The kōura KiwiSaver Scheme is issued and managed by kōura Wealth Limited (kōura). kōura is committed to ensuring the privacy of your personal information. Any information that you provide us is held in accordance with all relevant privacy laws, including, without limitation, the Privacy Act 2020.
1. What information we collect and why
We gather your personal data for the following purposes, and we will only use it for the purpose for which it was collected.
- Create your personal portfolio
- In order to create your kōura KiwiSaver portfolio, we need to collect some personal information. This data is provided by you as part of the portfolio creation process through our website.
- Opening an account
- In order to create an account with kōura, we need to collect some personal information which allows us to identify you and connect with your KiwiSaver. This data is provided by you as part of the account opening process on our website.
- Operating your account
- On a day-to-day basis, we process information necessary for your account to function correctly and for us to perform our contractual and regulatory obligations toward you. The uses of information can range from where to invest your KiwiSaver through to effectively assessing an application for withdrawal on the grounds of significant financial hardship/serious illness.
- This information is provided to us by your previous provider, the IRD or you in your interactions with kōura.
- Providing you with information and support
- We record all interactions with our Customer Support Team, including, but not limited to, emails and phone calls. We will also generate and keep a record of any mandatory statements and/or reports we produce for you.
- Improving our services and products
- We are always looking to improve our services to you and our product offering, and for this reason, we will collect and process data (including profiling) about how you interact with our website, such as where you click and your IP address, for analytical, development and research purposes. We may also receive information relating to you from third-party analytics providers. This helps improve our current services and may inform how we develop new products and services.
- We may use your personal data to share marketing information with you (we will always seek your consent in accordance with the relevant legal and regulatory requirements prior to engaging in this type of processing).
You can unsubscribe from email marketing communication by clicking the link provided in relevant emails.
- Showing you an interest-based web journey
- We may employ common tracking technology such as cookies and pixels to understand how you interact with our website for the purpose of showing you content on it that we think is most relevant to you.
- Complying with legal and regulatory obligations
- In order to comply with our regulatory obligations, we may also process information which is classed as ‘special category’ under the General Data Protection Regulation including, but not limited to, information about your health and personal circumstances in order to service you in line with the Financial Conduct Authority vulnerable customers guidelines and principles (we will always seek your consent in accordance with the relevant legal and regulatory requirements prior to engaging in this type of processing).
2. Why we need to collect this information
kōura is required, in accordance with the Privacy Act 2020, to have a purpose and a legal basis for processing your personal data.
We collect this information primarily to enable us to provide the services required by you.
In particular, in order to provide you with a recommended portfolio and risk profile for your KiwiSaver investment, we are required to collect responses to the risk questionnaire. We also always provide you with additional information explaining the advice and your options. If you are not satisfied with the result of this process, you may contact us at [email protected] or by telephone.
Where explicit consent is required, we will seek this from you, for example, with respect to marketing preferences. However, in most cases, explicit consent is not required, and implicit consent is inferred such that we may perform our responsibilities under the Agreement. Where explicit consent is required and not provided or withdrawn, it may result in non-benefit of service, or the inability to open an account with kōura.
3. Lawful basis for processing
To process your personal data, we will rely on several different legal bases depending on the purpose of the processing, such as where:
- We have a legal or regulatory obligation to process your personal data, such as performing checks for the prevention of financial crime;
- We have a legitimate business interest to process your personal data which is not overridden, or unbalanced compared to your interests and/or fundamental rights and freedoms;
- You have given us your consent to send you marketing information or to process special category data relating to you.
4. Direct Marketing
kōura will only send you marketing communications where you have given us your explicit consent. This can be managed through our preference centre (the link is provided in relevant emails) where you may withdraw this consent at any time. If you have any questions, please contact [email protected].
5. Your rights
- The right to be informed
- The right of access and data portability
- You have the right to access the data that kōura holds on you and request a portable version of this data.
- The right to rectification
- You have the right to have inaccurate personal data rectified, or incomplete data completed respectively.
- The right to object
- You have the right to object to the processing of your personal data when this is based on legitimate interest, including profiling. You also have the right to object to the processing of your personal data for marketing purposes.
- Should you have any complaints about how we process your personal data, you can make a complaint by emailing us at [email protected].
