Privacy Policy
Last updated: 28 May 2026
Contents
- 1. Who This Applies To
- 2. Information We Collect
- 3. How We Use Your Information
- 4. Legal Bases (GDPR)
- 5. Who We Share It With
- 6. Cookies & Local Storage
- 7. Data Retention
- 8. Health & Biometric Information
- 9. Children & Young People
- 10. International Transfers
- 11. Your Rights
- 12. How to Exercise Your Rights
- 13. Changes to This Policy
- 14. Contact & Complaints
RXHAL ("we", "us", "our") is operated by Harsimran Rehal, a sole trader based in Auckland, New Zealand. This Privacy Policy explains how we collect, use, share, and protect your personal information across all RXHAL products and services — including the RXHAL website, the RXHAL mobile app, and the RxBiology, RxDevelopment, RxEducation, RxSupplements, and RxClothing verticals.
We process personal information in accordance with the New Zealand Privacy Act 2020. Where applicable, we also comply with the General Data Protection Regulation (GDPR) for European Union and EEA residents, and the California Consumer Privacy Act (CCPA) for California residents.
1. Who This Applies To
This policy applies to everyone who uses RXHAL — visitors to our website, account holders, members of any vertical, RxDevelopment clients, and users of the RXHAL mobile app. It covers personal information we collect directly from you, automatically through your use of our services, and from the third-party providers that help us run RXHAL.
2. Information We Collect
Information you give us
Account details (name, email address, password), billing information, intake-form responses, messages you send us, and any content you submit as part of a coaching protocol or development project.
Health & biometric information
If you participate in an RxBiology protocol or coaching program, you may provide health-related information such as training data, check-in responses, body measurements, sleep and recovery markers, and similar wellbeing data. We treat this as sensitive information (see Section 8).
Payment information
Payments are processed securely through Stripe. RXHAL does not store your full card details — Stripe handles them under its own terms and privacy policy.
Information collected automatically
Basic usage and device information (such as IP address, browser type, and pages visited) collected through our hosting and security provider for the purpose of running, securing, and improving the service. We do not use advertising or cross-site tracking cookies.
3. How We Use Your Information
We use your information to: create and manage your account; deliver the products and services you purchase; generate and refine your coaching protocols or development deliverables; process payments and manage subscriptions; send you service-related and transactional emails; respond to your enquiries; meet our legal and regulatory obligations; and keep RXHAL secure and functioning.
We do not sell your personal information, and we do not use it for third-party advertising.
4. Legal Bases (GDPR)
Where the GDPR applies, we rely on the following legal bases: performance of a contract (to deliver the services you sign up for); consent (for health and biometric information, which you provide voluntarily); legitimate interests (to secure, maintain, and improve our services); and legal obligation (to comply with applicable law). You may withdraw consent at any time (see Section 11).
5. Who We Share It With
We do not sell your data. We share it only with the trusted service providers ("sub-processors") that we use to operate RXHAL, each bound by their own data-protection terms and used only to deliver the service:
- Supabase — database, authentication, and file storage.
- Stripe — payment processing and subscription management.
- Resend — transactional and service-related email delivery.
- Cloudflare — website hosting, content delivery, and security.
We may also disclose information where required by law, to protect our legal rights, or in connection with a business transfer. We will never share your health information for marketing purposes.
6. Cookies & Local Storage
We use only essential cookies and browser local storage — primarily to keep you signed in (authentication session tokens) and to provide core security. We do not use advertising, analytics-profiling, or cross-site tracking cookies. You can clear this data at any time through your browser settings, though doing so will sign you out.
7. Data Retention
We keep your personal information for as long as your account is active and for as long as needed to provide the service. After you close your account, we delete or anonymise your information unless we are required to retain it to meet legal, accounting, or regulatory obligations. Health-related records may be retained for longer where the law requires (see Section 8).
8. Health & Biometric Information
Where you have provided health or biometric information as part of an RxBiology protocol or coaching program, that information is handled in accordance with the Health Information Privacy Code 2020 (NZ). Retention periods for health-related records may extend beyond the duration of your membership to satisfy our obligations under applicable law. We will inform you of the applicable retention period upon request. This information is never shared for marketing and is accessible only to the people who need it to deliver your protocol.
9. Children & Young People
Some RXHAL coaching services (such as youth combat and self-defence programs) may involve participants under the age of 18. Where a service is provided to a minor, we require a parent or legal guardian to set up and manage the account and to provide consent for the collection and use of the young person's information. We do not knowingly collect personal information directly from children without appropriate guardian consent. If you believe a child has provided us information without consent, contact us and we will delete it.
10. International Transfers
RXHAL relies on service providers that may store and process data outside New Zealand (for example, our database is hosted in the Asia-Pacific region, and payment and email providers operate from the United States). Where personal information is transferred overseas, we take reasonable steps to ensure it receives a comparable level of protection to that required under the New Zealand Privacy Act 2020 and, where applicable, the GDPR.
11. Your Rights
Depending on where you live, you have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate or incomplete information.
- Request deletion of your information, subject to our legal retention obligations.
- Request a portable copy of information you provided to us.
- Withdraw consent where we rely on it (for example, for health information).
- Object to or restrict certain processing.
- Lodge a complaint with your relevant privacy authority.
12. How to Exercise Your Rights
To make a data access, correction, or deletion request, contact us at harsimran@rxhal.com with the subject line PRIVACY REQUEST. We will acknowledge your request within 5 business days and respond substantively within 30 days. No fee will be charged for reasonable requests.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you. Your continued use of RXHAL after a change takes effect constitutes acceptance of the updated policy.
14. Contact & Complaints
For any privacy question or request, contact harsimran@rxhal.com.
If you are a New Zealand resident and believe we have not handled your personal information in accordance with the Privacy Act 2020, you may contact the Office of the Privacy Commissioner at privacy.org.nz. EU residents may contact their local data protection authority.