Privacy Policy

At Changeable, we build trust through transparency. Your data is treated with respect, protected with care, and handled responsibly under New Zealand’s Privacy Act — so you can focus on innovation with confidence.

Changeable Privacy Policy

Last updated: 10 September 2025 (NZST)

Changeable Limited ("Changeable", "we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit changeable.co.nz or engage our consulting and AI/automation services in New Zealand.

Quick summary
• We collect only what we need to deliver services, improve the site, and communicate with you.
• We follow the New Zealand Privacy Act 2020 and Information Privacy Principles (IPPs).
• We don’t sell personal information. We won’t use your confidential client data to train third‑party AI models without your written consent.
• You can ask for access to or correction of your information.
• If a notifiable privacy breach occurs, we will notify affected people and the Office of the Privacy Commissioner (OPC) where required.

1. Who we are & how to contact us

2. Scope

This Policy covers personal information we handle in New Zealand when you:

  • visit or interact with our website(s), forms, or chat widgets;

  • contact us, download content, book workshops or meetings;

  • engage our services (e.g., AI readiness, workflow automation, training, governance); or

  • receive our emails, ads, or surveys.

This Policy does not apply to third‑party websites or platforms that we don’t control. Their privacy practices are their own.

3. The information we collect

3.1 Information you provide directly

  • Contact and business details (name, email, phone, company, role, region)

  • Enquiry and project information (your goals, pain points, requirements, and any files or data you share)

  • Workshop/training registrations (attendee names, dietary/access needs you choose to provide)

  • Billing (billing contact, company details; if payments are taken, high‑level transaction details via a payment provider—no card numbers stored by us)

  • Consent preferences (opt‑in/opt‑out choices)

3.2 Information we collect automatically

  • Device & usage data (IP address, browser type, pages viewed, time on page, links clicked)

  • Cookies/trackers (see Section 8)

  • Error and performance logs (site performance and security events)

3.3 Information from third parties

  • Analytics/ads platforms (aggregated site metrics, campaign performance)

  • Public/professional sources (LinkedIn/company sites to verify business details)

  • Referrers/partners (where you have engaged through them)

We collect the minimum information necessary for the purposes set out below.

4. Why we collect and how we use your information

We handle personal information in line with the NZ Privacy Act 2020 and the IPPs, for purposes including:

  • Providing services (scoping, delivery, support, invoicing)

  • Responding to enquiries and sending requested information

  • Scheduling meetings, workshops, and training

  • Improving our site and services (analytics, diagnostics, quality assurance)

  • Communications and updates you choose to receive (newsletters, event invites)

  • Legal/compliance (record‑keeping, preventing fraud, managing risk)

  • Security (detecting and responding to threats to our systems or users)

We do not sell your personal information. We may create de‑identified or aggregated insights that no longer identify you.

5. AI, data handling and model usage

Because we specialise in AI, we want to be clear about how we handle data in AI contexts:

  • No training on your confidential data without consent. We will not use your confidential client or operational data to train third‑party foundation models without your explicit written approval.

  • Human‑in‑the‑loop. Where AI is used in our delivery (e.g., drafting, summarisation, workflow automation), we maintain human oversight for quality and safety.

  • Data minimisation. We use the least data necessary to achieve the purpose; we prefer redaction, pseudonymisation, and sandboxing where feasible.

  • Secure environments. We use vetted platforms and access controls. If using third‑party AI tools, we assess their terms, privacy, and security posture.

  • Customer‑controlled options. Where possible, we can configure AI tooling to keep data out of model training or to use on‑prem/private endpoints.

If you would like us to avoid using any AI tools with your data, tell us—many services can be delivered using traditional workflows.

6. Disclosures and international transfers

We may share personal information with:

  • Service providers/contractors (e.g., website hosting, email, calendar, CRM, analytics, marketing tools, security, accountancy) strictly for work they perform for us and under confidentiality obligations.

  • Professional advisers (legal, accounting, insurance) as needed.

  • Authorities where required by law or to protect rights, safety, or security.

  • Successors in the event of restructuring or a transfer of our business.

Some providers may be located or store data outside New Zealand (e.g., Australia, EU/UK, United States). Where information is transferred overseas, we take reasonable steps to ensure it is protected by comparable safeguards to New Zealand law (e.g., contractual protections, reputable vendors with robust security practices).

We do not permit providers to sell your data.

7. Retention

We keep personal information only as long as needed for the purposes above or to meet legal/contractual obligations. Typical retention periods:

  • Sales/marketing leads: up to 24 months from last meaningful interaction (unless you opt out earlier).

  • Client/project files: generally 7 years after project close for legal and tax reasons (unless otherwise agreed or required).

  • Operational logs/analytics: typically 6–24 months in aggregated or de‑identified form.

When information is no longer required, we take reasonable steps to securely delete or anonymise it.

8. Cookies & similar technologies

We use cookies and similar technologies to operate and improve our website.

Types of cookies

  • Strictly necessary: site security, load balancing, session management.

  • Performance/analytics: understanding site usage (e.g., page views, dwell time).

  • Functionality: remembering your preferences.

  • Advertising/retargeting (if enabled): measuring campaigns and showing relevant content.

Your choices

  • You can manage cookies in your browser settings and (where provided) via our on‑site cookie controls.

  • Blocking some cookies may affect site functionality.

  • To opt out of marketing emails, use the unsubscribe link or contact us.

9. Your rights

Under the NZ Privacy Act 2020, you can:

  • Request access to personal information we hold about you; and

  • Request correction if you believe it is inaccurate or incomplete.

We aim to respond within 20 working days. To exercise your rights, email hello@changeable.co.nz (subject line: Privacy Request). We may need to verify your identity. If we refuse a request (for example, where a lawful exception applies), we’ll tell you why and how to complain.

10. Security

We take reasonable steps to protect personal information against loss, unauthorised access, modification, or disclosure, including:

  • access controls and least‑privilege practices;

  • secure passwords, MFA where appropriate;

  • vetted vendors and encrypted transport;

  • standard backup and recovery processes; and

  • staff/contractor confidentiality obligations.

No method is 100% secure. If you suspect a security issue, contact us immediately at hello@changeable.co.nz.

11. Notifiable privacy breaches

If a privacy breach occurs that is likely to cause serious harm, we will notify affected individuals and the Office of the Privacy Commissioner (OPC) as required by the Privacy Act 2020. Learn more at https://www.privacy.org.nz/.

12. Children

Our services are aimed at businesses and adult professionals. We do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, please contact us to request deletion.

13. Direct marketing

We will send you marketing communications only where permitted by law (e.g., with consent or soft‑opt‑in) and you can opt out at any time using the unsubscribe link or by contacting hello@changeable.co.nz.

14. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top shows the latest version. Significant changes will be highlighted on our website or communicated to you directly where appropriate.

15. Making a complaint

If you have concerns about how we handle your personal information, please contact us first so we can try to resolve it. If you’re not satisfied, you can complain to the Office of the Privacy Commissioner (New Zealand):
Website: https://www.privacy.org.nz/
Phone (NZ): 0800 803 909

16. Definitions (plain language)

  • Personal information: information about an identifiable individual.

  • De‑identified: information that does not identify an individual and cannot reasonably be re‑identified.

  • Cookies: small files stored on your device that help a site function and measure usage.

  • Notifiable privacy breach: a breach that is likely to cause serious harm to affected individuals (as defined in the Privacy Act 2020).

Scroll