Privacy Policy
Your data stays yours. We collect only what we need, we never sell it, and we're transparent about how we use it.
Resectaur — Privacy Policy
Last reviewed: 8th March 2026
Introduction
Sectaur Collaborative Limited (NZBN: 9429048822091) ("Resectaur", "we", "our" or "us") respects your right to privacy and understands that protecting your personal information and that of your patients is very important.
We comply with the New Zealand Privacy Act 2020 ("Privacy Act") when handling personal information. Where applicable, we also respect the rights of individuals under the EU General Data Protection Regulation (GDPR) and the Australian Privacy Act 1988.
This Privacy Policy explains how we collect, hold, use, disclose, and protect your personal information. By accessing the Resectaur Site, App, or any other Resectaur service (collectively referred to as the "Platform"), you acknowledge and agree to the uses of information described in this Privacy Policy.
Sectaur Collaborative Limited is the data controller responsible for your personal information.
Information We Collect
Information we collect falls into two categories: "voluntarily provided" information and "automatically collected" information.
Voluntarily provided information includes data you knowingly and actively provide when using the Platform:
User profile data:
• Name, salutation, contact details (email address, country of residence)
• Position, title, and workplace or institution
• Qualifications, level of training, and professional subspecialties
• Medical registration number or equivalent professional credentials
• Profile photograph
Medical and educational content:
• Anonymised DICOM images including embedded metadata
• Cases, collections, and educational assets you create or upload
• Quiz responses and assessment results
• TI-RADS calculator inputs and outputs
• Video content uploaded for educational purposes
• Slide presentations and associated materials
• Conference participation data (attendance, duration)
• CME/CPD completion records and certificate data
• Learning Pathway progress and completion status
• Channel posts, comments, and poll responses
Payment and transaction data: When you make a purchase, our third-party payment processor (Stripe) collects and processes payment information including payment card details, billing address, transaction history, and subscription status. IMPORTANT: Resectaur does not store or have access to your complete payment card details. All payment information is handled securely by Stripe in compliance with PCI DSS standards. We receive only limited information necessary to fulfil your order and manage your subscription.
Automatically collected information includes data sent by your devices when accessing the Platform:
Technical usage data:
• URL you are accessing the Platform from, IP address, unique device ID
• Network and computer performance, browser type, language, and operating system
• Information about your use of the Platform, including pages viewed, search queries, page response times, download errors, length of visits, page interaction information (scrolling, clicks), and methods used to browse away from the page
• Video viewing data (play duration, completion rates) collected via Mux
• Analytics data collected via PostHog (subject to your opt-in consent)
How We Use Your Information
We only collect and use your personal information when we have a legitimate reason for doing so, and only collect information that is reasonably necessary to provide our services to you.
We may collect, hold, use, and disclose information for the following purposes:
• To provide you with our Platform's core features and services
• To enable you to customise or personalise your experience
• To deliver products and/or services to you
• To contact and communicate with you
• To generate CME/CPD certificates for completed educational activities
• To provide channel hosts and Creators with aggregated (non-personally-identifiable) usage reports
• For analytics, market research, and business development, including to operate and improve the Platform
• For internal record keeping and administrative purposes
• To comply with our legal obligations and resolve any disputes
• To attribute content (such as posts and comments) you submit that we publish on the Platform
• For security and fraud prevention
• For technical assessment, including to operate and improve our Platform
We will not further process personal information in a manner that is incompatible with these purposes.
Legal Basis for Processing
We process your personal information on the following legal bases:
• Contract performance: Processing necessary to provide the Platform services you have signed up for, including account management, content delivery, and subscription management.
• Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Platform, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
• Consent: Where you have given explicit consent, such as opting in to analytics tracking or marketing communications. You may withdraw consent at any time.
• Legal obligations: Processing necessary to comply with applicable laws, regulations, or court orders.
Information We Share
We do not commercially exploit or distribute personal data to any third party for commercial purposes. We may disclose personal information to:
• A parent, subsidiary, or affiliate of our company
• Third-party service providers for the purpose of enabling them to provide their services
• Our employees, contractors, and/or related entities
• Courts, tribunals, regulatory authorities, and law enforcement officers, as required by law
• An entity that buys, or to which we transfer all or substantially all of our assets and business
Third-party services we currently use:
• Microsoft Azure: Cloud hosting and data storage (servers in Australia). Includes Azure CosmosDB for application data, Azure Blob Storage for media files, and Azure B2C for authentication and identity management.
• Stripe: Payment processing for subscriptions and purchases. Stripe processes payment card details directly and provides us with transaction confirmations and subscription status.
• Mux: Video hosting, streaming, and playback. Mux processes video files you upload and collects viewing analytics.
• Daily.co: Live video conferencing infrastructure. Daily.co processes audio/video streams during live conferences hosted on the Platform.
• PostHog: Product analytics (opt-in). Collects usage data to help us understand how the Platform is used and improve our services.
• Postmark: Transactional email delivery. Processes your email address to deliver account notifications, password resets, and other Platform communications.
International Transfers of Personal Information
The personal information we collect is stored and/or processed primarily in Australia and New Zealand, or where we or our partners, affiliates, and third-party providers maintain facilities.
The countries to which we store, process, or transfer your personal information may not have the same data protection laws as the country in which you initially provided the information. If we transfer your personal information to third parties in other countries: (i) we will perform those transfers in accordance with the requirements of applicable law; and (ii) we will protect the transferred personal information in accordance with this Privacy Policy.
For individuals in the European Union (EU), personal data will only be transferred to countries identified as providing adequate protection for EU data (such as New Zealand), or to a third party where we have approved transfer mechanisms in place.
Cookies and Tracking
The Platform uses the following types of cookies:
Essential cookies: Authentication cookies and session management cookies that are necessary for the Platform to function. These cannot be disabled.
