PRIVACY POLICY

This Privacy Policy explains how New Zealand Health Association Limited trading as Sanitarium Health Food Company and its related entities (‘Sanitarium’, ‘we’, ‘us’ or ‘our’), collects, uses, holds and discloses personal information. This policy applies to personal information we collect in connection with our business activities, including our dealings with employees, job applicants, customers, consumers, business partners and suppliers, and through our websites and digital platforms. We manage personal information in accordance with the Privacy Act 2020 (NZ), and other applicable privacy laws.

HOW WE COLLECT PERSONAL INFORMATION

We collect personal information in a range of ways, depending on how you interact with us. This includes:

  • information you provide directly to us
  • information collected automatically when you use our websites or digital services (such as through cookies and similar technologies)
  • information from third parties who support our business activities, including marketing, digital services, recruitment, HR, wellbeing and workplace programs, and insurance or claims management
  • information from other sources, such as referees, recruitment agencies, your employer, or medical and insurance providers (where relevant)

We only collect personal information where it is reasonably necessary for our functions and activities and as permitted by law. We only collect health and other sensitive information with your consent or where otherwise permitted by law.

If we collect personal information about you indirectly (that is, from someone other than you), we will take reasonable steps, as soon as reasonably practicable, to make you aware of that collection unless an exception applies under applicable law. This will include, where required, telling you that we have collected the information, why we collected it, who we may disclose it to, our contact details, any law that authorises or requires the collection, and how you can access or request correction of your information.

The table below provides further detail about the types of information we collect, how we collect it, and why.

Type of personal information | Examples | How we collect this information | Why we collect this information

Contact details

Examples:

  • Suffix
  • Full name
  • Addresses (street, postal)
  • Email address
  • Phone numbers (home, mobile, business)

How we collect this information:

  • Directly from you when you contact us
  • When you create an account or enter a promotion
  • When you sign up to receive communications
  • During our employment or business relationship with you

Why we collect this information:

  • To communicate with you and respond to enquiries
  • To provide products and services and manage your account
  • To administer trade promotions (including prizes)
  • To fulfil orders and manage accounts
  • To verify your identity and prevent fraud
  • To comply with legal and regulatory obligations

Identity Information

Examples:

  • Date of birth

How we collect this information:

  • Directly from you when you provide it to us (for example, when creating an account or entering a promotion)
  • During our employment or business relationship with you

Why we collect this information:

  • To verify eligibility, including for age-restricted goods and trade promotions
  • To verify your identity and prevent fraud
  • To comply with legal and regulatory obligations

Social media / profile information

Examples:

  • Social media handle or profile
  • Information about your interactions with our content on social media platforms (such as likes, comments or shares)
  • Public profile information or content you make available when engaging with our pages or campaigns

How we collect this information:

  • From social media platforms when you interact with our content, including publicly available profile information, where permitted by the relevant platform settings and applicable law
  • When you engage with us on social media platforms (for example, by commenting, sharing or participating in campaigns)
  • From social media platforms when you interact with our advertising on those platforms, where permitted by law

Why we collect this information:

  • To communicate and engage with you on social media
  • To respond to enquiries and interactions
  • To administer promotions or campaigns conducted via social media
  • To understand how users interact with our content and improve our social media presence
  • To analyse and improve our digital content and marketing
  • To comply with legal and regulatory obligations

Customer and consumer information

Examples:

  • Purchase history and transaction records
  • Product preferences and dietary interests
  • Feedback, enquiries and complaints
  • Survey and focus group responses
  • Competition and promotion entries
  • Reviews, ratings and other consumer-generated content
  • Items added to online cart or wish list
  • Communication and subscription preferences

How we collect this information:

  • Directly from you when you interact with us
  • When you purchase products or participate in promotions, surveys or competitions
  • Through customer service interactions (including enquiries, feedback and complaints)
  • When you use our websites, apps or digital services

Why we collect this information:

  • To provide products and services and manage your orders
  • To communicate with you and respond to enquiries, feedback and complaints
  • To administer promotions and competitions
  • To personalise your experience and provide relevant content and recommendations
  • To analyse and improve our products, services and customer experience
  • To understand customer preferences and trends
  • To verify eligibility, including for age-restricted goods and promotions
  • To detect and prevent fraud and misuse
  • To comply with legal and regulatory obligations

