This policy sets out how Inveya Limited handles personal information. It is issued under the New Zealand Privacy Act 2020 and reflects the thirteen Information Privacy Principles. We treat the careful handling of personal information as a professional obligation, not a formality.
## 1. About this policy
Inveya Limited (“we”, “us”, “our”) is a New Zealand limited liability company providing professional advisory services. This policy explains what personal information we collect, why we hold it, how we use and protect it, and the rights you have in relation to it.
It applies to everyone whose personal information we handle — including client contacts, prospective clients, the personnel and customers of our clients, sub-consultants and suppliers, and visitors to our website. “You” means any such individual.
We handle personal information in two distinct capacities. In running our own business we are the agency that decides how information is used. During a client engagement we often process information that our client controls; in that role we act on the client’s instructions, as described in section 6.
## 2. Key terms we use
To keep this policy precise, the following terms have the meanings set out below.
| Term | What it means |
|---|---|
| Personal information | Information about an identifiable individual, as defined in the Privacy Act 2020. |
| Sensitive information | Information warranting particular care — such as health, racial or ethnic origin, political or religious belief, or sexual orientation. |
| IPP | One of the thirteen Information Privacy Principles in the Privacy Act 2020. |
| Engagement | A defined piece of advisory work performed under a Statement of Work and our Master Service Agreement (MSA). |
| Service provider | A third party we engage to deliver part of our service, including Software-as-a-Service providers. |
| Software as a Service (SaaS) | Cloud-hosted software, operated by a provider, that we use to process information — for example document storage, email, accounting, or AI tools. |
| Device management | Central management of the devices our personnel use, allowing us to enforce security controls and to lock or wipe a device remotely. |
| De-identified | Modified so that an individual is not, and cannot reasonably be, re-identified. |
| Notifiable privacy breach | A privacy breach that it is reasonable to believe is likely to cause serious harm, and which must be reported under the Privacy Act. |
## 3. The information we collect
We collect only the personal information we need for the purposes set out in section 5. The categories we typically hold, and where they come from, are as follows.
| Category | Examples | Usual source |
|---|---|---|
| Identity and contact | Name, job title, employer, work email, work phone, and postal address where needed for invoicing | You, or your employer (our client) |
| Engagement information | Your role and decision rights, the matters you are working through, and notes from meetings and working sessions | You, our client, and notes we create |
| Commercial and billing | Invoicing contact, billing entity, GST number, payment records, and bank account details for receiving payment (we hold no card data) | You, or our client |
| Website and technical | Aggregated IP address, browser and device type, referring URL, pages visited, and the content of any message you send | Automatically via inveya.com |
| Information you provide | Anything you choose to share with us in writing, in person, by phone, or in working documents | You |
We try not to collect sensitive information. Where it appears in materials you share with us, we handle it with the additional care described in section 10.
## 4. How we collect it
Directly from you — Most information is collected directly — when you contact us, scope or enter an engagement, or share working materials during our work together.
Through our website — When you visit inveya.com or write to us through it, we collect limited technical information and the content of your message, as set out in sections 3 and 12.
Indirectly (IPP 3A) — Sometimes we receive information about you from someone else — usually a client providing details about its personnel, contractors, customers or partners for an engagement. Where we collect information indirectly, Information Privacy Principle 3A requires us to take reasonable steps to make you aware that we hold it, who we are, what we have collected and why, who else holds it, and your rights of access and correction. This policy is our standing record of those matters, and where we deal with you directly (for example, in a working session) we identify ourselves and the purpose of the work at the outset. Our client is responsible for ensuring it is entitled to share your information with us.
## 5. Why we process it
We use personal information only for the following purposes, and for directly related purposes you would reasonably expect, consistent with Information Privacy Principle 10:
- responding to enquiries received through our website or by email;
- assessing fit and scoping a potential engagement;
- entering into and performing Statements of Work and our Master Service Agreement;
- invoicing, receiving payment, and meeting our tax and accounting obligations;
- communicating with you during an engagement;
- developing our frameworks and methodologies using de-identified, aggregated learnings; and
- meeting our legal, regulatory and professional obligations.
