Privacy Policy
Last updated: 30 May 2026
This Privacy Policy explains how Sproutgreen.ddd ("we", "us", "our") collects, uses, holds, discloses, and protects personal information when you visit our website or contact us.
We are an agency under the Privacy Act 2020 (New Zealand). We comply with the Act's Information Privacy Principles (IPPs), applicable codes of practice issued by the Office of the Privacy Commissioner, and — where relevant — the General Data Protection Regulation (GDPR) for visitors from the European Economic Area (EEA).
Agency Details & Privacy Officer
Agency name: Sproutgreen.ddd
Physical address: 4/2 Reyburn Street, Whangārei 0110, New Zealand
Email: partners@sproutgreen.world
Phone: +64 21 251 9301
We have appointed a Privacy Officer responsible for overseeing compliance with the Privacy Act 2020, handling access and correction requests, and managing notifiable privacy breaches. Contact the Privacy Officer using the details above with "Privacy Officer" in the subject line.
What Is Personal Information?
Under the Privacy Act 2020, personal information means information about an identifiable individual. This includes your name, email address, message content, IP address, and online identifiers collected through cookies or server logs where they can be linked to you.
Information We Collect
Collected directly from you (IPP 3)
- Contact form: Name, email address, message content, and privacy consent confirmation when you submit our contact form (collected under IPP 3, Privacy Act 2020).
- Event registration enquiries: Details you provide when registering interest in group sessions.
Collected automatically or indirectly (IPP 3A)
- Cookie and localStorage data: Cookie consent preferences (localStorage key: nature_outdoor_cookie_consent). See our Cookie Policy.
- Technical data: IP address, browser type, device type, operating system, pages visited, time on page, and referral source — collected through server logs and analytics tools only if you consent to non-essential cookies.
- Embedded content: When you interact with embedded Google Maps on our Contact page, Google may collect data under its own privacy policy.
Where we collect personal information indirectly (for example, through analytics providers or hosting logs), we take reasonable steps under IPP 3A (effective 1 May 2026) to ensure you are aware of the collection, as described in this Policy and our Cookie Policy.
Collection Notice (IPP 3 & IPP 3A)
When we collect personal information from you directly, we inform you of the following before or as soon as practicable after collection:
- Fact of collection: We are collecting your personal information.
- Purpose: To respond to your enquiry, manage event registration, operate and improve the website, and comply with legal obligations.
- Intended recipients: Our staff, hosting providers, and analytics/marketing providers (only where you have consented). We do not sell personal information.
- Voluntary or mandatory: Contact form fields (name, email, message, consent checkbox) are required to submit an enquiry. Without this information, we cannot respond to your message.
- Consequences of not providing information: If you do not provide required contact details, we will be unable to process your enquiry or confirm event registration.
- Your rights: You may request access to and correction of your personal information (see "Your Rights" below).
- Authorising law: Collection is not required by specific legislation; it is based on your consent and our legitimate business purposes under the Privacy Act 2020.
Purposes of Use (IPP 10)
We use personal information only for purposes that are connected to the reason it was collected, or directly related purposes you would reasonably expect:
- Responding to contact form submissions and event enquiries.
- Operating, maintaining, and securing the website.
- Understanding website usage and improving content (with consent).
- Measuring marketing effectiveness (with consent).
- Complying with legal obligations and responding to lawful requests from authorities.
- Defending legal claims or enforcing our Terms of Use.
We will not use your personal information for a new unrelated purpose without notifying you and, where required, obtaining your consent.
Legal Bases (EEA Visitors)
For visitors from the EEA, we rely on: (a) your consent (contact form, analytics, marketing cookies); (b) legitimate interests (website security, responding to enquiries); and (c) legal obligation where applicable.
Disclosure of Personal Information (IPP 11)
We may disclose personal information to:
- Service providers: Website hosting, email delivery, and analytics providers — bound by contractual confidentiality and data handling obligations.
- Legal authorities: Where required or authorised by New Zealand law, including court orders or regulatory requests.
- Professional advisers: Lawyers or accountants where necessary, subject to confidentiality duties.
We do not disclose personal information to third parties for their independent marketing purposes.
