1. Overview
1.1 The Privacy Act 2020 (the “Act”) governs how New Zealand entities (and overseas entities carrying on business in New Zealand) collect, store, use and share personal information so as to promote and protect the right of individuals to privacy in respect of their personal information.
1.2 This New Zealand Privacy Policy (“Policy”) sets out how the ARA Group collects, handles, stores, uses and disseminates personal information in accordance with the privacy principles enshrined within the Act.
2. Application
2.1 This Policy applies to:
(a) ARA Group NZ Limited (company number 6042049);
(b) ARA Group Hardware Limited (company number 4359098);
(c) Servcore NZ Limited (company number 5815528);
(d) ARA Security Limited (company number 3242893),
and
(e) any related company (as defined by section 2(3) of the Companies Act 1993) of the entities set out in paragraphs (a) to (d) above; and
(f) any ultimate holding company (as defined by section 94A of the Companies Act 1993) of the entities set out in paragraphs (a) to (e) above,
and
(g) ARA Hardware LP (partnership number 2577401), which carries on its business in New Zealand and is subject to the application of the Act,
(collectively referred to in this Policy as the “ARA Group”).
2.2 For the avoidance of doubt, to the extent any members of the ARA Group are subject to the application of the Australian Privacy Act 1988 (Cth), the ARA Group Australian Privacy Policy shall apply in respect of those members’ operations and conduct in Australia, whether independent of or in addition to this Policy (as applicable).
2.3 In this Policy, the term “Personal Information” shall take the meaning as given to that same term by section 7 of the Act, being any information about an identifiable individual. Personal Information may include (but is not limited to):
(a) an individual’s name;
(b) an individual’s contact details (including phone number(s), home address, and email address(es));
(c) photographs, videos, scans and recordings of an individual which identify that individual (i.e. by displaying their face);
(d) information provided by an individual through surveys, enquiries, message requests or similar mechanisms;
(e) details of goods and services enquired about or requested by an individual or otherwise provided by any members of the ARA Group to an individual;
(f) an individual’s browser session, geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and browsing behaviour;
(g) information about an individual’s access and use of any of the ARA Group’s websites, including through the use of internet cookies, communications with any of the ARA Group’s websites, the types of browser used, the type of operating system used and domain name of the individual’s service provider;
(h) personal information provided to the ARA Group by an individual, whether directly or indirectly, through the use of any of the ARA Group’s websites, applications, social media platforms and accounts from which it permits the ARA Group to collect information;
(i) demographic data of an individual such as web-browsing preferences and interests; and
(j) any other personal or identifiable information requested by the ARA Group and/or provided by an individual to the ARA Group.
3. Collection and use of Personal Information generally
3.1 The ARA Group collects Personal Information in numerous ways, such as through enquiries made on its websites, online or physical forms, surveys, emails, telephone conversations, messaging services, social media platforms, forums, online user-generated content, face-to-face meetings and interviews, market research and so forth.
3.2 All Personal Information collected shall be obtained only from the individual whose Personal Information is concerned, other than where the individual has consented to the ARA Group collecting the Personal Information from a third party, or where the ARA Group has reasonable grounds to believe that:
(a) the collection of that Personal Information from a third party:
(i) would not prejudice the interests of the individual; or
(ii) is necessary:
(1) for the conduct of proceedings (whether commenced or reasonably in contemplation) before a court or tribunal; or
(2) to prevent or reduce a serious threat to the life or health of the individual whose Personal Information is obtained or for any other individual; or
(b) collecting that Personal Information directly from the individual:
(i) would prejudice the purpose of the collection; or
(ii) is not reasonably practicable in the circumstances; or
(c) the Personal Information is publicly available; or
(d) the Personal Information will:
(i) not be used in a way which identifies the individual whose Personal Information is collected; or
(ii) be used for the purposes of collating statistics or conducting research, and will not be published in a way that could reasonably be expected to identify the individual whose Personal Information is collected.
