tom-dahm-Tvnfjn4n00I-unsplash

Our Privacy Policy gives you information on our privacy practices for the use of our products and services

Where this Privacy Policy says Qrious, “we” or “us”, it means Qrious Limited (a subsidiary of Spark New Zealand Trading Limited).

Where it says “you”, it means a Qrious customer who we provide products and services to. Our products and services are collectively called “services”.

Personal information is any information that can be used to identify you. For example, your name, address, phone number and email address are all personal information.

This Privacy Policy has two parts:

  • Part A provides details of our general privacy practices for our services.

  • Part B provides details of privacy practices for specific services we may provide you.

We are constantly trying to improve our services, so we may need to change this Privacy Policy from time to time. If you  have any questions or concerns about our Privacy Policy, please contact us at privacy@qrious.co.nz.

 

PART A: GENERAL PRIVACY POLICY

 

We respect your privacy

We may collect your (and your users) personal information as we develop and deliver services to you and other Qrious customers. We value and respect privacy, and manage any personal information that we collect or hold with care.

  • We recognise our responsibility, as an agent, in relation to the storage and processing of the personal information supplied to us.

  • We comply with the Privacy Act 2020 and apply good privacy governance practices. We take a risk-based approach, and where appropriate we will carry out privacy impact assessments.

    The UbiQuity platform is compliant with both ISO 27001 and 27701 standards. To uphold these certifications, we undergo an external audit on an annual basis.

  • We will only use, reproduce, publish, disclose, copy or transit data and materials provided by our customer for the purpose of supplying and developing our services, and as otherwise set out in this Privacy Policy.

  • We follow industry standards to keep your personal information secure.

  • We ensure our staff understand their obligations under the Privacy Act 2020 and this Privacy Policy and will take appropriate action if our staff do not follow these.

  • When we provide services to you, we require you to comply with the Privacy Act 2020, and to have transparent privacy policies and practices that fulfil those policies.

  • You should not take any steps to de-anonymise or de-aggregate any anonymised or aggregated data that we provide you.

  • We respect the privacy commitments that you make to third parties and expect you to honour those commitments when using our services:

    • while we take all reasonable steps to maintain the confidentiality of the personal information we hold, we are not responsible for your activities or actions in connection with such personal information.

    • you are responsible for ensuring that you comply with any privacy or other laws applicable to your data, materials or similar that contain personal information.

Personal information we may collect & ways personal information is used

When you use the service, we may collect and store personal information about you and your users of the services.

This personal information is used to: 

  • enable us (including our related companies, and third-party service providers) to provide our services to you. We use carefully selected and trusted service providers.

  • allow us to bill you and receive payment for services, including recovering and reporting on money owed to us, help prevent fraud, refer debts to debt collection agencies, or enforce our rights.

  • allow us to enforce our rights and obligations under our agreement with you.

  • communicate with you (and your users) in relation to your use of our services, process your transactions and respond to your requests.

  • personalise your experience in using our services.

  • send you information about our services.   

You may receive updates from us on any new features and related communications. You may unsubscribe from these marketing updates at any time through the unsubscribe link at the bottom of all emails, or by contacting us at privacy@qrious.co.nz.

Ways personal information may be shared

We may share your personal information with our related companies, and third-party service providers to provide services to you. We require all service providers acting on our behalf to comply with the Privacy Act 2020.

From time to time, third parties may submit requests to access personal information that may be held by us.

For example:

  • if we are required by any applicable law, court or authority or by any applicable stock exchange listing rules, about you or your users to law enforcement or government agencies.

  • individuals who believe that the information held in respect of your account includes personal information about them (e.g. email addresses of your customers) may request access to their own information.

We may also share personal information with anyone we transfer, sell or assign, all or any part of our business to, in respect of which you are a customer or potential customer. In addition, we may disclose information to third parties that has been converted to a form that cannot be used to identify you or any other individual.

We may also disclose personal information or your use of our services to prevent or lessen a serious threat to public health or safety, or to the life or health of an individual.

Use of aggregated, non-personally identifiable information

We may collect and store data related to your use of our services. We use this information to improve our services for you and our customers generallyAlthough we may publish aggregated information about usage patterns, we do not disclose information about individual persons.

Aggregated, non-personally identifiable information is information that has been converted to a form that cannot be used to identify you, and combined with data from other customers that has been de-identified in the same way. For example, aggregated, non-personally identifiable information may show that X% of customer’s used part of Our Services in January, but only Y% in February. 

We may: 

  • share insights derived from this information publicly – for example, to understand how often and in what ways people use our services and show trends about the services.

  • share this type of information with our third-party service providers, or related companies.

Access and correction of an individual’s personal information

Individuals have the right to request access to personal information we hold about them. Qrious respects this right, and the following will be considered by Qrious when we consider our obligations in this area:

  • there may be instances where we cannot grant individuals access to the personal information we hold about them. For example, if this request interferes with the privacy of others or would result in a breach of confidentiality.

  • if the personal information we hold about an individual is not accurate or complete, then they may ask us to correct it.

  • individuals may also request we delete any personal information we hold in relation to them.

  • however, if you use the UbiQuity Platform or the CUE solution, requests by an individual relating to their personal information will be directed by us to you for you to manage such requests. Please see below for further details.