Disclosure Outside New Zealand (IPP 12)
Some service providers (for example, cloud hosting or analytics) may store or process data outside New Zealand. Before disclosing personal information overseas, we ensure the recipient is subject to comparable privacy safeguards, or you have authorised the disclosure, or another exception under IPP 12 applies. For EEA transfers, we use Standard Contractual Clauses or adequacy decisions where required.
Data Retention (IPP 9)
We retain personal information only for as long as necessary to fulfil the purpose for which it was collected:
- Contact form submissions: Up to 24 months after the enquiry is resolved, then securely deleted or anonymised.
- Event registration records: Up to 12 months after the event date.
- Analytics data: Up to 26 months in aggregated or pseudonymised form (with consent only).
- Cookie consent records: 12 months in your browser localStorage.
- Server logs: Up to 90 days for security monitoring, unless longer retention is required for incident investigation.
When information is no longer needed, we take reasonable steps to destroy or de-identify it.
Data Quality (IPP 8)
We take reasonable steps to ensure personal information is accurate, up to date, complete, relevant, and not misleading before use or disclosure. Please notify us if your details change or if you believe information we hold is incorrect.
Security Safeguards (IPP 5)
We protect personal information against loss, unauthorised access, use, modification, or disclosure by reasonable security safeguards proportionate to the sensitivity of the data, including:
- HTTPS/TLS encryption for data in transit.
- Access controls limiting staff access to personal information on a need-to-know basis.
- Secure hosting infrastructure with regular security updates.
- Periodic review of data handling practices and privacy compliance.
No method of electronic transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.
Notifiable Privacy Breaches
Under Part 6 of the Privacy Act 2020, if a privacy breach has caused or is likely to cause serious harm, we will notify the Office of the Privacy Commissioner and affected individuals as soon as practicable. If you believe your personal information has been compromised, contact our Privacy Officer immediately.
Unique Identifiers (IPP 13)
We do not assign unique identifiers (such as customer reference numbers) unless necessary. Analytics tools may assign anonymous session identifiers when you consent to analytics cookies; these are not linked to your contact form identity unless you have provided both.
Your Rights Under the Privacy Act 2020
You have the following rights regarding personal information we hold about you:
- Access (IPP 6): Request confirmation of whether we hold your personal information and request a copy. We will respond within 20 working days as required by the Privacy Act 2020, unless an extension applies.
- Correction (IPP 7): Request correction of inaccurate, incomplete, or misleading information. If we disagree with a correction request, you may require a statement of the requested correction to be attached to your record.
- Withdraw consent: Where processing is based on consent (for example, analytics cookies or contact form consent), you may withdraw consent at any time. Withdrawal does not affect prior lawful processing.
- Complain: Lodge a complaint with us or with the Office of the Privacy Commissioner if you believe we have interfered with your privacy.
Additional rights for EEA visitors (GDPR)
- Right to erasure, restriction of processing, data portability, and objection to processing.
- Right to lodge a complaint with your local supervisory authority.
To exercise your rights, email our Privacy Officer at partners@sproutgreen.world. We may need to verify your identity before releasing information.
Complaints
If you have a privacy concern, contact our Privacy Officer first. We will acknowledge your complaint promptly and aim to resolve it within 20 working days.
If you are not satisfied with our response, you may complain to:
Office of the Privacy Commissioner
Website: www.privacy.org.nz
Phone: 0800 803 909 (New Zealand)
Email: enquiries@privacy.org.nz
Marketing Communications
We do not send unsolicited commercial electronic messages. If we ever send marketing emails, they will comply with the Unsolicited Electronic Messages Act 2007 and include a functional unsubscribe mechanism. We will only send marketing communications with your explicit consent.
Children and Young People
Our website is intended for a general audience. We do not knowingly collect personal information from children under 16 without parental or guardian consent. If you believe a child has provided us with personal information, contact our Privacy Officer and we will take steps to delete it.
Links to Other Websites
Our website links to third-party sites (for example, Department of Conservation, MetService, Google Maps). We are not responsible for their privacy practices. Review their privacy policies before providing personal information.
Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. The "Last updated" date at the top indicates the most recent revision. Material changes will be posted on this page. We encourage you to review this Policy periodically.