3.3 The ARA Group may only collect Personal Information as is necessary for lawful purposes connected with any of its functions and activities, such as (without limitation), the provision of goods and services. Where the ARA Group collects Personal Information, such collection will be conducted by lawful and fair means which do not unreasonably interfere with the personal affairs of the individual concerned.
3.4 Where an individual corresponds with the ARA Group (in any format), makes an enquiry with the ARA Group, uses any of the ARA Group’s websites, seeks goods or services from the ARA Group, undertakes to procure the engagement of the ARA Group, or otherwise interacts with the ARA Group in any way, that individual’s Personal Information may be collected. Any individuals undertaking any of the actions captured by this section 3.4 shall be taken to have been made aware of the collection of their Personal Information and the handling, use, storage and dissemination of such Personal Information (as applicable) in accordance with and in the manner set out in this Policy.
3.5 Where Personal Information is collected or required to be collected, the purpose of such collection shall be to allow the ARA Group to (without limitation):
(a) contact and communicate with the individual concerned;
(b) answer queries raised or to provide information requested;
(c) keep and maintain internal records, including for general administrative purposes;
(d) collate analytics, perform market research, and conduct business development;
(e) provide estimates, quotations, orders or tax invoices to that individual (as applicable);
(f) procure and supply goods or to perform services for that individual;
(g) run competitions, offer discounts or benefits;
(h) run advertising and marketing campaigns, and to send promotional information about the ARA Group’s goods and services that may be of interest;
(i) improve the ARA Group’s offering of goods and services;
(j) comply with the ARA Group’s obligations at law and to resolve any disputes it has or which it is party to;
(k) consider the employment application of the individual concerned; and
(l) investigate and respond to queries or complaints made under this Policy.
3.6 Any Personal Information collected shall be received and held by the ARA Group member collecting the Personal Information.
3.7 Notwithstanding section 3.4 of this Policy, unless Personal Information is required by law to be collected (in which instance such will be communicated to the individual concerned), any individual concerned shall be entitled to refuse to provide any Personal Information at any time by communicating this to the ARA Group (whether in writing or verbally), or where Personal Information is collected online through the use of the ARA Group’s websites, by taking the steps referred to in section 5.3 of this Policy.
3.8 Should an individual decline to or ‘opt out’ from providing all or part of any voluntary Personal Information to the ARA Group (being that which is not required by law), this may impair or otherwise impact the ARA Group’s ability to communicate with the individual concerned, respond to queries raised or provide information requested by the individual, provide goods or services, and to do those things which it otherwise would have been able to do had Personal Information been provided to it.
4. Third party collection of Personal Information
4.1 On occasion, the ARA Group may collect Personal Information pertaining to an individual from a third party (in accordance with sections 3.2 and 3.3 of this Policy), such as (without limitation) for the purposes of considering the employment application of an individual, for investigating and responding to complaints made pursuant to this Policy and so forth.
4.2 The third parties from whom Personal Information may be collected may include (without limitation) the authorised representative of an individual, referees provided by an individual in support of an employment application with the ARA Group, any applicable party to a complaint or investigation pursuant to this Policy and so forth.
4.3 Any Personal Information received by the ARA Group from a third party shall be dealt with and protected in accordance with this Policy.
4.4 Any third party which provides the ARA Group with Personal Information pertaining to an individual should not do so unless it has obtained the consent of that individual. If no such consent is obtained, under no circumstances should a third party provide the ARA Group with the Personal Information of an individual concerned, whether requested or otherwise.
5. Collection of Personal Information through the ARA Group’s websites
5.1 In addition to the provisions of this Policy pertaining to the collection of Personal Information generally as set out at section 3, Personal Information may also be collected through the use of the ARA Group’s websites by way of cookies, web beacons and web analytics.
5.2 Cookies are small data files which are transferred onto devices by websites for record-keeping and analytic purposes such as to assess web traffic and enhance functionality. Cookies allow web applications to respond to users based on their data so as to tailor those applications to their needs, likes and dislikes.
