1. Data Controller Information
The data controller responsible for your personal information is:
- Business Name: Gracefuliacartil
- Address: 142 Broadway, Newmarket, Auckland 1023, New Zealand
- Phone: +64 9 912 0888
- Email: hello@gracefuliacartil.world
- Website: gracefuliacartil.world
For any privacy-related inquiries, please contact us using the details above. We aim to respond to all privacy requests within 30 days.
2. Scope of This Policy
This Privacy Policy applies to all personal data collected through our website at gracefuliacartil.world, including contact form submissions, cookie usage, program enrolment processes, and any other interactions where personal information is provided voluntarily.
This policy is designed to comply with the General Data Protection Regulation (GDPR) for visitors from the European Economic Area, the New Zealand Privacy Act 2020, and other applicable international privacy legislation.
3. Types of Personal Data We Collect
3.1 Information You Provide Directly
When you contact us through our website form or by other means, we may collect:
- Full name
- Email address
- Organisation name and role (if provided in your message)
- Content of your message or inquiry
- Consent records related to data processing
3.2 Information Collected Automatically
When you visit our website, we may automatically collect certain technical data, including:
- IP address (anonymised where possible)
- Browser type and version
- Operating system
- Referring URL
- Pages visited and time spent on each page
- Device type and screen resolution
- Date and time of visit
3.3 Program Participation Data
If you enrol in one of our team healthy habit programs through your organisation, we may additionally collect:
- Program attendance records
- Voluntary activity log submissions
- Feedback survey responses
- Communication preferences
We do not collect medical records, clinical diagnoses, body measurements, or mental health assessments as part of our standard programs.
4. Purpose of Data Processing
We process your personal data for the following specific purposes:
- Responding to inquiries: To read, process, and respond to messages submitted through our contact form or received via email and phone.
- Program delivery: To administer team healthy habit programs, including scheduling, material distribution, and attendance tracking.
- Website improvement: To analyse website usage patterns and improve content, navigation, and user experience.
- Legal compliance: To fulfil obligations under applicable laws, regulations, and legal processes.
- Communication: To send program-related updates, resource materials, and administrative notices to enrolled participants and organisational contacts.
- Security: To detect, prevent, and address technical issues, fraud, and unauthorised access.
5. Legal Basis for Processing
Under the GDPR, we rely on the following legal bases for processing personal data:
- Consent (Article 6(1)(a)): When you submit our contact form and check the GDPR consent box, or when you accept analytics or marketing cookies through our cookie banner.
- Contractual necessity (Article 6(1)(b)): When processing is required to deliver programs or services you or your organisation have engaged us to provide.
- Legitimate interests (Article 6(1)(f)): For website analytics, security monitoring, and improving our services, balanced against your privacy rights.
- Legal obligation (Article 6(1)(c)): When processing is necessary to comply with applicable laws and regulatory requirements.
6. Data Retention Periods
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Contact form submissions: Retained for 24 months from the date of submission, unless a business relationship is established.
- Active program data: Retained for the duration of the program plus 12 months following completion.
- Analytics data: Retained for 26 months in anonymised or pseudonymised form.
- Cookie consent records: Retained for 12 months from the date consent was given or updated.
- Financial and contractual records: Retained for 7 years as required by New Zealand tax and commercial law.
After the applicable retention period expires, personal data is securely deleted or anonymised so that it can no longer be associated with an identifiable individual.
7. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data to third parties. We may share data with the following categories of recipients when necessary:
- Service providers: Hosting providers, email delivery services, and analytics platforms that process data on our behalf under strict data processing agreements.
- Professional advisors: Legal, accounting, or consulting professionals bound by confidentiality obligations.
- Regulatory authorities: When required by law, court order, or governmental request.
All third-party processors are required to implement appropriate technical and organisational measures to protect personal data and process it only according to our documented instructions.
8. International Data Transfers
Your data is primarily stored and processed in New Zealand. If data is transferred to countries outside the European Economic Area or New Zealand, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or equivalent mechanisms recognised under applicable law.
9. Your Rights Under GDPR and Applicable Law
Depending on your location, you may have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete personal data.
- Right to erasure: Request deletion of your personal data where there is no compelling reason for continued processing.
- Right to restrict processing: Request limitation of processing in certain circumstances.
- Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Right to lodge a complaint: File a complaint with a supervisory authority, such as the Office of the Privacy Commissioner in New Zealand or your local data protection authority in the EEA.
To exercise any of these rights, contact us at hello@gracefuliacartil.world with the subject line "Privacy Rights Request". We may need to verify your identity before processing your request.
10. Security Measures
We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- HTTPS encryption for all data transmitted through our website
- Access controls limiting personal data access to authorised personnel
- Regular security assessments of our systems and processes
- Secure storage of physical and digital records
- Staff training on data protection principles and procedures
- Incident response procedures for potential data breaches
While we take reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your data.
11. Children's Privacy
Our website and programs are designed for adult workplace audiences. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete that information promptly.
12. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals. Any program recommendations are made by human facilitators based on organisational requirements discussed during consultations.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The "Last updated" date at the top of this page indicates when the most recent revision was made. We encourage you to review this page periodically. Material changes will be communicated through a notice on our website.
14. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact us:
- Gracefuliacartil
- 142 Broadway, Newmarket, Auckland 1023, New Zealand
- Phone: +64 9 912 0888
- Email: hello@gracefuliacartil.world