Privacy Policy

Introduction

GNC Space Limited (we, us, our) complies with the New Zealand Privacy Act 2020 and the General Data Protection Regulation of the European Union (GDPR) and the equivalent laws of the United Kingdom (UK GDPR) when dealing with personal information.

Personal information is information about an identifiable individual (a natural person), and includes personal data, personally identifiable information and equivalent information under applicable privacy and data protection laws.

This policy does not limit or exclude any of your rights under applicable privacy and data protection laws, including the GDPR, or UK GDPR, or the New Zealand Privacy Act 2020.

This policy was drafted with brevity and clarity in mind.  It does not provide exhaustive detail of all aspects of our collection and use of personal information.  We are happy to provide any additional information or explanation needed.  Any request for further information should be sent to our data protection officer at dpo@gncspace.com.

Changes to This Policy

We may change this policy by uploading a revised policy onto our website.  The change will apply from the date that we upload the revised policy.

When Does this Privacy Policy Apply

This privacy policy applies to personal information we collect from visitors to our website, our customers and other person with whom we deal directly.

Users of our SaaS service may collect personal information from individuals (e.g. their employees and customers) and upload, store or process that information to or in that service (User Data).

For the purposes of the GDPR and the UK GDPR, our customers are the data controller when storing or otherwise processing User Data and we are the data processor.  Our customers determine what and how they collect, use, disclose and transfer User Data.  This means that our customers’ collection and use of User Data is governed by their privacy policy and practices, not ours.

We only process User Data as authorised by our customers in our Terms of Use (available at https://gncgo.space/legal/terms/) and/or other agreements with our customers that govern the processing of User Data (as applicable).  Unless required otherwise under applicable law, if we receive any request or enquiry relating to User Data, we will forward this request to our relevant customer.

The remainder of this privacy policy does not apply to User Data.

Children

We do not intend to collect personal information from or about children aged under 16.  If you have reason to believe that we have collected personal information from or about a child under the age of 16, please contact us at dpo@gncspace.com.

What Personal Information do We Collect

Directly From You. We collect the following information directly from you:

When you use our website

• • When you fill in a contact or enquiry form on our website, call us, meet us in person or otherwise contact us, we collect your name, email address, phone number, role and any other information you choose to provide to us.

Automated collection

• • When you access and use our website we may automatically collect information about your device and usage of our website, including your IP address, operating system, browser type, time spent on certain pages of the website, pages visited, links clicked and language preferences.
  • Some of this data is collected through third party tools and/or the use of cookies, web beacons and similar storage technologies. Please refer to our cookie policy below for further information, including information on how you can disable these technologies.

In relation to our SaaS service

• • When you sign up to our SaaS service or register as a user we collect your name, email address, phone number, role, company name and location.
  • We use a third party service provider to process credit card transactions. We do not have access to your credit card information. The name of this third party provider will generally be displayed when you are requested to enter your credit card information. You can see further information about how they process your credit card information in their privacy policy.
  • When you refer another person to use our website or SaaS service, we may collect your name and email address and the other person’s name and email address and any other information you choose to include in the referral.

Automated Collection

• • When you access and use our SaaS service we may automatically collect information about your device and usage of our Saas service, including your IP address, operating system, browser type, time spent on certain pages of the website, pages visited, links clicked and language preferences.
  • Some of this data is collected through third party tools and/or the use of cookies, web beacons and similar storage technologies. Please refer to our cookie policy for further information, including information on how you can disable these technologies.

From Third Party Sources. Where possible, we collect personal information from you directly.  However, sometimes we may collect personal information that is publicly available (e.g. through LinkedIn profiles or public directories).

Combined Sources. We may combine the personal information about you that we receive from third parties with the personal information we collect from you directly or with device and usage data we collect automatically when you visit our website.

How We Use Your Personal Information

We may use your personal information to:

• verify your identity;
• provide our website and our SaaS service to you;
• market our products and our SaaS service to you, including contacting you electronically (e.g. by text or email for this purpose);
• improve our website and our SaaS service;
• publish things on our website (e.g. testimonials and other feedback);
• run promotions (e.g. surveys);
• bill you, provide other related information (e.g. provide invoices) and collect money that you owe us, including authorising and processing credit card transactions (as noted above, we use a third party service provider to process credit card transactions and we do not have access to your credit card information);
• conduct research and statistical analysis;
• tailor content on our website to you;
• protect and/or enforce our legal rights and interests, including defending any claim;
• respond to lawful requests by public authorities, including to comply with law enforcement requirements, or
• for any other purpose authorised by you or applicable law.

We may transfer your information in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition.

You can stop receiving our marketing emails by following the unsubscribe instructions included in those emails.

Disclosing Your Personal Information

We may disclose your personal information to:

• any business that supports our website, or our SaaS service, including any person that hosts or maintains any underlying IT system or data centre that we use to provide our website or our SaaS service, or that we use to process payments;
• third parties (for anonymised statistical information);
• professional advisers e.g. accountants, lawyers or auditors;
• a person who can require us to supply your personal information (e.g. a law enforcement agency or regulatory authority);
• any other person with your consent;
• any other company in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition;
• any other person authorised by applicable law.

Also, we may share information about your use of our website with our trusted analytics partners through the use of cookies, web beacons, and similar storage technologies.  Please refer to our cookie policy for further information.

International Transfers of Personal Information

A business that supports our website, or our SaaS service, may be located outside of New Zealand (the country where we are incorporated) and also outside of the country where you are located.  This means that the personal information we collect may be transferred to, and stored in, a country outside of New Zealand and the country where you are located.

