Privacy Policy

Version 1.0 – Effective Date: 26 November 2025 

1. Introduction 

Holistic Data Systems Limited (“we”, “us”, “our”, or “Company”) is committed to protecting your privacy and ensuring you have a positive experience on our website and when using our services. 

This Privacy Policy explains how we collect, use, disclose, store, retain, and protect your personal information in accordance with New Zealand’s Privacy Act 2020 and the 13 Information Privacy Principles (IPPs)[1]. It applies to: 

  • Visitors to our websites (best-holiday-specials.com and related subdomains) 
  • Clients who engage us for services (IT consulting, web development, VR/AR, AI, casting, telehealth, or other services) 
  • Users of our hosted platforms, portals, email services, or other online systems 

This Privacy Policy does not apply to third-party websites linked from our site; we are not responsible for their privacy practices. 

2. What Is Personal Information? 

Under the Privacy Act 2020, “personal information” means information about an identifiable individual.

This includes: 

  • Names, addresses, contact details (email, phone, postal) 
  • Identification numbers (NZ Tax ID, NZBN, IRD number) 
  • Financial information (bank details, payment card details, credit information) 
  • Employment, professional, and educational details 
  • Medical or health information (including telehealth records) 
  • Sensitive personal information (ethnicity, political opinions, religious beliefs, sexual orientation, health information, criminal history) 
  • Images, video, audio recordings, and biometric data (including talent/casting profiles and VR/AR shoot footage) 
  • IP addresses, cookies, and online identifiers 
  • Marketing preferences and communication history 
  • Any other information that can identify you directly or indirectly 

3. How We Collect Personal Information 

3.1 Collection from You Directly (IPP 3) 

We collect personal information directly from you in the following situations: 

  • Website visitors: When you contact us via our website form, email, or phone, you may provide your name, email, phone number, organisation, and message. 
  • Clients: When you request a quote, sign a proposal, SLA, or service agreement, we collect your name, contact details, business information, billing address, and payment details. 
  • Account creation: When you create an account to access our hosting, platforms, or services, we collect username, password, contact information, and profile details. 
  • Feedback and surveys: When you provide feedback, testimonials, or participate in surveys. 
  • Marketing: When you subscribe to our newsletter or marketing communications. 
  • Project-specific information: Depending on the service, we may collect designs, specifications, code, content, data, talent information, medical records, VR/AR assets, or AI prompts. 

3.2 Collection from Other Sources (IPP 3A) 

Where we collect your personal information from sources other than you directly, under Information Privacy Principle 3A (effective 1 May 2026), we will take reasonable steps to ensure you are aware of the collection[2]. These sources may include: 

  • Third-party service providers (hosting, payment processors, email providers) 
  • Third-party platforms or directories (public business records, professional networks, casting databases) 
  • Other clients or third parties acting on your behalf (e.g., referrers, recruitment agents, project managers) 
  • Credit reporting agencies or debt collection agencies 
  • Regulatory bodies or government agencies 
  • Public records or publicly available information 

Where we collect information indirectly, we will use reasonable efforts to notify you of: 

  • The fact that we have collected your information 
  • The type of information collected 
  • The source of collection 
  • The purposes for which we collect and use it 
  • Who we may disclose it to 
  • Your right to access and correct it 

4. Purposes for Collection and Use (IPP 2 & IPP 6) 

We collect and use personal information for the following purposes: 

Primary Purposes 

  • Service delivery: To provide you with IT consulting, web development, hosting, email services, VR/AR content creation, AI implementation, casting services, telehealth platform integration, or other services you request. 
  • Contract administration: To process invoices, manage payments, fulfil obligations under proposals or SLAs, provide support, and manage ongoing relationships. 
  • Website operation: To monitor, maintain, and improve our website and online services. 
  • Communication: To respond to your enquiries, provide updates, troubleshoot issues, and keep you informed about your services. 
  • Billing and accounting: To create invoices, track payments, manage accounts payable and receivable, and comply with accounting and tax obligations. 

