Privacy Policy
Last updated: 20 June 2026
This Privacy Policy (privacy statement) explains how Herbaluaflex ("we", "us", "our", "the agency") collects, uses, stores, discloses, and protects personal information when you visit herbaluaflex.world (the "Website").
We are an agency under the Privacy Act 2020 (New Zealand) and handle personal information in accordance with the Act and the Information Privacy Principles (IPPs). Where applicable, we also respect the rights of visitors from the European Economic Area under the General Data Protection Regulation (GDPR).
1. Agency Details and Privacy Contact
Herbaluaflex
8 Lookout Road, Roseneath, Wellington 6011, New Zealand
Email: reach@herbaluaflex.world
Phone: +64 4 974 6830
For any privacy enquiry, access request, correction request, or complaint, contact us using the details above. We will respond as soon as reasonably practicable, and normally within 20 working days.
2. What Personal Information We Collect
In line with IPP 1 (purpose of collection) and IPP 3 (collection from the individual), we may collect:
- Identity and contact details: your name and email address when you submit our contact form.
- Communication content: the message you choose to send us.
- Technical information: IP address, browser type, device type, operating system, pages visited, time spent on pages, and referral source — collected via cookies or similar technologies where you have given consent, or where collection is necessary for site security and basic operation.
- Cookie and consent preferences: your choices about analytics and marketing cookies, stored in your browser's local storage.
We collect personal information directly from you, except for technical data that may be generated automatically when you browse the Website.
Our outdoor visit journal and style quiz operate entirely in your browser. We do not collect, store, or transmit your personal ratings or quiz responses to our servers.
We do not intentionally collect sensitive information (such as health records or financial details) through this Website. Please do not include sensitive personal information in contact form messages unless you choose to do so voluntarily.
3. Why We Collect Personal Information
We collect personal information only for lawful purposes connected with our activities, and where collection is necessary for those purposes (IPP 1). Specific purposes include:
- Responding to enquiries — to read, respond to, and manage messages you send via the contact form.
- Website operation and security — to maintain Website functionality, prevent abuse, and protect against unauthorised access.
- Analytics — to understand how visitors use the Website and improve content and usability (only with your consent).
- Marketing and communications — to measure campaign effectiveness or send relevant updates (only with your consent, and in compliance with the Unsolicited Electronic Messages Act 2007).
- Legal compliance — to meet obligations under New Zealand law, respond to lawful requests from authorities, or establish, exercise, or defend legal claims.
4. What Happens If You Do Not Provide Information
Providing your name, email, and message is voluntary. However, if you do not provide the information marked as required on the contact form, or if you do not tick the GDPR/privacy consent checkbox, we will be unable to process or respond to your enquiry.
You may browse most of the Website without submitting personal information. If you decline non-essential cookies, the Website will still function, but analytics and marketing features will not be activated.
5. Who We Share Personal Information With
We do not sell your personal information. We may disclose personal information to (IPP 11):
- Service providers — such as website hosting, email delivery, or analytics providers, who process information on our behalf under contractual obligations to protect it and use it only for specified purposes.
- Professional advisers — such as lawyers or accountants, where necessary and subject to confidentiality duties.
- Regulators and authorities — where required or authorised by New Zealand law, including the Office of the Privacy Commissioner.
We require third parties to handle personal information in a manner consistent with the Privacy Act 2020.
6. Disclosure of Personal Information Overseas
Under IPP 12, we may only disclose personal information to an overseas recipient if:
- you authorise the disclosure after we have informed you that the recipient may not be required to protect the information to a standard comparable to the Privacy Act 2020;
- we believe on reasonable grounds that the recipient is subject to comparable safeguards; or
- another exception under IPP 12 applies.
Some service providers (for example, cloud hosting or analytics platforms) may store or process data outside New Zealand. Where this occurs, we take reasonable steps to ensure appropriate contractual and technical safeguards are in place.
7. Storage, Security, and Retention
We protect personal information using reasonable safeguards as required by IPP 5, including:
- HTTPS encryption for data in transit;
- access controls limiting who within our organisation can view personal information;
- secure storage and periodic review of our security practices.
We retain personal information only for as long as necessary for the purposes for which it was collected (IPP 9):
- Contact form submissions: up to 24 months, unless a longer period is required for legal or dispute-resolution purposes.
- Analytics data: up to 26 months from collection (if analytics cookies are accepted).
- Cookie consent records: up to 12 months in local storage.
When personal information is no longer needed, we securely delete or anonymise it.
8. Privacy Breaches
Under Part 6 of the Privacy Act 2020, if a privacy breach has caused or is likely to cause serious harm, we are required to notify the Office of the Privacy Commissioner and affected individuals as soon as practicable.
We maintain internal procedures to identify, assess, contain, and respond to privacy breaches. If you believe your personal information has been accessed or disclosed without authorisation, please contact us immediately at reach@herbaluaflex.world.
You may also notify the Office of the Privacy Commissioner directly at www.privacy.org.nz or by calling 0800 803 909 (New Zealand).
9. Your Rights Under the Privacy Act 2020
Under the Privacy Act 2020, you have the right to:
- Access personal information we hold about you (IPP 6);
- Request correction of personal information if you believe it is inaccurate, incomplete, out of date, or misleading (IPP 7);
- Withdraw consent for optional processing (such as analytics or marketing cookies), without affecting the lawfulness of processing before withdrawal;
- Complain to us if you believe we have interfered with your privacy.
To make an access or correction request, email us with sufficient detail to identify you and the information you are seeking. We may need to verify your identity before releasing information.
If we refuse an access or correction request, we will provide written reasons as required by the Privacy Act 2020, and inform you of your right to complain to the Office of the Privacy Commissioner.
10. Additional Rights for EEA Visitors (GDPR)
If you are located in the European Economic Area, you may also have the right to request erasure, restriction of processing, and data portability, and to object to certain processing. You may lodge a complaint with your local data protection authority. These rights apply in addition to, and do not replace, your rights under the Privacy Act 2020.
11. Complaints
If you have a privacy concern, please contact us first so we can try to resolve it. If you are not satisfied with our response, you may complain to:
Office of the Privacy Commissioner (Te Mana Mātāpono Matatapu)
Website: www.privacy.org.nz
Email: enquiries@privacy.org.nz
Phone: 0800 803 909 (New Zealand)
12. Cookies and Similar Technologies
We use cookies and local storage as described in our Cookie Policy. Where cookies collect personal information, the Privacy Act 2020 applies.
13. Links to Other Websites
The Website may contain links to third-party websites (for example, embedded maps). We are not responsible for the privacy practices of those websites. We encourage you to read their privacy statements before providing personal information.
14. Children's Privacy
The Website is intended for a general audience and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will take steps to delete it.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The updated version will be posted on this page with a revised "Last updated" date. We encourage you to review this page periodically.
16. Contact
For privacy-related questions, access requests, correction requests, or complaints:
Email: reach@herbaluaflex.world
Address: 8 Lookout Road, Roseneath, Wellington 6011, New Zealand
Phone: +64 4 974 6830