Privacy Policy
Network Solutions Group Limited (New Zealand)
Last updated: May 2026
About this Privacy Policy
This Privacy Policy describes how Network Solutions Group Limited collects, holds, uses, discloses and otherwise processes personal information, and the steps we take to keep that personal information secure. In this Privacy Policy, the terms “we”, “our” and “us” refer to Network Solutions Group Limited (NZBN: 9429052450730), of Level 8, 139 Quay Street, Auckland 1010, New Zealand.
We are committed to handling personal information in accordance with our obligations under the Privacy Act 2020 (including the 13 Information Privacy Principles set out in section 22 of that Act, as amended by the Privacy Amendment Act 2025), and any applicable codes of practice issued by the Office of the Privacy Commissioner.
Where we collect, hold or process personal information that originates in the European Union or European Economic Area, or that otherwise falls within the scope of the EU General Data Protection Regulation (“GDPR”), we will also comply with the GDPR to the extent it applies to that information (“GDPR Data”). New Zealand has been recognised by the European Commission as providing an adequate level of data protection.
If we make changes to this Privacy Policy, we will publish the updated version on this webpage so that you can always see what personal information we collect, how we use it, and to whom we may disclose it.
What is personal information?
In this Privacy Policy, “personal information” has the meaning given in section 7 of the Privacy Act 2020 — namely, information about an identifiable individual.
In relation to GDPR Data, “personal data” has the meaning given in Article 4(1) of the GDPR — namely, any information relating to an identified or identifiable natural person.
The types of personal information we collect
Our policy is to minimise the personal information we collect. We only collect personal information that is reasonably necessary for one or more of our lawful business functions or activities, and only by lawful and fair means. We may also use the personal information we collect for other directly related or compatible purposes (where permitted by law).
Client and supplier contact information
Names, titles, job titles, email addresses, telephone and mobile numbers, postal and physical addresses, occupation, contact preferences, marketing and communication preferences, and feedback or survey responses. We use this information to administer our client and supplier relationships, answer questions about and provide our services, manage our business operations, and enforce our rights and comply with our obligations.
Employee records
Names, titles, contact details, next of kin, IRD numbers, KiwiSaver details, payroll information, employment agreements, qualifications, references, CV information and other records concerning employment with us.
Transactional and financial information
Transactional details about payments to and from clients and suppliers (including direct credits, direct debits, bank account details for payment purposes, receipts, invoices, GST records), the products and services our clients purchase, license, subscribe to or use, and any other financial records that we are required to retain under New Zealand law (including the Tax Administration Act 1994 and the Companies Act 1993).
Managed services technical data
When providing our managed services, we may monitor or access our clients’ computer, network and other equipment remotely or on-site. In doing so, we collect and process information about that equipment and any software and data processed by it. This may include IP addresses, server names, database names, network names, equipment serial numbers, Wi-Fi credentials, computer names, application names, browser history, user access logs, usernames, passwords, technical support tickets, bandwidth used, error messages, social media handles, FTP server addresses and credentials, hostnames, subnet masks, router names, server addresses, and hosting account credentials.
Computer and network usage data
Subject to applicable law, we may carry out monitoring of our employees and contractors when they use our computer equipment, mobile devices and networks, to monitor compliance with company policies. This may include logging emails sent and received, websites visited, content viewed, files uploaded or downloaded, IP addresses, server and device names, equipment serial numbers, Wi-Fi credentials, application names, browser history, user access logs, usernames, technical support tickets, bandwidth used, error messages, and similar technical data. Where this monitoring is conducted, it is done in accordance with our internal policies and applicable employment law.
Website analytics data
We collect analytics data to measure and monitor how our websites are being used and to identify areas for improvement, optimisation and enhancement. This may include IP addresses, cookie data, information about devices accessing our websites (IP address, device type, operating system), the time spent on our websites, and the navigation paths taken. We use this information to monitor and detect unauthorised use of our websites, understand how they are used, and improve them. We often aggregate this data with other data; where the aggregated information remains personal information, we treat it in accordance with this Privacy Policy.
Cookies and other tracking technologies
We use cookies and similar tracking technologies on our websites for functionality, performance and (where consented) advertising purposes. We will not place non-essential tracking technologies on your device without your consent. If you decline non-essential cookies, certain features of our websites may be unavailable or your experience may be impaired.