Secondary Purposes 

  • Marketing and business development: To send you information about our services, industry news, special offers, and related updates (you may opt out at any time via the unsubscribe link in our emails). 
  • Quality assurance and improvement: To analyse how our services are used, identify trends, improve our offering, and train staff. 
  • Legal compliance: To comply with our legal obligations under NZ tax law, employment law, health and safety law, telehealth regulations (where applicable), and advertising standards. 
  • AI model improvement: For AI and machine learning services, we may use anonymised or aggregated input data and outputs to improve our models and algorithms (see section 11 below). 
  • Portfolio and reference use: To display non-confidential deliverables in our portfolio and to refer to you as a client (see section 10 below). 
  • Security and fraud prevention: To protect our systems, detect and prevent unauthorised access, fraud, or misuse. 
  • Credit and debt recovery: To verify creditworthiness, pursue unpaid debts, and use credit reporting or debt collection agencies where necessary. 
  • Dispute resolution: To manage disputes, complaints, or legal claims. 

We will only use personal information for purposes directly related to those listed above, or where we have your express consent or are required by law. 

5. Disclosure and Sharing of Personal Information (IPP 11) 

We may disclose your personal information to third parties in the following circumstances: 

Routine Disclosures 

  • Service providers: Cloud hosting providers (e.g., AWS, Hostinger), email service providers, payment processors, domain registrars, SSL certificate providers, backup and disaster recovery providers, and telecommunications carriers. 
  • Professional advisers: Accountants, bookkeepers, lawyers, auditors, and tax advisers. 
  • Related companies: Our parent company, subsidiaries, or Related Companies (as defined in the Companies Act 1993) for operational and administrative purposes. 
  • Your authorised representatives: Project managers, employees, agents, or other persons you nominate on your behalf. 
  • Other clients or third parties: As necessary to deliver the services you have requested (e.g., if you have contracted with us for casting services, we may disclose talent information to your production team; if you are using telehealth integration, we may disclose health information to registered healthcare providers). 

Legal and Regulatory Disclosures 

  • Law enforcement and regulators: We may disclose personal information if required or authorised by law, court order, regulatory authority (including the Privacy Commissioner, Health and Disability Commissioner, Commerce Commission), government agency, or in response to official enquiries. 
  • Health and safety: We may disclose information where necessary to protect the health, safety, or rights of individuals or the public. 

Other Disclosures 

  • Business transactions: In the event of a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change and the choices you may have. 
  • Consent-based disclosures: Where you have explicitly consented to us sharing your information with a specific third party. 

International Transfers 

Some of our service providers are located outside New Zealand, including in Australia, the United States, or the European Union. Where we disclose personal information overseas, we will take reasonable steps to ensure the recipient applies comparable safeguards. By using our services, you acknowledge that your information may be transferred, stored, and processed internationally in accordance with this Privacy Policy. 

6. Data Security (IPP 5) 

We take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification, or disclosure. These steps include: 

  • Encryption: Sensitive data in transit and at rest is encrypted using industry-standard protocols (e.g., TLS/SSL, AES-256). 
  • Access controls: Personal information is restricted to authorised personnel who need it to perform their roles; staff are trained on privacy and security obligations. 
  • Secure storage: Information is stored on secure, password-protected systems and servers with appropriate firewalls and intrusion detection. 
  • Backup and recovery: We maintain secure backups and disaster recovery procedures. 
  • Authentication: We use strong passwords, multi-factor authentication, and role-based access controls where available. 
  • Third-party security: We require service providers to implement comparable security measures through contractual obligations. 

However, no data transmission over the internet or electronic storage is 100% secure. While we use reasonable endeavours to protect your information, we cannot guarantee absolute security. You use our services and provide information at your own risk. If you become aware of a security breach, please notify us immediately (see Contact section below). 

7. Data Retention (IPP 9) 

We retain personal information for as long as it is necessary for the purposes for which it was collected, plus any additional period required by law[1]. 

Typical retention periods are: 

  • Website enquiry forms: Until the enquiry is resolved (usually 3–6 months), unless you request deletion or opt out of marketing. 
  • Client information: For the duration of the client relationship and for 7 years after termination (to comply with NZ tax law and accounting standards). 
  • Financial information: For 7 years to meet tax and accounting requirements. 
  • Email communications: For 7 years unless business need dictates longer or shorter periods. 
  • Marketing lists: Until you opt out or request removal. 
  • Cookies and analytics: Typically 1–2 years (see Cookies section below). 
  • Project-specific information (designs, code, content, casting data, telehealth records): For the duration of the project and for a reasonable period thereafter (typically 1–3 years), unless you request deletion or law requires longer retention. 
  • Talent/casting profiles: For a reasonable period to facilitate future opportunities (typically 2–3 years), unless you request deletion. 
  • Backup and archived data: May be retained longer for disaster recovery purposes. 