Website, digital activity and analytics information

Examples:

  • IP address
  • Browser type and device information
  • Website and app usage data (including pages viewed, links clicked, search history and browsing activity on our websites)
  • Cart and checkout interactions
  • General location information inferred from IP address or device
  • Email engagement data (such as opens and clicks)
  • Referrer URL (the website visited before arriving at our site)
  • Insights about preferences, interests and behaviours based on your interactions
  • Customer segments based on demographics, purchasing or engagement patterns
  • Profiles used to personalise content, communications and marketing

How we collect this information:

  • Automatically when you use our websites, apps or digital services
  • Through cookies and similar tracking technologies
  • From third-party providers who support our digital services (such as hosting and analytics providers)
  • From advertising or analytics partners, where permitted by law
  • By analysing and combining information about your interactions with our products, services and communications

Why we collect this information:

  • To operate, maintain and improve our websites, apps and digital services
  • To understand how our digital services are used and improve performance and user experience
  • To personalise content, communications and marketing
  • To analyse trends and measure the effectiveness of marketing and communications
  • To understand customer behaviour and preferences
  • To detect and prevent fraud, errors and security incidents
  • To comply with legal and regulatory obligations

Marketing and communications information

Examples:

  • Marketing and communication preferences
  • Preferred communication channels (e.g. email, SMS, phone, app notifications)
  • Records of communications sent and your responses (including email engagement such as opens and clicks)
  • Social media interactions and engagement with our content
  • Interactions with influencer or brand content
  • Advertising interactions (including responses to targeted advertising on third-party platforms)
  • Consumer-generated content shared in connection with our brands (such as reviews, photos or comments)
  • Opt-out and unsubscribe records

How we collect this information:

  • Directly from you when you interact with our marketing communications or update your preferences
  • When you engage with our content on social media or digital platforms
  • From your interactions with advertising on third-party platforms
  • Through digital tracking technologies (such as email tracking tools and similar technologies)
  • From advertising and marketing partners who provide information about your interactions with our campaigns, where permitted by law

Why we collect this information:

  • To manage your communication preferences and ensure communications are relevant and comply with applicable laws
  • To communicate with you about products, services, promotions and campaigns
  • To personalise marketing content and advertising
  • To understand our audiences and improve our marketing and communications
  • To measure and analyse the effectiveness of marketing and advertising campaigns
  • To create audience segments on digital platforms
  • To comply with legal and regulatory requirements (including marketing and consent obligations)

Business Representatives

Examples:

  • Job title or role
  • Employer or organisation name (where associated with an individual)
  • Business contact details (such as work email address and phone number)
  • Records of communications with us in a professional capacity

How we collect this information:

  • Directly from you or your organisation (for example, through contracts, correspondence or meetings)
  • When you engage with us as a supplier, service provider or business partner
  • From publicly available sources (such as business websites or professional profiles)

Why we collect this information:

  • To manage our relationships with suppliers, partners and other business contacts
  • To negotiate, enter into and manage contracts
  • To communicate with you in relation to business activities
  • To process payments and manage invoicing
  • To detect and prevent fraud and verify identity
  • To comply with legal and regulatory obligations

Recruitment and employment-related information

Examples:

  • Work history and employment background
  • Qualifications and professional credentials
  • References
  • Application and interview information
  • Background check results (where applicable)

How we collect this information:

  • Directly from you during the recruitment process
  • From referees or recruitment agencies
  • From background check providers or publicly available sources (where applicable)
  • From third-party recruitment platforms and job boards

Why we collect this information:

  • To assess your suitability for employment
  • To verify your qualifications, experience and background
  • To manage recruitment processes
  • To identify and select candidates
  • To comply with legal and regulatory obligations

Employment and workplace information

Examples:

  • Employee ID and personnel records
  • Position and employment details
  • Payroll, superannuation and leave information
  • Performance and training records
  • Attendance and access records

How we collect this information:

  • Directly from you during your employment
  • Through internal systems and HR processes
  • From third-party service providers supporting HR, payroll, IT and workforce systems

Why we collect this information:

