Privacy Policy
Last updated: 18 August 2025
Who We Are
ITstuffed Limited, located at 5/78 Brighton Mall, New Brighton 8061, Christchurch, New Zealand. Phone: 0800 487 883.
Scope
Our services are provided to businesses only. This policy covers identifiable individuals connected to client businesses, including staff and contractors, as well as website visitors.
What We Collect
- Business contact details (name, role, work email/phone, address)
- Support records: tickets, emails, remote-session details, device identifiers, security logs
- Billing information and transaction references. We do not store full card numbers.
- Website analytics via Google Analytics 4, reCAPTCHA, and Microsoft Clarity
- Call recordings (audio and transcripts where created)
How We Use Personal Information
We use information collected to deliver and secure services, communicate updates, manage billing, improve quality, meet legal obligations, and send B2B marketing where consent exists. We do not sell personal information.
Our Role When Managing Client Systems
When supporting client infrastructure, ITstuffed acts as a data processor under the relevant services agreement. This includes handling staff names, email addresses, device identifiers, and system logs on the client’s behalf.
Call Recording
All inbound and outbound calls are recorded for training and quality assurance purposes. Callers are notified at the start of each call. Recording can be paused on request.
Retention:
- Call audio: 6 months
- Full identifiable transcripts (if created): 12 months, then deleted or de-identified
- De-identified ticket summaries: retained with the ticket
AI and De-identified Data
AI tools are used to transcribe and summarise support interactions. Personal information is minimised before AI processing. No AI-only decisions that produce significant effects on individuals are made without human review.
Vendors used and their data handling:
- OpenAI API: Inputs and outputs are retained up to 30 days for abuse monitoring; not used for model training.
- Azure OpenAI (Australia): Processed within Microsoft’s Australian Azure environment; not used for training.
Steps are taken under IPP12 to ensure comparable safeguards for any overseas processing.
Direct Marketing
Upon signing a services agreement, nominated business contacts are enrolled for B2B updates. Every message includes a functional, no-cost unsubscribe option. Email is sent via GoHighLevel and SMTP2GO.
Cookies & Analytics
This site uses the following analytics tools:
- Google Analytics 4 — usage and performance measurement
- Google reCAPTCHA — spam and abuse prevention
- Microsoft Clarity — session analytics and heatmaps
Some provider data may be processed outside New Zealand and Australia (e.g., the United States). You can control cookies via your browser settings.
Sharing Personal Information
Data is shared with trusted service providers including: Microsoft 365, HaloPSA, NinjaOne, Huntress, Avanan, DNSFilter, GoHighLevel, SMTP2GO, 3CX, hosting/CDN/analytics providers, payment processors, and couriers. Providers are required to protect the data and use it only for disclosed purposes.
Overseas Disclosure (IPP12)
Core systems are hosted in New Zealand and Australia. Third-party processing (analytics, some AI) may occur outside these regions. We take reasonable steps to ensure comparable safeguards in line with the NZ Privacy Act 2020.
Security
We use technical, organisational, and physical safeguards including access controls, encryption in transit, logging and alerting, and staff training. Service providers are also required to implement appropriate security measures.
Retention Periods
| Record Type | Retention |
|---|---|
| Support tickets & de-identified summaries | 7 years |
| Device / operations logs | 12 months |
| Security alerts / incidents | 24 months |
| Call audio | 6 months |
| Full identifiable transcripts | 12 months |
| Financial records | 7 years |
Your Rights
Individuals may request access to or correction of personal information we hold about them. Responses are provided within 20 working days.
Notifiable Privacy Breaches
If a breach is likely to cause serious harm, affected individuals and the Office of the Privacy Commissioner will be notified as soon as practicable (target: approximately 72 hours).
Contact / Privacy Officer
Privacy Officer: Laura Wakefield, Account Management
Email: privacy@itstuffed.co.nz | Phone: 0800 487 883
General: info@itstuffed.co.nz
Complaints can be escalated to the Office of the Privacy Commissioner.
Changes to This Policy
This policy is reviewed regularly. Updates are posted on this page with a revised “Last updated” date.