Privacy policy.

Last updated: June 2026. This is a draft pending legal review — please contact [email protected] for questions about a specific clause.

1. Who we are

Health Economics Consulting NZ Ltd ("HEC", "we", "us") is a New Zealand company based in Auckland. We provide health economics consulting and operate HEX Platform™, a proprietary modelling environment used during client engagements.

2. Scope of this policy

This policy covers personal data we process on the public website at hec.nz and through HEX Platform. Client modelling data (parameters, sources, simulation results) is governed separately by the engagement agreement and any associated data-processing agreement.

3. What we collect

  • Newsletter signups — email address, confirmation status, timestamp, source page.
  • Contact form submissions — name, email, company (optional), message, timestamp, source page.
  • Strategy-call bookings — name, email and meeting metadata via our calendar provider (cal.com). Their privacy policy applies to the booking flow.
  • Analytics — when you consent, Google Analytics 4 receives page-view events with an anonymised IP, device class, referrer, and a randomised client identifier. We do not collect demographics or interest data.
  • Application use — within HEX Platform, your account email, role assignments, audit-trail attributions on parameter changes and simulation runs.

4. Why we collect it

To respond to enquiries and book calls (contractual / pre-contractual basis), to send the newsletter (consent basis), to operate HEX Platform during an engagement (contract performance), and to understand how the public site is used (legitimate interest, gated by consent for analytics).

5. Cookies and analytics consent

We use a single cookie ("hec-cookie-consent") to remember your analytics consent choice. Until you accept, Google Analytics 4 runs in the Consent Mode v2 denied state — no cookies are set and no identifiers are stored. If you accept, GA4 is loaded and uses standard cookies (_ga, _ga_*) for the lifetime configured by Google (typically 24 months).

You can change your choice at any time by clearing your browser's localStorage for this site, which re-shows the consent banner.

6. Sub-processors

We use vetted sub-processors for hosting, transactional email, analytics, calendar booking, and operational tooling. The current list is available on request. We use providers with appropriate data-protection commitments and we do not transfer personal data to third parties for marketing or advertising.

7. Retention

  • Newsletter subscribers — until unsubscribed; unsubscribe is recorded so we do not contact you again.
  • Contact-form messages — three years from the last meaningful interaction, unless an engagement starts (in which case the engagement record retention applies).
  • Analytics — Google Analytics default (currently 14 months).
  • HEX Platform audit-trail data — for the duration of the engagement plus seven years, to support reproducibility of HTA submissions.

8. Your rights

Under the NZ Privacy Act 2020 you have rights of access, correction, and complaint. Under the GDPR (if applicable to you) you additionally have rights of erasure, portability, restriction, and objection. To exercise any right, email [email protected]. We acknowledge requests within two working days and provide a substantive response within thirty days.

9. Security

For technical and organisational measures, see our Security & Compliance page. We will notify affected individuals of any personal-data breach in line with the NZ Privacy Commissioner's requirements (and the GDPR's 72-hour notification rule where applicable).

10. Changes

We will update this policy when our practice changes. The "last updated" date at the top reflects the most recent revision. Material changes affecting active engagements will be notified to the client contact directly.