Privacy Policy

Revision History

 

Version Date Author Description of changes
1.0 25 Nov 2023 COO None
1.1 28 Sept 2024 COO Add Data Subject Definition, Expand Scope, Expand 3.1   on the collection of Personal Information, Expand 3.5 “use and Disclosure”, Add Section 3.6 “Rights of data Subjects”, Expand Section 4 to include “immutable blockchain”, Expand Section 5 to include provision for storage outside New Zealand and authority to use Gmail data.

 

Supporting Documentation / References

The following documents are related to this policy:

  • Privacy Breach Policy
  • Privacy Impact Assessment
  • Information Management Retention Policy and Disposal Schedule
  • Privacy Act Access and Correction Request Process
  • Privacy Complaints Process
  • Third Party Assessment

 

 

DEFINITIONS

‘TradeWindow’ or ‘we’ refers to Trade Window Limited, its subsidiaries and affiliates

‘TradeWindow Users’ are Directors, employees and contractors of TradeWindow, as well as any third parties who process personal information on behalf of TradeWindow. This also includes any agents, representatives, or external service providers acting on behalf of TradeWindow.

Data Subject’ refers to the individual to whom the personal information relates. It includes customers, employees, contractors, and other individuals whose data is processed by TradeWindow.

‘Information Privacy Principles’ are the privacy principles, rules and guidelines TradeWindow adheres to when processing personal information.

‘OPC’ Office of the Privacy Commissioner.

‘Privacy Act’ refers to the Privacy Act 2020 effective from 1 December 2020.

‘Personal Information’ is any information which tells us something about a specific individual. The information does not need to name the individual, as long as they are identifiable in other ways, like through their home address.

‘Privacy Breach’ is an event where personal information is either inappropriately: disclosed, altered, lost, or accessed. Loss includes either the destruction of information or the temporary inability to access information.

TradeWindow’s Privacy Officer’ is the person responsible for all privacy related matters across TradeWindow on behalf of the leadership team, monitoring compliance, acting as the contact for the Office of the Privacy Commissioner for breach notification, complaints and other enquiries and to ensure TradeWindow complies with the provisions of the Privacy Act.

 

1. PURPOSE

Trade Window Limited (“TradeWindow”) considers the protection of privacy to be of utmost importance and this Privacy Policy (“Policy”) is an essential part of ensuring TradeWindow promote an individual’s confidence that their personal information is protected and will be treated properly. Managing personal information is important to TradeWindow in building trust and confidence with individuals while also maintaining compliance with the requirements of the Privacy Act.

The purpose of this policy is to provide a privacy framework, including how TradeWindow will collect, store, use, disclose and dispose of personal information (the “Information Privacy Principles”).

 

2. SCOPE

TradeWindow complies with the New Zealand Privacy Act 2020 and any other privacy and data protection laws where applicable.

This policy applies to all Directors, employees and contractors of TradeWindow, as well as any third parties who process personal information on behalf of TradeWindow (collectively known as “TradeWindow Users”).

This policy covers all personal information regardless of whether it relates to:

  • Customers
  • Employees
  • Contractors
  • Members of the public

This Privacy Policy also applies to personal information provided to TradeWindow through various pathways, including our website, mobile applications, and other TradeWindow systems.

 

3. INFORMATION PRIVACY PRINCIPLES

3.1                Collecting Personal Information

We will only collect the minimum amount of personal information necessary for our intended business purposes. We will not collect information where it is not necessary.

We will endeavour to collect personal information:

  • Directly from the individual it is about
  • In a way that is fair in the circumstances
  • In a way that does not intrude to an unreasonable extent on the personal affairs of the individual whose information is being collected.

We will take reasonable steps to inform individuals about what information we are collecting, why and key details about how we will treat it (in the form of a “Privacy Notice”) prior to collection. The privacy notice will include the consequence for not providing the personal information and information about the individual’s rights to access and correct personal information.