You may seek to exercise any of these rights by emailing us at [email protected].
6. Data Retention
kōura is required to retain certain data records to comply with the Financial Markets Authority (FMA) general record keeping requirements. In general, we are required to retain data for at least seven years.
Your personal information may be transferred or disclosed to third parties.
This enables us to provide services to you and to discharge our obligations to third parties, including relevant government agencies and regulators. Such third parties may also have their own data retention periods.
7. With whom do we share this information
For the purposes of the Agreement, we are required to share your information with third parties. The situations in which we share this information are detailed below:
- Regulatory bodies and Supervisors to comply with our legal obligations;
- Fraud prevention agencies, and other organisations in order to detect and prevent financial and other crime;
- Suppliers, where necessary for the performance of the contract.
In particular, Public Trust, as our Supervisor, lawfully receives customers' personal information to perform their Supervisor functions.
We may also share your personal information with certain suppliers when we have a legitimate interest to do so, or your explicit consent, as detailed below:
- Data, service and software providers to help improve, develop and maintain our products and website (which may include, for example, customer data modelling or statistical and trend analysis);
- Data, service and software providers to provide you with an interest-based web journey.
We will endeavour to anonymise your data and minimise the amount of your data we share with these third parties, where possible. Prior to sharing any of your personal information with these suppliers we will ensure the appropriate contractual, technical and organisational measures are in place to safeguard your personal information.
All of our suppliers and partners who we may share your data with are compliant with the New Zealand Privacy Act, or an equivalent international standard.
We will not sell or lease your personal information to third parties.
We are committed to ensuring that your data is retained securely by us. In order to prevent unauthorised access to or disclosure of your data, we have put in place physical, electronic and managerial procedures to safeguard and secure the information we collect.
Using the internet comes with risks; we cannot guarantee that any information sent to us by email or via our website will not be intercepted or tampered with. Any communications are sent at your own risk.
- What are cookies?
- A cookie is a small text file that is placed on your computer or mobile device when you visit our website or mobile app. There are two main types of cookies, persistent cookies (that remain on your hard drive and your browser for an extended period of time) and session ID cookies (that expire when you close your browser). We have categorised the cookies we use by function, along with a short description of each, below.
- What cookies do we use?
- Necessary Cookies. Necessary cookies are essential to the website and mobile app functionality. These cookies enable you to navigate our website, use its features and avail of our services effectively. They also help us maintain our website services. As these cookies are essential to website functionality, disabling all cookies on kōura.co.nz will mean that our website may not be fully functional.
- Functionality and Analytical Cookies. These cookies collect information about how visitors use our website, allowing us to provide you with a more enhanced and personal experience when using our website and services. They also allow us to perform analytics (such as gathering data about the number of visits to, and the time spent on, our site), remember user preferences (such as your username and password) and provide certain content services (such as enabling you to watch videos). We also use other tracking technologies like web pixels (sometimes called “tracking pixels”). These are tiny graphics files that contain a unique identifier, enabling us to recognise when someone has visited our website or opened an email that we have sent them.
- Targeted Advertising Cookies. Targeted advertising cookies enable us to deliver advertising and marketing that is relevant to you, and also allow us to limit the number of times you see certain advertisements. These cookies are also used to analyse how effective some of our advertising campaigns are by tracking users’ clicks.
- How can you control cookies?
- kōura uses both essential and tracking cookies on our website, which are mainly persistent cookies unless labelled as session only. You can accept or reject cookies by amending your web browser controls.
10. Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites, and such sites are not governed by this privacy statement. You should exercise caution and review the privacy statement applicable to the relevant website.
11. Privacy Officer
We have a Privacy Officer. Our Privacy Officer is responsible for ensuring the organisation complies with the Privacy Act, dealing with any complaints about possible privacy breaches and requests for personal information, or correction of personal information. If you believe your privacy has been compromised or we’ve breached the Privacy Act or a Code of Conduct and you would like to make a complaint, you can complain to our Privacy Officer via email ([email protected]), and we will do our best to help resolve any issue you may have.
12. Privacy Breaches
Kōura must report any serious privacy breaches to the Office of the Privacy Commissioner. A serious breach is one that poses a risk of harm (e.g. leaked personal information is published online or used to facilitate identity theft). