Privacy Policy
Last updated: April 2026
This Privacy Policy ("Policy") sets out how we collect, store, use, process and disclose your personal information in connection with our website, services and the Clever First Aid web and mobile App(s) ("Apps") (collectively, our "Services"). When we refer to "we", "us" or "our" in this Privacy Policy, we mean Clever First Aid Limited, having its offices at 36 Birmingham Drive, Unit 3 Middleton, Christchurch 8024, New Zealand ("CLEVER") and our related companies (as that term is defined in the Companies Act 1993). Beyond this Privacy Policy, your use of Apps (and associated services) is also subject to our service terms and conditions ("Terms").
We take our obligations in relation to your personal information seriously. To the extent that we collect any personal information about you, we are committed to protecting that personal information and to ensuring we comply with all relevant privacy and data protection laws, including the Privacy Act 2020 (New Zealand) and the Privacy Act 1988 (Cth) as amended, including by the Privacy and Other Legislation Amendment Act 2024 (Australia) (collectively, "Applicable Privacy Laws").
We collect, use and disclose personal information where this is necessary for our legitimate functions and activities, where it is fair and reasonable in the circumstances, to comply with our legal obligations, or where you have provided consent.
Where we rely on your consent, you may withdraw your consent at any time by contacting us at support@cleverfirstaid.com. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal but may limit your ability to use certain features of the Services.
We may need to change this Privacy Policy from time to time. If we make any changes, then we will tell you about them by posting an updated policy on our website. By continuing to use the Services, you will be agreeing to any changes to the Privacy Policy. Any changes will take effect from the date we update and post the Privacy Policy, so please check this Privacy Policy when you access our website. When we make material changes to this Privacy Policy, we will provide you with prominent notice (including by email where you have provided us with an email address) a reasonable period prior to those changes taking effect.
1. How do we collect your personal information?
We will only collect personal information where it is necessary for our functions and activities, for lawful purposes connected with our Services, and where such collection is fair and reasonable in the circumstances. We take reasonable steps to ensure you are aware of the purposes of collection at or before the time of collection, or as soon as practicable where information is collected indirectly. Information we collect may include:
a) Registration and profile information: When you register for our Service or set up our Mobile App on your device, you provide us with your email address and name. Some Services may require location.
b) Communications: If you contact us directly (e.g. through our Customer Support Team), we may receive information about you such as your name, email address and any other information you choose to provide.
c) Location Information: We collect location information of Clever Devices through GPS coordinates (e.g., latitude/longitude) available through your mobile device. We collect and maintain location data on an anonymised basis to provide you the features and functionality of the Services.
d) Device and usage information: We may collect analytics information such as your IP address, web browser type, mobile operating system version, phone carrier and manufacturer and app installations. To help us understand how you use Services and to help us improve it, we automatically receive information about your interactions with the Services, like the pages or other content you view, your actions within our Apps, and the dates and times of your visits and usage.
e) Other information: We may collect any other information that you voluntarily provide to us.
f) Device and IoT sensor data: Where our Services involve Internet of Things (IoT) devices, connected cabinets, cameras, or RFID tags deployed at your workplace, we may collect data generated by those devices including interaction data, camera images, access events, and location data associated with those devices. This data may be collected indirectly (i.e. from the device rather than directly from you). Derived information, such as compliance scores and usage patterns, may also be generated from this data. Where data is collected indirectly, we will take reasonable steps to ensure that affected individuals are made aware of such collection (including through our customers, who are responsible for notifying their employees about data collected via our devices on their premises). In addition to requiring our customers (You) to notify individuals, we take reasonable steps to support transparency of indirect collection, including providing customer guidance and making this Privacy Policy publicly available and accessible.
2. Sensitive Information
We do not intentionally collect sensitive personal information (such as health information) unless required for the operation of our Services or provided voluntarily.
