1. Open and Transparent Management
We take our obligations under the Privacy Act 1993 (the Act) and the New Zealand Privacy Principles very seriously and have implemented practices, procedures and systems to ensure we comply with those laws. We are committed to maintaining the confidentiality and security of your personal information and managing it in an open and transparent way.
2. Using a pseudonym or being anonymous
Wherever it is lawful and practical, you have the option of using a pseudonym or not identifying yourself when dealing with us. However, by doing so you acknowledge that it may affect our ability to provide our goods and services to you. You will need to provide us with accurate contact details to make a travel booking.
For clarification on circumstances where you must identify yourself, please contact us at email@example.com. You may use a pseudonym or not identify yourself when making such a request.
3. Collection of solicited personal information
3.1 Types of information collected
We collect and use your personal information for the purposes of carrying out our business of providing travel related products and services. In the process of conducting our business, we collect a range of personal information about our current and prospective customers, users, suppliers, agents, service providers, other business associates and the people who run the businesses we deal with. This information can include such things as name, postal address, email address, phone numbers, date of birth, credit card number details, travel details (e.g. flight, hotel, insurance and car hire), travel preferences (e.g. seat selection, meals, favourite destinations) and details about your participation in loyalty or awards programs and applicable membership numbers.
3.2 Personal information (that is not sensitive information)
We will only collect your personal information where:
(a) it is reasonably necessary for us to pursue one or more of our functions or activities; or
(b) we are required to by law.
3.3 Sensitive information
Some personal information (e.g. race, ethnicity, religion, health information etc.) is sensitive and requires a higher level of protection under the Privacy Act. We will only collect your sensitive information when:
(a) we have your consent; and
(b) the collection is reasonably necessary for us to carry out one or more of our functions or activities.
3.4 Exceptions to the need for your consent
We will not need your consent to collect your sensitive information when:
(a) it is required or authorised by law;
(b) a “permitted general situation” exists as defined under the Privacy Act; and
(c) a “permitted health situation” exists as defined under the Privacy Act.
3.5 Collection by lawful and fair means
We will only collect your personal information by lawful and fair means. This includes:
(b) geo-location information. You may disable our collection and use of your location information at any time by turning location services off at the device level; and
(c) Google analytics. You may choose to opt-out of Google Analytics using the Google Analytics Opt-out Browser Add-on.
3.6 Collection from you
(a) communicate with us in person, by email, telephone, facsimile, direct mail or visit our website;
(b) purchase or make enquiries about our products or services;
(c) provide information for a booking (including when you use our online flights, cruise, hotels and events booking engines);
(d) create your travel profile;
(e) subscribe to one of our services;
(f) enter competitions, register for promotions or loyalty programs;
(g) subscribe to receive marketing materials or request brochures or other information from us; and
(h) complete surveys, other research or provide us with feedback.
We will directly collect your personal information unless:
(a) we have your consent to collect it from a third party; or
(b) we are required or authorised by law; or
(c) it is unreasonable or impracticable to do so.
4. Dealing with unsolicited personal information
If we receive your personal information from a third party without having asked you for it, then within a reasonable time, we will determine whether we could have collected it in the ways outlined in paragraph 3 above. If we determine that it could not have been collected in one of those ways and it is lawful and reasonable to do so, then as soon as practicable we will:
(a) destroy the information; or
(b) ensure that it is de-identified.
5. Notification of collection
Before or at the time of collecting your personal information (or as soon as practicable afterwards) we will take reasonable steps to notify you or ensure you are aware of the following:
(a) our identity and contact details;
(b) circumstances where we have collected your personal information from you without your knowledge or from someone other than you;
(c) circumstances where we are required or authorised by law to collect your personal information;
(d) reasons why we have collected your personal information;
(e) what may happen if we do not collect all or some of your personal information;
(f) details of the persons or entities that we usually disclose personal information to;
(g) how you may access and seek correction of your personal information;
(h) how you can lodge a complaint with us;
(i) whether we are likely to disclose your personal information to overseas recipients and if so, details of the likely countries that may receive your personal information.
6. Use or disclosure
6.1 Personal information that is not sensitive
We will only hold your personal information for the purpose of carrying out our business of providing travel related products and services to you (Primary Purpose). We will not use or disclose your personal information (not being sensitive information) for another purpose (Secondary Purpose) unless:
(a) we first obtain your consent; or
(b) you would reasonably expect us to use or disclose it for a Secondary Purpose that is related to the Primary Purpose or – in the case of sensitive information – directly related to the Primary Purpose; or
(c) we are required to by law; or
(d) a permitted general purpose exists; or
(e) a permitted health situation exists; or
(f) we reasonably believe it is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body. In this circumstance we will make a note of such disclosure.
7. Direct marketing
7.1 What is direct marketing?
For the purposes of this policy, “direct marketing” is the promotion of goods and services directly to you including through emails, phone calls and the post.