Once information is no longer required, we will delete or securely destroy it, unless retention is required by law or regulation. 

8. Your Rights (IPP 6, 7, 8 & 10) 

Access to Your Information (IPP 6) 

You have the right to request access to personal information we hold about you. To do so, email info@holistic-data-systems.com with the subject line “Privacy Request – Access to Personal Information”. We will respond within 20 working days with the information we hold, unless a good reason exists for a longer timeframe (e.g., the request is complex or involves a third party). 

Correction of Your Information (IPP 7 & 8) 

You have the right to request correction, update, or amendment of personal information we hold about you if it is inaccurate, outdated, incomplete, irrelevant, or misleading. Send a request to info@holistic-data-systems.com with the subject line “Privacy Request – Correction of Personal Information” and details of the changes you believe are necessary. We will consider your request and respond within 20 working days. 

Deletion and Opt-Out 

  • Marketing: You may opt out of direct marketing (including newsletters and promotional emails) at any time by clicking the unsubscribe link in our emails or by contacting us. 
  • Account deletion: If you have created an account with us, you may request deletion. We will delete your account and associated non-essential personal information unless we are required by law to retain it. 
  • Cookie opt-out: You may disable cookies in your browser settings (see Cookies section below). 
  • General deletion: If you believe we no longer need your personal information, you may request its deletion, subject to legal and contractual obligations that may require us to keep records. 

Complaints to the Privacy Commissioner 

If you believe we have breached the Privacy Act 2020, you may lodge a complaint with the Office of the Privacy Commissioner (Te Mana Mātāpono Matatapu): 

Office of the Privacy Commissioner 
0800 803 969 (free call) 
www.privacy.org.nz 

9. Cookies and Tracking Technologies 

When you visit our website, we use cookies and similar tracking technologies to: 

  • Maintain login sessions and account preferences 
  • Remember your choices (e.g., language, settings) 
  • Analyse website traffic and user behaviour (Google Analytics) 
  • Deliver relevant marketing content 
  • Provide targeted advertising 

Types of Cookies 

  • Essential cookies: Required for website function and security; cannot be disabled. 
  • Analytics cookies: Track usage patterns to improve the website (via Google Analytics). 
  • Marketing cookies: Used to show you relevant advertisements and follow-up marketing. 
  • Third-party cookies: Set by external providers (e.g., Google, social media platforms). 

Managing Cookies 

You may control cookies through your browser settings or via our Cookie Settings. Most browsers allow you to: 

  • Refuse cookies 
  • Clear cookies after each session 
  • Be notified when a cookie is set 

Disabling cookies may affect website functionality. For more information about cookies, visit www.allaboutcookies.org.

10. Portfolio Use and References 

Unless you have expressly objected in writing, you consent to us: 

  • Referring to you by name as a client in our general client lists and pitches 
  • Describing, in generic and non-proprietary terms, the nature of Services we provided to you (e.g., “website redesign”, “IT consulting”, “AI implementation”) 
  • Displaying non-confidential deliverables, designs, or screenshots in our portfolio, case studies, or marketing materials 

We will not display: 

  • Sensitive information (health data, financial information, casting profiles, talent images) 
  • Confidential business information or proprietary code 
  • Information that could compromise your privacy, security, or commercial interests 

If you do not wish us to use your name, information, or deliverables in any of these ways, email info@holistic-data-systems.com and we will respect your wishes. 

11. AI Services and Anonymised Data 

Where you engage us for AI or machine learning services (prompt design, model integration, advisory, or use of third-party AI platforms), we may use anonymised or aggregated input data and output data to: 

  • Improve our AI models and algorithms 
  • Analyse trends and patterns 
  • Train new models 
  • Enhance our services and internal processes 

How We Anonymise Data 

Anonymisation means we remove or encrypt identifying information so that you cannot be directly or indirectly identified. This includes: 

  • Removing names, contact details, and business identifiers 
  • Removing dates and timestamps that could identify individuals 
  • Aggregating data across multiple clients 
  • Using statistical techniques to prevent re-identification 

We will only use anonymised data where we are confident that re-identification is not reasonably possible under current technology and without use of additional information sources. 