Cookies are small files transferred to your device for record-keeping purposes. We use both session cookies (which are deleted when you close your browser) and persistent cookies (which remain until they expire or are deleted). Cookies may be set by us or by third-party service providers we engage. They help us recognise return visitors, remember preferences, and provide useful features and statistical insights. A cookie may collect information such as your IP address, browsing pattern, the content you have viewed and your browser type.
Telecommunications data
As a licensed telecommunications service provider, we transmit and route data and voice communications across our network on behalf of our customers. In the ordinary course of operating our network we process information including IP addresses, packet headers, routing data, traffic volumes, session start and end times, called and calling numbers (for voice services), and similar telecommunications metadata. We retain this information only for so long as is necessary for legitimate business purposes such as network operations, billing, fraud prevention, troubleshooting, dispute resolution, and meeting our regulatory obligations.
As a network operator under the Telecommunications (Interception Capability and Security) Act 2013 (TICSA), we are required to maintain the capability to assist surveillance agencies (including the New Zealand Police, the New Zealand Security Intelligence Service, and the Government Communications Security Bureau) when presented with a lawful interception warrant or other lawful authority. We may also be required to disclose customer or communications information in response to a production order, search warrant, or other lawful process under the Search and Surveillance Act 2012, the Crimes Act 1961, the Customs and Excise Act 2018, or other applicable law. Where we are lawfully compelled to disclose information, we will only disclose what is required and we will not notify the affected individual where doing so would be unlawful or would prejudice the maintenance of the law.
Unlike some overseas regimes, New Zealand does not impose a general statutory data-retention obligation on telecommunications providers. We do not retain customer communications content beyond what is necessary for the operation of our services.
Where we collect personal information from someone other than you (IPP3A)
In some cases, we may collect personal information about you from sources other than you directly. Where we do, the Privacy Act 2020 (and in particular Information Privacy Principle 3A, which came into force on 1 May 2026) requires us to take reasonable steps to make you aware of:
- the fact that the information has been collected;
- the purpose for which it is being collected;
- the intended recipients of the information;
- our name and address (and the name and address of any other agency that holds the information on our behalf);
- whether the collection is authorised or required by law, and which law;
- the consequences (if any) for you if the information is not provided; and
- your right to access and correct the information.
Examples of indirect collection include: receiving CV or referee information from a recruiter; receiving credit reporting information from a credit reporting body; receiving information about end users from a corporate client we provide services to; receiving billing or technical information from an upstream wholesale carrier; or receiving contact details from a referrer or channel partner. Where we receive personal information from a service provider acting on our behalf, that is treated as direct collection by us.
We will provide the IPP3A information either at the time of collection or as soon as reasonably practicable afterwards, unless an exception in the Privacy Act applies (for example, where you have already been made aware of the matters, where the information will not be used in a form that identifies you, where notification would prejudice the maintenance of the law, or where notification would not affect your interests).
Who we collect personal information about
We collect personal information about:
- any person who contacts us with enquiries about our services, whether by email, our website contact forms, in person, or by telephone;
- people who download whitepapers and other content from our websites;
- our directors, officers, agents, employees and subcontractors;
- our clients (and their officers, agents, employees and subcontractors);
- end users of services that we provide to our clients;
- other parties to a transaction or dispute that we or our clients have entered into, are considering entering into, or are negotiating, and their representatives;
- our suppliers (and their officers, agents, employees and subcontractors);
- individuals who participate in our surveys;
- employees, prospective employees, subcontractors, prospective subcontractors and work-experience applicants;
- any person where it is necessary to do so in order to provide the services that we are engaged or instructed by our clients to perform; and
- the representatives of other service providers and other third parties who contact us about our clients or who we deal with on behalf of our clients.
How we collect personal information
We collect personal information in the following ways:
- when our clients and prospective clients fill out forms (online or in print) with their personal information;
- when we take notes during meetings, interviews, telephone calls, conferences and events;
- through emails, letters and other correspondence and documents we receive;
- when we are contacted online, through social media, instant messaging, video conferencing, online chat, or our website contact forms;
- when we receive completed surveys or questionnaires that we distribute;
- when people apply for employment or offer to provide goods or services as suppliers and contractors (including through references, CVs and interviews);
- when our employees, contractors and suppliers provide us with personal information;
- when our distributors, resellers and channel partners provide us with personal information;
- when business cards are exchanged;
- when our clients send us personal information so that we can provide services to them;
- through contracts that we enter into;
- through public registers, directories, and the Companies Office and similar searches;
- in the course of providing our services and operating our network;
- when we obtain databases that our clients ask us to process on their behalf; and
- where any person voluntarily discloses personal information to us.
