Privacy Policy

Last updated: 7 January 2026

Quick Summary

This Service helps you access free mental health and crisis support resources. It is operated by ThroughLine Limited and licensed to a Platform Partner.

To understand usage and improve the Service, we collect minimal Personal Data (IP addresses, device and browser details, city-level location) which is immediately anonymized before storage. We use Cookieless Analytics that do not track individual users.

We recognize that accessing mental health resources is sensitive and apply enhanced protections. External Resources have their own privacy policies.

1. About This Policy

This Privacy Policy explains how data is handled when you use the Service.

• The Service is operated by ThroughLine Limited and licensed to a Platform Partner.
• This policy applies only to data collected by ThroughLine through the Service.
• The Platform Partner may maintain its own privacy policy for its platform.
• Linked External Resources are not governed by this policy.
• We may update this policy from time to time. The most current version will be posted here.

2. What We Collect

Data We Collect (and process before Anonymization)

To operate the Service securely and improve it, we collect the following Personal Data:

• IP addresses (processed for routing and security, then immediately anonymized by removing the most identifying portions)
• Device, operating system and browser details (stored for analytics)
• Location data (city-level, derived from IP address before Anonymization)
• User interactions, pages visited and resources accessed
• Time and date of access

Technical note: Full IP addresses are received and temporarily processed as part of standard internet communication (routing your requests to and from our servers and security filtering). This receipt is unavoidable for service delivery. Before any storage occurs, IP addresses are anonymized by removing the two most significant bytes. This anonymized data cannot identify you personally. No full IP addresses are retained.

Data We Don't Collect

We do not collect or store:

• Your name, email address, phone number, or contact details
• Any user-submitted content or messages
• Registration, account, or login data
• Persistent identifiers or tracking cookies
• Cross-site or cross-session data

3. Legal Basis for Processing

We process limited Personal Data based on our Legitimate Interests, balanced against user privacy rights. The table below details each data element:

Data Element	Purpose	Legal Basis	Duration	Storage Destination
Full IP Address	Service delivery (unavoidable for routing) and city-level location for analytics and content localization	Legitimate Interest	<1 second	Not stored; anonymized immediately
Device Type & OS	Analyze browser compatibility; optimize performance	Legitimate Interest	Stored as anonymized	Matomo, BigQuery, Rollbar
Browser Version	Detect browser-specific bugs and compatibility issues	Legitimate Interest	Stored as anonymized	Matomo, BigQuery, Rollbar
Page/Resource Visited	Understand which resources are most helpful to users	Legitimate Interest	Stored as anonymized	Matomo, BigQuery, Rollbar
Time/Date of Access	Identify usage patterns; detect service anomalies	Legitimate Interest	Stored as anonymized	Matomo, BigQuery, Rollbar, New Relic
City-Level Location	Geographic analytics; understanding access from different regions	Legitimate Interest	Stored as anonymized (derived from truncated IP)	Matomo, BigQuery

Legitimate Interest Justification

We rely on Legitimate Interest for this processing because:

• Processing is necessary to provide the Service to Platform Partners and to you.
• We have implemented strong privacy safeguards (Anonymization, no tracking cookies)
• Users' interests are protected through our privacy controls
• Processing is not used for purposes incompatible with user expectations

4. Data Processors and Third-Party Services

We work with external organizations who process data on our behalf.

Processor	What They Do	What Data They Receive	How Long They Keep It	Security Measures
Cloudflare	Protects against cyber attacks, speeds up content delivery	Your IP address, browser and operating system name/version (temporarily during your visit)	During your request only	TLS encryption in transit; Cloudflare network security architecture
Vercel	Delivers the website content to your browser	Your IP address, browser and operating system name/version (temporarily during your visit)	During your request only	TLS encryption in transit
Matomo	Stores and analyzes anonymous usage patterns to help us improve the service	Your IP address, device, browser and operating system name/version, pages visited. IP address is anonymized before storage and cannot identify you.	2 years	AES encryption at rest; TLS encryption in transit; access controls
Google BigQuery	Stores long-term analytics for trend analysis	Fully anonymized data only (no individual user information)	2 years	Google-managed AES encryption; TLS encryption in transit; access controls
Rollbar	Monitors the Service for errors so we can find and fix bugs as soon as they occur.	Your IP address, device, browser and operating system name/version, pages visited. IP address is not stored.	7 days	AES encryption at rest; TLS encryption in transit; access controls
New Relic	Monitors the Service performance so we can improve the experience in places that need it most.	Your IP address, browser and operating system name/version (temporarily during your visit)	During your request only	TLS encryption in transit

All processors have Data Processing Agreements in place confirming they protect your data with encryption and access controls.

