Nextro is committed to protecting your privacy.

Privacy Policy for Nextro
Effective Date: 1 Jan 2026

Nextro (referred to as “we”, “us”, or “our”) is committed to protecting your privacy and handling your personal information in a transparent and responsible way in accordance with the Privacy Act 2020 (NZ) and the Information Privacy Principles. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you:

  • Visit and interact with our website (nextro.nz);
  • Contact us by email, web form, phone, or otherwise;
  • Subscribe to marketing communications;
  • Engage with us as a customer, partner, supplier, or contractor.

Please read this Policy carefully. Your use of this website signifies that you accept the practices described here.

The role we play

When we deal with personal information, we act in one of two roles:

As a controller, we decide how and why personal information is collected and used. This applies to information you give us directly – for example, when you contact us through our website, subscribe to our newsletter, or engage with us as a customer, partner, supplier, or contractor. It also applies to information we hold about our own staff and contractors.

As an agent (or processor) for a customer, we handle personal information that the customer collects through systems we have deployed, manage, or support. In this role, the customer is the agency responsible under the Privacy Act 2020, and we follow their instructions in handling that information. Where you have a question about information held in a customer’s system, the customer is the right place to direct it.

This Privacy Policy explains how we handle personal information when we act as a controller. Where we act as an agent, we apply the protections set out in our Information Security Policy and Information Management Procedure, and we limit our handling to what is necessary to deliver the contracted service.

1. What personal information we collect

When we act as a controller, we collect personal information that you voluntarily provide to us, including:

  • Name, email address, phone number, company name, job title;
  • Information submitted via contact forms, enquiry forms, or newsletter registrations;
  • Correspondence you send to us.

We also collect some technical information automatically when you visit our website:

  • IP address, browser type, device type, pages visited, referral source, and similar data (“Navigational Information”).

We do not collect sensitive personal information unless you provide it directly and explicitly consent.

In the course of delivering services to our customers, we may encounter sensitive personal information held in customer systems we support. We act as an agent for a customer in handling this information; the customer is responsible under the Privacy Act 2020. We apply heightened protections set out in our Information Security Policy and Information Management Procedure. We do not collect this information for our own purposes. Any working copies we hold during a support task are deleted once the task is complete, in line with our Information Management Procedure.

2. How we collect personal information

We collect personal information:

  • Directly from you when you submit forms, register for communications, or contact us;
  • Automatically through cookies, website analytics, and server logs when you browse the site.

Where we collect information automatically, it may be technical and not personally identifying unless combined with other data.

There are some circumstances where we may receive personal information about you indirectly – that is, from someone other than you. For example:

  • When we provide services to a customer, we may encounter personal information about the customer’s staff, visitors, or other individuals (such as in surveillance footage or access logs).
  • When we receive applications for employment, a recruiter or referee may provide information about a candidate.
  • When we receive contact details for a business contact at one of our customers, vendors, or partners, we may receive those details from a colleague of the contact rather than from the contact themselves.

When we receive personal information about you indirectly and we hold it under our own control (rather than as an agent for the customer), we comply with our obligations under Information Privacy Principle 3A of the Privacy Act 2020. In most cases, we rely on the agency that originally collected the information to have given the necessary notification. Where this would not be reasonable, we will notify you directly.

3. Why we collect personal information (purposes)

We use personal information for purposes reasonably necessary to operate our business, including:

  • Responding to enquiries and providing requested information;
  • Sending newsletters, updates, or other marketing where you have opted in;
  • Fulfilling service requests and managing customer relationships;
  • Improving our services and website performance;
  • Complying with legal obligations.

We will not use your personal information for purposes incompatible with the original collection without your consent.

4. Disclosure to third parties

We may disclose personal information to:

  • Our service providers (e.g., hosting, analytics, email platforms);
  • Professional advisers such as accountants or lawyers;
  • Legal authorities where required by law.

We do not sell your personal information to third parties.

If a third party processes personal information on our behalf, we require contractual protections to safeguard it.

5. Cross-border transfers

Personal information we hold may be stored or processed in New Zealand or in jurisdictions with broadly comparable privacy laws.

