top of page

Infoways Limited Privacy Policy
Last updated: 1 May 2026

 

1. Collection of Personal Information

Infoways Limited collects and stores personal information from or about you. This may include personal information such as your name, contact details, and other identifying information, including business contact details (such as work email address, job title, and organisation).

 

We collect personal information in the following circumstances:

  • When you make an enquiry or request information from us;

  • When you subscribe to receive communications from us;

  • When you create an account on any of our websites or platforms;

  • When you subscribe to our publications;

  • When you attend an event organised by us;

  • When you provide feedback or participate in surveys;

  • During onboarding or service delivery where you or your organisation provides information to us;

  • When you interact with us for support or operational purposes.

 

Indirect Collection

We may also collect your personal information indirectly from third parties. This is common where we provide services to your organisation. Examples include:

  • When a client organisation provides us with information about its employees, contractors, directors, or other stakeholders (for example, to assign responsibilities, manage access, conduct risk assessments, deliver cyber, risk and assurance services, or support audits);

  • When information is received from referrers, professional advisers, screening providers, or other third parties as part of due diligence, vendor risk assessments, or service delivery;

  • When we obtain business contact information from publicly available sources or third-party providers for the purpose of identifying potential business relationships.

 

Notification of Indirect Collection (IPP3A)

Where we collect personal information indirectly, we will take reasonable steps to ensure you are aware of:

  • The fact that the information has been collected;

  • The purpose(s) for which the information has been collected;

  • The intended recipients (or types of recipients) of the information;

  • Our name and contact details as the agency that collected and holds the information;

  • Whether the collection is authorised or required by law; and

  • Your rights to access and correct your personal information.

 

In many cases, we collect personal information from organisations that engage us directly (for example, your employer or a service provider acting on their behalf). In such cases, we may rely on that organisation to notify you that your information will be shared with us for the purposes described in this policy. 

 

We may also notify you directly where appropriate. We may rely on exceptions to notification where permitted under the Privacy Act 2020, including where you have already been made aware of the collection, where notification is impracticable, or where it would prejudice lawful purposes.

 

Consequences of Not Providing Information

If you do not provide personal information that is required, we may be unable to:

  • Provide services to your organisation;

  • Grant access to systems or platforms;

  • Respond effectively to enquiries or support requests;

  • Fulfil contractual or operational obligations.

 

Data Minimisation

We only seek to collect personal information that is reasonably necessary for the services we provide. Where practicable, we encourage organisations providing information to us to limit or redact personal information that is not required.

 

This policy is intended to ensure transparency in accordance with the Information Privacy Principles (including IPP3 and IPP3A) under the Privacy Act 2020.

 

2. Use of Personal Information

Infoways Limited uses personal information in accordance with the Privacy Act 2020.

 

We may use your personal information (whether collected directly or indirectly) for the following purposes:

  • To establish, develop, and maintain our relationship with your organisation and related stakeholders;

  • To create, administer, and manage accounts;

  • To respond to enquiries and requests;

  • To deliver the products and services your organisation has engaged us to provide;

  • To provide support and resolve technical issues;

  • To improve our products and services, including through feedback and analysis;

  • To send communications where permitted by law;

  • To comply with legal and regulatory obligations.

 

2A. Service-Specific Data Collection and Use

In providing governance, risk, compliance, and cyber security services, we may collect and process personal information in the following contexts:

 

Cyber Assurance and Risk Assessments

We may collect contact and role-based information (such as names, job titles, and contact details) to identify stakeholders, assign responsibilities, and coordinate assessment activities.

 

We may also receive documents, records, system outputs, logs, screenshots, or other materials as evidence to support assessments. These materials may contain personal information that is incidental to the purpose of the assessment. We do not seek to collect personal information beyond what is necessary and request that clients minimise or redact personal information where practicable.

 

Such information is used solely for assessing security, risk, and compliance posture.

 

Cyber Security and Managed Services

Where we deploy or manage security solutions, we may have access to limited personal information such as:

  • Names and contact details;

  • User account identifiers;

  • Device information;

  • User activity metadata relevant to security monitoring.

This information is used solely for administering, securing, and supporting client environments. In many cases, this information is stored within third-party platforms operated by trusted service providers.

 

Support, CRM, and Business Operations.

We may collect and maintain personal information for customer relationship management, service delivery, support, and internal business operations.This information may be collected directly from you or indirectly from your organisation or other third-party sources.

 

3. Disclosure of Personal Information

We may disclose your personal information as described in this Privacy Policy or as otherwise notified to you.We may disclose personal information to:

  • Third-party service providers involved in delivering services (such as hosting providers, security platforms, and software systems);

  • Vendors or partners where required to enable the delivery or licensing of services;

  • Contractors or service providers who process information on our behalf and are subject to appropriate confidentiality and data protection obligations;

  • Professional advisers where necessary;

  • Authorities or regulators where required by law;

  • Other parties in connection with a business transaction (such as a merger, acquisition, or sale).

 

Some third-party service providers host or process personal information on our behalf as part of delivering our services. These providers are contractually required to protect personal information and are not permitted to use it for their own unrelated purposes.

 

4. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, including the delivery of services and compliance with legal obligations.

  • For one-off services, information will generally be deleted, destroyed, or returned following completion of the engagement, unless otherwise agreed;

  • For ongoing services, relevant information may be retained as part of the managed service environment;

  • Some information may be retained in backups for a limited period.

 

5. Your Rights Under the Privacy Act 2020

You have the right to:

  • Request access to the personal information we hold about you;

  • Request correction of any inaccurate or incomplete personal information.

 

To exercise these rights, please contact us using the details below. We may request information to verify your identity.

If you are not satisfied with our response, you may make a complaint to the Office of the Privacy Commissioner: Website: www.privacy.org.nz

 

6. Marketing Communications

We may send you marketing or promotional communications where permitted under the Unsolicited Electronic Messages Act 2007. You may opt out of receiving such communications at any time by using the unsubscribe function in our communications or by contacting us directly.

​

7. Compliance with Anti-Spam Laws

Infoways Limited complies with the Unsolicited Electronic Messages Act 2007.

 

8. Overseas Disclosure and Storage

Some of the third-party service providers we use to deliver our services may be located outside New Zealand or may store personal information offshore (for example, cloud hosting providers and software platforms).

​

Where personal information is disclosed or stored outside New Zealand, we take reasonable steps to ensure that such information is protected by safeguards comparable to those required under the Privacy Act 2020. This may include contractual protections or reliance on reputable service providers with appropriate security and privacy standards.

​

By engaging with us or your organisation, you acknowledge that your personal information may be transferred to and processed in jurisdictions outside New Zealand for the purposes described in this policy.

 

9. Security of Personal Information

We take reasonable steps to protect personal information from loss, unauthorised access, use, modification, or disclosure.

These steps include technical, administrative, and contractual safeguards appropriate to the nature of the information we hold.

 

10. Contact Details

If you have any questions about this Privacy Policy or how we handle your personal information, or if you wish to exercise your rights, please contact us:

 

Infoways Limited
Email: security@infoways.co.nz
Address: 38 Kakariki Grove, Waikanae, 5036, New Zealand

bottom of page