Privacy Policy

How we collect, use, and protect your personal data.

Last updated:

1. Data Controller

The data controller responsible for your personal data is:

Brightbones
Legacy Te Waonui Hotel Franz Josef, 3 Wallace Street
Franz Josef / Waiau 7856, New Zealand
Email: infocenter@brightbones.world
Phone: +64 3 752 0555

2. Scope and Purpose

This Privacy Policy applies to the website brightbones.world and describes how we collect, use, store, and protect personal information in accordance with the Privacy Act 2020 (New Zealand) and its Information Privacy Principles (IPPs). Where applicable, we also comply with the General Data Protection Regulation (GDPR) for visitors in the European Economic Area.

We collect and use personal information only for lawful purposes connected with our functions as an educational website operator, including:

  • Responding to contact form inquiries and correspondence (IPP 1, IPP 10)
  • Operating, maintaining, and improving our informational website (IPP 1)
  • Protecting the security and integrity of our website (IPP 5)
  • Complying with legal obligations under New Zealand law (IPP 1)
  • Analyzing site usage when you consent to analytics cookies (IPP 3)

We will not use your personal information for any other purpose unless permitted by the Privacy Act 2020 or with your authorisation.

3. Data We Collect

3.1 Information You Provide

When you use our contact form, we collect your name, email address, message content, and consent confirmation. This data is provided voluntarily.

3.2 Automatically Collected Data

When you visit our site, we may automatically collect technical data including IP address, browser type, operating system, referring URL, pages visited, and timestamps. This data is collected through cookies and similar technologies only with your consent for non-essential categories.

4. How We Collect Information

Under the Privacy Act 2020, we collect personal information directly from you when you submit our contact form or communicate with us. We may also collect limited technical information automatically when you visit our site, such as IP address, browser type, and pages viewed. Non-essential tracking technologies are used only with your consent.

We take reasonable steps to ensure personal information is accurate, up to date, and complete before use (IPP 8). You may request correction of inaccurate information as described in Section 8.

5. Legal Basis for Processing

5.1 New Zealand (Privacy Act 2020)

Our collection and use of personal information is governed by the IPPs, including:

  • Purpose limitation (IPP 1–2): Information is collected for identified purposes and not used in incompatible ways
  • Transparency (IPP 3): You are informed about collection through this policy and our contact form
  • Security (IPP 5): Reasonable safeguards protect information from loss, misuse, and unauthorised access
  • Access and correction (IPP 6–7): You may request access to or correction of your personal information
  • Overseas disclosure (IPP 12): Information sent outside New Zealand is protected by comparable safeguards where required

5.2 European Economic Area (GDPR)

For visitors in the EEA, we additionally rely on:

  • Consent (Art. 6(1)(a)): Contact form submission, analytics, and marketing cookies
  • Legitimate Interest (Art. 6(1)(f)): Website security, fraud prevention, and basic site functionality
  • Legal Obligation (Art. 6(1)(c)): Compliance with applicable laws and regulations

6. Data Retention

We retain personal data only as long as necessary for the purposes described:

  • Contact form data: up to 24 months after resolution of your inquiry
  • Analytics data: up to 26 months, subject to cookie consent
  • Cookie consent records: up to 12 months
  • Server logs: up to 90 days for security purposes

7. Data Sharing and Overseas Transfers

We do not sell your personal information. We may share information with trusted service providers who assist with website hosting, analytics, or email delivery, and who are required to protect your information and use it only for the services they provide to us.

Some service providers may store or process data outside New Zealand. Where personal information is disclosed overseas, we take reasonable steps to ensure the recipient protects it in a manner consistent with the Privacy Act 2020 (IPP 12). For transfers from the EEA, we use appropriate safeguards such as Standard Contractual Clauses where required.

8. Your Rights

8.1 Rights Under the Privacy Act 2020 (New Zealand)

You have the right to:

  • Access: Request confirmation of whether we hold your personal information and obtain a copy (IPP 6)
  • Correction: Request correction of inaccurate, incomplete, or out-of-date information (IPP 7)
  • Complaint: Lodge a complaint with us if you believe we have interfered with your privacy

We will respond to access and correction requests within 20 working days, as required by the Privacy Act 2020, unless an extension applies. We may need to verify your identity before releasing information.

If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner at www.privacy.org.nz or by calling 0800 803 909 (New Zealand).

8.2 Rights Under GDPR (European Economic Area)

If you are located in the EEA, you also have the following rights:

  • Right of access: Request a copy of your personal data
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your data
  • Right to restrict processing: Request limitation of data use
  • Right to data portability: Receive your data in a structured format
  • Right to object: Object to processing based on legitimate interest
  • Right to withdraw consent: Withdraw consent at any time without affecting prior processing

To exercise any of these rights, contact us using the details in Section 1. EEA residents may also lodge a complaint with their local data protection authority.

9. Privacy Breaches

We maintain procedures to identify and respond to privacy breaches. Where a breach has caused or is likely to cause serious harm, we will notify the Office of the Privacy Commissioner and affected individuals as required under the Privacy Act 2020.

10. Security Measures

We implement appropriate technical and organizational measures to protect your data, including HTTPS encryption, access controls, regular security assessments, and staff training on data protection practices.

11. Children

Our website is not directed at individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us for immediate deletion.

12. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with an updated date. Where changes materially affect how we handle your personal information, we will take reasonable steps to bring those changes to your attention.

13. Contact

For privacy-related inquiries, contact our data controller at infocenter@brightbones.world or write to the address listed in Section 1.