Analytics cookies: We use PostHog for product analytics. Analytics cookies are only set with your explicit consent (opt-in). You can manage your analytics preferences at any time through your account settings.
We do not use advertising or retargeting cookies. We do not use Google Analytics, Facebook Pixel, or any similar advertising tracking technologies.
You can block cookies by activating the setting on your browser that allows you to refuse cookies. However, if you block essential cookies, you may not be able to access the Platform.
Data Storage and Security
When we collect and process personal information, and while we retain this information, we protect it within commercially acceptable means to prevent loss and theft, as well as unauthorised access, disclosure, copying, use, or modification.
Security measures include:
• Encrypted data transmission (HTTPS/TLS)
• Secure authentication via Azure B2C
• Client-side encryption for personal notes (PIN-protected, using a user-defined encryption salt — Resectaur cannot decrypt your notes)
• HMAC validation for API communications
• SAS URLs with time-limited access for media files
• JWT tokens with 2-hour expiration
Although we will do our best to protect the personal information you provide to us, no method of electronic transmission or storage is 100% secure and no one can guarantee absolute data security. In the unlikely event of a breach, we will comply with applicable laws, including notifying affected users and the New Zealand Privacy Commissioner as required.
You are responsible for selecting any password and its overall security strength, and for ensuring the security of your own information within the bounds of our services.
Data Retention
We keep your personal information only for as long as we need to. This time period may depend on what we are using your information for, in accordance with this Privacy Policy.
• Account data: Retained for the duration your account exists on our system. If you request account deletion, we will delete your personal data within 30 days, except where retention is required by law.
• Educational content: Cases, presentations, and other content you created may be retained beyond account deletion where they have been incorporated into educational materials (per the license granted in our Terms of Service).
• Payment records: Transaction records are retained for the period required by applicable tax and financial reporting laws.
• Analytics data: Aggregated and anonymised analytics data may be retained indefinitely.
• CME/CPD records: Completion records and certificates are retained for a minimum of 7 years to support professional development record-keeping.
If your personal information is no longer required, we will delete it or make it anonymous by removing all details that identify you.
Your Rights
You have the following rights regarding your personal information:
• Access: You may request access to the personal information we hold about you.
• Correction: You may request correction of any inaccurate, out-of-date, incomplete, irrelevant, or misleading information.
• Objection: You have the right to object to processing of your personal information based on our legitimate interests.
• Restriction: You have the right, under certain circumstances, to restrict the processing of your data.
• Portability: You may request a copy of your personal information in a machine-readable format. Where possible, we will provide this in CSV format.
• Deletion: You may request that we delete the personal information we hold about you. There may be exceptions for specific legal reasons.
• Withdrawal of consent: You may withdraw your consent at any time for processing based on consent (such as analytics tracking).
• Complaint: You have the right to lodge a complaint with the New Zealand Privacy Commissioner (privacy.org.nz) or the relevant data protection authority in your jurisdiction.
To exercise any of these rights, please contact us using the details provided below. We will respond to your request within 30 days.
We may need to request specific information from you to help us confirm your identity before processing your request.
Patient Confidentiality and Medical Imaging Data
It is a requirement of our Terms of Service that all patient cases uploaded to the Platform are de-identified such that the identity of each patient is not identifiable or reasonably identifiable. This applies to all images, videos, slides, diagrams, and any other content uploaded to the Platform.
Information that must NOT appear on any content uploaded to the Platform includes, but is not limited to:
• Name or initials
• Date of birth
• Address, including full or partial postal code
• Telephone or fax numbers or contact information
• Email addresses
• Unique identifying numbers (e.g., NHI, Medicare number)
• Medical device identifiers (e.g., serial numbers)
• Web or internet protocol addresses containing any link to the patient
• Biometric data
• Facial photograph or comparable image
• Names of relatives
• Date of the study
If a case is unique in such a way that could lead to the identification of an individual from the images alone (for example, a case featured in the media or unusually rare in diagnosis), it should not be uploaded without informed patient consent. Similarly, textual information accompanying cases should be devoid of identifying information.
If you practice in a small community, even relatively common conditions may be identifiable. We urge you to err on the side of caution and obtain informed consent when in doubt. If you do obtain consent, please send a copy to info@resectaur.org.
IMPORTANT: Our Privacy Policy does not override the individual policies of institutions. Users must ensure they are using images within their local institutional guidelines. We take patient privacy very seriously. If you upload a case containing patient information, or from which a person is otherwise reasonably identifiable, your case will be deleted immediately upon our becoming aware, and we may take action against your account as permitted under the Terms of Service.
If you become aware of any content from which you (as a patient) or another person is reasonably identifiable, please contact us immediately at info@resectaur.org.
Children's Privacy
The Resectaur Platform is designed for use by medical professionals aged 18 and over. We do not aim any of our products or services at children and we do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information.
Business Transfers
If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, personal information would be included among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur, and that any parties who acquire us may, to the extent permitted by applicable law, continue to use your personal information according to this policy.
Changes to This Privacy Policy
We reserve the right to change this Privacy Policy from time to time to reflect changes in the law or expansion of the functionality of our services. Each version will be identified by a version number and effective date.
When we publish updated Privacy Policy versions, you may be asked to review and accept the new version. You should also review this Privacy Policy regularly to stay informed about how we protect your data.
Contact Us
For any questions or concerns regarding your privacy, or to exercise any of your rights described in this policy, please contact us:
Sectaur Collaborative Limited
NZBN: 9429048822091
Email: info@resectaur.org
Website: https://www.resectaur.org
If you are not satisfied with our response, you may contact the New Zealand Privacy Commissioner at privacy.org.nz.