Privacy Policy

Last updated:

1. Data Controller and Agency

The agency responsible for your personal information under the Privacy Act 2020 (New Zealand) is:

Refreshbright
State Highway 6, Punakaiki 7871, New Zealand
Email: managers@refreshbright.world
Phone: +64 21 709 383

2. Scope

This Privacy Policy applies to all personal information collected through the website refreshbright.world and related communication channels operated by Refreshbright.

We are an agency under the Privacy Act 2020 (New Zealand). This policy is designed to meet our obligations under the Act's Information Privacy Principles (IPPs), including collection notice (IPPs 3 and 3A), storage and security (IPP 5), access and correction (IPPs 6 and 7), retention limits (IPP 9), and disclosure outside New Zealand (IPP 12). For visitors from the European Economic Area, we also comply with the General Data Protection Regulation (GDPR) where applicable.

3. Data We Collect

3.1 Information You Provide

When you contact us through the contact form, we collect:

• Your name
• Your email address
• The content of your message
• Your consent to data processing

3.2 Automatically Collected Data

When you visit our website, we may automatically collect:

• IP address (anonymized where possible)
• Browser type and version
• Operating system
• Referring URL
• Pages visited and time spent
• Date and time of access

4. Collection Notice (IPPs 3 and 3A)

When we collect personal information directly from you (for example, through the contact form), we tell you at or before the time of collection:

• That the information is being collected
• The purpose of collection (responding to your inquiry and related communication)
• Who will receive the information (our staff and necessary service providers)
• That providing the information is voluntary, and that we cannot respond without it
• Your rights of access and correction under the Privacy Act 2020

Where we collect personal information indirectly (for example, through server logs or analytics tools), we take reasonable steps under IPP 3A to ensure you are aware of the matters above, including through this Privacy Policy and our Cookie Policy.

5. Purposes of Processing

We process your personal data for the following purposes:

• Responding to your inquiries and communication requests
• Providing educational information about our content
• Improving website functionality and user experience
• Analyzing website usage patterns (with your consent)
• Complying with legal obligations

6. Legal Basis for Processing

6.1 New Zealand (Privacy Act 2020)

We collect and use personal information only where we have a lawful purpose connected with our functions or activities (IPP 1), and we do not use information for unrelated purposes (IPP 10). Our main lawful purposes are responding to inquiries, operating and securing the website, and — with your consent — analytics and marketing measurement.

When you use the contact form, providing your name, email, and message is voluntary. If you choose not to provide this information, we cannot respond to your inquiry but you may still browse the website.

6.2 European Economic Area (GDPR)

Where GDPR applies, we rely on the following legal bases:

• Consent: When you submit the contact form or accept analytics/marketing cookies
• Legitimate interest: For website security, fraud prevention, and strictly necessary site operation
• Contractual necessity: When processing is required to respond to your requests
• Legal obligation: When required by applicable law

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

• Contact form submissions: up to 24 months after the last communication
• Cookie consent records: up to 12 months
• Server logs: up to 90 days
• Analytics data: up to 26 months (with consent)

After the retention period, data is securely deleted or anonymized.

8. Data Sharing

We do not sell your personal data. We may share data with:

• Service providers who assist in website hosting and email delivery, bound by data processing agreements
• Analytics providers (only with your explicit consent)
• Legal authorities when required by law

9. Disclosure Outside New Zealand

Some service providers we use (such as website hosting, email delivery, analytics, or content delivery networks) may store or process personal information outside New Zealand. Before disclosing personal information overseas, we take reasonable steps to ensure the recipient is subject to privacy safeguards comparable to those under the Privacy Act 2020, as required by IPP 12. This may include contractual protections with our providers.

If personal data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or adequacy decisions.

10. Notifiable Privacy Breaches

Under the Privacy Act 2020, if a privacy breach has caused or is likely to cause serious harm, we are required to notify the Office of the Privacy Commissioner and affected individuals as soon as practicable. We maintain internal procedures to identify, assess, and respond to suspected breaches, including steps to contain harm and prevent recurrence.

If you believe your personal information held by us has been accessed or disclosed without authorisation, please contact us immediately using the details in Section 1.

11. Your Rights

11.1 Rights under the Privacy Act 2020 (New Zealand)

You have the right to:

• Access personal information we hold about you (IPP 6)
• Request correction of inaccurate, incomplete, or misleading information (IPP 7)
• Withdraw consent for optional processing such as analytics or marketing cookies, without affecting prior lawful processing
• Complain to the Office of the Privacy Commissioner if you believe we have interfered with your privacy

We will respond to access and correction requests within 20 working days, as required under the Privacy Act 2020, unless an extension applies. There is no fee for a standard request, though we may charge a reasonable cost for complex or repeated requests as permitted by law.

To make a complaint to the Privacy Commissioner, visit privacy.org.nz or call 0800 803 909 (New Zealand).

11.2 Additional rights under GDPR (EEA visitors)

Where GDPR applies, you also have the right to:

• Request erasure of your data ("right to be forgotten")
• Restrict processing of your data
• Data portability
• Object to processing based on legitimate interests
• Lodge a complaint with an EU supervisory authority

To exercise any of these rights, contact us at managers@refreshbright.world. GDPR requests will be responded to within 30 days.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• HTTPS encryption for all data transmission
• Access controls limiting data access to authorized personnel
• Regular security assessments of our systems
• Secure storage with encryption at rest where applicable

13. Children

Our website is not directed at individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately so we can delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Where changes materially affect how we handle your personal information, we will take reasonable steps to draw your attention to the update.

15. Contact

For privacy-related inquiries, contact our data controller:

Refreshbright
State Highway 6, Punakaiki 7871, New Zealand
Email: managers@refreshbright.world
Phone: +64 21 709 383