Convergnce's privacy practice follows the requirements set by New Zealand's Privacy Act 1993, as we are a New Zealand-based company, incorporated in New Zealand. Additionally, we choose to adhere voluntarily to the requirements of the European Union's General Data Protection Regulation (GDPR), as it is currently the highest standard of privacy worldwide and New Zealand has a privacy adequacy agreement in place with the European Union.
It is the policy of Convergnce that all direct marketing and communication activities are only to happen with the permission of the addressee (you), which is only to be asked for (and thus granted by you) for specific purposes. In order to fulfill said purposes we need to request and obtain certain personal private information.
We collect personal private information from you, including information about your:
• full name;
• contact information;
• information concerning any inquiries you may have made to us.
We collect your personal information in order to:
• advise you when new content has been published on our website;
• send direct marketing communications;
• respond to your inquiries.
We store all personal private information securely, on infrastructure that is encrypted and protected by user authentication measures.
Besides our staff, we may share this information with:
• our marketing automation platform providers and our content management system provider (Squarespace) in order to be able to notify you when new content is made available and to send you direct communications.
At this point in time, we are not utilising any marketing automation software and our content management system does not hold any user personal private information.
We keep your information for as long as you wish to receive our notifications and direct communications. Once you no longer wish to receive them, we securely destroy it by securely erasing all digital records in our systems, from our marketing automation platform provider's systems (if in use), and from our content management system provider's platform (if in use).
You have the right to ask for a copy of any personal information we hold about you, to ask for it to be corrected if you think it is wrong, and to ask for it to be removed from our records and our communications to you stopped. If you would like to ask for a copy of your information, or to have it corrected, or removed and our communications stopped, please contact us at [email protected] or +64211266705 (by call or text message).
If you have any concerns regarding the possibility that the information that you have provided to us may have been the object of a cyber security (information security) incident, please contact us immediately at [email protected] or +64211266705 (by call preferably, rather than text message). Additionally, in the case of a cyber security incident we also encourage you to get in contact with the Computer Emergency Response Team New Zealand (CERT NZ). That will also be our first action.
Incident Response Policy
In the event that we even suspect that there may have been a security incident affecting any of the systems that hold any of our data, we will take the following actions, in this order:
• We will contact the Computer Emergency Response Team New Zealand (CERT NZ) in order to report the suspected incident or known incident and obtain their support.
• Upon finishing our first deliberations with CERT NZ, we will issue an immediate alert to all of our clients and to every person or organisation of which we hold any information, advising of our suspicion that an incident may have occurred. This policy stance may at some point cause a false positive alert, but we would rather fail by being excessively careful with the information under our care than overly protective of our reputation.
• We will conduct an information security forensic analysis to determine whether or not an incident has occurred. If an incident has occurred, the analysis will determine the impact of said incident, whether any information was accessed, whether any information that may have been accessed was modified or extracted, and how the incident happened.
• With the facts at hand we will communicate periodically with any affected parties in order to advise of the extent of the situation (risk to them) and to advise on what counter-measures (measures to reduce the resulting risk) are available to them. Depending on the nature of the incident (false alarm, minor incident with no data involvement, medium incident with some data involvement, major incident with confirmed loss of data) the number of these communiques may range from one to many.
• When the information security incident is deemed resolved, we will issue a final communique with a full report to all affected parties and to CERT NZ.
3rd September, 2018: Incident response policy added. Change Log added.
19th September, 2018: Minor additions and punctuation corrections for the sake of clarity.