Mon – Fri  9AM – 5PM   |

Mo. – Fr.  9AM – 5PM

a

Last updated: 18 August 2025

We respect your privacy and are committed to protecting personal information. This Privacy Statement explains how we collect, use, disclose, store and protect personal information when you visit our website or use our services.

Who we are

ITstuffed Limited (“we”, “us”, “our”)
5/78 Brighton Mall, New Brighton 8061, Christchurch, New Zealand
0800 487 883 · [email protected]

Scope (B2B)

We provide services to businesses only. This statement covers personal information about identifiable individuals connected to those businesses (e.g., staff and authorised contacts), our own staff and contractors, and visitors to our website.

What we collect

Depending on how you interact with us, we may collect:

  • Business contact details: name, role, work email/phone, work address.

  • Support & operations records: support tickets, emails/chats, remote-support session details, device and software identifiers, event and security logs necessary to secure and support your environment.

  • Billing & transactions: invoice details and transaction references (we do not store full card numbers).

  • Website & analytics: cookie data and diagnostics via Google Analytics 4, Google reCAPTCHA, and Microsoft Clarity (see Cookies & analytics below).

  • Call recordings: audio (and, where created, transcripts) of inbound and outbound calls related to our services (see Call recording below).

We may collect information directly from you, automatically from your devices when you use our services, from your employer or authorised representatives, and from service providers we use to deliver our services.

How we use personal information

We use personal information to:

  • deliver, support and secure our services and systems;

  • communicate with you (including service updates and incident notices);

  • bill and manage our commercial relationship;

  • improve service quality (including training, quality assurance and call accuracy);

  • meet legal, regulatory and contractual obligations; and

  • send B2B marketing where consent has been provided (see Direct marketing).

We do not sell personal information.

Our role when we manage a client’s systems

When we support a client’s systems, we often handle personal information on the client’s behalf (for example, staff names, work emails, device identifiers and logs). In those cases, we act under our services agreement and applicable law. We also require our own providers (sub-processors) to protect that information appropriately.

Call recording (inbound & outbound; attached to tickets)

We record all inbound and outbound phone calls for training, quality assurance and accurate records. We tell you at the start of a call that recording is in place. If you prefer not to be recorded, please tell us and we’ll pause recording or offer an alternative (e.g., email).
Call recordings may be attached to related support tickets or referenced in them. You can request a copy of your call recording (audio or transcript), subject to legal restrictions.

Standard retention:

  • Call audio: 6 months (longer only if needed for a dispute or legal obligation).

  • Full, identifiable transcripts (if created): 12 months, then deleted or de-identified.

  • De-identified ticket summaries based on recordings: retained with the ticket record (see Retention).

Using AI and de-identified data

We use AI-assisted services to transcribe and summarise support interactions (including call recordings) and to improve service quality and response times.

  • We minimise personal information in prompts and de-identify data wherever feasible before AI processing.

  • We do not allow AI tools to make decisions that produce legal or similarly significant effects about a person without human review.

  • Vendors & locations: Some AI processing may occur outside New Zealand. Where we use the OpenAI API, inputs/outputs may be retained by OpenAI for up to 30 days for abuse monitoring and are not used to train OpenAI’s models. Where we use Azure OpenAI in Australia, prompts and outputs are processed within Microsoft’s Azure environment in that geography and are not used to train models.

  • We take steps required by Information Privacy Principle 12 (IPP12) to ensure comparable safeguards for any overseas processing.

Direct marketing & consent

When you sign our services agreement, we enrol your nominated business contacts to receive B2B updates about our services (product changes, security advisories, events and offers). Every message clearly identifies us and includes a functional, no-cost unsubscribe you can use at any time; we action unsubscribes promptly.
We currently send email via GoHighLevel and SMTP2GO. You can opt out at any time using the unsubscribe link or by contacting us.

Cookies & analytics

Our website uses cookies and similar technologies to operate the site and improve content.

  • Google Analytics 4 measures usage and performance.

  • Google reCAPTCHA helps prevent spam and abuse.

  • Microsoft Clarity provides session analytics/heatmaps.

These providers may process limited data on their infrastructure, which can include locations outside New Zealand and Australia (for example, the United States for certain services). You can control cookies in your browser settings.
reCAPTCHA notice: The site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Sharing personal information

We share personal information with trusted service providers so they can help us deliver our services (for example: Microsoft 365, HaloPSA, NinjaOne, Huntress, Avanan, DNSFilter, GoHighLevel, SMTP2GO, 3CX, website hosting/CDN/analytics providers, payment processors and couriers). We require them to protect the information and use it only for the purposes disclosed.

We may also disclose information where required or permitted by law, or where necessary to protect rights, property or safety.

Disclosing information outside New Zealand (IPP12)

Our core systems are hosted in New Zealand and Australia. Some processing by third parties (for example, web analytics and certain AI services) may occur outside New Zealand and Australia. Where we disclose personal information overseas, we take reasonable steps to ensure comparable safeguards to the New Zealand Privacy Act 2020 (including contractual protections and vendor assessments). Typical overseas locations may include the United States for some analytics and AI services.

Security

We use technical, organisational and physical safeguards appropriate to the sensitivity of the information, including access controls, encryption in transit, logging/alerting, and staff training. We also require our service providers to implement appropriate security controls.

Retention

We keep personal information only as long as needed for the purposes above and our legal obligations, then securely delete or de-identify it. Our standard retention periods are:

  • Support tickets and de-identified ticket summaries: 7 years

  • Device/operations logs: 12 months

  • Security alerts/incidents: 24 months

  • Call audio: 6 months

  • Full, identifiable transcripts (if created): 12 months, then deleted or de-identified

  • Financial records: 7 years (to meet tax and company law requirements)

Your rights (access & correction)

You have the right to request access to and correction of your personal information. We will respond within 20 working days (or advise if an extension is needed). If we decline a request, we’ll explain why and how to complain.

Notifiable privacy breaches

If a privacy breach is likely to cause serious harm, we will notify affected individuals and the Office of the Privacy Commissioner as soon as practicable (the Commissioner’s expectation is within about 72 hours, where possible).

Contact us (including Privacy Officer)

If you have any questions or concerns about this statement or our handling of personal information, please contact us:

Privacy Officer: Laura Wakefield, Account Management
[email protected] · 0800 487 883
General: [email protected]

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner (privacy.org.nz).

Changes to this statement

We review this statement regularly and when we change our services or data practices. We will post any updates on this page and update the “Last updated” date above.