Legal
Privacy Policy
In brief: we collect only the information reasonably needed to respond to enquiries, prepare and deliver website previews, operate our services and meet our legal duties. We do not sell personal information, use it for third-party advertising, or treat information being public as permission to copy it.
1. Who is responsible for your information
Digifinity Limited (NZ company number 9335517, NZBN 9429052772771), trading as Lighthouse Web (“Lighthouse Web”, “we”, “us” or “our”), is the agency that collects and holds personal information covered by this policy. Our registered office is 812 Inland Road, RD 2, Helensville 0875, New Zealand. Our Privacy Officer can be contacted using the details in section 14.
This policy applies to lighthouseweb.co.nz, lighthouseweb.design, our preview service, enquiries, preview requests and related one-to-one communications. It is intended to meet the New Zealand Privacy Act 2020, including the requirements for information collected directly and indirectly. If an Australian privacy law applies to a particular activity, we will comply with it as well.
2. Information you give us directly
When you request a preview, contact us or correspond with us, we may collect:
- your name, business name and email address;
- your region, if you choose to provide it;
- the contents of your message and later correspondence;
- project, billing and contractual information if you choose to work with us; and
- any corrections, preferences or permissions you give us.
Providing information is voluntary. The form marks the fields we need to consider and respond to a preview request. If you do not provide those fields, we may be unable to process the request. Please do not send sensitive personal information that is not necessary for your enquiry.
3. Information collected from public or third-party sources
We may collect limited, work-related information from a business's own website, Google Business Profile, public business directory, a business-data provider such as Outscraper, or another source that is genuinely available to the public. Depending on what the business has published, this may include:
- business name, category, place identifier, address, service area, coordinates, website, phone number, business email address, opening hours, services and other trading details;
- rating, review count, public review text, reviewer display name and rating;
- publicly displayed photo URLs, logos, brand colours and other visual references; and
- public website copy, page URLs, team names and roles, testimonials, services and contact details.
We may also receive information from an authorised representative of the business. Information about a sole trader, employee, reviewer or other identifiable person is personal information even when it appears in a business context.
We collect this information only where it is reasonably necessary to assess whether our service is relevant, understand the business, prepare a preview or deliver that preview to an appropriate business contact. We do not intentionally collect private-profile information, unrelated personal information, or more information than the task requires.
Where the information is personal information collected indirectly, we ordinarily explain in our first communication, or as soon as reasonably practicable, that we collected it, the source or source category, why we collected it, who we are, who may receive it, and how to request access, correction or removal. We will rely on an exception to that notice requirement only where the Privacy Act permits it and we can justify that reliance.
Public does not mean free to reuse. Collecting or looking at publicly available photographs, reviews, copy or other creative material does not transfer ownership or give us permission to reproduce it. We do not claim otherwise. A preview may use material that we created, that is properly licensed, that the rights holder authorised us to use, or a clearly identified placeholder. We do not reproduce identifiable customer reviews or photographs merely because they appear online. We may display content supplied through an authorised platform API in accordance with its licence, attribution, linking and storage requirements, or content for which we or the relevant business have recorded permission. We may analyse public reviews to identify aggregate, non-identifying themes, but do not present those summaries as quotations from a particular customer.
4. Technical information, access keys and cookies
When you use our sites or APIs, our infrastructure may process your IP address, browser and device type, user-agent string, requested URL, timestamps, response status and related security logs. We use this information to deliver the service, diagnose faults, prevent abuse and apply rate limits.
When you unlock a preview at its customer-facing address, we process the preview address and access key to
verify your access. A successful check creates a signed access token that expires after seven days. The token contains an
expiry and a cryptographic signature, not your access key. It is sent once to the preview and exchanged
for a strictly necessary lhw_key cookie configured as Secure, HttpOnly and SameSite=Lax. The
cookie lasts no longer than seven days. Infrastructure providers may transiently process the token as part
of serving the request.
We do not currently use advertising cookies, behavioural profiling, cross-site tracking or third-party analytics on these sites. If that changes, we will update this policy and obtain consent where the law requires it.