We collect personal information for a variety of purposes necessary for our business operations, including but not limited to:

  • Processing transactions and providing our services to you;
  • Managing and maintaining customer relationships;
  • Responding to your inquiries and requests;
  • Ensuring compliance with legal obligations, including reporting to regulatory authorities where necessary;
  • Enhancing and improving our services through customer feedback and usage data;
  • Managing employment and contractor relationships; and
  • Ensuring the security of our services and preventing unauthorised access or data breaches.

 

3.2                Storage and Retention of Personal Information

TradeWindow’s users must take all reasonable steps to protect personal information from loss, unauthorised access, disclosure, or misuse.

We will not store personal information for longer than is necessary for a lawful or business purpose and will dispose of it when it is no longer needed. Information should be maintained consistently in accordance with our Information Management Retention Policy and Disposal Schedule.

 

3.3                Access to Personal Information

Individuals have the right to access information about themselves. A request can come from a customer, an employee, or any other individual. They do not need to cite the Privacy Act for it to be an appropriate request. Any request for personal information must be notified to TradeWindow’s Privacy Officer as soon as it is received. TradeWindow’s Privacy Officer can guide the request and advise you on appropriate withholding grounds if they apply in accordance with the Privacy Act Access and Correction Request Process.

As a general principle, unless there are valid reasons why we would not disclose that information, we will provide access to personal information we hold about any individual if they request that information.

All employee personal information requests should also be notified to the Human Resources Manager by email at hr@tradewindow.io. If you want to access your own personal information you should make the request to your manager or to the Human Resources Manager at hr@tradewindow.io.

All requests for access must normally be completed within 20 working days unless they are extended by TradeWindow’s Privacy Officer.

 

3.4                Correction of Personal Information

Individuals also have the right to correct personal information about themselves. These requests can be of simple facts (for example, an address) or more complex issues (such as a file note saying a customer was aggressive). In any instance we need to consider the request to correct the information and take appropriate action. If we do not agree that the information is incorrect, we do not need to correct it, but we must clearly note the individual’s view that the information is incorrect prominently next to the contentious information.

All correction requests must be made in accordance with the Privacy Act Access and Correction Request Process.

 

3.5               Use and Disclosure of Personal Information

TradeWindow collects personal information through various channels, including:

  • Direct interactions, such as when you provide information via forms, emails, or phone calls;
  • Automated technologies, such as cookies or analytics tools that track website usage and performance; and
  • Third parties, including business partners, sub-contractors, and publicly available sources where permitted by law.

 

We use personal data for the following purposes, which may differ based on the relationship we have with you:

  • ‘Usage Data’ collected via cookies or tracking technologies to monitor website performance and improve user experience;
  • ‘Account Data’ to manage user accounts and ensure the security of services;
  • ‘Transaction Data’ to process orders, manage payments, and provide transactional records;
  • ‘Communication Data’ to send you updates, newsletters, and notifications, where you have consented to receive these communications.

 

Legal bases for processing personal information include:

  • Contractual necessity (e.g., to process transactions or provide services);
  • Compliance with legal obligations (e.g., for regulatory reporting);
  • Legitimate business interests (e.g., improving our services or ensuring security); and
  • Consent, where applicable, such as for marketing communications or cookies.

 

We will not use personal information without first considering whether it is reasonably accurate, up-to-date, and complete.

We will only use personal information where it is lawful to do so. Primarily this will be where we are using personal information for the reason it was initially collected.

We will not use an individual’s personal information for training or for system testing purposes.

We will not disclose personal information unless we have a reasonable basis for believing doing so is lawful. This will usually be where the disclosure is for the purpose the information was collected or because it is authorised by the individual. Other exceptions apply and if you are uncertain you should discuss these with TradeWindow’s Privacy Officer.

We will not disclose personal information overseas unless it is protected by equivalent safeguards to in New Zealand. For guidance on any overseas disclosure of personal information you should consult with TradeWindow’s Privacy Officer.

Personal information will not be disclosed to third parties unless it is required for the performance of a service, the individual consents, or as required by law. Where applicable, we will ensure that any third-party data processors provide adequate safeguards for the protection of personal information.