To the extent that our Services process data that may relate to workplace safety or first aid events, we treat such information with appropriate safeguards and only use it for safety, compliance, and operational purposes.
You have no obligation to provide any information requested by us, but if you do not, you may not be able to access certain features of the Services.
3. Cookies and Tracking Technologies
We collect information through cookies and similar technologies differently across our Services depending on the platform you are using:
a) Portal (Web Application)
Our Portal uses cookies and similar technologies primarily for operational purposes, including:
- authentication and session management;
- security and fraud prevention;
- maintaining user preferences; and
- limited analytics to improve system performance.
These cookies are necessary for the Portal to function and cannot be disabled without impacting usability.
We also collect information through log and usage data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports and hardware settings).
b) Mobile Application (Clever App)
Our mobile applications do not use browser cookies. However, we may use similar technologies such as:
- device identifiers;
- local storage; and
- application-level analytics tools
to support functionality, security, and performance monitoring. These technologies are used solely in connection with the operation of the Services and not for third-party advertising.
c) Marketing Website
Our public-facing website may use cookies and tracking technologies for:
- website functionality;
- analytics and performance measurement; and
- marketing and advertising (where applicable).
Where required by applicable law, we will obtain your consent before using non-essential cookies on our marketing website. You may manage your cookie preferences through your browser settings or any consent tools made available on the website.
d) Managing Cookies and Tracking
You can control or disable cookies through your browser settings. Please note that if you limit the ability for Clever to set cookies and similar technologies, there may be an impact to your overall user experience, and some features and services may not function properly if you disable cookies.
4. How do we use your personal information?
We use your personal information for purposes directly related to our functions or activities or where we are authorised to under the Applicable Privacy Laws. In Australia, we will only use or disclose your personal information where such use or disclosure is fair and reasonable in the circumstances (as required by the Privacy Act 1988 (Cth) as amended). We will not use your personal information in a way that you would not reasonably expect having regard to the purposes for which it was collected.
We may use your personal information:
a) to provide and operate our Services, including user authentication, device connectivity, and system administration;
b) to monitor device performance, first aid readiness, and stock levels within connected systems;
c) to generate safety alerts, incident notifications, and compliance-related outputs;
d) to produce analytics, reports, and dashboards relating to system usage and compliance;
e) to develop, improve, and maintain our products and services, including troubleshooting and system optimisation;
f) to communicate with you regarding support, service updates, and operational notices;
g) to conduct limited market research and service-related surveys (where appropriate); and
h) to comply with our legal and regulatory obligations.
We will not use personal information for purposes that are unrelated to those described above unless permitted by law or with your consent.
We may de-identify and aggregate personal information so that it no longer reasonably identifies an individual. We may use such de-identified information for analytics, product improvement, and reporting purposes. We take reasonable steps to ensure that de-identification is robust and that such use is fair and reasonable in the circumstances.
5. Who do we give your personal information to?
We will only disclose your personal information where you have authorised such disclosure, where disclosure is connected to one of our functions or activities or where we are able to under the Applicable Privacy Laws. Examples where we may disclose your personal information are:
a) to our service providers in order to provide the Services to you (including cloud infrastructure providers, messaging platform providers, and support tool providers — a list of our key sub-processors is available online here or on request to support@cleverfirstaid.com);
b) to law enforcement agencies;
c) to meet our legal obligations;
d) to protect our users', our or others' rights, property or safety; and
e) in order for us to sell any of our assets and parts of our business.
6. Storage, Retention and Security of Personal Information
We retain personal information only for as long as necessary to fulfil the purposes described in this Policy and to comply with legal obligations.
Retention periods vary depending on the type of information, including:
a) account and profile data: retained for the duration of the account and a reasonable period thereafter;
b) device and IoT telemetry data: retained for operational and analytical purposes for a defined period;
c) device photos (for devices fitted with a camera): retained for a configurable duration by request, otherwise 14 months;
d) system logs and audit records: retained for security, troubleshooting, and compliance purposes;
e) backup data: retained in accordance with our disaster recovery policies.