5. Why we use personal information
We use personal information only for the purpose for which it was collected, a directly related purpose you would reasonably expect, a purpose you authorise, or another use permitted by law. Those purposes are:
- responding to an enquiry or requested preview;
- assessing fit and researching, preparing, quality-checking and securely presenting a preview;
- contacting the appropriate business representative about a relevant preview or our related services, subject to the electronic-marketing rules in section 6;
- verifying preview access and administering any later engagement;
- operating, protecting, troubleshooting and improving our websites and infrastructure;
- preventing fraud, misuse and security incidents; and
- meeting legal, accounting, dispute-resolution and regulatory obligations.
We use automated and artificial-intelligence tools to assist with research, copy and design drafts, image assessment, quality checks and outreach drafts. Public business information, review material, existing-site content and selected images may be processed for those tasks. A person reviews previews and outreach before use. We do not use these tools to make decisions that produce legal or similarly significant effects about an individual.
We do not sell, rent or trade personal information, build advertising profiles, or allow another business to use it for its own marketing.
6. Email and electronic marketing
A response to something you requested and a promotional message are not treated as the same thing. For commercial electronic messages to New Zealand recipients, we require express consent, properly inferred consent, or deemed consent that satisfies the Unsolicited Electronic Messages Act 2007. We do not assume consent merely because an address exists online. Where we rely on a conspicuously published business address, we first check that there is no statement refusing unsolicited messages and that our message is directly relevant to the recipient's published business role. We keep enough information to demonstrate the basis on which the message was sent.
For Australian recipients, we follow the Spam Act 2003. We require express or properly inferred consent and do not treat publication of an address, by itself, as permission to market to it.
Every commercial message accurately identifies Digifinity Limited trading as Lighthouse Web, provides current contact details and includes a clear, free and functional unsubscribe method. The method remains available for at least 30 days after the message is sent, and we action an unsubscribe within five working days. You may also unsubscribe at any time by replying “unsubscribe” or emailing the address in section 14. We keep only the minimum suppression record needed to prevent further marketing.
7. Who may receive information
Access inside Digifinity Limited is limited to people who need the information for the purposes above. We may also disclose the minimum necessary information to:
- hosting, content-delivery, security, email, communications, form-processing, storage, backup and technical-support providers acting for us;
- public-business-data, licensed-media and automated or artificial-intelligence service providers where needed to research, create or quality-check a preview;
- an authorised representative of the business for which a preview was prepared;
- professional advisers, insurers or auditors where reasonably necessary and subject to duties of confidence; or
- a regulator, court, law-enforcement agency or other person where authorised or required by law, or where reasonably necessary to protect a person, our rights or the security of the service.
Our principal current service providers are Amazon Web Services (“AWS”) for hosting, storage, databases, content delivery, APIs, email delivery and AI-assisted processing; Outscraper for public business data; and Pexels for licensed stock-media sourcing. Google Business Profile and business websites are public information sources rather than places where we upload your enquiry. Provider use can change as our service evolves; our Privacy Officer can provide current information relevant to your data.
Where a provider acts for us, we select and configure it with regard to purpose limitation, confidentiality, security, access and deletion, and require appropriate protections through applicable service terms, contracts and settings.
8. Storage and overseas processing
Our primary application storage and computing are configured in the AWS Asia Pacific (Sydney) region. Submitted preview requests and lead records are stored in access-controlled AWS databases; preview and working assets are held in private AWS object storage. AWS email services send an internal notification copy of a preview request to an authorised operator.
Website delivery, DNS, security and communications services may route or temporarily process technical information through AWS network and edge locations in New Zealand, Australia or other countries. AI-assisted processing uses AWS Bedrock and may use cross-region or global inference routing. Outscraper and other specialist processors may also process information outside New Zealand.
Where a provider processes information only on our behalf, we require it to follow our instructions and protect the information. Before disclosing personal information to an overseas recipient for its own use, we take reasonable steps to ensure an applicable Privacy Act 2020 safeguard exists—such as comparable privacy protection, an enforceable contractual safeguard or your informed authorisation. Contact our Privacy Officer if you would like more information about the safeguards relevant to your information.