5.3 Users of any of the ARA Group’s websites may, depending on their web browser of choice, elect whether or not to accept the collection of cookies. Some of the ARA Group’s websites may feature pop-ups which allow users to accept or opt out of cookies. Should this function not be available, any user not wishing for cookies to be placed on their devices is encouraged to set their browser preferences to reject cookies before accessing any of the ARA Group’s websites.
5.4 Cookies generated from the ARA Group’s websites may be created by HubSpot, Google Analytics, SiteImprove or other providers, and most commonly start with “_ga”, “_gid”, “_gat”, “_gtag”, “__hssrc”, “__hssc”, “__hstc” and “hubspotutk”. A full list of the types and names of cookies that may be generated through any of the ARA Group’s websites can be obtained on request by emailing itsupport@aragroup.com.au.
5.5 The ARA Group may, from time to time, use web beacons on its websites. Web beacons are small pieces of code placed on a web page to monitor the behaviour of users and to collect data from the viewing of web pages by users, such as the number of users accessing a page at a given time or date.
5.6 The ARA Group uses web analytics tools such as Google Analytics and SiteImprove to collect data about how users interact with its websites, including data such as the IP address of a user, their device type, operating system and browser information, geographic information, search terms, pages visited, and the date and time when pages were accessed. This allows the ARA Group to improve the functionality of its websites, such as by way of distributing web traffic to optimise response times.
6. Storage and security
6.1 The ARA Group shall at all times take reasonable measures to ensure that all Personal Information collected or received by it is protected against loss, access, use, misuse, modification or disclosure (other than in the manner permitted by law and this Policy), including by way of ensuring such Personal Information is only stored in its own private cloud servers and digital storage.
6.2 Where, for the purposes of providing goods or performing services, the ARA Group is required to provide access to Personal Information (such as disclosing the address of an individual to an ARA Group employee required to attend that individual’s address for the purposes of performing a service), the ARA Group will take all reasonable steps necessary to prevent the unauthorised use or disclosure of such information.
6.3 Data held by the ARA Group (including Personal Information) may, from time to time, be backed up and/or archived, subject to AES 265bit encryption.
6.4 Notwithstanding the above, while the ARA Group shall take reasonable steps to safeguard Personal Information, the security of any Personal Information which is transmitted by individuals through the internet cannot be guaranteed. Such transmission and the possibility of any unauthorised use or disclosure of Personal Information transmitted through the internet is entirely at the risk of individuals sharing Personal Information through such means.
7. Access to Personal Information
7.1 At any time, a request may be made by an individual as to whether the ARA Group holds any Personal Information of theirs, and if so, to access such Personal Information. All requests for accessing Personal Information can be made by emailing legal@aragroup.com.au.
7.2 As a pre-condition to access to Personal Information, the ARA Group may make reasonable enquiries as to verifying the identity of the individual requesting access so as to ensure such access is only given to the individual to whom the Personal Information correlates. The ARA Group may refuse to grant access to Personal Information if the individual requesting such fails to comply with any requests by the ARA Group to verify that individual’s identity.
7.3 Upon verification of the identity of the individual requesting access of their Personal Information, the ARA Group shall provide reasonable access to that individual’s Personal Information, such as by providing digital copies of such via email. To the extent permitted by law, the ARA Group reserves its rights to charge its reasonable administrative costs where Personal Information is requested to be accessed in person or by way of dispatching records via post or similar means.
7.4 Notwithstanding the above, to the extent permitted by law, in certain circumstances, the ARA Group may in its discretion elect to withhold access to Personal Information where:
(a) giving access would pose a serious threat to the life, health or safety of a person, or public health or safety generally;
(b) giving access would have an unreasonable impact on the privacy of other individuals;
(c) the request is frivolous or vexatious;
(d) the information requested relates to existing or anticipated legal proceedings and would be accessible through discovery in those proceedings;
(e) giving access would reveal the intentions of any member of the ARA Group in relation to negotiations with that individual in a way that would prejudice those negotiations;
(f) giving access would be unlawful;
(g) a law or an order of a court or tribunal compels the ARA Group to deny access;
(h) there is reason for the ARA Group to suspect that unlawful activity or misconduct of a serious nature relating to its functions or activities has been, is being, or may be engaged in, and giving access would likely prejudice the taking of appropriate action relating to the matter;
(i) giving access would likely prejudice one or more enforcement-related activities of an enforcement body; or
(j) giving access would reveal evaluative information generated by the ARA Group in connection with a commercially sensitive decision-making process.