We do not use personal information for direct marketing without your consent, we do not run advertising, and we do not sell, rent or trade personal information. We will not adopt a new, unrelated purpose without first obtaining your authorisation, unless the Privacy Act permits it.
## 6. How and where we process it
We process personal information within a managed, access-controlled environment rather than on ad-hoc or personal systems. Three features of that environment are central to how we protect your information.
Managed devices — We apply centralised device management across the computers and mobile devices our personnel use for work. This lets us enforce a consistent security baseline — including full-disk encryption, multi-factor authentication, automatic patching, screen-lock and conditional-access policies, and the ability to lock or wipe a lost or compromised device remotely. Personal information is not stored on unmanaged or personal devices.
Software-as-a-Service platforms — Most of the personal information we hold is processed within reputable Software-as-a-Service (SaaS) platforms — cloud-hosted applications for document storage, email and productivity, accounting and invoicing, client-relationship management, and the AI tools described in section 8. We do not operate our own production servers for this purpose. Each SaaS provider is engaged under written terms addressing confidentiality, security, data handling and, where relevant, breach notification, and we select providers with privacy and security as material criteria. Access is granted on a least-privilege basis, so information is available only to those who need it for the purpose for which it was collected.
Processing on behalf of our clients — During an engagement we frequently process personal information that our client controls. In that role we act on the client’s instructions and only for the purposes of that engagement, in accordance with our Master Service Agreement, and we apply the same managed-device and SaaS controls described above.
## 7. When we disclose information
We disclose personal information only in these circumstances:
- Our client — information gathered during an engagement is shared with the client for whom the work is performed; our Master Service Agreement governs how the client must in turn protect it.
- Sub-consultants — engaged only with the client’s prior written consent, and bound by confidentiality obligations no less protective than our own.
- Service providers — the SaaS and other providers described in section 6, who receive only what is reasonably necessary to provide their service.
- Legal and regulatory bodies — where the law requires it, such as the Inland Revenue Department or a lawful court order, to the minimum extent necessary.
- Business transfer — if we sell or transfer substantially all of our business, subject to the buyer agreeing to terms no less protective than this policy.
We do not disclose personal information for advertising, and we do not sell, rent or trade it.
## 8. Artificial intelligence tools
We use business-grade generative AI tools, including Claude (Anthropic) and Gemini (Google), to assist with synthesis, drafting, research, modelling and analysis. We use them on contracted, enterprise-configured accounts under which, by contract with the provider:
- our inputs and outputs are not used to train the provider’s AI models; and
- our inputs and outputs are not subject to routine human review by the provider’s personnel.
Personal information and AI. We do not enter personal information into AI tools unless the use of the tool is itself part of the agreed engagement deliverables, the client has given prior written consent, or the information has first been de-identified to a standard reasonably calculated to prevent re-identification.
Human accountability. A practitioner reviews, edits and quality-assures every AI-assisted output before it reaches a client and remains professionally accountable for it. We do not use AI tools to make decisions that produce legal or similarly significant effects on individuals without human judgement. A client may, by written notice, ask us not to use AI tools on its engagement, or to exclude specified categories of information, and we will comply.
## 9. Sending information overseas
Some service providers we rely on — notably cloud storage, email and AI tools — are based outside New Zealand and may hold information in other jurisdictions, including the United States.
Under Information Privacy Principle 12, we disclose personal information to an overseas recipient only where the recipient is subject to comparable privacy safeguards (by law or by the contract under which we engage them), where you have expressly authorised the disclosure after being told comparable safeguards may not apply, or where another IPP 12 exception applies. In practice our providers operate under contracts binding them to confidentiality, security and data-handling commitments equivalent to, or stronger than, those required in New Zealand, and we review these arrangements before engaging a new provider.
