π Last updated 15 May 2026
Introduction
FingerInk Limited NZ Company No. 3897416 (we, us, our, Finger-Ink) complies with the Privacy Act 1993 (New Zealand) (the NZ Privacy Act) and other applicable laws when dealing with personal information. Personal information is information about an identifiable individual (a natural person).
This policy sets out how we will collect, use, disclose and protect your personal information. This policy should be read in conjunction with our Cookie Policy.
If you are based in the European Union or the United Kingdom and use our website, products and/or services the additional terms in the addendum (GDPR Terms) to this policy apply to you.
This policy does not limit or exclude any of your rights under the NZ Privacy Act and other applicable laws. If you wish to seek further information on the NZ Privacy Act, see www.privacy.org.nz.
Changes to this policy
We may change this policy by uploading a revised policy onto our website (finger-ink.com) (the website). Unless stated otherwise, the change will apply from the date that we upload the revised policy.
What personal information do we collect
We collect, hold and process two categories of personal information
Account and Marketing Data is personal information that we collect about you:
in connection with the creation or administration of a customer account
if you ask to receive information about us or our services and products
when you contact us directly (e.g. telephone call, email, through the user portal or through the app)
when you visit our website.
The Account and Marketing Data we collect may include company/personal names, usernames, phone numbers, email addresses, your location, billing information, information about how you use our website or the Services (for example, traffic volumes, time spent on pages), your IP address and/or other device identifying data, and other information required to provide a service or information you have requested from us.
Where you arrive at our website via an advertising campaign, we also receive the click identifier present in the URL (such as a Google Ads GCLID, a Meta fbclid, a Microsoft Ads msclkid, or a LinkedIn li_fat_id). This identifier is used to attribute your visit to the campaign and is captured only with your cookie consent. See our Cookie Policy for full detail.
Patient or Client Data is personal information about our customers' patients that is input into the Service (as defined in the Finger-Ink Terms of Service). Patient or Client Data may include patientsβ first and last names, titles, dates of birth, photographs, medicare numbers, email addresses, phone numbers, addresses, emergency contacts, and any other information that our customer decides to capture about its patients.
We will not disclose, move, access, process or use Patient or Client Data except as provided in our Terms of Service (including, if applicable, the Finger-Ink Data Processing Addendum) and we require our customers to comply with applicable privacy and data protection laws.
The remainder of this privacy policy sets out how we will collect, use, disclose and protect Account and Marketing Data and does not apply to Patient or Client Data.
To reinforce this carve-out: no third-party tracking technologies β including Google Tag Manager, Google Ads, the Meta pixel, or any other advertising or analytics tag β load on the authenticated portions of our portal where Patient or Client Data is processed. This is part of how we maintain HIPAA compliance as a Business Associate.
Who do we collect your personal information from
We collect personal information about you from:
you, when you provide that personal information to us, including via our website and the Service, through any registration process, through any contact with us (e.g. telephone call, email or through the user dashboard)
third parties where you have authorised this or the information is publicly available.
If possible, we will collect personal information from you directly.
When you visit or use our website or the Service, we may collect information about you through the use of cookies and similar storage technologies. Please refer to our Cookie Policy for further information, including information on how you can disable these technologies.
Some provision of personal information is optional. However, if you do not provide us with certain types of personal information, you may be unable to enjoy the full functionality of our website or the Services.
We may also conduct user surveys to collect information about your preferences. These surveys are optional and if you choose to respond, your responses will be kept anonymous.
How we use your personal information
We will use your personal information:
to verify your identity
to provide services and products to you
to market our services and products to you, including contacting you electronically (e.g. by text or email for this purpose)
to improve the services and products that we provide to you
to bill you and to collect money that you owe us, including authorising and processing credit card transactions
to respond to communications from you, including a complaint
to conduct research and statistical analysis (on an anonymised basis)
to protect and/or enforce our legal rights and interests, including defending any claim
for any other purpose authorised by you, the NZ Privacy Act or other applicable law.
Disclosing your personal information
We may disclose your personal information to:
any other company within our group for the purposes described in this policy
any business that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or other services and products or that assists us with our marketing and customer care activities.
other third parties (for anonymised statistical information)
a person who can require us to supply your personal information (e.g. a regulatory authority)
any other person authorised by the Act or another law (e.g. a law enforcement agency)
any other person authorised by you
any other company in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition.
A business that supports our services and products may be located outside New Zealand. This may mean your personal information is held and processed outside New Zealand.
We share certain Account and Marketing Data with the following named third parties.
