🔒 Privacy Policy

Your Privacy Matters to Us

Learn how we collect, use, and protect your personal information.

Introduction and Scope

This Privacy Policy describes how Max365 collects, uses, stores, and protects personal information in accordance with the New Zealand Privacy Act 2020. Max365 is committed to protecting the privacy of business clients and enterprises who use our platform. This Policy applies to all personal information collected through the Max365 platform, including user behavior and usage analytics data. The Privacy Act 2020, which came into force on 1 December 2020, establishes 13 Information Privacy Principles (IPPs) that govern how agencies collect, store, use, and share personal information. Max365 operates as an agency under the Act and is subject to its requirements regardless of where personal information is collected or held. This Policy applies to New Zealand agencies using Max365 services and any overseas agencies carrying on business in New Zealand. We collect personal information only for lawful purposes connected with our platform's functions and activities, ensuring the information is necessary for those purposes as required by IPP 1.

Information We Collect: User Behavior and Usage Analytics

Max365 collects user behavior and usage analytics data to improve platform functionality, optimize user experience, and provide insights to business clients and enterprises. Personal information collected includes user interactions such as clicks, page views, session durations, feature usage patterns, and navigation pathways within the platform. We also collect device information including IP addresses, browser types, operating system details, and timestamps of platform access.

Under IPP 2, we collect personal information directly from individuals whenever reasonably practicable. When collecting information, we comply with IPP 3 by taking reasonable steps to ensure individuals are aware of why information is being collected, who will receive it, whether provision is mandatory or voluntary, and consequences of not providing information. Our data collection occurs in a fair and lawful manner that is not unreasonably intrusive, as required by IPP 4.

We employ cookies and similar tracking technologies to collect analytics data, which may constitute personal information under the Privacy Act when combined with other identifiable data. User behavior analytics enables Max365 to identify usage trends, measure platform performance, detect security threats, and enhance service delivery for business clients.

How We Use and Process Your Information

Max365 uses personal information collected for specific, lawful purposes connected with our platform operations. Under IPP 10, we use personal information only for the purposes for which it was collected, or for directly related purposes that the individual would reasonably expect. Primary uses include analyzing user behavior patterns to improve platform features, generating usage reports for business clients, optimizing system performance, ensuring platform security, and providing technical support. We process analytics data to create aggregated insights that help enterprise clients understand how their teams interact with the platform. Before using personal information, we take reasonable steps to ensure it is accurate, up-to-date, complete, relevant, and not misleading, as required by IPP 8. We implement data minimization practices by collecting only information necessary for our stated purposes.

Personal information is processed using automated analytics tools that identify usage patterns, feature adoption rates, and potential usability improvements. We may use anonymized or de-identified data for research and development purposes to enhance platform capabilities. All data processing activities comply with the 13 Information Privacy Principles established under the Privacy Act 2020. When processing involves sensitive information, we apply additional security measures and access controls to protect individual privacy.

Data Storage and Security Measures

Max365 implements comprehensive security safeguards to protect personal information from loss, unauthorized access, use, modification, disclosure, or other misuse, as required by IPP 5. We employ industry-standard security measures including encryption of data in transit and at rest, secure authentication protocols, regular security audits, and access controls that limit data access to authorized personnel only. Our data storage infrastructure utilizes secure servers with redundancy and backup systems to prevent data loss. We maintain physical, technical, and administrative security measures appropriate to the sensitivity of the personal information held. Technical safeguards include firewalls, intrusion detection systems, Secure Sockets Layer (SSL) technology, and regular vulnerability assessments. Administrative measures include staff training on privacy obligations, confidentiality agreements, and documented information security policies. We conduct regular reviews of our security practices to ensure they remain effective against evolving threats. Personal information is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by law, in accordance with IPP 9. When personal information is no longer required, we securely delete or destroy it using methods that prevent unauthorized recovery. Our security framework aligns with international best practices and the OECD Guidelines recognized under the Privacy Act 2020.

Individual Rights Under the Privacy Act 2020

The Privacy Act 2020 grants individuals specific rights regarding their personal information held by Max365. Under IPP 6, individuals have the right to access personal information we hold about them, provided the information can be readily retrieved. Individuals may request confirmation of whether we hold their personal information and obtain access to that information. We respond to access requests within 20 working days as required by the Act.

Under IPP 7, individuals have the right to request correction of personal information if they believe it is inaccurate, out of date, incomplete, irrelevant, or misleading. If we agree a correction is necessary, we will make the correction and, if reasonably practicable, notify any third parties to whom we have disclosed the information. If we refuse a correction request, individuals may request that we attach a statement to the information noting that correction was sought but refused.

Individuals also have the right to make complaints to the Privacy Commissioner if they believe their privacy has been interfered with. All New Zealanders regardless of age or circumstance have privacy rights under the Act. We provide assistance to individuals making access or correction requests and ensure our processes are accessible and straightforward. There is generally no charge for making access or correction requests, though exceptions may apply in certain circumstances as permitted by the Act.

Notifiable Privacy Breaches

Max365 has implemented a comprehensive privacy breach response plan in accordance with the mandatory breach notification requirements introduced in the Privacy Act 2020. A privacy breach occurs when personal information is subject to unauthorized or accidental access, disclosure, alteration, loss, or destruction, or when we are prevented from accessing personal information. Under the Act, we must notify the Privacy Commissioner and affected individuals of any notifiable privacy breach as soon as practicable. A breach is notifiable when it has caused, or is likely to cause, serious harm to affected individuals.

Serious harm may include physical harm, financial fraud, identity theft, psychological or emotional harm, employment harm, blackmail, or threats to personal safety. When assessing whether a breach is notifiable, we consider factors including the sensitivity of the information, actions taken to reduce harm, the nature of potential harm, who may have obtained the information, and whether security measures were in place.

If a notifiable breach occurs, we report it to the Privacy Commissioner within 72 hours using the NotifyUs online tool and notify affected individuals, summarizing the breach events, outlining potential impacts, and describing actions we are taking to mitigate risks. Failure to report notifiable privacy breaches is a criminal offense carrying fines up to $10,000 NZD. We maintain detailed incident response procedures including immediate breach containment, impact assessment, root cause analysis, and preventive measures implementation to minimize future breach risks.

Third-Party Disclosures

Max365 limits disclosure of personal information to third parties in accordance with IPP 11. We disclose personal information only when necessary for the purposes for which it was collected, or when individuals would reasonably expect such disclosure in the circumstances. We may disclose personal information to trusted third-party service providers who assist with platform operations, including cloud hosting providers, analytics service vendors, security monitoring services, and technical support contractors. When disclosing information to third parties, we ensure these parties are contractually bound to protect personal information with safeguards comparable to those required under the Privacy Act 2020. Third-party service providers are permitted to use personal information only for the specific purposes for which it was disclosed and are prohibited from using it for their own purposes. We conduct due diligence on third-party providers to verify their data protection practices and security measures. Personal information may be disclosed to business clients who subscribe to Max365 services, specifically usage analytics and behavior data related to their authorized users. We do not sell personal information to third parties for marketing purposes. Disclosure may also occur when required by law, such as in response to valid legal processes, court orders, or to protect the rights, property, or safety of Max365, our clients, or others. We maintain records of third-party disclosures to ensure accountability and enable individuals to exercise their access rights under IPP 6.

International Data Transfers

Max365 complies with Information Privacy Principle 12 (IPP 12), which governs the disclosure of personal information outside New Zealand. IPP 12 was introduced in the Privacy Act 2020 to ensure personal information transferred overseas is adequately protected by safeguards comparable to those in New Zealand. Before disclosing personal information to foreign entities, we ensure at least one of the following conditions is met: the overseas recipient is subject to privacy laws that provide comparable safeguards to the Privacy Act 2020; the overseas recipient is required to protect information through contractual agreements that provide comparable safeguards; the overseas recipient is located in a prescribed country recognized by New Zealand regulations as having comparable privacy protections; or we have obtained express and informed consent from the individual after advising them the overseas recipient may not be required to provide comparable safeguards. We utilize model contract clauses recommended by the Office of the Privacy Commissioner when transferring data to jurisdictions without adequate privacy frameworks. These contractual safeguards establish privacy obligations on overseas recipients comparable to New Zealand's requirements. An exception applies when information is transferred to overseas service providers solely for storage or processing purposes without the provider using the information for its own purposes. However, Max365 remains responsible for ensuring such service providers adhere to Privacy Act safeguards. We conduct regular assessments of international data transfer arrangements to ensure ongoing compliance with IPP 12 requirements and maintain documentation of our reasonable grounds for believing overseas recipients provide adequate protection.

Cookies and Tracking Technologies

Max365 uses cookies and similar tracking technologies to collect user behavior and usage analytics data. Cookies are small text files placed on user devices that enable our platform to recognize users, remember preferences, and analyze usage patterns. While New Zealand does not have cookie-specific legislation like the EU's ePrivacy Directive, our use of cookies must comply with the Privacy Act 2020 when they collect personal information. We implement transparency measures by informing users about cookie usage through this Privacy Policy and, where appropriate, cookie banners or consent mechanisms.

We use several types of cookies: essential cookies necessary for platform functionality, analytics cookies that collect usage statistics to improve our services, functional cookies that remember user preferences, and performance cookies that help us understand how users interact with the platform. Third-party cookies may be used when we integrate services from vendors such as analytics providers, though we carefully assess these partnerships to ensure privacy compliance.

Under IPP 3, we inform users about what information cookies collect, why we collect it, who receives the data, and how users can manage or disable cookies through their browser settings. We provide clear information about cookie duration and data retention periods. Users can manage cookie preferences through browser settings, though disabling certain cookies may affect platform functionality. We regularly review our cookie practices to ensure they align with evolving privacy standards and user expectations.

Analytics data collected through cookies is used solely for improving platform performance, understanding user behavior patterns, and providing better services to business clients. We implement data minimization by collecting only cookie data necessary for stated purposes and ensure appropriate security measures protect information collected through tracking technologies.

Making Access and Correction Requests

Individuals may exercise their rights under IPPs 6 and 7 by submitting access or correction requests to Max365. To request access to personal information, individuals should contact our Privacy Officer using the details provided in the Contact Information section. Requests should specify the information sought and may be made via email or formal letter. We respond within 20 working days as required by the Privacy Act 2020.

Before releasing personal information, we may require proof of identity to ensure information is provided only to authorized individuals. Acceptable identification includes a current or recently expired passport or driver license. We generally do not charge for access or correction requests, though fees may apply in certain circumstances permitted by the Act.

If we refuse an access request, we will provide reasons for the refusal, which may include grounds such as protecting another person's privacy, preventing prejudice to law enforcement, or protecting information subject to legal professional privilege.

For correction requests, individuals should identify the specific information they believe is inaccurate and explain why. If we agree a correction is necessary, we will update the information promptly and notify relevant third parties where practicable. If we decline a correction request, individuals may request that we attach a statement noting that correction was sought but refused.

Individuals who are dissatisfied with our response may complain to the Privacy Commissioner. We are committed to resolving privacy concerns promptly and transparently, and we maintain clear internal procedures for handling access and correction requests to ensure compliance with the Privacy Act 2020.

Data Retention and Deletion

Max365 adheres to Information Privacy Principle 9, which requires that personal information not be kept for longer than necessary for the purposes for which it was collected. We have established data retention schedules that specify retention periods for different categories of personal information based on legal requirements, business needs, and the purposes for which information was collected. User behavior and usage analytics data is typically retained for periods necessary to provide ongoing service improvements, generate historical trend analysis, and fulfill contractual obligations to business clients. We regularly review stored personal information to identify data that is no longer required and implement secure deletion procedures. When personal information reaches the end of its retention period, we either permanently delete it or render it anonymous so that individuals can no longer be identified. Deletion methods include overwriting data, degaussing storage media, or physical destruction of hardware, depending on the storage medium and sensitivity of information. Certain information may be retained longer when required by law, for accounting purposes, to resolve disputes, or to enforce our agreements. We document our data retention practices and ensure staff are trained on proper retention and deletion procedures. Individuals may request deletion of their personal information in certain circumstances, particularly if the information is no longer necessary for the purposes for which it was collected or if they withdraw previously given consent. We will honor deletion requests unless we have legitimate grounds for retaining information, such as legal obligations or pending disputes. Our retention practices balance operational needs with privacy principles to ensure personal information is not kept longer than necessary while maintaining data needed for legitimate business purposes.

Contact Information and Privacy Complaints

Max365 has designated a Privacy Officer responsible for overseeing compliance with the Privacy Act 2020 and handling privacy-related inquiries, access requests, and complaints. Individuals may contact our Privacy Officer for questions about this Privacy Policy, to exercise their rights under the Privacy Act, or to raise privacy concerns.

If individuals believe Max365 has interfered with their privacy or breached the Privacy Act 2020, they may lodge a complaint with our Privacy Officer. We maintain a formal complaint handling process that includes acknowledgment of complaints within 5 working days, investigation of the matter, and response outlining our findings and any corrective actions taken. If individuals are not satisfied with our response to their complaint, they have the right to complain to the Office of the Privacy Commissioner.

The Privacy Commissioner can investigate complaints, issue compliance notices requiring Max365 to take specific actions, and make binding decisions regarding access to personal information. Contact details for the Privacy Commissioner: Office of the Privacy Commissioner, PO Box 10094, Wellington 6143, New Zealand, Phone: 0800 803 909, Website: www.privacy.org.nz, Email: enquiries@privacy.org.nz.

We encourage individuals to contact us first so we may attempt to resolve concerns directly, though individuals have the right to complain directly to the Privacy Commissioner at any time. Max365 takes all privacy complaints seriously and uses them as opportunities to improve our privacy practices and ensure ongoing compliance with New Zealand privacy law.