Forme Health Limited is committed to protecting the privacy of your personal and health information. This policy explains what we collect, why we collect it, and how we handle it — in plain language.
Last updated: May 2026
When you create an account or complete an assessment, we collect your name, date of birth, email address, phone number, and delivery address. This information is necessary to verify your identity, contact you, and deliver your treatment.
Our assessment asks about your medical history, current medications, allergies, and the nature and progression of your hair loss. You may also submit photographs. This information is used by your prescribing doctor to assess your suitability for treatment and make an appropriate prescribing decision. Health information is treated as sensitive information under the Privacy Act 2020 and is handled in accordance with the Health Information Privacy Code 2020 (HIPC). As a telehealth service, Forme Health Limited is a health agency under the HIPC and is bound by its 12 information privacy rules governing the collection, storage, use, and disclosure of health information.
Payments are processed by Stripe. We do not store your card number or bank details. Forme holds only a record of your subscription status and payment history sufficient to manage your account.
We may collect information about how you use the Forme platform, including pages visited, device type, and browser. This helps us improve the service. This data is not linked to your health records.
We collect and use your information only for the following purposes:
We do not sell your personal or health information. We do not share your information with third parties for marketing purposes.
Forme may send you service-related communications such as prescription reminders, renewal notices, and treatment updates. These communications are necessary for the safe operation of your subscription and cannot be opted out of while your account is active. You can unsubscribe from any optional marketing communications (such as general health content or promotions) at any time by emailing privacy@formehealth.co.nz or using the unsubscribe link in any such email.
Your information is shared only where necessary to provide the service or where required by law.
Your assessment responses and health information are shared with the New Zealand-registered doctor assigned to review your case. They use this information solely to assess your suitability for treatment and make a prescribing decision.
Once a prescription is issued, your name, address, and prescription details are shared with our partner dispensing pharmacy to allow your treatment to be prepared and sent to you.
Payment processing is handled by Stripe. Forme shares only the information necessary for Stripe to process your subscription payments. Stripe's own privacy policy governs how they handle this data.
Forme may be required to share information with regulatory authorities in certain circumstances. In particular, under Section 29 of the Medicines Act 1981, we are obligated to report specified adverse reactions and medicine-related information to the Director-General of Health or Medsafe. We may also be required to disclose information in response to a lawful court order or regulatory request.
We do not share your health or personal information with insurers, employers, or any third parties for commercial purposes.
Your data is stored securely on cloud infrastructure with encryption in transit and at rest. Access to personal and health information is restricted to authorised Forme staff and clinical partners on a need-to-know basis. Forme uses Supabase for data infrastructure. Data may be stored on servers located outside New Zealand (including in the United States). Where data is transferred overseas, Forme takes reasonable steps to ensure it is protected by comparable privacy safeguards.
Health records are retained for a minimum of ten years as required under New Zealand health records legislation. After that period, records are securely deleted unless there is an ongoing legal or clinical reason to retain them.
While we take all reasonable steps to protect your information, no system is completely immune from risk. If we become aware of a notifiable privacy breach — one that poses a serious risk of harm to affected individuals — we will notify both the affected individuals and the Privacy Commissioner as soon as practicable, and no later than 72 hours after becoming aware of the breach, in accordance with our obligations under section 113 of the Privacy Act 2020.
Under the Privacy Act 2020, you have the following rights in relation to the personal information we hold about you:
You can request a copy of the personal and health information Forme holds about you. We will respond within 20 working days.
If any information we hold is inaccurate or out of date, you can ask us to correct it. We will make corrections promptly or explain why we are unable to.
You can ask us to delete your personal information. Where we are able to do so — and where there is no legal or clinical obligation to retain the data — we will. Health records may need to be retained for the minimum period required by law.
If you believe we have interfered with your privacy, you can make a complaint to us first. If you are not satisfied with our response, you have the right to escalate your complaint to the Privacy Commissioner at privacy.org.nz.
To access, correct, or request deletion of your information, or to ask any questions about how your data is handled, contact our privacy team:
Forme Health Limited, New Zealand.
We aim to respond to all privacy requests within 5 working days.