Services with passwords

For services with passwords, this process forms part of our security measures to protect the loss, misuse, and alteration of personal information when you enter, submit, or access your instance of the relevant service.

It is important that you and your users:

  • select strong password(s) and unique pin number(s), and ensure these are changed regularly.

  • protect password and/or other sign-on mechanism appropriately.

  • limit access from computer or device and browser application by signing out after you have finished accessing your account.

  • actively manage on a regular basis who you have granted system access to and what privileges you assigned them to ensure that these are still valid and appropriate for you.

Mandatory privacy breach notification

We will notify you if we are aware of a notifiable privacy breach that affects any information you have provided to us and the Privacy Act 2020 requires individuals and/or the Privacy Commissioner to be notified. We will co-ordinate and consult with you on the contents of any such notification(s). Where we consider it necessary, we may notify individuals and/or the Privacy Commissioner directly.

PART B: SPECIFIC PRIVACY POLICIES FOR SERVICES WE MAY PROVIDE YOU

 

Additional privacy information about specific services that we may deliver to you are set out below.

The UbiQuity Platform
  • The UbiQuity platform holds and processes a range of personal information about individuals on behalf of you and other customers. Personal information provided by customers may include, but is not restricted to, name, email address, contact preferences, and transactions. The information that you provide to us is only held and processed in accordance with your requests. It is not combined with or added to any other data or data set without your instruction (which must be provided in compliance with the Privacy Act 2020).

  • As a UbiQuity customer, you must ensure that you have obtained proper consent from your customers in relation to the collection, holding, use, processing and disclosure of their personal information in relation to the UbiQuity platform, and relevant consents to send emails (in compliance with the Privacy Act 2020 and the Unsolicited Electronic Messages Act 2007).

  • We will only process, disclose, adjust or purge data in line with a request by you, unless required to do so by law. Once UbiQuity data is purged, there will be a 30-day period where this data can be retrieved through a data backup. Once 30 days have expired, this data will be irretrievable. We reserve the right delete your data if we have reason to believe that the data is, or is alleged to be, defamatory, illegal, or not appropriate. We will consult with you and provide reasonable notice where possible before doing so.

  • We use CCL (a Spark subsidiary), located in Auckland, New Zealand, and AWS Sydney (Australia) for hosting the UbiQuity application and data, as well as Azure Sydney for data related to UbiQuity Web Tracking, UbiQuity Web Hooks, CDN and Email Rendering.

  • The data in the UbiQuity Platform is controlled and managed by you. In the first instance we will direct such enquiries to you in relation to your users (including your customers), where permitted by law. This applies in circumstances where individuals make requests in relation to their personal information under the Privacy Act 2020.

CUE: Spark Public WiFi and On-Site WiFi
  • CUE is a Qrious service that uses real time WiFi data to provide our customers with customer insights while helping you to deliver relevant messaging and digital experiences, through online captive portals and on-site digital signage.

  • A third party service provider processes Spark WiFi usage data, and your on-site WiFi usage data for your users who visit a location and log in to the available WiFi. This data is hosted in Azure Sydney and is used to provide aggregated, anonymised insights on customer movement patterns and site optimisation insights.

  • As a CUE customer, you are responsible for ensuring you have received appropriate consent for data collection and usage from your users (including your customers). While we have put in place processes to limit the risk of individuals being identified through the CUE service, we expect you not to use CUE for this purpose or in a way that will allow individuals to be identified.

  • The third party service provider may publish aggregated information relating to the use of the services, such as aggregated customer movement patterns. However, information is not disclosed in a form that could reasonably be expected to identify WiFi users.

  • The third party service provider will sometimes leverage statistical demographic data to assign attributes to these data sets.

  • If you are a Spark Public WiFi customer and would like to learn more click here.

Insights from anonymised location data
  • We provide customers with insights based on anonymised network usage data provided by Spark New Zealand that tells us where mobile devices use the Spark network:

    • this data is anonymised and aggregated and used to understand movement patterns within New Zealand.

    • we will sometimes leverage statistical demographic data to assign attributes to the data sets.

  • As part of our services, this data is used to help New Zealand organisations improve infrastructure and services:

    • examples include: improving transport decisions, helping organisations better understand their customers, and supporting tourism in regional New Zealand.

  • Location data is hosted in AWS Sydney, as well as a Cloudera environment hosted in NZ .

  • Spark is responsible for ensuring it has received appropriate customer consent for data collection and usage.

    • If you are a Spark customer and would like to learn more, click here (in the “Sharing anonymised, aggregated mobile location data with Qrious” section)

    • If you would like to opt-out of your information being used by Spark and Qrious for this purpose, or if you have any queries or concerns, please email privacy@spark.co.nz.

Other Qrious data solutions
  • We can help you uncover and interpret insights from your data (i.e. first party data). In doing such analysis, your first party data may be enhanced through second and third party data (such as publicly available data or data that you may have access to).

  • We will work together to consider privacy aspects for any such analysis, including any privacy impact assessments where appropriate.

  • The environment where this data is housed will be fully dependent on your preference. This will be addressed in the relevant agreement between you and Qrious.

  • You are responsible for ensuring that you have received appropriate customer consent for collecting, enhancing and using your first party data to uncover insights. 

Certificates: 

MSECB - ISO/IEC 27701:2019
MSECB - ISO/IEC 27001:2013