Privacy Policy
Last updated: 20 June 2026
This Privacy Policy is our public privacy statement under the Privacy Act 2020 (New Zealand). It explains how we, as an agency under that Act, collect, use, store, disclose, and protect personal information when you visit https://herbaliamovement.world or contact us.
We also recognise the General Data Protection Regulation (GDPR) where it applies to visitors in the European Economic Area (EEA). A separate section below sets out those rights.
This policy should be read with our Cookie Policy and Terms of Use.
1. Who We Are
Agency name: Herbaliamovement.ddd
Physical address: 44 Ferry Street, Seatoun, Wellington 6022, New Zealand
Email: message@herbaliamovement.world
Phone: +64 21 023 04658
For privacy enquiries, access requests, or complaints, contact us using the details above. We aim to respond as soon as reasonably practicable and, at latest, within 20 working days as required under the Privacy Act 2020.
2. Personal Information We Collect
Personal information means information about an identifiable individual, as defined in the Privacy Act 2020.
2.1 Information you provide directly
- Contact form: name, email address, message content, and confirmation of consent to data processing.
- Event or workshop enquiries: any details you choose to include in your message.
2.2 Information collected automatically
- Server and security logs: IP address, date and time of access, browser type, device type, referring URL, and pages viewed.
- Cookie and local storage data: your cookie preference choices (see Cookie Policy).
- Analytics data (if you consent): aggregated or pseudonymised usage statistics such as pages visited, session duration, and general location (country/region level).
2.3 Information we do not intentionally collect
We do not require you to provide sensitive personal information (such as health records or financial account details) to use this website. Please do not submit such information via the contact form unless it is relevant to your enquiry and you consent to our handling it for that purpose.
The interactive "My Ideal Day" builder runs in your browser. Schedule inputs are not transmitted to or stored on our servers unless you separately send them through the contact form.
3. How We Collect Information (IPP 3 and IPP 3A)
Under Information Privacy Principle (IPP) 3, when we collect personal information directly from you, we inform you of the matters set out in this policy.
Under IPP 3A (in force from 1 May 2026), if we ever collect personal information about you from a third party, we will take reasonable steps to ensure you are aware of that collection, the fact it was collected from another source, and the other matters required by the Privacy Act 2020. We currently collect most information directly from you or automatically through your use of the website.
Collection notice — Contact form
- What we collect: name, email, message, consent confirmation.
- Why we collect it (purpose): to respond to your enquiry, provide information about our resources or events, and maintain a record of correspondence.
- Who will receive it: our staff and authorised service providers (hosting, email) who assist us in operating the website and responding to messages.
- Is provision mandatory? No. Providing information via the contact form is voluntary.
- Consequences if you do not provide it: we may be unable to respond to your enquiry or register your interest in events.
- Your rights: you may request access to and correction of your personal information (see Sections 10 and 11).
4. Purposes of Collection and Use (IPP 1 and IPP 10)
We collect personal information only for lawful purposes connected with our functions, and we use it only for the purpose for which it was collected or a directly related purpose you would reasonably expect, including:
- responding to enquiries and communicating with you;
- operating, maintaining, and securing the website;
- understanding website usage to improve content and usability (with consent for analytics cookies);
- sending information about workshops or planning resources where you have consented (including under the Unsolicited Electronic Messages Act 2007);
- complying with legal obligations and defending legal claims.
We will not use your personal information for a new unrelated purpose without notifying you or obtaining your consent where required.
5. Manner of Collection (IPP 4)
We collect personal information in a way that is lawful, fair, and not unreasonably intrusive. We do not use misleading or deceptive means to obtain information, in accordance with the Fair Trading Act 1986.
6. Disclosure of Personal Information (IPP 11)
We do not sell personal information. We may disclose personal information to:
- Service providers who assist with website hosting, email delivery, analytics (if enabled), or technical support — only to the extent needed for their services and under contractual confidentiality and security obligations;
- Professional advisers (e.g. lawyers) where reasonably necessary;
- Regulators or law enforcement where required or authorised by New Zealand law.
We will not otherwise disclose your personal information except with your authorisation or as permitted by the Privacy Act 2020.
7. Disclosure Outside New Zealand (IPP 12)
Some service providers may store or process data outside New Zealand (for example, in Australia, the United States, or the European Union). Before disclosing personal information overseas, we take reasonable steps to ensure the recipient is subject to:
- privacy laws that provide comparable safeguards to the Privacy Act 2020;
- a binding scheme or contract requiring comparable protection; or
- another safeguard recognised under IPP 12.