9. Security, preview access and breaches
We use safeguards appropriate to the sensitivity of the information. These include encrypted transport, access controls, restricted administrative access, protected secrets, signed and expiring preview tokens, rate limiting, customer-facing preview addresses protected by access keys, and controls that prevent or discourage search-engine indexing. Technical routes may also be used by our authorised operators and providers for administration and quality assurance. No internet service can guarantee absolute security, so do not treat a preview as a confidential document repository. Access keys must be kept confidential and shared only with people authorised by the relevant business.
If we suspect a privacy breach, we will act promptly to contain and investigate it, reduce harm and prevent recurrence. Where a breach has caused or is likely to cause serious harm, we will notify the New Zealand Privacy Commissioner and affected people as soon as practicable, unless the law permits an exception.
10. How long we keep information
We use the following usual maximum periods, unless a shorter period is requested and appropriate or a longer period is reasonably required by law, a current engagement, a dispute, a security investigation or a legal hold:
- Preview requests and prospect correspondence: 12 months after our last substantive contact, unless the person becomes a client.
- Unaccepted previews: access is ordinarily withdrawn after 60 days without activity. Preview working assets and detailed research are deleted or de-identified within six months after access is withdrawn or the business declines, whichever comes first.
- Preview access tokens: seven days. Security and access logs are ordinarily kept for no more than 90 days, unless needed to investigate an incident.
- Outreach and compliance evidence: source, consent-basis and message records for up to 24 months after the last message, unless needed for a complaint or dispute.
- Client, contractual, tax and transaction records: for the engagement and generally seven years afterwards where needed for legal, accounting, warranty or dispute purposes. Working files that are not needed for those purposes are removed earlier.
- Unsubscribe records: a minimal address or irreversible identifier and the date of the request for as long as reasonably needed to ensure the opt-out remains effective.
When a retention period ends, we delete or irreversibly de-identify the information. Deleted material may remain in protected backups until it ages out under the applicable backup cycle; it is not restored for ordinary use. We review retained information periodically.
11. Access and correction
You may ask whether we hold personal information about you, request access to it, and ask us to correct it. We may need to verify your identity or authority before responding. We will respond as soon as reasonably practicable and within 20 working days, subject to any lawful extension. Access is ordinarily free. If the Privacy Act permits us to withhold information or refuse a request, we will explain the applicable reason and your right to complain.
If we do not make a requested correction, you may ask us to attach a statement of the correction sought. Where required, we will take reasonable steps to tell recipients of a correction.
12. Removal, deletion and marketing choices
You may ask us to take down a preview concerning your business, stop contacting you, or delete information we no longer need. New Zealand law does not provide an unrestricted right to deletion in every situation, but we will honour a preview-removal request promptly and ordinarily within 10 working days. We will delete associated personal information unless we still need a minimal suppression record, must keep a record by law, or reasonably need it for a dispute or security matter. We will explain any information we retain.
You may withdraw marketing consent or unsubscribe at any time without affecting the lawfulness of earlier processing or service messages that are necessary to deal with an existing request or engagement.
13. Complaints
Please contact our Privacy Officer first so we have an opportunity to resolve the issue. We will acknowledge a complaint promptly, investigate it fairly and explain the outcome. You may also complain to the New Zealand Office of the Privacy Commissioner at privacy.org.nz. If Australian privacy law applies, you may contact the Office of the Australian Information Commissioner. Australian recipients may contact the Australian Communications and Media Authority about electronic-marketing concerns.
14. Contact and privacy requests
Privacy Officer
Digifinity Limited, trading as Lighthouse Web
NZ company number 9335517 · NZBN 9429052772771
812 Inland Road, RD 2, Helensville 0875, New Zealand
Email: hello@lighthouseweb.co.nz
Please use these details for privacy questions, access or correction requests, preview-removal requests and unsubscribes.
15. Changes to this policy
We may update this policy to reflect changes to our services, practices or legal obligations. We will publish the revised policy here with a new “last updated” date. If a change materially affects how we use information already collected, we will give reasonable notice on our homepage and, where practicable, directly to affected people before the change takes effect. You may request a copy of an earlier version from our Privacy Officer.