How we hold and use personal information
We hold personal information at our offices, in our computer systems, and in third-party owned and operated cloud or hosting facilities. We use personal information for the following purposes:
- to verify a person’s identity when we are contacted, so we know who we are dealing with;
- to communicate with our clients, prospective clients, employees, subcontractors, suppliers and colleagues, by phone, email, post, or otherwise;
- to provide, administer, maintain and answer questions about our services;
- to send newsletters and other communications about our services, events and business opportunities, in accordance with the Unsolicited Electronic Messages Act 2007;
- to send marketing material to people in our newsletter database who we believe may be interested, where we have express, inferred or deemed consent under the Unsolicited Electronic Messages Act 2007;
- to enforce our rights and comply with our contractual and other legal obligations;
- to issue invoices and process payments, and to enforce payment obligations;
- to consider candidates for employment or engagement (for example, by checking references and CVs and arranging interviews), and to pay our employees and contractors;
- for publicity and case-study purposes, with consent;
- to handle complaints;
- to manage employee records and meet employment-related obligations;
- to process applications for our services, including (where applicable) carrying out credit checks;
- to identify customers and end users when we are contacted with questions or concerns about our products and services;
- to configure new services for our customers;
- for research and development of our products and services; and
- for direct marketing purposes, with consent.
Who we disclose personal information to
We disclose personal information to third parties only as follows:
- To suppliers who host our files and databases — we store backup copies of our files, software and databases with hosting providers in their data centres.
- To upstream telecommunications suppliers — we use a range of upstream wholesale carriers and capacity providers to deliver our services. Communications sent and received by our clients traverse those networks.
- To hosting providers who host our clients’ databases and content — where necessary to provide services to our clients, we hold our clients’ databases and content (including any personal information they contain) on third-party servers in the data centres of hosting providers.
- To other parties to a commercial arrangement — for example, where a client authorises us to do so, we may need to provide their personal information to their agents or other professional advisors.
- To our resellers, distributors, agents and channel partners — we appoint resellers, distributors, agents and channel partners to sell our services or manage parts of our business. In those relationships, we may share client or prospective-client personal information with them, and they may provide us with personal information they have collected on our behalf.
- To our suppliers, subcontractors and corporate group — we may disclose personal information to suppliers and subcontractors who assist us, and to members of our corporate group (including our Australian related entity Network Solutions Group Pty Ltd) for shared business support functions, where appropriate safeguards are in place. For example, we use printing providers, couriers, IT support providers, and shared internal platforms operated by our corporate group.
- For publicity campaigns — we may disclose personal information to our marketing suppliers.
- For claims, legal disputes and complaints — we may disclose personal information to our insurers, lawyers, accountants and other professional advisors.
- For newsletters and direct marketing — we may disclose personal information to our email and newsletter service providers, where consent has been obtained under the Unsolicited Electronic Messages Act 2007.
- To identify our customers and end users — when we are contacted with questions or concerns about the services we provide.
- To record billing details and process payments — in which case we provide bank account, payment-card and direct-debit details to our bank and payment-services providers.
- For professional advice — to our legal, accounting or financial advisors and (where necessary) debt collectors, or where we require their representation in a legal dispute.
- On a sale or merger of our business — we may disclose personal information that is the subject of a sale or merger to the purchaser or other entity.
- Where you have given written consent to the disclosure.
- Where required or authorised by law.
We may also provide personal information to our lawyers, insurers and professional advisors, and to any court, tribunal or regulatory body, for one or more of the following purposes:
- to obtain or maintain insurance;
- the prevention, detection, investigation, prosecution or punishment of offences or breaches of laws imposing penalties or sanctions;
- to protect or enforce our legal rights or to defend claims;
- the enforcement of laws relating to the proceeds of crime;
- the protection of the public revenue;
- the prevention, detection, investigation or remedying of seriously improper conduct;
- the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of orders of a court or tribunal; and
- where disclosure is required to protect the safety or vital interests of any person, or to protect property.
