Effect is committed to protecting your privacy. When you give us Personal Information, we only use it for the purpose for which it was collected, and we treat it according to the Privacy Policy laid out below.

This Privacy Policy explains how we collect, use, protect, and handle Personal Information in accordance with the New Zealand Privacy Act 2020 and its 13 Information Privacy Principles.

Scope and Application

This Privacy Policy applies to:

  • Information collected through our website: effect - crafting technology that matters

  • Information we process in providing services to our clients

  • Information we handle as a Service Provider for websites we host on behalf of clients.

This policy distinguishes between:

  • Direct collection: Information we collect for our own business purposes

  • Service Provider role: Information we process on behalf of clients whose websites we host.

Definitions

Personal Information: Information about an identifiable individual, including but not limited to name, email address, phone number, occupation, IP address when linked to other identifiers, and any other information that can identify a person.

Data Controller: The entity that determines how and why Personal Information is processed (usually our clients for hosted websites).

Service Provider: Our role when hosting and maintaining websites for clients.

Information we Collect Directly

Activity History

We collect server logs including:

  • Timestamps and pages visited

  • IP addresses and browser information

  • Download activity

  • Session duration.

This data helps us improve website performance and security. While not personally identifiable alone, it may be linked to Personal Information if you complete a form on our website.

Contact Forms and Enquiries

When you contact us or subscribe to content, we collect:

  • Contact details (name, email, phone)

  • Organisation and role

  • Enquiry content

  • Marketing preferences

  • Country of residence

Cookies and Tracking Technologies

We use the following categories of cookies:

  • Essential: Required for website functionality

  • Functional: Remember your preferences

  • Analytics: Understand site usage (Google Analytics, Crazy Egg)

You can manage cookie preferences through your browser settings. Disabling essential cookies may limit website functionality, but normal website functionality will be unaffected by rejecting non-essential cookies.

Legal Basis for Processing

We process Personal Information based on:

  • Consent: For marketing communications and optional services

  • Contract performance: To deliver requested services

  • Legal obligations: To comply with NZ law, tax requirements, and government contracts

  • Legitimate interests: For security, fraud prevention, and service improvement.

Use of Personal Information

We use Personal Information to:

  • Respond to enquiries and provide customer support

  • Deliver contracted services and products

  • Send requested information and relevant updates

  • Provide marketing communications (with consent)

  • Determine if you have other needs we can respond to

  • Maintain security and prevent fraud

  • Comply with legal obligations

  • Improve our services.

Information Retention

We retain Personal Information for specified periods:

  • Contact form enquiries: 12 months from last interaction

  • Client records: 7 years after contract ends

  • Server logs: 12 months

  • Financial records: 7 years (per tax requirements)

  • Marketing contacts: Until consent withdrawn

  • Government project data: As specified in contracts

Information is securely deleted after retention periods expire unless legal obligations require longer retention.

Information Sharing and Disclosure

We do not sell or rent Personal Information. We only share it with:

Service Providers

  • Trusted third parties bound by confidentiality agreements:

  • Microsoft Azure (hosting infrastructure)

  • Umbraco Cloud (infrastructure)

  • Amazon Web Services (additional hosting)

  • Google Analytics (anonymised analytics)

  • Atlassian - Jira (customer support)

  • Accounting and legal advisors.

Legal Requirements

When required by law, court order, or to:

  • Protect rights, property, or safety

  • Investigate suspected fraud or security issues

  • Respond to government requests.

With Consent

Other parties where you have explicitly consented, including information you choose to publish on our website or community forums.

Privacy for Client Hosted Websites

Our Role and Responsibilities

When hosting client websites:

  • Effect acts as a Service Provider, not the Data Controller

  • Clients remain responsible for their privacy policy and compliance

  • We process data only according to client instructions and agreements

  • We implement appropriate technical and security measures.

Client Obligations

Clients must:

  • Maintain their own privacy policy

  • Obtain necessary consents from their users

  • Comply with applicable privacy laws

  • Notify us of any specific compliance requirements

  • Report suspected breaches immediately.

Subprocessors

We use the following subprocessors for hosting services:

  • Microsoft Azure (infrastructure)

  • Umbraco Cloud (infrastructure)

  • Amazon Web Services (infrastructure)

  • Raygun (Error logs)

  • Google Analytics

  • Mandril (Email SMTP)

We notify clients of subprocessor changes with 30 days notice.

Data Location and Sovereignty

Default hosting: Sydney, Australia (Azure Australia East)
Backup location: Melbourne, Australia (Azure Australia South East)
NZ-only option: Available for sensitive data upon request.

Security Measures

We implement appropriate safeguards including:

  • Encryption in transit and at rest

  • Access controls and authentication

  • Regular security updates and patching

  • Security monitoring and intrusion detection

  • Staff security training and confidentiality agreements

  • Regular security assessments

  • Limited access to Personal Information (only staff who require it).

While we use industry-standard security measures, no transmission or storage method is 100% secure.

Data Breach Response

Our Breach Process

In case of a breach, we will:

  • Contain and assess the breach immediately

  • Determine harm risk within 24 hours

  • Notify affected individuals and the Privacy Commissioner without undue delay (within 72 hours where feasible) if the breach is likely to cause serious harm

  • Document all breaches in our breach register

  • Implement measures to prevent recurrence.

Client Website Breaches

For breaches affecting hosted client websites:

  • Immediate notification to client contact

  • Assistance with breach assessment

  • Coordination of response efforts

  • Provision of necessary logs and evidence

  • Support for client's notification obligations.

Breach Reporting

Report breaches to: security@effect.nz.

International Data Transfers

When data leaves New Zealand:

  • We ensure appropriate safeguards through contractual clauses

  • We assess the privacy laws of receiving countries

  • Government data remains in New Zealand unless explicitly authorized

  • You may request details of specific safeguards.

Children's Privacy

  • We do not knowingly collect information from children under 16

  • Client websites involving children must implement appropriate protections

  • If we discover unauthorised children's data, we delete it immediately.

Your Rights

Under the Privacy Act 2020, you have the right to:

  • Access your Personal Information we hold

  • Correct inaccurate or incomplete information

  • Object to certain processing

  • Withdraw consent for marketing at any time

  • Request deletion where legally permitted

  • Data portability in machine-readable format.

To exercise these rights, contact: privacy@effect.nz
Response timeframe: Within 20 working days.

Automated Decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

Complaints and Disputes

Internal process

  1. Contact our Privacy Officer: privacy@effect.nz

  2. We acknowledge complaints within 2 working days

  3. We investigate and respond within 20 working days

  4. If unresolved, escalation to management team.

External Complaints

You may complain to: Office of the Privacy Commissioner, PO Box 10094, Wellington 6143

Third-party Links

Our website contains links to third-party sites. We are not responsible for their privacy practices. Please review their privacy policies before providing personal information.

Policy Updates

We may update this policy to reflect changes in law or our practices. Material changes will be notified via:

  • Website notice for at least 30 days

  • Email to registered users and clients

  • Direct notification for significant changes affecting government clients.

Contact Information

Privacy Officer: Pete Lister

📧 privacy@effect.nz
📧 General: hello@effect.nz
📍 Level 2, 45 Courtenay Place, Wellington
📞 021 0840 9989

For security incidents: security@effect.nz