Legal

Privacy Policy.

Effective 28 February 2026 · Rev 1.1

This Privacy Policy explains how IwiConnect collects, uses, stores, retains, and protects personal information in connection with the IwiConnect platform.

We comply with the Privacy Act 2020 and its Information Privacy Principles, and we recognise and uphold Māori data sovereignty.

01

Introduction

IwiConnect Limited (“IwiConnect”, “we”, “our”, “us”) operates a secure, auditable engagement platform connecting iwi, hapū, councils, developers, and agencies.

This Privacy Policy explains how we collect, use, store, retain, and protect personal information in connection with the IwiConnect platform.

This Policy must be read alongside:

  • Iwi and Hapū Terms of Use
  • Customer Terms of Use

If there is any inconsistency between this Policy and the applicable Terms of Use, the Terms prevail to the extent of that inconsistency.

We comply with the Privacy Act 2020 and its Information Privacy Principles.

02

Our role

IwiConnect operates as a software as a service platform.

Depending on the context, we may act as:

  • A service provider processing engagement and project information on behalf of customers and iwi
  • An organisation collecting and using account, billing, security, and platform administration information for our own operational purposes

We provide digital infrastructure to enable engagement.

We do not determine iwi decisions, control engagement outcomes, or provide legal, cultural, planning, or professional advice.

Each party remains responsible for the accuracy, lawfulness, and appropriateness of the information it uploads or submits through the platform.

03

Information we collect

We collect only the information necessary to operate, secure, and support the platform.

Account and contact information

  • Names
  • Email addresses
  • Phone numbers
  • Organisation details
  • Role or position within an organisation

Engagement and project information

  • Project descriptions and documentation
  • Notifications and submissions
  • Engagement communications and responses
  • Status updates
  • Audit logs and timestamps

Technical and usage information

  • IP address
  • Device and browser information
  • Login activity
  • System access logs

Information is collected directly from users when accounts are created, projects are submitted, documents are uploaded, or communications occur through the platform.

04

Purpose of collection

We collect and use personal information to:

  • Operate and maintain the IwiConnect platform
  • Enable secure engagement notifications and communications
  • Maintain an auditable record of engagement activity
  • Provide onboarding, training, and support
  • Improve platform performance and security
  • Comply with legal and regulatory obligations

We do not sell personal information.

We do not use engagement data for advertising purposes.

05

Sharing of information

Information submitted through the platform is shared only:

  • With the relevant iwi, hapū, council, developer, or agency involved in the specific engagement
  • With secure third party service providers necessary to operate the platform, such as cloud hosting and payment providers
  • Where required by law

Third party providers operate under their own contractual and legal obligations. We take reasonable steps to ensure appropriate safeguards are in place.

We do not disclose engagement information for unrelated commercial use.

06

Data sovereignty

IwiConnect recognises and upholds Māori data sovereignty.

Iwi and hapū retain ownership and control of responses, assessments, and cultural information they submit.

Iwi intellectual property remains with the iwi or hapū.

Engagement records remain subject to the governance and retention provisions set out in the Iwi and Hapū Terms of Use.

IwiConnect does not claim ownership of iwi generated content.

07

Data retention

Retention differs by category of information and mirrors the applicable Terms of Use.

Engagement records and audit logs

  • Engagement notifications, communications, responses, and associated audit logs form part of the platform’s compliance and evidential record.
  • These records are retained on a long term or indefinite basis to preserve audit integrity and traceability of engagement activity.
  • Retention of engagement records applies regardless of account termination, subject to applicable law.

Customer project data

  • Project documentation and related customer materials are retained in accordance with the Customer Terms of Use.
  • Unless otherwise agreed under an enterprise licence, project data is typically retained for up to 12 months following project completion or account termination.
  • Customers may request export of project data within the timeframe specified in the Customer Terms of Use.

Account, billing, and administrative information

  • Operate the platform
  • Meet contractual obligations
  • Comply with legal, tax, and accounting requirements

Deletion and export requests

  • Iwi may request a full export of their engagement records at any time, as provided in the Iwi and Hapū Terms of Use.
  • Customers may request export of project data within the timeframe specified in the Customer Terms of Use.

Deletion requests may not be possible where retention is required for:

  • Legal obligations
  • Regulatory compliance
  • Audit integrity
  • Contractual commitments

Where deletion cannot occur, information will remain subject to appropriate security safeguards.

08

Security

We implement reasonable and appropriate technical and organisational safeguards, including:

  • Encryption of data in transit and at rest
  • Role based access controls
  • Authentication mechanisms
  • System monitoring and access logging

The platform is hosted on secure cloud infrastructure.

No online platform can guarantee uninterrupted or error free operation or absolute security.

09

Privacy breaches

If a notifiable privacy breach occurs, we will notify affected parties as soon as practicable in accordance with the Privacy Act 2020.

Where required, we will notify the Office of the Privacy Commissioner.

10

Access and correction

Individuals may request access to, or correction of, personal information we hold about them.

Requests should be directed to: info@iwiconnect.com.

Where information forms part of a shared engagement record, requests will be assessed in accordance with contractual, legal, and audit integrity obligations.

11

Cross border storage

The platform uses secure cloud infrastructure which may involve storage or processing outside New Zealand.

Where this occurs, we take reasonable steps to ensure appropriate safeguards consistent with the Privacy Act 2020.

12

Corporate continuity

If IwiConnect undergoes a corporate restructure, merger, assignment, or sale, core data protection and data sovereignty commitments will continue to apply in accordance with the Terms of Use.

13

Updates

We may update this Privacy Policy from time to time.

Where changes are material, we will notify users through the platform.

The latest version will always be available on the IwiConnect website.

IwiConnect Privacy Policy · Rev 1.1 · 28 February 2026