Some of the cloud services we use (including productivity, email, marketing, and AI tools) operate from servers in jurisdictions without comparable privacy laws. Where personal information may be processed in those jurisdictions, we rely on contractual safeguards with the relevant providers, including data processing agreements, security and confidentiality commitments, and breach notification obligations, to ensure a comparable standard of protection.

The specific cross-border arrangements that apply to our operations are reviewed under our Vendor Privacy Management Procedure. We do not transfer customer personal information offshore beyond what is necessary to deliver the contracted service and what the customer has agreed to.

6. Data retention & security

We retain personal information only for as long as necessary for the purposes for which it was collected or as required by law. Specific retention periods, the legal framework that drives them, and our disposal practices are set out in our Retention and Disposal Policy.

We implement reasonable technical and organisational safeguards to protect personal information against unauthorised access, loss, alteration, or disclosure, in accordance with our Information Security Policy.

Sensitive personal information held in customer systems we support is subject to additional safeguards.

7. Cookies & analytics

Our website uses cookies and similar technologies. We use a small number of analytics cookies to understand how visitors use our site and to improve performance (Google Analytics and similar). We do not use cookies to build advertising profiles or to share information with advertising networks. You can control or block cookies through your browser settings, though this may affect some site functionality.

8. Your rights

Under the Privacy Act 2020, you have the right to:

  • Ask whether we hold personal information about you, and if we do, to receive a copy
  • Ask us to correct personal information we hold about you that is inaccurate, out of date, incomplete, or misleading
  • Make a complaint to the Office of the Privacy Commissioner if you believe we have not handled your personal information in accordance with the Privacy Act

If you would like to make an access or correction request, please contact our Privacy Officer using the details in Section 11. We may need to verify your identity before responding, particularly where the information is sensitive. We will respond within 20 working days as required by the Privacy Act.

Where you make a request and the information is held in a customer’s system that we support (rather than in our own systems) we may need to direct you to the customer, who is the agency responsible for that information. We will help you identify the right contact where we can.

If you are not satisfied with how we respond, you can make a complaint to the Office of the Privacy Commissioner:

  • Website: privacy.org.nz
  • Phone: 0800 803 909
  • Postal address: Office of the Privacy Commissioner, PO Box 10094, Wellington 6143
9. Marketing communications

We will only send marketing communications if you have consented to receive them. You can opt out at any time by:

  • Clicking “unsubscribe” in emails; or
  • Contacting us directly.

We comply with the Unsolicited Electronic Messages Act 2007 regarding marketing emails and messages.

10. Data breaches

We take privacy breaches seriously and have a documented Privacy Breach Response Procedure. If a privacy breach occurs that is reasonable to believe has caused, or is likely to cause, serious harm to one or more affected individuals, we will:

  • Notify the Office of the Privacy Commissioner as soon as practicable, and in any event within the timeframe expected by the Office of the Privacy Commissioner (currently within 72 hours of becoming aware of the breach where reasonably possible)
  • Notify affected individuals as soon as practicable, in line with the requirements of sections 115 & 116 of the Privacy Act 2020
  • Take steps to contain the breach and prevent recurrence

Where we act as an agent for a customer and a breach affects information held in the customer’s system, we will notify the customer promptly, who is the agency responsible for notification under the Privacy Act. We will support the customer in their notification process, and we will not directly notify individuals or the Privacy Commissioner unless instructed by the customer or required by law.

11. Complaints & contact information

If you have a privacy-related complaint or question, please contact our Privacy Officer:

  • Nadia Levy, Privacy Officer
  • Email:
  • Phone: 021 899 544 (direct) or +64 (9) 869 5800 (main)
  • Postal address: PO Box 3838, Victoria Street West Box Lobby, 15 Hardinge Street. Auckland 1010, New Zealand

We aim to respond to privacy enquiries within 5 working days, and to resolve any complaint promptly. Where you have made a formal access or correction request under the Privacy Act 2020, we will respond within 20 working days as required by the Act.

If you are not satisfied with our response to a complaint, you can also contact the Office of the Privacy Commissioner: privacy.org.nz, 0800 803 909, or PO Box 10094, Wellington 6143.