  • To manage the employment relationship
  • To administer pay, benefits and entitlements (including superannuation)
  • To support workforce planning and operations
  • To monitor performance and development
  • To comply with legal and regulatory obligations

Health, safety and wellbeing information

Examples:

  • Health or medical information (including injury or illness information)
  • Fitness or wellbeing information (e.g. participation in workplace wellbeing programs such as BetterU, onsite gyms or health initiatives)
  • Employee Assistance Program (EAP) or wellbeing support information
  • Return to work and rehabilitation information
  • Workers’ compensation information (including claims and assessments)
  • Vaccination status and records (where relevant)

How we collect this information:

  • Directly from you
  • Through workplace health, safety and wellbeing programs and initiatives
  • From third-party providers (such as medical practitioners, wellbeing providers, insurers, claims managers or professional advisers)
  • Where required or permitted by law

Why we collect this information:

  • To manage workplace health, safety and wellbeing
  • To administer employee wellbeing programs (including initiatives such as BetterU)
  • To assess fitness for work and, where relevant, suitability for roles
  • To support return to work, injury management and claims processes
  • To meet legal and regulatory obligations (including work health and safety laws)
  • To meet insurance and workers’ compensation obligations

Other sensitive information

Examples:

  • Religious belief information (including affiliation or faith-based preferences, where relevant)

How we collect this information:

  • Directly from you
  • During recruitment or employment processes (where relevant)
  • Where required or permitted by law

Why we collect this information:

We only collect information about religious beliefs where it is reasonably necessary for our functions and activities, with your consent or otherwise as permitted by law, including:

  • To assess suitability for roles, where religious belief is relevant to the inherent requirements of the position
  • To support workplace practices, policies and benefits that reflect our organisational values as a faith-based organisation
  • To support workplace inclusion, wellbeing and employee support initiatives (including accommodating religious practices or preferences, where applicable)
  • To carry out our charitable and organisational activities in accordance with our governing documents
  • To comply with legal and regulatory obligations

Payment and financial information

Examples:

  • Payment method details (such as credit or debit card information)
  • Billing name and billing address
  • Transaction and payment confirmation details

How we collect this information:

  • Directly from you when you make a purchase
  • From payment service providers and processors
  • Through our secure payment and e-commerce systems

Why we collect this information:

  • To process and fulfil orders
  • To process payments and provide refunds
  • To detect and prevent payment fraud
  • To comply with financial, taxation and regulatory obligations

Account login and credential information

Examples:

  • Login ID / email address used to access an account
  • Username or screen name
  • Password (stored in hashed or encrypted form)
  • Security questions and answers
  • Authentication or password reset tokens

How we collect this information:

  • Directly from you when you create or access an account
  • Through our account management and authentication systems

Why we collect this information:

  • To provide and manage access to your account
  • To authenticate your identity
  • To maintain the security of our accounts and systems
  • To support password reset and account recovery
  • To comply with legal and regulatory obligations

Customer insights, interactions and content

Examples:

Demographic and preference information

  • Age or age range (including date of birth, where provided)
  • Gender
  • General location (e.g. postcode or region)
  • Household or lifestyle information
  • Interests, hobbies and product preferences
  • Dietary preferences or health-related interests
  • Language preferences

Customer communications and interactions

  • Content of emails, messages or enquiries
  • Call recordings (where applicable)
  • Feedback, complaints and survey responses

Consumer-generated content

  • Reviews, ratings and comments
  • Photos, videos or other content submitted via websites, apps or social media
  • Content submitted through promotions, competitions or campaigns
  • Public content shared on our social media pages

How we collect this information:

  • Directly from you (for example, through forms, surveys, competitions or when you contact us)
  • Through customer service and support interactions
  • When you engage with our websites, apps or social media platforms
  • Through competitions, promotions and feedback programs
  • By analysing your interactions with our products and services (such as purchase history or browsing behaviour)
  • From third-party data providers (where permitted by law)

Why we collect this information:

  • To communicate with you and respond to enquiries, feedback and complaints
  • To provide relevant products, content and recommendations
  • To understand customer preferences and segment audiences
  • To administer promotions, competitions and campaigns
  • To analyse and improve our products, services and customer experience
  • To support marketing, analytics and business insights
  • To monitor and improve quality, training and customer support
  • To publish or share consumer-generated content in connection with our brands (where permitted by law)
  • To comply with legal and regulatory obligations

