Privacy Policy

1. Data Controller

The data controller responsible for your personal data under the GDPR is:

For the purposes of the New Zealand Privacy Act 2020, the same organisation is an agency in relation to personal information (as defined in that Act) that we collect and hold.

2. New Zealand Privacy Act 2020

Where the Privacy Act 2020 (New Zealand) applies, we handle personal information as an agency under that Act. The Act sets out 13 Information Privacy Principles (IPPs) covering collection limits, purpose, access, correction, accuracy, retention, security, and cross-border disclosure. This Privacy Policy is intended to meet our obligations under the IPPs. Plain-language guidance is available from the Office of the Privacy Commissioner (Te Mana Mātāpono Matatapu).

2.1 Notifiable privacy breaches

Part 6 of the Privacy Act 2020 establishes a notifiable privacy breach regime. If we become aware of a privacy breach that has caused, or is likely to cause, serious harm to an affected individual, we will assess the breach without undue delay, notify the Privacy Commissioner where notification is required, and notify affected individuals in accordance with the Act, unless a statutory exception applies.

2.2 Unsolicited electronic messages (New Zealand)

We do not use contact form information to send unsolicited commercial electronic messages. Any future marketing communications would only be sent with your express consent and in compliance with the Unsolicited Electronic Messages Act 2007.

3. Data We Collect

We collect only the minimum personal data necessary for the purposes described in this policy. The categories of data we may collect include:

3.1 Data You Provide Directly

• Contact form submissions: name, email address, and message content when you contact us via the contact form.
• GDPR consent: a record of your consent to the processing of your submitted data.

3.2 Data Collected Automatically

• Technical data: IP address, browser type, device type, operating system, referring URL, and pages visited — which may be collected via server logs or similar infrastructure when you access the site. We do not currently use third-party analytics platforms on this website.
• Cookie data: consent preferences and session identifiers stored via cookies and localStorage. See our Cookie Policy for full details.

3.3 Data We Do Not Collect

We do not collect sensitive personal data (such as data about ethnicity, religion, or biometric data), financial information, or precise geolocation data. We do not use automated decision-making or profiling processes that produce significant legal effects.

4. Purpose and Legal Basis

We process personal data only for specific, legitimate purposes and on a valid legal basis under GDPR Article 6:

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Contact form data: retained for up to 12 months from the date of submission, then securely deleted.
• Analytics data: anonymised data may be retained for up to 26 months for statistical purposes.
• Cookie consent records: retained for 12 months or until you withdraw consent.
• Server logs: retained for up to 90 days for security and diagnostic purposes.

After the retention period, data is permanently and securely deleted or anonymised so that it can no longer be linked to any individual.

6. Data Sharing

We do not sell, rent, or trade your personal data. We may share data in the following limited circumstances:

• Service providers: third-party processors who assist with hosting, analytics, or email delivery, bound by data processing agreements and GDPR-compliant safeguards.
• Legal obligations: where required by applicable law, regulation, or a court order.
• Business transfers: in the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to equivalent data protection commitments.

Where data is transferred outside the European Economic Area or New Zealand, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or equivalent mechanisms recognised under applicable law. Disclosures to overseas processors are also assessed against IPP 12 of the Privacy Act 2020 (disclosure outside New Zealand).

7. Your Rights

Under the GDPR (where it applies) and the New Zealand Privacy Act 2020 (where it applies), you have the following rights with respect to your personal data or personal information:

• Right of access: you may request a copy of the personal data we hold about you. In New Zealand this aligns with IPP 6 (access to personal information).
• Right to rectification / correction: you may request correction of inaccurate or incomplete data. In New Zealand this aligns with IPP 7 (correction of personal information).
• Right to erasure: you may request deletion of your personal data where there is no compelling reason to continue processing it.
• Right to restrict processing: you may request that we limit how we use your data in certain circumstances.
• Right to data portability: where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format.
• Right to object: you may object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at infocenter@organzoenew.world. We aim to respond within 30 calendar days. Where the Privacy Act 2020 alone applies, we will respond as soon as reasonably practicable in line with that Act and guidance from the Office of the Privacy Commissioner. You may also lodge a complaint with the Office of the Privacy Commissioner (privacy.org.nz). If you are in the European Economic Area, you may lodge a complaint with your local supervisory authority.

8. Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• HTTPS encryption for all data transmitted between your browser and our server.
• Access controls limiting data access to authorised personnel only.
• Regular review of data handling practices and third-party processors.
• No storage of unnecessary personal data.

While we take reasonable precautions, no internet transmission is entirely secure. We encourage you to exercise caution when sharing personal information online.

8.1 Privacy breach response

We maintain internal procedures to detect, assess, and respond to unauthorised access or disclosure of personal information. Where a notifiable privacy breach arises under New Zealand law, we follow Part 6 of the Privacy Act 2020 (including notification to the Privacy Commissioner and affected individuals when required).

9. Cookies

Our website uses cookies and similar technologies. Strictly necessary cookies are used without prior consent; all other cookie categories require your explicit consent, which you can manage via the cookie consent banner or our Cookie Policy. You may withdraw or adjust cookie consent at any time.

10. Children's Privacy

Our website is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it. If you are under 16 and located in New Zealand, please involve a parent or guardian before contacting us.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational procedures. The "Last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically. Continued use of the website after a policy update constitutes acceptance of the revised terms.

12. Contact

For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact us: