Because we care about your personal information.
STAAH Limited (we, us, our, STAAH) complies with the New Zealand Privacy Act 1993 (NZ Privacy Act) and other applicable privacy and data protection laws when dealing with personal information. Personal information is information about an identifiable individual (a natural person).
If you are based in the European Union and use this website or our services, the additional terms in the addendum to this policy (GDPR Addendum) apply to you.
This policy does not limit or exclude any of your rights under the NZ Privacy Act and other applicable laws. If you wish to seek further information on the NZ Privacy Act, see www.privacy.org.nz.
Changes to this policy
We may change this policy by uploading a revised policy onto the website. The change will apply from the date that we upload the revised policy.
This policy was last updated on 31st May 2018.
WHAT PERSONAL INFORMATION DO WE COLLECT
We collect, hold and process two categories of personal information:
WHO DO WE COLLECT YOUR PERSONAL INFORMATION FROM
We collect personal information about you from:
If possible, we will collect personal information from you directly.
When you visit or use our website or services, we may collect information about you:
How we use your personal information
We may use personal information provided directly by you:
We may use information generated by your access and use of this website or our services:
We may also use your personal information:
Disclosing your personal information
We may disclose your personal information to:
We may also disclose research and statistical analysis on an anonymised basis derived from your personal information to third parties.
We may disclose personal information we hold about you if we believe that such disclosure is necessary to:
TRANSFERS OF personal information
A business that supports our services and products may be located outside New Zealand. This may mean your personal information is held and processed outside New Zealand. Please see the GDPR Addendum for further information about personal data transfers from the European Economic Area.
Protecting your personal information
We will take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse. We implement appropriate technical and organisational measures to ensure a level of security appropriate to risks inherent in processing personal information. This includes on premise security of STAAH computer software.
We encrypt any sensitive information that is transmitted via our website (such as credit card numbers) using secure socket layer technology (SSL). When credit card details are collected, we simply pass them on in order to be processed as required. We never permanently store complete credit card details.
You can play an important role in keeping your personal information secure by maintaining the confidentiality of any password used in relation to our products and services. Please do not disclose your password to third parties. Please notify us immediately if there is any unauthorised use of your account or any other breach of security.
Accessing and correcting your personal information
Subject to certain grounds for refusal set out in the NZ Privacy Act or other applicable law, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates.
In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction.
If you want to exercise either of the above rights, email us at firstname.lastname@example.org. Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting).
While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.
This GDPR Addendum was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal data. However, we are happy to provide any additional information or explanation needed. Any requests for further information should be sent to email@example.com.
For the purposes of the GDPR:
We will not process Customer Data except as provided in our agreements with our customers and we require our customers to comply with applicable privacy and data protection laws. If we receive any data subject requests relating to Customer Data, such as requests to access personal data, we will forward this request to the relevant customer.
The remainder of this GDPR Addendum applies to Account and Marketing Data only, and does not apply to Customer Data.
PROCESSESING PERSONAL DATA
The legal basis for our processing of Account and Marketing Data is your consent and, for certain Account and Marketing Data, processing is necessary for the performance of a contract to which you are a party or for our legitimate interests (except where such interests would be overridden by your fundamental rights and freedoms which require the protection of personal data).
Despite the above, we may process any of your personal data where such processing is necessary for compliance with applicable laws.
You do not have to provide us with your name or contact information to access and use certain parts of the website. You do have to provide us with information that is automatically collected by Google Analytics during your use of the website (location, browser and operating system details), however, this is not personal information. For further information on cookies, please see our Cookies Policy. You must provide us with your name and contact information to access your account or if you wish to contact us. The consequence of not providing your name and contact information is that we will not be able to provide you with an account or contact you.
Your rights in relation to your personal data under the GDPR include:
Where personal data is processed for the purposes of direct marketing, you have the right to object to such processing, including profiling related to direct marketing.
If you would like to exercise any of your above rights, please contact us at firstname.lastname@example.org. If you are not satisfied by the way your query is dealt with by our data protection officer, you may refer your query to your local data protection supervisory authority e.g. in the United Kingdom, this is the Information Commissioner’s Office.
We do not intend to collect personal data from children aged under 16. If you have reason to believe that a child under the age of 16 has provided personal data to us through our website and/or by using our services, please contact us at email@example.com.
International transfer of data
The Account and Marketing Data may be transferred to, and stored in, a country operating outside the European Economic Area (EEA). Under the GDPR, the transfer of personal data to a country outside the EEA may take place where the European Commission has decided that the country ensures an adequate level of protection. In the absence of an adequacy decision, we may transfer personal data provided appropriate safeguards are in place.
We may transfer Account and Marketing Data from the EEA to STAAH’s entities outside of the EEA.
The STAAH group consists of the following companies:
New Zealand is recognised by the European Commission as a country that ensures an adequate level of data protection and we rely on this decision when transferring personal data from the EEA to New Zealand.
STAAH Pty Limited and STAAH Hotel Software Private Limited have entered into Standard Contractual Clauses as published by the European Commission. The Standard Contractual Clauses provide specific guarantees around transfers of personal data.
Third party processors
The Account and Marketing Data we collect may also be processed by the third parties set out below.
Some of the Account and Marketing Data we collect is processed in New Zealand (where our operations are located). New Zealand is recognised by the European Commission as a country that ensures an adequate level of data protection and we rely on this decision in transferring personal data to New Zealand.
List of third party processors as at 31st May 2018:
|Third party processor||Purpose||Location of processor||Policy pages|
|MailChimp||Email service provider||USA||www.mailchimp.com/legal/privacy|
|GoCardless||Payments provider||United Kingdom||https://instapage.com/privacy-policy|
|Xero||Cloud accounting||New Zealand||https://www.xero.com/nz/about/terms/privacy/|
|LiveChat, Inc.||Customer service||USA||https://www.livechatinc.com/privacy-policy/|
|Twak.to, Inc||Customer service||USA||https://www.tawk.to/privacy-policy/|
|Google, Inc.||Analytics Advertising||USA||https://policies.google.com/privacy?hl=en&gl=nz|
DATA Retention policy
Account and Marketing Data that we collect and process will not be kept longer than necessary for the purposes for which it is collected, or for the duration required for compliance with applicable law, whichever is longer. The criteria we use to determine the period of time for which we keep Account and Marketing Data includes:
The name and contact details of our European GDPR representative are Russell Logan, firstname.lastname@example.org.