Fraud, security and identity verification information

Examples:

  • Identity verification information (such as government-issued identification details, where required)
  • Information relating to suspected or actual fraud, security incidents or misuse
  • Records of identity verification checks and outcomes

How we collect this information:

  • Directly from you when identity verification is required
  • From financial institutions and fraud prevention organisations
  • From law enforcement or other authorities, where permitted by law
  • From our security and fraud detection systems

Why we collect this information:

  • To verify your identity
  • To detect, prevent and investigate fraud and suspicious activity
  • To maintain the security of our systems, customers and operations
  • To comply with legal and regulatory obligations

Information relating to corporate transactions 

Examples:

  • Personal information relevant to a proposed or completed merger, acquisition, restructuring or sale of assets
  • Personal information transferred to or from a third party as part of a business transaction

How we collect this information:

  • In the course of due diligence or corporate transaction processes
  • From third parties involved in the transaction (such as acquirers, advisers or counterparties)

Why we collect this information:

  • To assess, facilitate and complete a corporate transaction
  • To enable a potential or actual acquirer or successor entity to continue business operations
  • To comply with legal and regulatory obligations

WHO WE DISCLOSE PERSONAL INFORMATION TO

We may disclose personal information to third parties who support our business activities or where required or permitted by law. This may include:

  • service providers who support our operations, including IT systems, digital platforms, marketing services, HR, payroll and recruitment;
  • providers supporting workplace health, safety and wellbeing activities, including medical practitioners, wellbeing program providers and insurers;
  • third parties involved in managing insurance or workers’ compensation claims;
  • suppliers, business partners and professional advisers (such as legal, accounting and audit advisers);
  • our related entities or affiliates (where applicable); and
  • government authorities, regulators or other parties where required or authorised by law.

Some of these recipients may be located outside New Zealand, including in jurisdictions where our service providers operate.

We take reasonable steps to ensure that third parties handle personal information in accordance with applicable privacy laws.

Where we collect personal information about you indirectly, we will take reasonable steps to notify you of that collection and these disclosures in accordance with applicable law.

The table above provides further detail about the types of personal information we disclose and the purposes for which it is disclosed.

DISCLOSURE OF PERSONAL INFORMATION OVERSEAS

We may disclose personal information to overseas recipients where this is reasonably necessary for our functions and activities. This may include disclosure to:

  • providers supporting our IT systems, digital platforms and cloud-hosting services
  • providers supporting our marketing, communications and digital services
  • providers supporting HR, payroll and workforce management systems
  • providers supporting workplace health, safety, wellbeing and insurance activities

These recipients may be located in countries where our service providers and, in some cases, our related entities or affiliates (where applicable), operate, including:

  • Australia;
  • the United States;
  • the United Kingdom;
  • China;
  • India; and
  • other countries in which our service providers, related entities, affiliates or their contractors operate (where applicable).

It is not always practicable to specify the exact location of every service provider we use from time to time.

Where we disclose personal information to overseas recipients, we take reasonable steps to ensure that those recipients handle personal information in accordance with applicable privacy laws.

Where we collect personal information about you indirectly, we will take reasonable steps to notify you of these disclosures in accordance with applicable law.

DIRECT MARKETING

We may use your personal information to send you marketing communications about our products, services or activities.

You can opt out of receiving marketing communications from us at any time by:

We will take reasonable steps to give effect to your request as soon as practicable.

DATA SECURITY AND RETENTION

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. These steps include:

  • using physical, technical and administrative security measures
  • restricting access to personal information on a need-to-know basis
  • using secure systems and processes to store and manage information
  • engaging service providers who are required to protect personal information

We hold personal information to support our business operations, including maintaining records, managing relationships, complying with legal and regulatory requirements, and as otherwise described in this policy.

We may store personal information in electronic systems (including cloud-based systems) and, in some cases, in paper records. These systems may be operated by us or by third-party service providers that store and process personal information on our behalf.

Our systems and service providers may be located in Australia and overseas, including in countries referred to in the “Disclosure of personal information overseas” section of this policy.