We take reasonable steps to securely delete, anonymise, or de-identify personal information when it is no longer required.
If you would at any time like to review or change the information in your account, deactivate or delete your account, you can:
a) Log in to your account settings and update or delete the information you have provided us
b) Contact us at support@cleverfirstaid.com to deactivate or delete your account
Upon request to delete your account, we will remove your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.
You have the right to ask for a copy of any personal information we hold about you, and to ask for it to be corrected if you think it is wrong. If you’d like to ask for a copy of your information, or to have it corrected, please contact us at support@cleverfirstaid.com. Access to your personal information is generally provided free of charge. In exceptional circumstances, where providing access requires significant resources, we may charge a reasonable fee. We will inform you of any potential fees before processing your request.
We take reasonable steps to ensure that your personal information is protected against loss, unauthorised access, use, disclosure, alteration or destruction. Our technical and organisational security measures include: encryption of personal information in transit and at rest; role-based access controls (RBAC) to limit access to personal information to those who need it; audit logging of access to and processing of personal information; and secrets management for system credentials. We conduct regular reviews of our security controls and procedures. We adopt policies and procedures to protect your personal information, and we review these regularly.
However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, therefore we cannot guarantee that the data may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards by malicious persons or unauthorised third parties. Although we do our best to protect your personal information, transmission of personal information to you and from our Services is at your own risk. You should only access the Services within a secure environment.
We may allow third parties to monitor our network for security and information assurance purposes.
7. Controls for Do-Not-Track Features
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (‘DNT’) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities tracked. At this stage no uniform technology or industry standard for recognising and implementing DNT signals has been adopted. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this policy.
8. Overseas disclosures
We are a New Zealand company and our primary operations are in New Zealand and Australia. Some of our service providers and sub-processors may be located outside of New Zealand and Australia, including in the United States and other jurisdictions where sub-processors and Google Cloud Platform infrastructure are located. Where your personal information is disclosed to an overseas recipient, we will take the following steps to protect it:
a) We will take reasonable steps to ensure the overseas recipient is subject to a privacy law that, overall, provides comparable safeguards to the Applicable Privacy Laws; or
b) We will enter into binding contractual arrangements with the overseas recipient that require them to protect your personal information in a manner comparable to the Applicable Privacy Laws (such as Google’s Data Processing Addendum for GCP services).
In New Zealand, where we disclose your personal information to an overseas recipient and that recipient does not comply with the Information Privacy Principles under the Privacy Act 2020, we remain accountable for that breach as if we had breached the principle ourselves (unless you have authorised the disclosure after being informed that the recipient may not be required to protect the information). In Australia, by disclosing personal information to overseas recipients, we take on accountability for ensuring those recipients handle it in accordance with the Australian Privacy Principles.
9. Data breach notification
We are committed to handling privacy breaches responsibly and in accordance with our obligations under the Applicable Privacy Laws. If we become aware of a privacy breach involving your personal information, we will take immediate steps to contain the breach and assess whether it is likely to cause serious harm to you.
In New Zealand, if a privacy breach is likely to cause you serious harm, we are required to notify you and the Privacy Commissioner as soon as reasonably practicable. Notification will include the nature of the breach, the types of information affected, the steps we have taken or propose to take in response, and contact details for our privacy enquiries.
In Australia, if we have reasonable grounds to believe that a data breach has occurred that is likely to result in serious harm to any individuals whose personal information is involved (an “eligible data breach” under the Notifiable Data Breaches scheme), we will assess the breach within 30 calendar days and, if confirmed, notify the Australian Information Commissioner (OAIC) and all affected individuals as soon as practicable. Notification will include a description of the breach, the kinds of information involved, and recommendations for steps you can take to reduce the risk of harm.
