Privacy Policy

Last updated: 1 April 2026

1. Who we are

Good Practice Hub is operated by The Policy Place (New Zealand). In this policy, “we”, “us” and “our” refer to The Policy Place. Good Practice Hub provides online practice quizzes and evidence tools for health and community service organisations across Aotearoa New Zealand and Australia.

2. Information we collect

We collect the following personal information when you use Good Practice Hub:

  • Account information — name, email address, organisation, staff role, and region when you create an account or are invited by an organisation.
  • Quiz and practice data — your quiz attempts, scores, answers to individual questions, concept mastery, and completion timestamps.
  • Organisation membership — if you are added to an organisation’s team, we store your membership details (role, invite date, deadline, completion progress).
  • Payment information — if you or your organisation subscribes, payment is processed by Stripe. We store your Stripe customer ID and subscription status but never your card details.
  • Lead capture — if you try a free quiz preview before creating an account, we collect your name and email address to provide access and may follow up about the service.
  • Platform integration data — if your organisation uses The Policy Place platform, we receive your name, email, and an external identifier to link your accounts across both services.
  • Technical data — browser type, IP address, and usage analytics collected automatically to maintain and improve the service.

3. How we use your information

We use your personal information to:

  • Provide and personalise the Good Practice Hub service, including role-relevant quizzes and your PracticeLab dashboard.
  • Generate your ProofKit (evidence of practice) for you and, where applicable, for your organisation’s compliance records.
  • Send transactional emails (sign-in codes, staff invitations, deadline reminders, completion celebrations).
  • Send marketing communications about new content and services — only if you have opted in.
  • Process payments and manage subscriptions.
  • Improve the service through aggregated, anonymised analytics.

4. Organisation access

If an organisation adds you to their team, that organisation’s administrators can see your name, email, staff role, quiz completion status, and scores on their Team Dashboard. This enables them to track induction progress and meet compliance obligations.

Your account and practice history belong to you. If you leave an organisation or are removed from their team, your personal PracticeLab and ProofKit remain yours.

When you leave or are removed from an organisation, the organisation retains historical records of your quiz progress and completion data from your time with them. This data supports their ongoing compliance and audit requirements. Your personal account, practice history, and ProofKit are not affected.

5. Data sharing

We do not sell your personal information. We share data only with:

  • Your organisation — as described in section 4, if you are part of a team.
  • The Policy Place platform — if your organisation uses The Policy Place for policy management, we share account linking information (name, email, external identifiers) to enable single sign-on and staff provisioning between the two services.
  • Service providers — we use the following third-party services to operate Good Practice Hub:
    • Supabase (database hosting, Sydney region) — stores all application data.
    • Vercel (application hosting and analytics) — hosts the application and collects anonymised performance metrics.
    • Stripe (payment processing) — processes subscription payments securely.
    • MailerSend (email delivery) — sends transactional and marketing emails on our behalf.
    • Sentry (error monitoring) — captures application errors to help us fix issues. Error reports may include technical context but are not used to identify individual users.
    • Cloudflare Turnstile (bot prevention) — verifies that quiz preview requests come from real people, not automated scripts. Processes IP address data.
    • Google (authentication) — if you choose to sign in with Google, your Google account profile is used for authentication only.
  • AI content generation — we use Anthropic’s Claude AI to help generate quiz content for administrators. No user personal data is sent to this service.
  • Legal requirements — if required by law or to protect the rights and safety of our users.

6. Data storage and security

Your data is stored in Supabase (Sydney, Australia) and served via Vercel’s global CDN. We use encryption in transit (TLS) and at rest. Access to production systems is restricted to authorised personnel only.

7. Your rights

Under the New Zealand Privacy Act 2020 and the Australian Privacy Act 1988, you have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion of your account and personal data.
  • Withdraw marketing consent at any time via your profile settings.
  • Download your ProofKit as a portable record of your practice evidence.

To exercise these rights, contact us at hello@policy-place.com.

8. Cookies and local storage

We use essential cookies for authentication (session management via NextAuth.js). We use browser local storage to remember your preferences (e.g., quizzes on hold, quiz progress so you can resume where you left off, and dashboard display settings). We do not use third-party advertising or tracking cookies.

9. Marketing communications

We only send marketing emails if you have explicitly opted in during profile setup. You can change your preference at any time from your profile page. Transactional emails (sign-in codes, deadline reminders, team invitations) are not marketing and will be sent regardless of your marketing preference.

10. Data retention

We retain your account and practice data for as long as your account is active.

  • Active accounts — all data retained while your account exists.
  • Organisation removal — if you leave or are removed from an organisation, your membership is marked as inactive. The organisation retains historical records of your quiz progress from your time with them for compliance purposes. Your personal account is not affected.
  • Account deletion — when you delete your account, all personal data is permanently removed, including quiz attempts, certificates, enrolment records, and email addresses. Active subscriptions are cancelled. Anonymised, aggregate analytics data (with all personal information removed) may be retained.
  • Dormant accounts — free accounts with no activity for 24 months may be anonymised after prior notification by email.

11. Children

Good Practice Hub is designed for adult professionals in health and community services. We do not knowingly collect information from anyone under 16 years of age.

12. Changes to this policy

We may update this privacy policy from time to time. We will notify registered users of material changes via email. The “last updated” date at the top of this page indicates when the policy was last revised.

13. Contact us

If you have questions about this privacy policy or how we handle your data, contact us at:

The Policy Place
Email: hello@policy-place.com
NZ: 0224066554
AU: 1300 328 010