Notifiable privacy breaches
Under Part 6 of the Privacy Act 2020, we are required to notify the Office of the Privacy Commissioner and (where practicable) affected individuals of any privacy breach that has caused, or is likely to cause, serious harm. We will notify the Privacy Commissioner as soon as practicable after we become aware that the breach is a notifiable privacy breach. The Privacy Commissioner’s expectation is that notification will be made within 72 hours of becoming aware of a notifiable breach.
In relation to GDPR Data, we will also report personal data breaches to the relevant supervisory authority, and notify affected individuals, where required by the GDPR.
Automated decision-making
We do not use solely automated decision-making in our business in a way that produces legal effects concerning you or similarly significantly affects you.
Lawful basis of processing (GDPR Data)
Under the GDPR, GDPR Data may only be processed where there is a lawful basis to do so. We will only process GDPR Data where we have such a lawful basis — typically because the processing is necessary for our legitimate interests or those of a third party, necessary to perform a contract with you or to take steps at your request before entering into a contract, necessary to comply with a legal obligation, or with your consent.
Third-party websites and platforms
Our websites may include links to third-party websites and platforms. Linking to those sites does not mean that we endorse them or warrant that their operators comply with applicable privacy laws. You should consider the privacy policies of any third-party websites and platforms before submitting personal information to them.
You may interact with social media platforms via widgets and tools (such as embedded LinkedIn, Facebook, X or YouTube components) on our websites. These widgets may collect your IP address and other personal information. Your interaction with such widgets, and any single sign-on services, is governed by the privacy policies of the relevant third-party operators — please read them so you understand how they handle your personal information.
Security
We take reasonable steps, consistent with Information Privacy Principle 5, to protect personal information that we hold from loss, unauthorised access, modification, disclosure, misuse, interference and other forms of unlawful use. Our safeguards include:
- security testing of our systems and websites (including penetration testing), and electronic safeguards such as strong authentication, multi-factor authentication, firewalls, endpoint protection and antivirus software;
- physical security measures at our premises, including door and window locks, visitor access management, cabinet locks, surveillance systems and alarms;
- contractual privacy and confidentiality obligations on our employees, contractors and subcontractors;
- ongoing security audits of our electronic and physical infrastructure;
- pseudonymisation and/or encryption of personal information where appropriate, taking into account the state of the art and the nature of the processing;
- password and access-control procedures across our systems;
- a documented privacy breach response plan; and
- data backup, archival and disaster-recovery processes.
Despite these measures, no system can be guaranteed to be completely secure. If you become aware of any suspected unauthorised access to your personal information held by us, please contact our Privacy Officer immediately using the details below.
If you choose not to provide personal information
If you do not provide us with the personal information we ask for, we may only be able to interact with you in limited ways. For example, you can browse general information on our website without providing personal information. However, when you submit a form, become a client, or otherwise enter into a business relationship with us, we generally need to collect personal information so we can identify you and provide our services. You may use a pseudonym when making general enquiries, but we cannot ordinarily provide our services on a pseudonymous basis.
Electronic marketing communications
We comply with the Unsolicited Electronic Messages Act 2007. We will only send commercial electronic messages (including emails and SMS) where we have your express, inferred or deemed consent under that Act. Every commercial electronic message we send will identify us as the sender, include accurate contact information, and contain a functional unsubscribe facility. If you no longer wish to receive marketing communications from us, you can unsubscribe by using the unsubscribe link in any message you receive from us, or by contacting our Privacy Officer using the details below. We will action unsubscribe requests as soon as practicable, and in any event within five working days of receipt.
Disclosure of personal information outside New Zealand
We may disclose personal information to our service providers, contractors, and members of our corporate group who are located outside New Zealand, where it is reasonably necessary to do so for the operation of our business and the delivery of our services.
In accordance with Information Privacy Principle 12 (Disclosure of personal information outside New Zealand), we will only disclose personal information to a recipient outside New Zealand if at least one of the following applies:
- the individual concerned authorises the disclosure after being expressly informed that the receiving agency may not be required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act 2020;
- the receiving agency is carrying on business in New Zealand and we believe on reasonable grounds that they are subject to the Privacy Act 2020 in relation to the information;
- we believe on reasonable grounds that the receiving agency is required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act 2020 (for example, by being subject to the laws of a prescribed country, the GDPR, or a binding scheme);
- the disclosure is otherwise authorised or required by, or under, an enactment, treaty or international agreement; or
- the receiving agency is required to protect the information by contractual or other arrangements that we believe on reasonable grounds will provide comparable safeguards.