Processors (operating only on our documented instructions under Article 28 GDPR or equivalent contractual terms):
Cybot A/S (Cookiebot) β consent management and preference records.
Plausible Insights ApS β cookieless website analytics.
Stripe, Inc. β payment processing and billing.
Migadu β business email hosting.
Joint and independent controllers (each operating partly on our instructions and partly for their own purposes β see our Cookie Policy):
Google LLC β Google Tag Manager (tag dispatch) and Google Ads (advertising attribution).
Meta Platforms Ireland Ltd β the Meta pixel (advertising attribution).
LinkedIn Ireland Unlimited Company β the LinkedIn Insight Tag (advertising attribution).
When you start a free trial or activate a paid subscription, a conversion event containing the click identifier, an event name, and (for subscriptions) a monetary value is transmitted to Google Ads, Meta, and LinkedIn. We do not transmit your name, email address, phone number, or any other personally identifying information. We do not use Google's Enhanced Conversions feature or any equivalent identity-matching feature on Meta or LinkedIn.
The legal basis for these transfers is your consent (or the equivalent regional mechanism described in our Cookie Policy).
Protecting your personal information
We will take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse.
β
You can play an important role in keeping your personal information secure by maintaining the confidentiality of any password and accounts used in relation to our products and services. Please do not disclose your password to third parties. Please notify us immediately if there is any unauthorised use of your account or any other breach of security.
Accessing and correcting your personal information
Subject to certain grounds for refusal set out in the NZ Privacy Act or other applicable law, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates.
In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction.
If you want to exercise either of the above rights, email us at privacy@finger-ink.com. Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting).
Internet use
While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.
If you follow a link on our website or in the Service to another site, the owner of that site will have its own privacy policy relating to your personal information. We suggest you review that siteβs privacy policy before you provide personal information.
Contact us
If you have any questions about this privacy policy or our privacy practices, you can contact us at privacy@finger-ink.com.
β
GDPR addendum
If you are based in the European Union (EU) or the United Kingdom (UK) and use our website and/or our services, these additional terms (GDPR Addendum) form part of our privacy policy.
The General Data Protection Regulation (Regulation (EU) 2016/679) (EU GDPR) and the EU GDPR as incorporated into UK law (UK GDPR) regulate the collection, processing and transfer of personal data of individuals in the EU and UK respectively. We are committed to complying with both the EU GDPR and UK GDPR when dealing with Account and Marketing Data about our website visitors and service users based in the EU or UK.
This GDPR Addendum does not provide exhaustive detail of all aspects of our collection and use of personal data. If you require additional information, please contact us at privacy@finger-ink.com.
For the purposes of the GDPR:
we are the data controller (as defined in the GDPR) when processing Account and Marketing Data; and
our customers are the data controller when processing Patient or Client Data (as defined in the privacy policy).
By nature, the Patient or Client data we collect on behalf of our customers may qualify as special categories of personal data under the GDPR. We will not process Patient or Client Data except as provided in our Terms of Service (including, if applicable, the Finger-Ink Data Processing Addendum) and we require our customers to comply with applicable privacy and data protection laws, including complying with additional requirements around special categories of personal data. If we receive any data subject requests relating to Patient or Client Data, such as requests to access personal data, we will forward this request to our relevant customer.
The remainder of this GDPR Addendum applies to Account and Marketing Data only, and does not apply to Patient or Client Data.
Processing personal data
The Account and Marketing Data we may process is described in our privacy policy. This Account and Marketing Data may be processed for the purposes outlined in our privacy policy.
The legal basis for our processing of Account and Marketing Data is your consent and, for certain Account and Marketing Data, processing is necessary for the performance of a contract to which you are a party.
Despite the above, we may process any of your personal data where such processing is necessary for compliance with applicable laws.
You do not have to provide us with your name or contact information to access and use the website. However, you must provide us with your name and contact information when using the Service and some of our other services. The consequence of not providing your name and contact information is that we will not be able to provide all of our services to you.
