to third parties.
  • Encryption at rest: Your data is encrypted using 256-bit Advanced Encryption Standard (AES-256).
  • Encryption in transit: We use Transport Layer Security (TLS/HTTPS) for all communications between your device and our platform.
  • Hosting security: The Loffty Platform is hosted in Amazon Web Services (AWS) data centres in Sydney, Australia, which operate stringent physical and logical security controls.
  • Access controls: We implement role-based access controls and conduct regular access reviews to ensure that only authorised personnel can access your Personal Information.
  • Security audits: We conduct regular security audits, penetration testing and vulnerability assessments.
  • Incident response: We maintain an incident response procedure, including prompt notification to affected users and relevant authorities in the event of a data breach, as required by applicable Privacy Law (see Section 11).
  • Staff training: Our staff and contractors are trained on privacy obligations and information security practices.
  • Legal compliance: We comply with the New Zealand Privacy Act 2020, the Health Information Privacy Code 2020, the Australian Privacy Act 1988 (Cth), and applicable international privacy legislation.

You are also responsible for helping protect the security of your Personal Information. Never share your Login Details with anyone and keep the device on which you access the Loffty Platform secure.

The Loffty Platform is provided under commercially reasonable data security practices to prevent unauthorised access, disclosure, alteration or deletion of information stored in our systems. However, no method of electronic transmission or storage is completely secure. We cannot warrant or guarantee the absolute security of data stored in our systems, and we are not responsible for security breaches in third-party systems (such as ISPs and hosting service providers). If you believe there has been unauthorised use or disclosure of your Personal Information, please contact us at hello@loffty.com.


7. International Data Transfers

Your Personal Information may be transferred to and stored in countries outside your jurisdiction, including New Zealand and Australia. These countries may have different data protection standards from those in your home country.

Where we transfer Personal Information internationally, we implement appropriate safeguards in accordance with applicable Privacy Law to ensure your rights are protected, including:

  • Contractual mechanisms — we enter into data processing agreements with our service providers that require them to protect your Personal Information to an equivalent standard.
  • Adequacy decisions — where applicable, we rely on adequacy decisions made by relevant regulatory authorities (such as the European Commission's adequacy decisions).
  • Standard contractual clauses — where required by GDPR or UK GDPR, we use standard contractual clauses approved by the relevant supervisory authority.

All data collected through the Loffty Platform is stored with Amazon Web Services (AWS) in Sydney, Australia. We have a data processing agreement with AWS and consider it bound by legislation similar to applicable Privacy Law.


8. Artificial Intelligence and Automated Decision-Making

Loffty uses artificial intelligence and machine learning to generate personalised assessment insights. This section explains how your Personal Information is used in connection with these features.

  • The Loffty Platform uses AI and machine learning to analyse self-assessment responses and generate personalised wellbeing insights and recommendations. These AI-generated outputs are decision support tools for clinical professionals — they are not automated decisions about individuals.
  • We do not use your identifiable Personal Information or Health Information to train our AI models without your separate, explicit consent. We may use fully anonymised and de-identified aggregated data for model training and improvement.
  • AI-generated insights are probabilistic. All clinical decisions, diagnoses, treatment plans and referral decisions remain the sole responsibility of your Accredited Loffty Practitioner or other qualified health professional.
  • If you are located in the EEA or UK, you have the right not to be subject to solely automated decisions that produce legal or similarly significant effects on you. To exercise this right or to request a human review of any AI-generated output, please contact hello@loffty.com.
  • We will notify you of any material changes to our use of automated processing that may affect your Personal Information or Health Information.

9. Your Rights

Depending on your location and applicable Privacy Law, you have some or all of the following rights regarding your Personal Information:

Rights for All Users (NZ Privacy Act 2020/Australian Privacy Act 1988)

  • Right of access: You have the right to request access to Personal Information we hold about you.
  • Right of correction: You have the right to request correction of Personal Information that is inaccurate, incomplete or misleading.

Additional Rights for EEA and UK Users (EU GDPR/UK GDPR)

  • Right to erasure ('right to be forgotten'): You may request that we delete your Personal Information in certain circumstances.
  • Right to restriction of processing: You may request that we restrict the processing of your Personal Information in certain circumstances.
  • Right to data portability: You have the right to receive your Personal Information in a structured, machine-readable format and to transmit that data to another controller.
  • Right to object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right not to be subject to solely automated decision-making: See Section 8.4.
  • Right to lodge a complaint: You have the right to lodge a complaint with your applicable data protection supervisory authority.

Additional Rights for US Users (HIPAA/CCPA)

  • HIPAA rights: If you are a US-based patient and your Accredited Loffty Practitioner is a HIPAA-covered entity, you may have additional rights regarding your protected health information (PHI) under HIPAA, including the right to access, amend and receive an accounting of disclosures of your PHI.
  • California Privacy Rights: If you are a California resident, you may have additional rights under the California Consumer Privacy Act 2018 (as amended by the California Privacy Rights Act 2020 (CPRA)), including the right to know what Personal Information we collect, the right to delete, and the right to opt out of the sale of Personal Information (we do not sell Personal Information).

How to Exercise Your Rights

To exercise any of the above rights, please email our Privacy Officer at hello@loffty.com. Your email should provide evidence of your identity and set out the details of your request. We will respond within 30 days (or within the timeframe required by applicable Privacy Law).

We may charge reasonable costs for providing copies of your Personal Information, where permitted by applicable Privacy Law.

In respect of a request for correction, if we consider the correction is reasonable and we are reasonably able to change the Personal Information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the Personal Information that you requested the correction.


