Privacy Policy

This Privacy Policy describes how Cartilagesievemu ("we", "us", or "our") collects, uses, stores, and protects personal information when you visit our website at cartilagesievemu.world, use our contact forms, participate in our fresh air wellness sessions, or otherwise interact with our services. We are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (GDPR), the New Zealand Privacy Act 2020, and other applicable international privacy laws.

1. Data Controller Information

The data controller responsible for your personal information is:

Cartilagesievemu
Coastlands Shopping Centre, 2 State Highway 1
Paraparaumu 6010, New Zealand
Phone: +64 4 298 2056
Email: hello@cartilagesievemu.world

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us using the details above.

2. Personal Data We Collect

We may collect and process the following categories of personal data depending on how you interact with our website and services:

2.1 Information You Provide Directly

• Full name and contact details (email address, phone number) submitted through our contact form
• Message content and enquiry details you include in form submissions
• Booking and registration information for wellness sessions and programmes
• Payment-related information processed through our third-party payment providers (we do not store full credit card numbers)
• Activity and scheduling preferences shared during consultations (non-medical, recreational only)
• Consent records, including GDPR consent checkbox confirmations

2.2 Information Collected Automatically

• IP address and approximate geographic location derived from IP
• Browser type, operating system, and device information
• Pages visited, time spent on pages, and navigation paths through our website
• Referring website or source that directed you to our site
• Cookie identifiers and similar tracking technologies (see our Cookie Policy)

2.3 Information from Third Parties

We may receive limited information from third-party analytics providers, payment processors, and advertising platforms where you have consented to such data sharing. We do not purchase personal data from data brokers.

3. Purposes of Data Processing

We process your personal data for the following specific purposes:

• Responding to enquiries: To read, process, and respond to messages submitted through our contact form
• Session administration: To manage bookings, send session confirmations, and provide personalised session plans
• Service delivery: To deliver recreational outdoor walking sessions, educational materials, and programme content you have registered for
• Payment processing: To process transactions for paid sessions and programmes through secure payment providers
• Website improvement: To analyse website usage patterns and improve user experience (with your consent for analytics cookies)
• Legal compliance: To comply with applicable laws, regulations, and legal processes
• Communication: To send service-related notifications, session reminders, and policy updates
• Marketing: To deliver relevant promotional content about our programmes (only with your explicit consent)

4. Legal Basis for Processing

Under the GDPR, we rely on the following legal bases for processing your personal data:

• Consent: When you tick the GDPR consent checkbox on our contact form, accept cookies, or opt in to marketing communications
• Contractual necessity: When processing is required to fulfil a booking or service agreement you have entered into with us
• Legitimate interests: For website security, fraud prevention, and improving our services, balanced against your privacy rights
• Legal obligation: When we are required by law to retain or disclose certain information

Under the New Zealand Privacy Act 2020, we collect personal information only for lawful purposes connected with our functions and only when the collection is necessary for those purposes.

5. Data Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Contact form submissions: Retained for 24 months from the date of submission, then securely deleted
• Booking and session records: Retained for 7 years from the date of the last session for accounting and legal compliance purposes
• Payment records: Retained for 7 years as required by New Zealand tax legislation
• Marketing consent records: Retained for the duration of consent plus 3 years for audit purposes
• Analytics data: Aggregated and anonymised after 26 months; raw data deleted after 14 months
• Cookie data: Retention periods vary by cookie type; see our Cookie Policy for details

When retention periods expire, we securely delete or anonymise your personal data so it can no longer be associated with you.

6. Data Sharing and Third Parties

We do not sell your personal data. We may share your information with the following categories of recipients:

• Payment processors: To securely process payments for sessions and programmes
• Email service providers: To send transactional and service-related emails
• Analytics providers: To understand website usage (only when you consent to analytics cookies)
• Cloud hosting providers: To store website data on secure servers
• Legal authorities: When required by law, court order, or governmental regulation

All third-party processors are bound by data processing agreements that require them to protect your data in accordance with applicable privacy laws. Where data is transferred outside the European Economic Area or New Zealand, we ensure appropriate safeguards such as Standard Contractual Clauses are in place.

7. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• HTTPS encryption for all data transmitted between your browser and our website
• Secure server infrastructure with regular security updates and patches
• Access controls limiting personal data access to authorised personnel only
• Regular review of data collection, storage, and processing practices
• Staff training on data protection responsibilities and privacy best practices
• Incident response procedures for potential data breaches

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.

8. Your Rights Under GDPR and New Zealand Law

Depending on your location and applicable law, you may have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete personal data
• Right to erasure: Request deletion of your personal data where there is no compelling reason for continued processing
• Right to restrict processing: Request limitation of how we use your data in certain circumstances
• Right to data portability: Receive your data in a structured, commonly used, machine-readable format
• Right to object: Object to processing based on legitimate interests or for direct marketing purposes
• Right to withdraw consent: Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing
• Right to lodge a complaint: File a complaint with the Office of the Privacy Commissioner in New Zealand or your local supervisory authority in the EU

To exercise any of these rights, contact us at hello@cartilagesievemu.world or +64 4 298 2056. We will respond within 30 days of receiving your request. We may need to verify your identity before processing your request.

9. Children's Privacy

Our website and standard session programmes are not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16 without parental consent. Family sessions during school holidays require parental or guardian registration and consent. If you believe we have collected information from a child without appropriate consent, please contact us immediately and we will take steps to delete such information.

10. International Data Transfers

Your personal data may be processed on servers located outside New Zealand, including in countries that may not provide the same level of data protection as your home jurisdiction. Where we transfer data internationally, we implement appropriate safeguards including Standard Contractual Clauses approved by the European Commission and conduct transfer impact assessments where required.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Any personalised session plans are prepared by human facilitators based on information you provide during consultations.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through a prominent notice on our website. We encourage you to review this policy periodically.

13. Contact Us

For privacy-related enquiries, data subject requests, or concerns about how we handle your personal information, please contact:

Cartilagesievemu — Privacy Enquiries
Coastlands Shopping Centre, 2 State Highway 1, Paraparaumu 6010, New Zealand
Phone: +64 4 298 2056
Email: hello@cartilagesievemu.world