Privacy Policy

The Private Equity Advantage (TPEA)  ·  Version 1.2  ·  Effective: 18 May 2026

1. Who We Are

TPEA provides interpretive governance assessments for New Zealand businesses. This policy explains how we handle personal information under the Privacy Act 2020.

This policy applies to website visitors, introducers, prospects, and engaged clients.

Status of this policy: This policy is a privacy notice explaining how we handle personal information. It is not intended to create contractual obligations separate from our engagement terms, except where an engagement letter expressly incorporates it. Nothing in this policy limits any rights or obligations that apply under the Privacy Act 2020 or other applicable law.

Privacy Officer: Kory Fagan, Principal.

Privacy Officer email: privacy@tpea.co.nz

General contact: enquiries@tpea.co.nz

2. What We Collect

We collect different information from different audiences. We tell you what we collect at the point of collection.

2.1 Website visitors, introducers, and prospects

Contact details: Names, email addresses, phone numbers, and job titles.

Enquiry content: Messages you send through tpea.co.nz forms or by email.

Public records: Director and entity information from the NZ Companies Office. Publicly available business profile information. We use this to assess fit before contacting you.

Website data: IP addresses and basic analytics from tpea.co.nz. We use essential, security, and basic analytics technologies. We do not use advertising cookies. We do not sell tracking data.

We collect this data direct from you, or from public records. We do not buy data from third parties.

2.2 Engaged clients

In addition to the items in 2.1, we collect the following from clients who engage us for a Stress Test:

Engagement records: Signed engagement letters, correspondence, invoices, and payment records.

Client documents: Documents the client supplies for assessment. These include H&S policies, risk registers, incident records, training logs, contractor records, board minutes, and officer correspondence.

Some of these documents contain personal information about workers, contractors, officers, and other individuals. This information may be sensitive. It may relate to incidents, health, or conduct.

IPP 3A obligation: We sometimes collect personal information about workers, contractors, officers, and others from client documents. This is indirect collection. We are required by IPP 3A to take steps that are reasonable in the circumstances to ensure those individuals are made aware of the matters set out in IPP 3A, and TPEA remains responsible for satisfying itself that those steps have been taken before client documents are used. We address this in one of two ways:

Where an exception under the Privacy Act applies, we will document the exception. Common exceptions include collection from publicly available sources and where notification would prejudice the purpose of collection.

Residual responsibility: TPEA remains responsible for satisfying itself that the IPP 3A notice obligation has been met in the circumstances. We do not rely on assumed notice. We require, and retain, evidence from the client of the privacy notice or supplementary notice relied on. Where an exception under the Privacy Act is relied on (for example, where notification would prejudice the purpose of collection or where the information comes from a publicly available source), the basis is documented on a case-by-case basis.

Document hygiene: Clients must not provide personal information that is not relevant to the Stress Test, and should redact or omit unnecessary identifiers and sensitive details (including medical or health details) where the underlying information is not material to the documentary review. Where a document contains sensitive information about workers, incidents, health, conduct, or officer correspondence, the client should consider whether the information is required before the document is supplied.

3. How We Use Your Information

We use personal information only for the purposes for which we collected it:

We do not use your information for marketing to third parties. We do not sell or trade personal information.

4. AI-Assisted Processing

TPEA uses Anthropic's Claude AI to help analyse documents and produce reports. Claude is accessed via the Anthropic API.

What this means for your data: Document content is submitted to the Anthropic API. Under the Anthropic Commercial Terms of Service and the Anthropic Data Processing Addendum (DPA), API inputs and outputs are not used to train Anthropic's models. For standard Anthropic API use, inputs and outputs are deleted from Anthropic's backend within 30 days. Stated exceptions apply. These include selected API features, agreed retention arrangements, usage-policy enforcement, and legal compliance.

Cross-border transfer: Anthropic is a US-based company. Submitting data to the API is a cross-border transfer under IPP 12. TPEA's primary basis for IPP 12 compliance is contractual: the Anthropic Commercial Terms of Service and Data Processing Addendum together with TPEA's de-identification controls are intended to ensure the overseas recipient is required to protect the information in a way that, on TPEA's assessment, provides comparable safeguards to the Privacy Act 2020. The client's authorisation in the engagement letter is held as an additional belt-and-braces basis. TPEA may also rely on another permitted basis for cross-border disclosure where appropriate.

Express warning: Where we rely on your authorisation for the transfer, you should be aware of the following. The overseas recipient may not be required to protect the information in a way comparable to the Privacy Act 2020. Your written authorisation in the engagement letter records that you have been informed of this.

We rely primarily on the Anthropic Commercial Terms of Service and Data Processing Addendum as the contractual safeguard for cross-border processing. We also obtain the client's express written authorisation and acknowledgement in the engagement letter as an additional basis.

De-identification: We replace client-identifying details with codes before submission to the API. The lookup table that links codes to identities stays on local TPEA systems. The lookup table is never submitted to the API.

Subprocessors: Anthropic uses subprocessors (such as cloud infrastructure providers) to deliver its services. A current list is available from Anthropic on request.

Our operational controls: TPEA's account is governed by the Anthropic Commercial Terms of Service and the Data Processing Addendum. For client work, TPEA does not use Files API persistence, Batch processing, code execution, Workbench, Managed Agents, or any other longer-retention or non-ZDR-eligible features unless they have been separately assessed and disclosed to the client. For client work, TPEA does not use Claude.ai consumer plans, Claude Pro or Claude Max subscriptions, or third-party Claude wrappers.