Where comparable safeguards cannot be ensured and no exception applies, we will only disclose information overseas with your express authorisation after informing you that the overseas recipient may not be required to protect the information to the same standard as New Zealand law.
8. Unique Identifiers (IPP 13)
We do not assign government-issued unique identifiers (such as IRD or NHI numbers) to individuals. If analytics tools assign pseudonymous identifiers (such as cookie IDs), we use them only where necessary for website analytics (with your consent) and do not combine them with contact form data except where you have clearly linked the two through your actions.
9. Storage, Security, and Retention (IPP 5 and IPP 9)
Security (IPP 5)
We take reasonable security safeguards to protect personal information from loss, misuse, unauthorised access, modification, or disclosure. Measures include HTTPS encryption, access controls, secure hosting environments, and limiting staff access to personal information on a need-to-know basis.
No internet transmission is completely secure. You use this website at your own risk, and we encourage you to protect your devices and accounts.
Retention (IPP 9)
- Contact form records: up to 24 months after our last correspondence with you, unless a longer period is required by law or for dispute resolution.
- Server logs: typically up to 12 months for security and troubleshooting.
- Analytics data: up to 26 months where analytics cookies are enabled, aggregated where possible.
- Cookie consent records: stored in your browser until you clear local storage or withdraw consent.
When personal information is no longer needed for any lawful purpose, we take reasonable steps to destroy it or de-identify it.
10. Access to Your Personal Information (IPP 6)
You have the right to request confirmation of whether we hold personal information about you and to request access to that information.
Submit access requests to message@herbaliamovement.world. We will respond as soon as reasonably practicable and within 20 working days. If we need more time, we will notify you and explain the extension.
We may withhold information in limited circumstances permitted by the Privacy Act 2020 (for example, where disclosure would endanger safety or unreasonably disclose another person's information). If we refuse access, we will explain our reasons and your options to complain to the Office of the Privacy Commissioner.
11. Correction of Personal Information (IPP 7 and IPP 8)
You may request correction of personal information you believe is inaccurate, out of date, incomplete, irrelevant, or misleading. We will take reasonable steps to correct it or, if we disagree, attach a statement of your requested correction to the record.
We take reasonable steps to ensure personal information is accurate, up to date, complete, relevant, and not misleading before using it.
12. Notifiable Privacy Breaches
Under the Privacy Act 2020, if a privacy breach has caused or is likely to cause serious harm, we must notify the Office of the Privacy Commissioner and affected individuals as soon as practicable.
A privacy breach includes unauthorised or accidental access to, disclosure of, alteration of, loss, or destruction of personal information, or an action that prevents us from accessing the information on a temporary or permanent basis.
If you believe your personal information held by us has been compromised, contact us immediately at message@herbaliamovement.world.
13. Direct Marketing and Electronic Messages
We will only send commercial electronic messages (email, SMS) in compliance with the Unsolicited Electronic Messages Act 2007. Messages will identify us as the sender, include accurate contact details, and provide a functional unsubscribe mechanism. We will not add you to marketing lists based on contact form submissions unless you have clearly opted in.
14. Website Monitoring and Cookies
We monitor website behaviour through server logs and, if you consent, analytics cookies. Details are in our Cookie Policy. Non-essential cookies are disabled until you choose to accept them via our cookie banner.
15. Children's Privacy
This website is intended for adults and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will take reasonable steps to delete it.
16. Your Rights Under GDPR (EEA Visitors)
If you are in the EEA, you may also have the right to: access, rectification, erasure, restriction of processing, data portability, object to processing, and withdraw consent. You may lodge a complaint with your local EU supervisory authority. Our lawful bases include consent, legitimate interests, and pre-contractual steps. Contact us to exercise GDPR rights.
17. Complaints
If you have a privacy concern, contact us first so we can try to resolve it. If you are not satisfied, you may complain to:
Office of the Privacy Commissioner
PO Box 10 094, Wellington 6140, New Zealand
Phone: 0800 803 909 (within NZ) / +64 4 474 7590
Website: www.privacy.org.nz
18. Changes to This Policy
We may update this Privacy Policy when our practices or legal obligations change. The "Last updated" date will reflect the current version. Material changes will be posted on this page. Continued use of the website after changes constitutes acknowledgement of the updated policy.