Where we transfer GDPR Data outside the European Economic Area, we will rely on the appropriate transfer mechanisms under the GDPR (including the European Commission’s adequacy decision in respect of New Zealand).
In particular, we share certain personal information with our Australian related entity, Network Solutions Group Pty Ltd, for shared corporate functions including IT, finance, billing, customer support and group reporting. Australia is subject to comparable privacy laws under the Australian Privacy Act 1988 (Cth) and is a recognised destination for cross-border disclosure under IPP12.
Retention and deletion of personal information
It is our policy to retain personal information in identifiable form only for as long as is reasonably necessary for the purposes for which it was collected, and for any other directly related or compatible purposes (where permitted by law). We will retain personal information for the minimum period required by applicable law, and only thereafter for the purposes of deleting or returning it.
Specific retention periods are set by reference to legal, regulatory and operational requirements, including (without limitation):
- tax and financial records: at least seven years (Tax Administration Act 1994);
- company records: as required by the Companies Act 1993;
- employment records: as required by the Employment Relations Act 2000, the Holidays Act 2003, the Wages Protection Act 1983, and related legislation;
- customer service and support records: typically retained for the duration of the customer relationship plus a period sufficient to handle disputes, claims and audit requirements; and
- network and security logs: typically retained for periods aligned to industry good practice, fraud prevention, incident investigation and dispute resolution.
Where the personal information is not GDPR Data and is held under the Privacy Act 2020, we may, instead of destroying the information, take such steps as are reasonable in the circumstances to de-identify it where we no longer need it for any purpose for which it may be used.
Your rights under the Privacy Act 2020
Under the Privacy Act 2020 you have a number of rights in relation to the personal information we hold about you, including:
- the right to ask whether we hold personal information about you, and to obtain access to that information (Information Privacy Principle 6);
- the right to request correction of any personal information we hold about you that is inaccurate, out-of-date, incomplete, irrelevant or misleading (Information Privacy Principle 7);
- the right to be informed about the matters listed in Information Privacy Principles 3 and 3A when we collect personal information from or about you;
- the right to opt out of receiving direct marketing communications at any time; and
- the right to make a complaint to us, and (if you are not satisfied with our response) to the Office of the Privacy Commissioner.
We will respond to access and correction requests as soon as reasonably practicable and, in any event, no later than 20 working days after receiving the request, in accordance with section 40 of the Privacy Act 2020. We do not generally charge a fee for processing access or correction requests.
Additional rights for GDPR Data
Where the GDPR applies, you also have the right to:
- erasure of your personal data;
- restriction of processing;
- data portability;
- object to processing (including for direct marketing); and
- not be subject to a decision based solely on automated processing where that decision produces legal or similarly significant effects.
Please contact our Privacy Officer if you wish to exercise any of these rights. We will handle all such requests in accordance with our legal obligations. If you withdraw consent, object to processing, or request erasure of your personal data, and as a result it is not possible or practical for us to continue providing you with our services, we may need to terminate or suspend our business relationship with you.
Our Privacy Officer and how to contact us
We have appointed a Privacy Officer in accordance with section 201 of the Privacy Act 2020. The Privacy Officer is responsible for ensuring our compliance with the Act, dealing with requests for access to or correction of personal information, working with the Privacy Commissioner in relation to investigations, and otherwise ensuring compliance with this Privacy Policy.
If you wish to contact us about our privacy practices or the personal information we hold about you, or to make an access or correction request or a complaint, please contact:
Privacy Officer
Network Solutions Group Limited
Level 8, 139 Quay Street
Auckland 1010, New Zealand
Email: [email protected]
Phone: 0800 600 590
Complaints
If you have a privacy concern or complaint, we ask that you raise it with our Privacy Officer in the first instance. We will use our best endeavours to resolve any privacy complaint within ten (10) working days following receipt. This may include working with you on a collaborative basis to resolve the complaint or proposing options for resolution.
If you are not satisfied with the outcome, or you wish to make a complaint about an alleged breach of the Information Privacy Principles, you may refer the complaint to the Office of the Privacy Commissioner:
Office of the Privacy Commissioner
PO Box 10094, Wellington 6143, New Zealand
Phone: 0800 803 909
Email: [email protected]
Website: www.privacy.org.nz
In relation to GDPR Data, you may also lodge a complaint with the relevant supervisory authority in the EU member state where you live or work, or where the alleged infringement took place.