## 10. Keeping information secure
Information Privacy Principle 5 requires us to take reasonable safeguards against loss and against unauthorised access, use, modification or disclosure. Building on the managed environment described in section 6, our safeguards include:
- full-disk encryption on laptops and removable media;
- multi-factor authentication on email, cloud storage and other critical services;
- centralised device management with remote lock and wipe;
- maintained, patched operating systems and applications, and reputable endpoint protection;
- SaaS providers assessed as offering security commensurate with the sensitivity of the information held;
- least-privilege access controls; and
- cyber liability insurance.
No security regime is perfect, and we do not claim otherwise. We work to a standard appropriate to the size of our business and the sensitivity of the information we hold, and we review our controls as our circumstances change.
## 11. Retention and disposal
We keep personal information only for as long as it is needed for the purpose for which it was collected, or as the law requires — in particular tax and accounting records, which we retain for at least seven years from the end of the relevant financial year.
At the end of an engagement we return or securely destroy client confidential information, including any personal information held on the client’s behalf, in accordance with our Master Service Agreement, except where we must retain material for legal, regulatory or insurance reasons. We review what we hold periodically and dispose of what is no longer required.
## 12. Cookies and our website
inveya.com uses the minimum tracking necessary to operate. We do not use advertising cookies and we do not track visitors across other websites.
- Essential storage — we may use a small amount of local storage to remember your light or dark theme preference; this stays in your browser and is not transmitted to us.
- No advertising or cross-site tracking — we run no advertising and embed no third-party advertising or social-media tracking pixels.
Most browsers let you refuse or delete cookies; doing so will not prevent you from using the site.
## 13. Your privacy rights
Under the Privacy Act you may:
- Access — ask for the personal information we hold about you (Information Privacy Principle 6); and
- Correct — ask us to correct information that is inaccurate, incomplete, irrelevant or misleading (Information Privacy Principle 7). If we cannot agree on a correction, you may ask us to attach a statement of correction.
To make a request, write to privacy@inveya.com. We will verify your identity before releasing information and aim to respond within twenty (20) working days; if we cannot, we will tell you in writing and explain why.
The Act lets us withhold information in limited circumstances — for example where disclosure would breach another person’s privacy or the information is legally privileged. Where we withhold information we will give our reason and, where the law requires, tell you of your right to seek a review by the Office of the Privacy Commissioner.
## 14. If something goes wrong
A notifiable privacy breach is one that it is reasonable to believe is likely to cause serious harm to an affected individual. If we become aware of an actual or suspected notifiable breach affecting your information, we will:
- notify you (or our client, where the information is held on the client’s behalf) as soon as reasonably practicable;
- notify the Office of the Privacy Commissioner as required by section 114 of the Privacy Act;
- take reasonable steps to contain the breach and limit further harm; and
- cooperate in good faith with any investigation and remediation.
## 15. Complaints
If you believe we have not handled your personal information in line with this policy or the Privacy Act, we want to hear from you. Please write to privacy@inveya.com. We will acknowledge your complaint within five (5) working days and aim to give a substantive response within twenty (20) working days.
If we cannot resolve your concern, you may refer it to the Office of the Privacy Commissioner, the independent regulator for the Privacy Act in New Zealand:
Phone: 0800 803 909
Email: enquiries@privacy.org.nz
Web: privacy.org.nz
## 16. Governance, contact and changes
Responsibility for this policy and for privacy compliance sits with our Privacy Manager. We review this policy at least annually and whenever our practices or the law change materially; the version and dates above record the current edition. Where we make a material change, we will take reasonable steps to bring it to the attention of clients with an active engagement.
For any question about this policy, or about how we handle personal information, contact:
Privacy Manager
Inveya Limited
7 Airborne Road
Rosedale, Auckland 0632
New Zealand
privacy@inveya.com