8. Correction of Personal Information
8.1 Any individual whose Personal Information is held by the ARA Group is entitled to request that the ARA Group member holding such information correct it. All requests for correcting Personal Information can be made by emailing legal@aragroup.com.au.
8.2 All correction requests shall be subject to the same verification of identity requirements as set out at section 7.2 of this Policy.
8.3 Where a correction request is made, the ARA Group member holding the Personal Information shall do all things reasonably necessary to correct or update the Personal Information to ensure it is accurate, complete and not misleading, and having regard to the purpose for which it may lawfully be used.
8.4 Further to section 8.1 of this Policy, an individual may, either at the time of making its correction request or subsequently thereafter, issue the ARA Group with a statement of correction as to the Personal Information it seeks to have corrected, and to request that the ARA Group attach the statement to the Personal Information in question should the ARA Group not make the correction sought (“Correction Statement”).
8.5 Where a Correction Statement is issued to the ARA Group pursuant to section 8.4, if the ARA Group does not otherwise implement the correction, it will otherwise take reasonable steps to ensure the Correction Statement is attached to the Personal Information concerned (or the file or record containing such) so as to be read in conjunction with the Personal Information to which it concerns.
8.6 Upon correcting any Personal Information or attaching a Correction Statement to such, the ARA Group shall reasonably inform those persons to whom it has disclosed the Personal Information (if any) of the correction or the Correction Statement, as appropriate in the circumstances.
9. Use of Personal Information
9.1 As a precondition to using Personal Information, the ARA Group must take all reasonable steps necessary to ensure that the Personal Information it intends to use is accurate, up to date, complete, relevant and not misleading.
9.2 Subject to section 9.3 below, Personal Information may be used for any of the purposes for which it was lawfully collected (including for the purposes set out at section 3.5 of this Policy).
9.3 Where Personal Information has been collected for one purpose only, the ARA Group shall not use such Personal Information for another purpose unless it has reasonable grounds to believe:
(a) the purpose for which the Personal Information is intended to be used is directly related to the purpose for which it was collected in the first instance;
(b) that the Personal Information is in a form in which the individual concerned is not identified, or if to be used for statistical or research purposes, will not be published in a manner or form that identifies the individual concerned;
(c) that the use of the Personal Information has been authorised by the individual concerned;
(d) that the Personal Information was obtained from a publicly available source and that it would not be unfair or unreasonable to use it;
(e) that using the Personal Information for the other purpose is necessary for the conduct of proceedings (whether commenced or reasonably anticipated) before a court or tribunal; or
(f) that using the Personal Information for the other purpose is necessary to either prevent or lessen a serious threat to public health or safety, or the life or safety of the individual concerned or that of another individual.
10. Disclosure of Personal Information
10.1 As a precondition to disclosing Personal Information, the ARA Group must take all reasonable steps necessary to ensure that the Personal Information it intends to disclose is accurate, up to date, complete, relevant and not misleading.
10.2 The ARA Group shall only disclose Personal Information to third parties where it has reasonable grounds to believe:
(a) that the disclosure is one of the purposes in connection with which the Personal Information was obtained or otherwise is directly related to the purpose for which the Personal Information was obtained;
(b) that the disclosure is to the individual to whom the Personal Information relates;
(c) that the disclosure was authorised by the individual to whom the Personal Information relates;
(d) that the Personal Information was obtained from a publicly available source and that it would not be unfair or unreasonable to disclose it;
(e) that disclosing the Personal Information for the other purpose is necessary for the conduct of proceedings (whether commenced or reasonably anticipated) before a court or tribunal;
(f) that disclosing the Personal Information for the other purpose is necessary to either prevent or lessen a serious threat to public health or safety, or the life or safety of the individual concerned or that of another individual;
(g) that the Personal Information is to be used in a manner in which the individual concerned will not be identified, or if to be used for statistical or research purposes, will not be published in a manner or form that identifies the individual concerned; or
(h) that the disclosure is necessary to facilitate the sale or disposition of any of the ARA Group’s businesses.
