Privacy Policy
This policy outlines how personal information is collected, used, stored, shared, and protected while providing mortgage advice services, in line with the Privacy Act 2020 and the 13 Information Privacy Principles.
How we handle your personal information
The purpose of this policy is to protect client privacy, maintain trust, and ensure lawful and transparent handling of personal information across its full lifecycle: collection, use, storage, disclosure, retention, and disposal.
- Applies to all personal information handled by the adviser
- Covers clients, prospective clients, and relevant third parties
- Includes both digital and physical records
Our privacy commitments
We manage personal information in line with the following principles:
- Lawfulness and purpose limitation — used only for mortgage advice and related compliance obligations
- Transparency — clients are informed about how their information is used
- Data minimisation and accuracy — only necessary information is collected and kept up to date
- Security — information is protected from loss, unauthorised access, or misuse
- Client rights and accountability — clients may access or correct their information at any time
What we collect and why
Information is collected to provide mortgage advice, assess suitability and affordability, complete lender applications, and meet AML/CFT and regulatory obligations.
We may collect information via online forms, email, phone, SMS, meetings, secure uploads, third‑party verification services, and lenders or product providers (with your consent).
Personal information is used to provide personalised advice, prepare and submit loan applications, verify identity, communicate with you and lenders, and maintain accurate records for audit and regulatory purposes.
Who we share information with
Information may be shared with lenders, AML/CFT verification services, external compliance auditors, regulators (such as the FMA or Police FIU) where legally required, and IT or administrative contractors who support business operations.
All third parties must meet privacy and security standards consistent with New Zealand law, and information is never sold or disclosed for marketing purposes.
Digital records are stored in encrypted cloud systems, devices use MFA and strong passwords, physical documents are kept in locked cabinets, and access is restricted to the adviser unless otherwise authorised. Backups are automated and stored securely.
How long we keep information
Retention periods follow legal and industry requirements (for example, AML/CFT records for at least 5 years and advice files for at least 7 years). Records are reviewed annually to ensure compliance.
When retention periods expire, digital records are securely deleted and physical documents are shredded or securely destroyed, with disposal actions logged for audit evidence.
Your rights and how to raise concerns
You have the right to request access to, or correction of, your personal information, withdraw consent for non‑essential uses, and complain if you believe your privacy has been breached.
In the event of a privacy breach, we will secure systems, assess the impact, notify affected clients where there is a risk of harm, notify the Office of the Privacy Commissioner if required, and document the incident and remediation steps.
If you are not satisfied with our response to any privacy‑related matter, you can contact the Office of the Privacy Commissioner:
PO Box 10‑094, Wellington, New Zealand
Phone: 04 474 7590
Email: enquiries@privacy.org.nz