While we take reasonable steps to protect personal information, no method of transmission over the internet or electronic storage is completely secure.

RETENTION OF PERSONAL INFORMATION

We retain personal information only for as long as it is reasonably necessary for our business activities or as required by law.

The length of time we keep personal information will depend on the purpose for which it was collected, including:

  • to provide products and services
  • to manage our business and employment relationships
  • to meet legal, regulatory, tax or reporting obligations
  • to manage claims, disputes or complaints

When personal information is no longer required, we take reasonable steps to:

  • destroy the information, or
  • de-identify the information

COOKIES AND SIMILAR TECHNOLOGIES

We use cookies and similar technologies on our websites and digital platforms to collect information about how you use them. Cookies are small text files that are stored on your device when you visit a website. We use cookies and similar technologies to:

  • operate and maintain our websites and systems;
  • understand how our websites and digital services are used;
  • improve functionality and user experience; and
  • support our marketing and advertising activities, including helping us deliver content that is more relevant to you.

This may include information such as your IP address, browser type, the pages you visit and the time and duration of your visit. We may also use third-party service providers to assist us with these activities, including providers of:

  • website analytics;
  • digital platform support; and
  • marketing and advertising services.

These providers may collect or receive information about your interactions with our websites and online content. You can manage or disable cookies through your browser settings. If you choose to disable cookies, some parts of our websites or services may not function properly.

LINKS TO OTHER SITES

Our websites may contain links to third-party websites.

If you follow these links, you leave our website. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies.

HOW YOU CAN ACCESS AND CORRECT YOUR PERSONAL INFORMATION

You have the right to request access to the personal information we hold about you and to request that it be corrected if it is inaccurate, out of date, incomplete, irrelevant or misleading. To request access to, or correction of, your personal information, please contact us:

Attention: Privacy Officer

Email: consumer.services@sanitarium.co.nz (please use the subject line “Privacy”)

Telephone: 0800 100 257

Postal address: 124 Pah Road, Royal Oak, Auckland, 1023, New Zealand

Please include:

  • your name and contact details;
  • details of the information you would like to access or correct; and
  • any supporting information (if you are requesting a correction).

HOW WE WILL RESPOND TO ACCESS AND CORRECTION REQUESTS

We will:

  • acknowledge your request as soon as practicable
  • take reasonable steps to verify your identity
  • respond within a reasonable timeframe
  • provide access to your personal information unless an exception under applicable privacy laws applies
  • take reasonable steps to correct your personal information if it is inaccurate, out of date, incomplete, irrelevant or misleading

In some circumstances, we may refuse access or correction requests where permitted by law. If this happens, we will provide you with our reasons (unless we are not required to do so) and information about how you can make a complaint.

ANONYMITY AND USE OF PSEUDONYMS

Where it is lawful and practicable to do so, you may choose not to identify yourself or to use a pseudonym when dealing with us.

In many cases, we may need to collect personal information to provide our services, manage employment or workplace matters, or comply with legal obligations.

HOW YOU CAN MAKE A COMPLAINT ABOUT A BREACH OF PRIVACY

If you believe that we have not complied with applicable privacy laws or a registered binding privacy code, you can make a complaint by contacting us using the details set out above. Please include:

  • your name and contact details
  • details of your complaint
  • any supporting information you would like us to consider.

HOW WE HANDLE PRIVACY COMPLAINTS

We take privacy complaints seriously and will respond in a timely manner. When we receive a complaint, we will:

  • acknowledge your complaint as soon as practicable;
  • consider and investigate the issues raised;
  • request further information from you if needed;
  • work with you in good faith to resolve the complaint, including through informal resolution or mediation where appropriate;
  • respond to you in writing with the outcome of our investigation.

We will aim to respond to you within 30 days of receiving your complaint.

If your complaint relates to our service providers or third parties, we may need to consult with them as part of our investigation.

IF YOU ARE NOT SATISFIED

If you are not satisfied with our response, you may contact an external dispute resolution body (if available) or the relevant privacy regulator, the Office of the Privacy Commissioner (https://www.privacy.org.nz/). 

VARIATION OF THE PRIVACY POLICY

We may update this Privacy Policy from time to time. The updated version will be available on our website. We encourage you to review this policy periodically.

Last updated: June 2026