Your Rights
Your rights in relation to your personal data under the GDPR include:
right of access- if you ask us, we will confirm whether we are processing your personal data and provide you with a copy of that personal data.
right to rectification- if the personal data we hold about you is inaccurate or incomplete, you have the right to have it rectified or completed. We will take every reasonable step to ensure personal data which is inaccurate is rectified. If we have shared your personal data with any third parties, we will tell them about the rectification where possible.
right to erasure- we delete your personal data when it is no longer needed for the purposes for which you provided it. You may request that we delete your personal data and we will do so if deletion does not contravene any applicable laws. If we have shared your personal data with any third parties, we will take reasonable steps to inform those third parties to delete such personal data.
right to withdraw consent- if the basis of our processing of your personal data is consent, you can withdraw that consent at any time.
right to restrict processing- you may request that we restrict or block the processing of your personal data in certain circumstances. If we have shared your personal data with third parties, we will tell them about this request where possible.
right to object to processing- you may request that we stop processing your personal data at any time and we will do so to the extent required by the GDPR.
right to data portability- you may obtain your personal data from us that you have consented to give us or that is necessary to perform a contract with you. We will provide this personal data in a commonly used, machine-readable and interoperable format to enable data portability to another data controller. Where technically feasible, and at your request, we will transmit your personal data directly to another data controller.
the right to complain to a supervisory authority- you can report any concerns you have about our privacy practices to the relevant data protection supervisory authority.
Where personal data is processed for the purposes of direct marketing, you have the right to object to such processing, including profiling related to direct marketing.
If you would like to exercise any of your above rights, please contact us at privacy@finger-ink.com, or our nominated Representative. If you are not satisfied by the way your query is dealt with by our data protection officer, you may refer your query to your local data protection supervisory authority e.g. in the United Kingdom, this is the Information Commissionerβs Office.
EU/EEA & UK GDPR Representatives (Article 27)
The nominated Representative for data protection matters within the European Union, pursuant to Art. 27 of Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR), is:
EU Representative
Euverify Ltd (Ireland)
Unit 3D North Point House
North Point Business Park
New Mallow Road, Cork
T23 AT2P, Ireland
βgdpr@euverify.com
UK Representative
Euverify Ltd (UK)
3rd Floor, 86-90 Paul Street
London, EC2A 4NE
United Kingdom
To submit a Data Subject Access Request (DSAR), data deletion request, or any other GDPR-related inquiry, please use our secure portal.
Children
We do not intend to collect personal data from children aged under 16. If you have reason to believe that a child under the age of 16 has provided personal data to us through our website and/or by using our services, please contact us at privacy@finger-ink.com.
Please note that the above statement relates only to personal data where we are the data controller (i.e. Account and Marketing Data as defined in our privacy policy). If you or a child under your care uses the Finger-Ink app in connection with a visit to one of our health practitioner customers, our customer is the data controller when processing Patient or Client Data about you (or that child). Please contact the relevant health practitioner if you have any concerns about its processing of Patient or Client Data.
Cookies
We use cookies and similar storage technologies. Please refer to our Cookie Policy for further information, including information on how you can manage your cookie preferences.
International transfer of data
Account and Marketing Data may be transferred to, and stored in, countries outside the European Economic Area (EEA) and the United Kingdom (UK).
Under the EU GDPR and UK GDPR, transfers of personal data to countries outside the EEA or UK may take place where the destination country has been recognised as providing an adequate level of data protection, or where appropriate safeguards are in place.
Transfers to New Zealand
Some Account and Marketing Data is processed in New Zealand, where our registered office is located. New Zealand is recognised by both the European Commission and the UK government as providing an adequate level of data protection. We rely on these adequacy decisions for transfers to New Zealand.
Transfers to the United States
Some Account and Marketing Data is processed by third-party service providers located in the United States, or transferred to them by their European subsidiaries. The recipients include:
HealthcareBlocks, Inc. β cloud infrastructure management
Sentry (Functional Software, Inc.) β error monitoring
Intercom, Inc. β customer support and analytics
Stripe, Inc. β payment processing
Google LLC β Google Tag Manager and Google Ads
Meta Platforms Inc. (via Meta Platforms Ireland Ltd) β Meta pixel
LinkedIn Corporation (via LinkedIn Ireland Unlimited Company) β LinkedIn Insight Tag
These transfers are made using:
the European Commission's Standard Contractual Clauses (SCCs) for EU-based users; and
the UK International Data Transfer Addendum (UK Addendum) to the EU SCCs for UK-based users.
For transfers where Finger-Ink is itself a controller (Account & Marketing Data), we rely on Controller Addendums and Controller-to-Controller / Controller-to-Processor SCCs as applicable to each recipient relationship. For transfers where Finger-Ink is processor on behalf of clinics (Patient & Client Data), Module 3 (Processor-to-Sub-processor) SCCs are in place β see our Data Processing Addendum for detail.
Data retention policy
Account and Marketing Data that we collect and process will be retained as follows:
Account data (e.g., name, email, billing details): retained for the duration of your account and for up to 7 years after account closure to comply with tax, accounting, and legal obligations.
Marketing data (e.g., newsletter subscriptions): retained until you unsubscribe or withdraw consent, after which it is deleted within 30 days.
