This policy gives effect to the Information Privacy Principles (IPPs) in schedule 1 of the Privacy Act 2020. Where the EU GDPR also applies, we apply the stricter requirement if there is a conflict.
Scope and intent
This statement explains how we handle personal information when you browse khodraxnquezrion.world, use contact forms, visit the Merivale studio, or purchase services. “Personal information” has the meaning in section 87 of the Privacy Act 2020.
Information privacy principles (summary)
- We collect information only for lawful purposes connected to our functions.
- We collect information directly from you where practicable and tell you why we collect it.
- We store information securely and restrict staff access on a need-to-know basis.
- You may ask whether we hold information about you and request correction of errors.
- We retain information only as long as required for the purpose, then dispose of it safely.
Categories of information collected
We may collect identifiers (name, email address, phone number if you supply it), message content, technical logs generated by hosting (IP address, user agent, timestamps), payment references when you buy paid services, and optional analytics or marketing signals only if you enable those categories in our cookie layer.
Purposes and lawful bases
We process information to respond to enquiries, operate the studio, invoice and meet tax obligations, secure our infrastructure, and—only with your consent—to run analytics or marketing measurements. Contractual necessity, legal obligation, and legitimate interests are assessed under NZ law before we rely on them.
Notifiable privacy breaches
If a privacy breach is likely to cause serious harm to an affected individual, we notify the Office of the Privacy Commissioner and affected people as soon as practicable, unless a limited statutory exception applies. We maintain an internal breach register.
Overseas disclosure
If we use cloud or support providers outside New Zealand, we take reasonable steps under IPP 12—for example contractual safeguards and transfer impact assessment—and can provide a high-level description on request.
Retention
Contact form transcripts remain for twenty-four months unless a longer period is required for unresolved disputes or tax evidence. Server logs rotate after ninety days unless security investigations require an isolated archive. Cookie preference JSON stored in your browser persists until you clear site data or withdraw consent.
Security measures
We enforce HTTPS, role-based access to mailboxes, offline backups encrypted at rest, and periodic review of administrative credentials. No method is flawless; we investigate anomalies and document remedial steps.
Your rights (NZ and GDPR overlap)
You may request access, correction, erasure where applicable, restriction of certain processing, data portability where technically feasible, and withdrawal of consent for consent-based activities. New Zealand residents may complain to the Office of the Privacy Commissioner at privacy.org.nz. EEA residents may also exercise GDPR rights with their supervisory authority.
Children
We do not knowingly collect information from children under sixteen without verified guardian consent. If you believe we received such information, ask us to delete it promptly.
Automated decision-making
We do not make solely automated decisions that significantly affect you without human review.
Updates
Material changes appear on this page with a revised effective date. Where law requires fresh consent, we obtain it before applying the new practice.