10. Automated processing and analytics
Our Services use automated systems to process your personal information and generate outputs that may affect you. These automated processes include:
a) compliance scoring — automated calculation of compliance metrics based on first aid cabinet inspection and access data;
b) incident escalations and safety alerts — automated triggering of notifications or escalations based on detected events or anomalies;
c) replenishment recommendations — automated suggestions for restocking first aid supplies based on usage data; and
d) reporting and analytics — generation of compliance reports and analytics dashboards from aggregated and individual usage data.
Where automated processing produces outputs that have a significant effect on you, you have the right to request that a human review that outcome. To make such a request, please contact us at support@cleverfirstaid.com. We will implement further transparency measures in respect of automated decision-making in accordance with Australian requirements under APP 1.8 of the Privacy Act 1988 (Cth) as amended (compliance required by 10 December 2026).
11. Indirect collection of personal information (IoT devices)
Our Services involve the use of IoT-connected devices, including smart first aid cabinets, sensors, and RFID tags, which may capture personal information about individuals who interact with or are in proximity to those devices without those individuals directly providing information to us. This type of collection is referred to as “indirect collection”.
a) In New Zealand, from 1 May 2026, Information Privacy Principle 3A of the Privacy Act 2020 requires that where personal information is collected from a source other than the individual concerned, we must take reasonable steps to ensure the individual is made aware of the purposes of collection and other relevant matters. We take reasonable steps to support transparency of indirect collection, including:
- providing customer guidance; and
- making this Privacy Policy publicly available and accessible.
Our customers (such as employers or site operators) are responsible for notifying individuals who interact with our devices about how their information is collected and used.
Data collected indirectly through our devices may include device interaction events, access timestamps, location data associated with device placement, and derived analytics (such as compliance and usage scores). We apply the same protections to indirectly collected personal information as to directly collected personal information.
12. Marketing communications
If you provide us with your email address, we may contact you using this email address to verify your account and for administration purposes.
Where you have provided your express consent, we may send you service-related communications and, separately, marketing updates via email or text message. If you give us your permission, we may send you updates or push notifications related to the Services and other information we think you may be interested in. The messages you receive from us will have instructions for how you can remove yourself from our mailing list. You may unsubscribe from any email marketing message at any time by following the unsubscribe instructions contained in the message.
13. Access to, correction, modification, deletion and erasure of your information
We take reasonable steps to ensure that the personal information we hold about you is accurate. You have the right at any stage to request us to provide you with access to your personal information. We will respond to any request by you to correct or access your personal information as soon as practicable following receipt of such request (and in any event within 20 working days of your request in New Zealand, as required by the Privacy Act 2020, or within 30 calendar days of your request in Australia, as required by APP 12.3 of the Privacy Act 1988 (Cth)), but there are exceptions under the Applicable Privacy Laws where we may not be able to do so. We will tell you if that is the case. You may also request that we delete or erase personal information that we hold about you, subject to our legal obligations to retain certain information. We will consider all deletion or erasure requests and respond to you within 20 working days (New Zealand) or 30 calendar days (Australia). If we are unable to delete or erase your personal information (for example, because we are required to retain it by law), we will tell you why. If you believe we have breached the Applicable Privacy Laws in respect of your personal information, you may make a complaint to us in the first instance. If you are dissatisfied with our response, you may escalate your complaint to the relevant regulator: the Privacy Commissioner in New Zealand (www.privacy.org.nz) or the Office of the Australian Information Commissioner in Australia (www.oaic.gov.au).
14. Contact us
We value your comments, feedback and ideas about all aspects of the Services we provide, as well as any questions or complaints about this privacy policy.
You also have the right to contact the Office of the New Zealand Privacy Commissioner (if you are a New Zealand Resident), or the Office of the Australian Information Commissioner (if you are an Australian Resident).
If you have any feedback or questions about this policy, the practices of our mobile application and Website, or your dealings with Clever First Aid, you can contact us via: support@cleverfirstaid.com