 

3.6          Rights of Data Subjects

TradeWindow recognises and respects the rights of individuals regarding their personal information. Data Subjects whose personal information is processed by TradeWindow have the following rights under the Privacy Act 2020:

  • Right to Access:
    Individuals have the right to request access to their personal information held by TradeWindow. Upon receiving a request, we will provide the individual with access to their data, subject to any lawful grounds for withholding.
  • Right to Correction:
    Individuals can request the correction of any personal information that they believe is inaccurate or incomplete. TradeWindow will make the necessary corrections or, if not agreed, will note the individual’s disagreement with the information.
  • Right to Erasure (Right to be Forgotten):
    In certain circumstances, individuals may request that TradeWindow delete their personal information. Requests for erasure will be considered in accordance with the Privacy Act and applicable retention laws.
  • Right to Restriction of Processing:
    Individuals may request that TradeWindow restricts the processing of their personal information in situations where they contest the accuracy of the data or object to the processing.
  • Right to Object to Processing:
    Individuals have the right to object to the processing of their personal information for certain purposes, such as direct marketing or automated decision-making.
  • Right to Data Portability:
    Where applicable, individuals can request that TradeWindow provides them with their personal information in a structured, commonly used format, and that it be transferred to another service provider if technically feasible.

To exercise any of these rights, individuals can contact TradeWindow’s Privacy Officer at privacy@tradewindow.io. Requests will be processed in accordance with the Privacy Act 2020 and applicable regulations.

 

4. PRIVACY BREACHES

We have clear, consistent processes for reporting, managing and escalating privacy incidents. For any suspected privacy breach, you must immediately follow the Privacy Breach Process.

A privacy breach is when personal information is either inappropriately: disclosed, altered, lost, or accessed. Loss includes either the destruction of information or the temporary inability to access information.

You must report any suspected privacy breach to the Privacy Officer. TradeWindow’s Privacy Officer will confirm that there has been a privacy breach, and if they believe it may have caused or could cause serious harm.

All privacy breaches or suspected privacy breaches must be recorded in a central privacy breach log.

If a breach involves data stored on blockchain technology, TradeWindow may not be able to delete the data due to the immutable nature of blockchain. In such cases, affected individuals will be informed, and TradeWindow will take reasonable steps to mitigate the risks.

 

5. THIRD PARTIES

Where we contract with a third-party to outsource the processing of personal information we  must ensure that the personal information is protected by equivalent safeguards to when it was managed by us.

Agreements must require the contracted party to meet our privacy requirements for example:

  • Notify us of any privacy breach
  • Notify us of any privacy act access or correction requests made by an individual
  • Maintain security safeguards
  • Only retain information for a specified period.

Not sub-contract the processing to a lower standard than is agreed in the contract.

Where TradeWindow transfers personal information to third-party service providers located outside New Zealand, we will ensure that appropriate contractual and technical safeguards are in place to provide equivalent protection as required by New Zealand law.

Some TradeWindow products or services allow a customer to send or receive email using Gmail.  In these instances, the customer consents that TradeWindow may collect, process and retain the customer’s Gmail Account email address as well as read, compose, send, and permanently delete all your email from Gmail. This information is used solely for the purpose of providing the email functionality.

The Third-Party Assessment Policy details how we assess and manage third parties from a privacy perspective.

 

6. CUSTOMER MANAGEMENT

Where we are acting as a third-party or service provider for a customer, it is still the customer’s responsibility to ensure personal information is protected by equivalent safeguards to when it is managed by themselves. Therefore, where TradeWindow holds or processes personal information on behalf of its customers we must ensure that personal information is protected in accordance with the customers agreement.

Customers are also responsible for the likes of notifying the Office of the Privacy Commissioner and individuals affected in the event the privacy breach is ‘notifiable’ and responding to an individual’s Privacy Act access or correction request. It is vital we inform customers as soon as practically possible of breaches, individual’s requests, or other privacy related matters.

All customer agreements should include the following privacy requirements at minimum:

  • Notifying the customer of any privacy breaches involving personal information
  • Transfer of privacy act access or correction requests
  • Maintain security safeguards
  • Only retain information for a specified period.

