Scope & acceptance
This Privacy Policy explains how Cyberage NZ (trading name of [Legal company name], “we”, “our”, “us”) collects, uses, stores and discloses personal information in the course of providing IT services, websites, apps, cloud and support services. By using our website or services, or by giving us personal information, you agree to the practices described in this policy in addition to any specific terms you sign with us. This policy is prepared to meet the requirements of the Privacy Act 2020. (legislation.govt.nz)
1. Key principles we follow
We handle personal information in accordance with the Information Privacy Principles (IPPs) under the Privacy Act 2020 — including requirements on collection, purpose, accuracy, storage, access/correction, and overseas disclosure. If you want a short guide to the IPPs, the Office of the Privacy Commissioner provides practical guidance. (privacy.org.nz)
2. What personal information we collect
Depending on the service or interaction, we may collect:
-
Contact & identity: name, business name, postal & email addresses, phone numbers, company registration/GST/IRD where required for billing.
-
Account & authentication: usernames, hashed passwords, two-factor details, login timestamps.
-
Payment & billing: invoicing details, purchase history (we do not store raw card numbers — payments are processed by our payment provider).
-
Service data & support: IP addresses, device/browser details, error logs, crash reports, server/app logs, and support ticket content.
-
Analytics & usage: anonymised or pseudonymised usage metrics via analytics tools.
-
Third-party data: information you give us about your customers (when we provide services on your behalf).
-
Other: any additional information you provide (e.g., CVs for job applications, background-check IDs where required).
We only collect information necessary for a lawful purpose connected to our services. (privacy.org.nz)
3. How and why we use personal information (purpose & lawful basis)
We use personal information to:
-
Provide, operate and maintain our services (hosting, backups, support).
-
Communicate about accounts, invoices, service updates, maintenance windows and security incidents.
-
Process payments and invoices.
-
Improve products and services using aggregated analytics.
-
Support and troubleshoot customer environments (including access to logs and backups where authorised).
-
Meet legal, regulatory or contractual obligations.
Where required by the Privacy Act we will rely on lawful purposes such as legitimate interest, contract performance or your consent for specific processing (for example marketing). We will tell you what basis applies where relevant. (privacy.org.nz)
4. Cookies & tracking technologies
Our website uses cookies and similar technologies for essential functionality, analytics and (where permitted) marketing. You can accept, reject or manage non-essential cookies through our cookie controls. See our Cookie Policy for details about categories, duration and how to opt out.
5. Disclosure to third parties & overseas transfers
We may disclose personal information to:
-
Service providers and subprocessors (cloud platforms, hosting providers, payment processors, analytics, email delivery, support ticket systems).
-
Professional advisers (lawyers, auditors) where needed.
-
Law enforcement, regulators or courts when required by law.
International transfers: The Privacy Act 2020 restricts transfers of personal information outside New Zealand (Information Privacy Principle 12). Before sending personal information overseas we will take steps to ensure the overseas recipient provides comparable safeguards — for example by using model contractual clauses, ensuring the recipient is subject to a comparable privacy law, or obtaining consent where appropriate. We maintain a list of major subprocessors and their locations which we can provide on request. (privacy.org.nz)
6. Security & retention
We use administrative, technical and physical safeguards appropriate to the sensitivity of the information (access controls, encryption in transit and at rest where practical, secure backups, role-based access). IPP 5 requires reasonable safeguards and sets obligations for breach handling; we follow the Office of the Privacy Commissioner’s guidance on security and notification. (privacy.org.nz)
We retain personal information only for as long as necessary to fulfil the purpose it was collected for, meet legal obligations (e.g., tax records), or as otherwise agreed in your contract. Retention periods differ by data type (invoices, logs, backups, support tickets) — contact us for specifics.
7. Data breaches & notification
If there is a notifiable privacy breach (a breach that causes, or is likely to cause, serious harm), we will follow the Privacy Act 2020 obligations to notify the Office of the Privacy Commissioner and affected individuals as soon as practicable. Our incident response plan documents timelines and responsibilities for investigating, containing and reporting breaches. (privacy.org.nz)
8. Your rights and how to exercise them
Under the Privacy Act you have the right to:
-
Request access to the personal information we hold about you.
-
Ask for correction of inaccurate information.
-
Request deletion (subject to our legal and contractual obligations).
-
Ask for information about disclosures (including overseas disclosures).
-
Lodge a complaint with us or directly with the Office of the Privacy Commissioner.
To make a request, contact us (details below). We will respond within the timeframes required by law and may ask for proof of identity to protect privacy. (privacy.org.nz)
9. Children & sensitive information
We do not knowingly collect personal information from children under 16 for marketing purposes. We will only collect sensitive personal information (e.g., health information) where strictly necessary and with explicit consent or lawful justification; such collection will be clearly explained at the point of collection.
10. Service provisioning, development & test environments
When we access or process customer data as part of delivering services (e.g., hosting customer databases, support access, backups), we:
-
Only use data for the agreed purpose.
-
Segregate production and test data; where test or development copies are used we will either anonymise or obtain contractual assurances if real data is required.
-
Require subprocessors to protect data to standards equivalent to ours (contracts, SOC/ISO certifications where available).
11. Links to other sites
Our website may link to third-party sites. This policy only applies to information collected by Cyberage NZ. Where you follow links to other sites you should read their privacy policies.
12. Changes to this policy
We may update this Privacy Policy from time to time (for example to reflect new services, legal changes or subprocessors). We will place the updated policy on our website with a revised “Last updated” date and, where appropriate, notify customers directly.
13. Contact & complaints
If you have questions, want to request access/correction, or want to make a privacy complaint, contact:
Cyberage NZ
Email: info@cyberage.co.nz
Phone: +64 210 825 5262
Address:
If you remain unsatisfied you can contact the Office of the Privacy Commissioner: https://www.privacy.org.nz. (privacy.org.nz)
14. Definitions
-
Personal information — information about an identifiable individual (name, contact details, IP address etc.).
-
Agency — as defined in the Privacy Act (includes businesses and organisations).
-
Subprocessor / service provider — third party engaged to perform services on our behalf.
Notes & compliance sources
This policy is a template tailored for IT service providers operating in New Zealand and references the Privacy Act 2020 and the Office of the Privacy Commissioner’s guidance on the privacy principles, transparency, storage & security, and cross-border disclosure. It is not legal advice — for binding legal guidance please consult a New Zealand lawyer. (legislation.govt.nz)