Support communications: retained for up to 3 years for operational and legal purposes, unless you request earlier deletion.
Website analytics: retained in accordance with our service providers' retention policies (typically 14β26 months).
Click identifiers (from advertising campaigns, where applicable): stored by Google Tag Manager in first-party cookies, typically for up to 90 days. Cookies set by LinkedIn's Insight Tag may have different expiry β see the Cookie inventory for exact retention by cookie. We do not retain click identifiers in our own systems.
We may retain data longer where required by applicable law.
Contact us
You can contact us at privacy@finger-ink.com.
California Privacy Rights
If you are a resident of California, you may have certain rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:
The right to know what personal information we collect about you.
The right to request deletion or correction of that personal information.
The right to opt out of the "sale" or "sharing" of your personal information for cross-context behavioural advertising.
The right to non-discrimination for exercising any of these rights.
We share certain limited information with advertising platforms (Google Ads, Meta, and LinkedIn) for the purpose of measuring the effectiveness of our advertising campaigns. Under CPRA, this transmission may be classified as "sharing". California residents may opt out at any time using:
the "Do Not Sell or Share My Personal Information" option in our cookie banner;
the cookie preferences icon in the bottom-left corner of every page; or
the "Manage cookie preferences" link in our website footer.
We do not sell personal information for monetary consideration.
Finger-Ink does not knowingly process the personal information of California minors for the purposes of sale or sharing.
To exercise any other CCPA / CPRA right, contact us at privacy@finger-ink.com. We will respond within 45 days. We will not discriminate against you for exercising your rights.
β
Cookie Policy
When you visit our website or Service, the cookie experience varies based on your location:
EU, UK and EEA visitors: a cookie banner appears on your first visit. Strictly Necessary cookies are set automatically (they don't require consent), but Performance, Functionality and Marketing cookies will not be set until you accept them via the banner.
California (US) visitors: a notice with a "Do Not Sell or Share My Personal Information" option appears, in line with CCPA / CPRA. Non-essential cookies are set unless you opt out.
All other visitors: non-essential cookies are set by default, in accordance with applicable local law.
In all cases you can change or withdraw your consent at any time. The "Manage cookie preferences" link in our website footer and the cookie preferences icon (visible in the bottom-left corner of every page) let you review and change your cookie choices at any time.
Changes to this policy
We may change this policy by uploading a revised policy onto our website (finger-ink.com). Unless stated otherwise, the change will apply from the date that we upload the revised policy.
What are cookies and similar technologies?
Cookies are small text files that a website stores on your browsing device (computer, tablet or smartphone) when you visit. They help websites recognise you on return visits, remember your preferences, understand how the site is used, and β where relevant β measure the effectiveness of advertising campaigns.
In this policy, "cookies" also refers to similar technologies including:
Pixel tags (also called web beacons): small pieces of code, embedded invisibly in web pages, that allow third parties to record that a particular browser visited a particular page. The Meta pixel is an example.
Browser storage (such as localStorage and sessionStorage): areas where a script running on the page can save and retrieve information across page loads or browser sessions.
Device identifiers assigned by tag-management or analytics services to distinguish browsers without storing personally identifying information.
We work with the service providers named below to deploy and analyse these technologies.
What types of cookies does Finger-Ink use?
We use four categories of cookies and similar technologies. Strictly Necessary cookies do not require consent; the other three categories are only set if you consent.
Strictly necessary cookies
Essential for the website and Service to function. They enable navigation, secure-area access, and basic site operation. Examples include session cookies used to keep you signed in to the portal, and the cookie used by our consent management platform to record your cookie preferences. These cookies do not require consent under the ePrivacy Directive and UK PECR.
Performance cookies
Collect information about how visitors use our website and Service β for example, which pages are most visited, how visitors arrived, and whether any pages return errors. We use Plausible Insights ApS (Plausible) for this purpose. Plausible is cookieless and does not collect personally identifying information, so it operates without setting a tracking cookie on your device.
Functionality cookies
Remember the choices you make β language, region, font size, accessibility settings and other preferences β so that we can deliver a more tailored experience on return visits.
Marketing cookies
Used to measure the effectiveness of our advertising campaigns and, where relevant, to show you relevant Finger-Ink advertising on other websites and platforms. We use:
Cybot A/S (Cookiebot) β manages your cookie consent preferences and signals them to the other services listed here.
Google LLC β Google Tag Manager (which dispatches our other marketing tags) and Google Ads (which records when a visit from a Google Ads click results in a free trial or paid subscription).
Meta Platforms Ireland Ltd β the Meta pixel, which records when a visit from a Facebook or Instagram advertisement results in a free trial or paid subscription.
LinkedIn Ireland Unlimited Company β the LinkedIn Insight Tag, which records when a visit from a LinkedIn advertisement results in a free trial or paid subscription.
When you arrive at our website via a Google Ads, Meta or Microsoft Ads campaign, the click identifier in the URL (GCLID, fbclid, msclkid or li_fat_id) is captured by Google Tag Manager. If you start a free trial or activate a paid subscription, a conversion event containing the click identifier, an event name, and (for subscriptions) a monetary value is transmitted to the relevant advertising platform. We do not transmit your name, email address, phone number, or any other personally identifying information. We do not use Google's Enhanced Conversions feature or any equivalent identity-matching feature on Meta or LinkedIn.
The legal basis for setting Marketing cookies is your consent. How that consent is obtained depends on where you are visiting from:
EU, UK or EEA: explicit opt-in consent given via the cookie banner (GDPR Art. 6(1)(a); ePrivacy Directive / UK PECR).
California: consent under CCPA / CPRA, including the right to opt out of "sale or sharing" of personal information, available via the CCPA notice, the cookie preferences icon, and the "Manage cookie preferences" footer link.
Elsewhere: implied or deemed consent under applicable local law, on the basis of clear notice in this policy and an accessible mechanism to opt out at any time.
You can withdraw consent at any time, in any jurisdiction.
Where these cookies are set
Strictly Necessary, Performance, Functionality and Marketing cookies are used on our public marketing website (finger-ink.com) and on the unauthenticated sign-up and account-activation pages of our customer portal (portal.finger-ink.com).
No Marketing cookies, no Google Tag Manager, and no third-party advertising or analytics tags are loaded on the authenticated areas of our portal β that is, anywhere Patient or Client Data is processed. This boundary is part of how we maintain HIPAA compliance and discharge our obligations as a Business Associate to our healthcare-provider customers.
Cookie inventory
A detailed, automatically maintained list of every cookie and similar technology used on our sites is available at finger-ink.com/cookie-declaration.
How long will cookies stay on my browsing device?
The length of time a cookie remains on your device depends on whether it is a session or persistent cookie.
Session cookies are removed when you close your browser.
Persistent cookies remain until they expire or you delete them. Click identifiers captured for advertising attribution (such as
_gcl_awfrom Google Ads,_fbpfrom Meta, and various tracking cookies from LinkedIn's Insight Tag) are stored as first-party cookies. Typical expiry is up to 90 days; see the Cookie inventory for exact retention per cookie.
The Cookie declaration on our website lists the exact expiry of each cookie.
First and third party cookies
First-party cookies are cookies set by Finger-Ink directly. Third-party cookies are set by other organisations through our website or Service. The third parties currently setting cookies (or equivalent technologies) on our sites are listed in the Cookie inventory above and in the "Marketing cookies" section.
How to manage your cookie preferences
You have several ways to manage how cookies are used:
Cookie banner (EU/UK/EEA visitors on first visit). Asks you to accept or decline each category of non-essential cookies. No non-essential cookies are set until you make a choice.
CCPA notice and "Do Not Sell or Share" link (California visitors). Allows you to opt out of the "sale or sharing" of personal information under CPRA.
Cookie preferences icon. A small icon visible in the bottom-left corner of every page where our cookie banner applies. Clicking it opens a preferences panel where you can review what's been set and change your choices at any time, in any jurisdiction.
"Manage cookie preferences" link. Available to all visitors in our website footer. Re-opens the cookie preferences interface so you can update your choices at any time.
Browser settings. Most browsers allow you to block or delete cookies through their settings. Note that disabling Strictly Necessary cookies may prevent parts of our website or Service from working correctly.
Opt-out lists. You can opt out of interest-based advertising more broadly via industry resources such as the European Interactive Digital Advertising Alliance (EU/UK) and the Network Advertising Initiative (US).
Consent withdrawal
Withdrawing consent stops future processing by the affected services. Events already transmitted to advertising platforms (Google Ads, Meta) remain in their systems until deleted. If you would like us to request deletion of events already transmitted, contact us at privacy@finger-ink.com β we will submit a deletion request via Google's Data Deletion API and Meta's Data Deletion API on your behalf.
Third party website cookies
Other websites may use different cookies from those Finger-Ink uses. You acknowledge and agree that Finger-Ink is not responsible for any third-party websites or applications, and you access third-party websites and applications at your own risk. Please review their separate cookie policies.