10.3 The ARA Group shall only disclose Personal Information to foreign third parties where that disclosure pertains to the circumstances captured at sections 10.2(a), (c), (e), (f), (g) or (h), provided that:
(a) the individual concerned authorises the ARA Group to make the disclosure to that foreign party after the ARA Group has informed it that the foreign party may not be required by law to protect the Personal Information in the same manner captured by this Policy and the Act;
(b) the foreign party carries on business in New Zealand and in respect of the Personal Information concerned, the ARA Group has reason to believe that foreign entity is subject to the Act;
(c) the ARA Group has reason to believe the foreign party:
(i) is subject to privacy laws in its jurisdiction which are comparable or superior to the Act;
(ii) is a participant to a prescribed binding scheme (as defined by section 213 of the Act);
(iii) is subject to privacy laws of a prescribed country (as defined by section 214 of the Act); or
(iv) is required to protect the Personal Information in a way that is comparable to the manner in which the ARA Group is required to do the same in accordance with the Act.
10.4 Notwithstanding the above, the ARA Group shall be entitled to disclose Personal Information to a foreign party for the purposes set out in sections 10.2(e) or (f) without having complied with section 10.3 if not reasonably practicable to do so in the circumstances.
11. Tenure of possession of Personal Information
11.1 The ARA Group shall not keep Personal Information for longer than is required for the purposes for which the Personal Information may lawfully be used. The ARA Group shall destroy all Personal Information held once it is no longer necessary for lawful purposes unless the law otherwise permits such Personal Information to be held beyond such time.
11.2 Notwithstanding the above, to the extent permitted by law, the ARA Group may retain Personal Information for seven (7) years past the cessation of the purpose for which that Personal Information was used, to the extent reasonably necessary for auditing or archiving purposes, or in respect of reasonably anticipated legal proceedings.
12. Links to other websites
12.1 The ARA Group websites may from time to time contain affiliate links and links to websites of other parties. The ARA Group does not have control over websites of third parties and accepts no responsibility for the protection or privacy of any Personal Information provided by individuals visiting websites linked to the ARA Group websites which are neither controlled by the ARA Group nor governed by this Policy.
13. Unsubscribe
13.1 Any individuals receiving communications from the ARA Group (including marketing communications) may at any time ‘opt out’ by using the unsubscribe features in such communications, or, if none are available, by contacting the ARA Group by emailing legal@aragroup.com.au.
14. Complaints
14.1 Should an individual wish to raise a query or make a complaint as to how the ARA Group has handled its Personal Information, enquiries and complaints can be made at any time by emailing legal@aragroup.com.au.
14.2 The ARA Group may require information from enquirers and complainants for the purposes of responding to any query or investigating privacy complaints received. Any failure by an enquirer or complainant to provide the information requested may impair the ARA Group’s ability to investigate and respond (as applicable).
14.3 The ARA Group will endeavour to investigate privacy complaints and provide written notice of its findings to a complainant within thirty (30) days of receipt of the complaint in question.
14.4 If a complainant is dissatisfied with the ARA Group’s findings in response to a privacy complaint or the ARA Group’s investigation into such, complainants may at their discretion make a complaint to the Privacy Commissioner by:
(a) submitting a complaint online via the Privacy Commissioner’s website, https://www.privacy.org.nz/;
(b) submitting a complaint by mail to PO Box 10 094, Wellington 6143; or
(c) any other means by which the Privacy Commissioner allows privacy complaints to be made.
15. Amendments
15.1 From time to time, the ARA Group may update this Policy. For the avoidance of doubt, the most recent version of this Policy shall apply.
This Privacy Policy is dated 2 November 2022.