The Privacy Officer is responsible for communicating privacy related matters to customers unless otherwise agreed or stated in the customer agreement.

 

7. COMPLAINTS

When you become aware of a complaint about privacy or the management of personal information you must immediately notify TradeWindow’s Privacy Officer in accordance with the Privacy Complaints Process.

 

8. PRIVACY IMPACT ASSESSMENTS

If you are considering a new process, policy, product, service, or system that changes how we collect, use, store, disclose or dispose of personal information you must consider the privacy impacts and risk.

To initiate this, you should contact TradeWindow’s Privacy Officer outlining the proposal and any anticipated risks. TradeWindow’s Privacy Officer may ask that you undertake a Privacy Impact Assessment.

If a Privacy Impact Assessment is required, it must be signed off by the relevant business owner and TradeWindow’ Privacy Officer before the process, policy or system is brought into effect.

 

9. TRAINING AND EDUCATION

We will train those employees and contractors working with personal information as well as ensuring that all employees undertake regular training on privacy risk areas specific to their business area, as well as broader privacy best practices.

 

10. PROCESS REVIEW

We commit to retaining up to date privacy processes. Our business processes relating to the collection, access and correction, use and disclosure, storage and disposal of personal information will be regularly reviewed, at least annually.

 

11. ACCOUNTABILITIES AND RESPONSIBILITIES

The Board is committed to managing personal information by:

  • Setting clear expectations regarding privacy and protection of personal information, and communicating them to the leadership team
  • Holding the leadership team accountable for meeting those expectations
  • Ensuring that effective privacy risk management is fully embedded within TradeWindow’s overall risk management activities
  • Employing high-quality monitoring and information management practices.

 

TradeWindow’ Privacy Officer, on behalf of the leadership team, is accountable for:

  • Promoting privacy and proactively assessing and manage privacy risk within TradeWindow
  • Monitoring compliance and to assist with access and correction requests
  • Monitoring and advising on Privacy Impact Assessments
  • Being the point of contact for the Office of the Privacy Commissioner for breach notification, complaints and other enquiries
  • Responsible for privacy breaches or any complaints raised about privacy
  • Ensuring that TradeWindow complies with the provisions of the Privacy Act
  • Ensure employees are aware of and recognise the importance of their role in privacy, are compliant with the Privacy Policy and the Privacy Act
  • Ensure new employee induction includes privacy training.

 

TradeWindow Users have individual responsibility to:

  • Maintain best practice privacy behaviours
  • Report all privacy breaches and near misses to the Privacy Officer
  • Promote privacy at work
  • Comply with all privacy policies and guidelines
  • Actively participate in privacy training
  • Identify privacy risks.

 

12. MONITORING AND GOVERNANCE

Our privacy policies and guidelines have been established to comply with the Privacy Act 2020. The monitoring and oversight of privacy follows a three lines of defence model to provide assurance that privacy risks are being managed effectively under different situations:

  • The first line of defence is formed by managers and employee responsible for identifying and managing risks as part of their duties.
  • The second line of defence is formed by privacy and internal governance policies, frameworks, tools and techniques to support privacy to be maintained.
  • The third line of defence is formed by internal and external audits ensuring that the first two lines of defence are operating effectively and identifying opportunities for improvement.

 

13. NON-COMPLIANCE

Non-compliance of the terms of this policy may result in disciplinary action or dismissal.

 

14. CONTACT

Any privacy related concerns or requests for information should be initially directed to your manager.

Where required you can also contact TradeWindow’s Privacy Officer, at privacy@tradewindow.io.

 

15. APPROVAL

This Privacy Policy has been approved by the Board of Directors of TradeWindow on 25 November 2020:

Signed
CEO/Director
Date 25/11/2020

 

16. REVIEW OF POLICY

TradeWindow’s Privacy Officer is responsible for maintaining this policy.
This policy is reviewed annually and is approved by the Board.

Date of this Policy:                      28 September 2024
Next Review of this Policy:         25 November 2025