If you are located in the European Union (EU), your personal information may be transferred outside of the European Economic Area (EEA).  Under the GDPR, the transfer of personal information to a country outside the EEA may take place where the European Commission has decided that the country ensures an adequate level of protection.  In the absence of an adequacy decision, we may transfer personal information if other appropriate safeguards are in place.

If you are located in the United Kingdom (UK) your personal information may be transferred outside of the UK.  Under the UK GDPR, the transfer of personal information to a country outside the UK may take place where that country has been granted adequacy status for the purposes of the UK GDPR.  In the absence of adequacy status, we may transfer personal information if other appropriate safeguards are in place.

Where we transfer personal information outside the EEA or UK, it will only be transferred to countries that have been identified as providing adequate protection for EU/UK data, or to a third party where approved transfer mechanisms are in place to protect your personal information (e.g. by entering into Standard Contractual Clauses).  For further information, please contact at dpo@gncspace.com.

Some of the personal information we collect is processed in New Zealand.  New Zealand is recognised by the European Commission and for the purposes of the UK GDPR as a country that has an adequate level of data protection and we rely on this decision in transferring personal information to New Zealand.

Protecting Your Personal Information

As required by applicable law, we will take steps to keep your personal information safe from loss, unauthorised activity, or other misuse.  We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks inherent in processing personal information.

You play an important role in keeping your personal information secure by maintaining the confidentiality of any password and accounts used in relation to our SaaS service.  You should not disclose your password to third parties.  Please notify us immediately if there is any unauthorised use of your account or any other breach of security.

Accessing and Correcting Your Personal Information

Subject to certain grounds for refusal under applicable law, you have the right to access your personal information that we hold and to request a correction to your personal information.  Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates.

Where you request a correction, if we think the correction is reasonable and we are reasonably able to change your personal information, we will make the correction.  In all other cases, we will take reasonable steps to make a note of the personal information that was the subject of your correction request.

If you want to exercise either of the above rights, email us at dpo@gncspace.com.  Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information to be corrected and the correction that you are requesting).

Subject to applicable law, we may charge you our reasonable costs of providing to you copies of your personal information or correcting that information.

In addition to the rights to access and correct your personal information, if you are based in the EU or UK, you have the additional rights set out in the GDPR Additional Terms section of this privacy policy below.

Internet Use

While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.

If you follow a link on our website or our SaaS service, to another website, the owner of that website will have its own privacy policy relating to your personal information.  We suggest you review that website’s privacy policy before you provide personal information to that owner or website.

Data Retention Policy

The personal information that we collect and use will not be kept longer than necessary for the purposes for which it is collected, or for the duration required for compliance with applicable law, whichever is longer.

Contacting Us

If you have any question about this privacy policy, or our privacy practices, or if you would like to request access to, or correction of, your personal information, you can contact us at dpo@gncspace.com.

The name and contact details of our Data Protection Officer for the purposes of the GDPR and the UK GDPR are:

• Name: Magnus Erixzon
• Email: dpo@gncspace.com.

GDPR Additional Terms

Lawful Basis for Processing Personal Information

Our lawful basis for processing (as that term is defined in the GDPR and UK GDPR) personal information that we collect, use and disclose depends on the personal information collected and the context in which we collect it.

Generally, we collect personal information from you where we have your consent, where processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, or where processing is necessary for the purposes of our legitimate interests (except where such interests are overridden by your interests or fundamental rights and freedoms).

Where we process personal information based on your consent, you may withdraw your consent at any time.

Despite the above, we may process your personal information where such processing is necessary for compliance with applicable laws.

If you have any question about the legal basis on which we process personal information or need further information, please contact us at dpo@gncspace.com.

Your Rights Under the GDPR and UK GDPR

If you are located in the European Union or the United Kingdom, your rights in relation to your personal information include:

• Right of access. If you ask us, we will confirm whether we are processing your personal information and provide you with a copy of that personal information.
• Right to rectification. If the personal information we hold about you is inaccurate or incomplete, you have the right to have it rectified or completed. We will take reasonable steps to ensure inaccurate personal information is rectified.  If we have shared your personal information with any third party, we will tell them about the rectification where possible.
• Right to erasure. When your personal information is no longer needed for the purposes for which you provided it, we will delete it. You may request that we delete your personal information and we will do so if deletion does not contravene any applicable law.  If we have shared your personal data with any third party, we will take reasonable steps to inform those third parties that they must delete your personal information.
• Right to withdraw consent. If the basis of our processing of your personal information is consent, you can withdraw that consent at any time.
• Right to restrict processing. You may request that we restrict or block the processing of your personal information in certain circumstances. If we have shared your personal information with any third party, we will tell them about this request where possible.
• Right to object to processing. You may request that we stop processing your personal information at any time and we will do so to the extent required by the GDPR and/or UK GDPR (as applicable).
• Rights related to automated decision-making, including profiling. You have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such automated decision-making is necessary for entering into, or the performance of, a contract with you, is authorised by applicable laws or is based on your explicit consent. We do not undertake automated individual decision-making.
• Right to data portability. You may obtain your personal information from us that you have consented to give us or that is necessary to perform a contract with you. We will provide this personal information in a commonly used, machine-readable and interoperable format to enable data portability to another data controller.  Where technically feasible, and at your request, we will transmit your personal information directly to another data controller.
• Right to complain to a supervisory authority. You can report any concern you have about our privacy practices to your local data protection authority.

Where personal information is processed for the purposes of direct marketing, you have the right to object to such processing, including profiling related to direct marketing.

If you would like to exercise any of your above rights, please contact us at dpo@gncspace.com. If you are not satisfied by the way we deal with your query, you may refer your query to your local data protection authority.