5. How We Use Personal Data

We use anonymized Personal Data to:

• Understand user interactions with the Service
• Improve functionality, reliability, speed, and usability
• Identify the most accessed resources
• Share aggregated, non-identifiable insights with Platform Partners

We do not:

• Build user profiles from usage data
• Track users across sessions or websites
• Combine data in ways that could identify individuals
• Sell Personal Data to third parties

Data is retained only as long as necessary for these limited purposes.

6. Security Measures

We implement industry-standard security measures designed to protect Personal Data throughout its lifecycle:

• Anonymization of IP addresses before storage
• Encryption in transit: TLS
• Encryption at rest: AES (Matomo, BigQuery, Rollbar)
• Limitations on who can access data
• Use of privacy-vetted service providers
• Access controls and staff training

7. External Resources

The Service links to helplines, mental health services, and other third-party support resources. These are not operated or controlled by ThroughLine or the Platform Partner.

• Each service has its own privacy policy
• They may collect Personal Data when you contact them
• Review their privacy policies before sharing any Personal Data

8. Your Privacy Rights

Data Anonymization as privacy protection

We minimize the Personal Data we collect and anonymize it immediately (within the same request). Once anonymized, your data cannot be identified as belonging to you or linked back to your device.

Your rights regarding Personal Data

Since Personal Data is stored in anonymized form with no way to isolate individual users, standard data access and deletion rights do not apply. Your privacy is protected through the Anonymization process itself and our technical architecture, which prevents re-identification.

Your right to object

You may object to our collection and processing of data. To do so, contact us at [email protected]. You may also contact your local data protection authority.

Your rights regarding data processors

We use external service providers (Cloudflare, Vercel, Matomo, Google BigQuery, Rollbar, New Relic) to process data. You have the right to:

• Know who these service providers are (see Section 4: Data Processors)
• Understand how your data is protected (see Section 6: Security Measures)
• Request information about how your data is handled

9. Legal Information and Contact

Governing Law: This Privacy Policy is governed by New Zealand law.

Compliance: ThroughLine complies with the New Zealand Privacy Act 2020, the EU General Data Protection Regulation (GDPR), and other applicable international privacy standards.

Contact us: [email protected]

10. Definitions

Anonymization means processing Personal Data so it cannot be attributed to a specific individual without additional information, which we do not possess or maintain.

Cookieless Analytics means a privacy-focused method for measuring usage patterns without tracking cookies, persistent identifiers, or cross-site tracking.

Data Processing Agreement means a contract between ThroughLine and external service providers (data processors) that confirms they will process Personal Data only according to our instructions, maintain appropriate security measures, and comply with applicable privacy laws.

External Resources means third-party helplines or mental health services linked from the Service but not operated by ThroughLine or the Platform Partner.

Legitimate Interest means a legal basis under privacy laws for processing Personal Data when necessary to operate the Service, balanced against privacy rights and subject to strong privacy safeguards.

Personal Data means any information relating to an identified or identifiable natural person. This includes direct identifiers (names, email addresses, full IP addresses) and quasi-identifiers (when combined, device type, browser, location data, pages visited, and time of access can create a unique fingerprint that could reasonably identify an individual). We apply a conservative approach: if information could potentially identify someone when combined with other data sources, we treat it as Personal Data.

Platform Partner means the organization licensed to offer the Service to its users.

Service means the mental health resource directory and support tool developed and owned by ThroughLine Limited.

ThroughLine Limited means a New Zealand-based company that develops and licenses technologies that connect people with mental health and crisis support services.