Your Opt-Out 

If you do not wish us to use your data for AI model improvement, please notify us in writing at info@holistic-data-systems.com and we will exclude your data from such use. 

12. Sensitive Personal Information 

The Privacy Act 2020 recognises certain categories of information as “sensitive”, including: 

  • Health and medical information (including telehealth records and patient data) 
  • Information about ethnic origin, national origin, or citizenship 
  • Information about political opinions or affiliations 
  • Information about religious beliefs or moral convictions 
  • Information about sexual orientation or sexual life 
  • Criminal history, court proceedings, or convictions 

If you provide sensitive personal information to us (e.g., for telehealth platform integration, medical trial research, or health-related content), we will: 

  • Collect and use it only for the specific purposes disclosed at the time of collection 
  • Apply heightened security measures 
  • Limit disclosure to only those who need it for the specified purpose 
  • Not use it for secondary purposes without your express consent 
  • Comply with relevant health regulations (e.g., Health Information Privacy Code, telehealth guidelines) 

For health or telehealth-related services, we will comply with all applicable health privacy regulations and will not disclose your information to third parties without your explicit consent (except where required by law or emergency health circumstances). 

13. Marketing and Communication 

Email Marketing 

We may send you email marketing (newsletters, updates, special offers) if you have subscribed or, in some cases, as a valued client (after opt-in). You may opt out of these emails by: 

  • Clicking the “unsubscribe” link at the bottom of any marketing email 
  • Emailing info@holistic-data-systems.com with “Unsubscribe” in the subject line 

Direct Marketing Compliance 

All direct marketing communications comply with: 

  • New Zealand Unsolicited Electronic Messages Act 2007 
  • New Zealand Fair Trading Act 1986 
  • Privacy Act 2020 requirements 
  • Where applicable, EU General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR) if you are located in the EU 

Transactional Emails 

Transactional emails (e.g., invoices, service updates, password resets) are not considered marketing and are sent for operational necessity. You cannot opt out of these emails while maintaining an active account. 

14. Changes to This Privacy Policy 

We may update this Privacy Policy from time to time to reflect: 

  • Changes in our business practices 
  • Changes in law or regulation (including new IPPs, Privacy Amendment Act requirements, or industry codes) 
  • Improved privacy practices 
  • Other relevant circumstances 

Any material changes will be posted on our website with an updated “Effective Date”. Your continued use of our website or services after such updates constitutes acceptance of the updated Privacy Policy. We recommend reviewing this policy periodically. 

15. Complaints and Feedback 

If you have questions, concerns, or complaints about our privacy practices, please contact us: 

Holistic Data Systems Limited 
Email: info@holistic-data-systems.com 
Phone: +64 22 183 6357 

We will investigate your complaint and respond within a reasonable timeframe (typically 20–30 working days). 

If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner:

Office of the Privacy Commissioner 
0800 803 969 (free call) 
guidance@privacy.org.nz 
www.privacy.org.nz 

16. Glossary of Privacy Act Terms 

Agency: An organisation, business, or other entity that collects or holds personal information (including us). 

Information Privacy Principles (IPPs): 13 principles under the Privacy Act 2020 that govern how agencies must collect, use, disclose, store, and manage personal information. 

IPP 3A (Indirect Collection): A new principle effective 1 May 2026 requiring agencies to notify individuals when personal information is collected indirectly (from someone other than the individual). 

Personal Information: Information about an identifiable individual, including sensitive information. 

Privacy Breach: An unauthorised access to, use, or disclosure of personal information. 

Privacy Commissioner: The independent authority responsible for enforcing the Privacy Act 2020. 

Anonymised Data: Data that has been de-identified so that the individual cannot be identified directly or indirectly. 

17. Contact Information 

For enquiries, complaints, or privacy requests, please contact: 

Holistic Data Systems Limited 
NZBN: 9429052701979 
Email: info@holistic-data-systems.com
Phone: +64 22 183 6357 
Website: www.holistic-data-systems.com 

Office of the Privacy Commissioner NZ. (2025). IPP 3A – Indirect Collection of Personal Information. Guidance effective 1 May 2026. https://www.privacy.org.nz/focus-areas/ipp3a/

Office of the Privacy Commissioner NZ. (2025). Privacy Act 2020: Information Privacy Principles. https://www.privacy.org.nz/privacy-principles/