7.2 Adoption of direct marketing laws
How we use your personal information for direct marketing is tightly controlled by the Act. We will follow those laws to ensure you only receive direct marketing in circumstances where you are expecting to. Under the Act we may use your personal information for the purposes of direct marketing if:
(a) we collected the information directly from you; and
(b) you would reasonably expect us to use or disclose your personal information for the
purpose of direct marketing.
7.3 Personal information provided by third parties.
Unless it would be impracticable or unreasonable, we need your consent when:
(a) collecting your personal information from a third party for the purpose of direct marketing; or
(b) you would not reasonably expect to receive the direct marketing. If at any time you want to know who provided us with your personal information, then please send a request to us at firstname.lastname@example.org. We will provide the details of that third party within a reasonable time and without charge.
7.4 Sensitive information
We will not use your sensitive information for the purposes of direct marketing unless you have given us permission in writing.
We will always provide a simple means for you to “opt-out” from receiving direct marketing, which typically involves an “opt-out” or “unsubscribe” link on emails, or through a pop-up on your screen when you provide personal information online. We will not use or disclose your personal information for the purposes of direct marketing material if you have previously told us not to. If at any time in the future you do not want us (or one of our service providers) to send you direct marketing material or you wish to cancel a previous consent, please inform us by contacting us at email@example.com. We will affect the change in a reasonable time and without charge.
8. Cross-border disclosure of personal information
We will always endeavour to store your information on a New Zealand or Australian server. However, in circumstances where this is not possible, we may disclose your personal information to an overseas entity when we:
(a) have taken reasonable steps to ensure that they also treat it in accordance with the Act; or
(b) reasonably believe that the overseas entity is subject to the same or similar laws to that found in the Act and there are ways that you can take action to enforce those overseas laws; or
(c) expressly inform you of your option to consent to that disclosure and you then provide us with informed consent to do so; or
(d) are required or authorised by law; or
(e) a permitted general purpose exists; or
(f) a permitted health situation exists; or
(g) we reasonably believe it is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body. In this circumstance we will make a note of such disclosure.
9. Adoption, use or disclosure of government related identifiers
We will not adopt a government related identifier as your identifier unless:
(a) we are required or authorised by law; or
(b) it is reasonably necessary to verify your identity for the purposes of our activities or functions; or
(c) it is reasonably necessary to fulfil our obligations to an agency; or
(d) it is required or authorised by or under a New Zealand law, or a court/tribunal order; or
(e) some (but not all) permitted general situations exist; or
(f) we reasonably believe it is reasonably necessary for enforcement related activities by, or on behalf of, an enforcement body; or
(g) where it is allowed under the regulations.
10. Quality of personal information
We will take such steps (if any) as are reasonable in the circumstances to ensure that your personal information we collect, use or disclose is accurate, up-to-date, complete and relevant.
11. Security of personal information
We will take such steps as are reasonable in the circumstances to protect your personal information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.
When we no longer need your personal information for a permitted purpose and we are not required to keep it to comply with any laws, we will take such steps as are reasonable in the circumstances to destroy your personal information or to ensure that the information is de-identified.
12. Access to personal information
Upon your written request we will provide you with a copy of your personal information that we hold unless:
(a) we reasonably believe that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
(b) giving access would have an unreasonable impact on the privacy of other individuals; or
(c) your request for access is frivolous or vexatious; or
(d) the information relates to existing or anticipated legal proceedings between us and you, and would not be accessible by the process of discovery in those proceedings; or
(e) giving access would reveal our intentions in relation to negotiations with you in such a way as to prejudice those negotiations; or
(f) giving access would be unlawful; or
(g) denying access is required or authorised by or under an Australian law or a court/tribunal order; or
(h) we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being or may be engaged in and giving you access would be likely to prejudice the taking of appropriate action in relation to those matters; or
(i) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
(j) giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.
13. Correction of personal information
13.1 Correction of personal information
We will take reasonable steps to correct your personal information (at no charge) if we are satisfied that it is inaccurate, out-of-date, incomplete, irrelevant or misleading. This extends to third parties that we have provided your personal information to unless it is impracticable or unlawful to do so.
13.2 Circumstances when we decline to make corrections
In certain circumstances we may decline to correct your personal information. When this occurs we will provide you with a written notice that sets out:
(a) the reasons for the refusal; and
(b) the mechanisms available to complain about the refusal
14. Making a Complaint
If you have a concern or complaint relating to our handling of your personal information or any breaches of the APPs, please notify us at firstname.lastname@example.org by outlining the nature of the complaint. We will endeavour to respond to your complaint within 30 days of receipt. If unresolved, the complaint may be referred to an external complaints resolution entity and finally, if necessary, taken to the Office of the Commerce Commissioner.
This policy was last updated July 2019.