Engaged clients receive additional terms about AI processing in the engagement letter.

5. Who We Share Information With

Anthropic (API processing). See Section 4.

Stripe (payment processing). For invoicing and payment collection.

Cloud storage providers (such as Google Workspace and Microsoft 365). May be used for email and document storage. Data may be stored or processed outside New Zealand depending on the provider, service, plan, and configuration. We configure these services to use appropriate security and residency settings where available.

Professional advisers — our lawyer, accountant, and insurer where necessary.

We do not share Stress Test reports with third parties, except in three cases. First, on client instruction. Second, with professional advisers under confidentiality. Third, where legally required.

Compelled disclosure: We may disclose information where the law requires it. This includes compulsory legal process and HSWA Part 4 powers. We will notify the client of such a disclosure, except where notification is prohibited by law, would prejudice an investigation, law-enforcement activity, or current or anticipated proceedings, would endanger the safety of any person, or would breach a court order or other statutory restriction.

6. How We Protect Your Information

Client documents are stored in encrypted cloud storage. Access is restricted to TPEA personnel working on the engagement.

We do not store credit card or bank account numbers. Payments go through Stripe.

We use the code-substitution process described in Section 4 before AI processing.

7. How Long We Keep Information

Retention periods are summarised below. The trigger column shows when the deletion clock starts.

| Data type | Retention period | Trigger to delete |
| --- | --- | --- |
| Website enquiry | 12 months from last contact. | No reply for 12 months. |
| Introducer record | Active relationship plus 24 months. | Relationship ends. |
| Prospect record | 24 months from last contact. | No engagement and no contact for 24 months. |
| Client source documents (routine) | 90 days after report delivery, subject to a legal, insurance, regulatory, dispute, or litigation-hold exception. | End of QA window, unless a hold applies. |
| Entity-identified report (routine) | 90 days after report delivery, subject to a legal, insurance, regulatory, dispute, or litigation-hold exception. | End of QA window, unless a hold applies. |
| De-identified data | Indefinite. Not reasonably identifiable. | Not applicable. |
| Engagement records | 7 years from completion, or longer where reasonably required for legal, insurance, regulatory, dispute, or litigation-hold purposes. | End of statutory limitation. |
| AI processing data | Deleted by API provider per their terms. | Per provider schedule. |

De-identified data: We may retain de-identified and aggregated data derived from engagements for methodology development and benchmarking. TPEA retains such data only where it has assessed that the data is not reasonably identifiable, including the risk of identification by combination with other information reasonably available to TPEA. Direct client and individual identifiers are removed. The lookup table that links codes to identities is held only on TPEA's local systems and is deleted within the same period as the underlying source documents, unless a legal, insurance, regulatory, dispute, or litigation-hold exception applies. This treatment is also reflected in the engagement letter.

8. Privacy Act Principles

This policy addresses the Privacy Act 2020 information privacy principles, including IPP 3A which came into force on 1 May 2026. The table below shows where each principle is addressed.

| IPP | Principle | How TPEA complies |
| --- | --- | --- |
| 1 | Purpose of collection | We collect data only to deliver the Stress Test or to respond to enquiries. See Section 3. |
| 2 | Source of personal information | We collect from individuals directly where practicable. We also collect indirectly from clients, public sources, or other permitted sources where the Privacy Act allows. |
| 3 | Collection from individual | We tell you what we collect, why, and who sees it. This policy and the engagement letter give that notice. |
| 3A | Indirect collection notification | Where we collect about a person from a source other than that person, we take reasonable steps to make them aware. See Section 2.2. |
| 4 | Manner of collection | We collect lawfully and fairly. We do not collect by deception or unfair pressure. |
| 5 | Storage and security | We use access controls, encryption in transit, and limited retention. See Section 6. |
| 6 | Access to information | You can ask for a copy of what we hold about you. See Section 9. |
| 7 | Correction of information | You can ask us to correct your information. See Section 9. |
| 8 | Accuracy before use | We check the information is accurate before we use it in a Stress Test report. |
| 9 | Retention limit | We delete personal information when we no longer need it. See Section 7. |
| 10 | Use limited to purpose | We use your information only for the purpose we collected it. See Section 3. |
| 11 | Limits on disclosure | We disclose personal information only where permitted by the Privacy Act, including to service providers, professional advisers, with authorisation, or where legally required. See Section 5. |
| 12 | Cross-border disclosure | We use overseas providers. See Section 4. |
| 13 | Unique identifiers | We do not assign unique identifiers to clients beyond a project code. |

9. Your Rights

Under the Privacy Act 2020, you have rights to:

To use any of these rights, email privacy@tpea.co.nz. We will respond as soon as reasonably practicable and within 20 working days after receiving the request, unless the Privacy Act 2020 permits an extension.

10. Privacy Breaches

Where TPEA becomes aware that a notifiable privacy breach has occurred — that is, a privacy breach that it is reasonable to believe has caused, or is likely to cause, serious harm to an affected individual — TPEA will notify the Office of the Privacy Commissioner as soon as practicable after becoming aware. TPEA will also notify affected individuals as required by Part 6 of the Privacy Act 2020, unless an exception applies.

We will tell you what happened. We will tell you what data was affected. We will tell you what we are doing about it.

11. Complaints

If you have a complaint about how we handle your information, contact us first:

If you are not satisfied with our response, you can complain to the Office of the Privacy Commissioner:

12. Changes to This Policy

We may update this policy. The current version will always be at tpea.co.nz/privacy.html.

Material changes will be communicated to active clients directly.