10. Managing Your Personal Information

We take all reasonable steps to ensure that your Personal Information held by us is accurate, up-to-date, complete, relevant and not misleading. If you believe that any of your Personal Information does not meet this standard, please contact us at hello@loffty.com.

Updating Your Information

As an Accredited Loffty Practitioner, you may update your Personal Information directly through your practitioner secure area, including the information that appears on your Loffty Provider Profile (such as name, photo, qualifications, speciality areas, provider number and contact details). End Users can update the content of their Loffty report in consultation with their Accredited Loffty Practitioner.

Marketing Communications

You can stop receiving marketing email communications from us at any time by clicking the unsubscribe link in those communications. We make every effort to promptly process all unsubscribe requests. You may not opt out of service-related communications, including account verification, transactional communications, changes or updates to features of the Loffty Platform, and technical and security notices.

Deleting Your Account

If you wish to delete your Account or request the deletion of your Personal Information (subject to any legal obligations we may have to retain it), please contact us at hello@loffty.com.


11. Data Breach Notification

In the event of a privacy breach that is likely to cause serious harm to you, we will:

  • Notify you and, where required by law, the relevant privacy or data protection authority, as soon as reasonably practicable after becoming aware of the breach.
  • For EU/UK GDPR purposes: notify the relevant supervisory authority within 72 hours of becoming aware of a notifiable breach, and notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  • For NZ Privacy Act 2020 purposes: notify the New Zealand Privacy Commissioner and affected individuals of any privacy breach that has caused, or is likely to cause, serious harm.
  • For HIPAA purposes: notify affected individuals within 60 days of discovery of a breach of unsecured PHI, and report to the US Department of Health and Human Services as required.

We maintain an incident response plan to ensure that breaches are detected, contained and reported promptly. Please contact us at hello@loffty.com if you reasonably believe there has been unauthorised use or disclosure of your Personal Information.


12. How Long We Retain Your Personal Information

We will retain your Personal Information:

  • For as long as you remain registered as an Accredited Loffty Practitioner or End User, and for a reasonable period after your Account is closed to allow us to comply with our legal obligations.
  • For as long as required for research purposes (as described in Section 4). After research has been completed, data will be retained only in fully anonymised form.
  • For as long as necessary to resolve disputes, prevent fraud and comply with our legal obligations.

If we no longer need your Personal Information, or if your registration is terminated, and we are not required by applicable Privacy Law or by a court or tribunal order to retain it, we will take reasonable steps to securely destroy or de-identify your Personal Information.

Please note that some Personal Information may be retained in backups for a period after deletion from our active systems, in accordance with our data retention and backup policies.


13. Internet Use, Cookies and Analytics

While we take reasonable steps to maintain secure internet connections, if you provide us with Personal Information over the internet, the provision of that information is at your own risk.

Social Media and Forums

If you post your Personal Information on the Loffty Website's online community forum, or on third-party social media platforms associated with Loffty (such as LinkedIn, Facebook, Instagram or TikTok), your information will be accessible to those platforms and their users, which could result in you receiving unsolicited messages. We encourage you to review the privacy policies and settings of the social media platforms you interact with.

Third-Party Websites

If you follow links on our Website to other websites, those websites are operated by third parties with their own privacy policies. We are not responsible for the content, practices or privacy policies of linked websites. If you decide to provide Personal Information to any site linked to the Loffty Website, we recommend you review that site's privacy policy first.

Cookies

When you visit the Loffty Website, our server may attach a 'cookie' (an alphanumeric identifier) to your computer's memory to help us recognise your browser and store information about how you use the Loffty Website, including which pages are of most interest. Cookies are not linked to any Personal Information you may provide and cannot be used to identify you on their own.

We may use cookies to:

  • Provide you with personalised service;
  • Improve our website, applications and services;
  • Remember your preferences and settings; and
  • Analyse website traffic and usage patterns.

You may disable cookies by adjusting your browser settings. However, doing so may mean that you cannot use all features of the Loffty Website. If you are in the EEA or UK, we will seek your consent before placing non-essential cookies on your device.

Analytics

We use Google Analytics to analyse the audience of the Loffty Website and to improve our content and user experience. Google Analytics does not collect Personal Information that can identify you. For more information on how Google collects and processes data, see Google's Privacy Policy. You may opt out of Google Analytics by installing the Google Analytics opt-out browser add-on.


14. Jurisdiction

This Privacy Policy is governed by the laws of New Zealand. You submit to the jurisdiction of the New Zealand courts in respect of any dispute concerning this Privacy Policy.

Where you are located in the EEA or UK, nothing in this clause prevents you from exercising your rights under EU GDPR or UK GDPR or lodging a complaint with your applicable supervisory authority.

Where you are located in Australia, this Privacy Policy also operates in accordance with the Australian Privacy Act 1988 (Cth) and you may lodge a complaint with the Office of the Australian Information Commissioner.


15. Changes to This Policy

This Privacy Policy is regularly reviewed and updated to ensure it remains relevant to applicable international standards, laws and legislation and to Loffty's business aims and objectives, and in the event of the introduction of new or upgraded products or technology.

We may vary this Privacy Policy at any time. We will notify you of material changes by email (to the address you have provided) or by a prominent notice on the Loffty Platform, with a minimum of 30 days' notice before material changes take effect.

You should check this Privacy Policy regularly so you are aware of any changes. Any variations will apply from the date that we upload the revised Policy. Your continued use of the Loffty Website or Loffty Platform following notification of changes constitutes your acceptance of those changes.

For all privacy enquiries, please contact our Privacy Officer at: hello@loffty.com


© Loffty Global Limited 2026 | www.loffty.com | hello@loffty.com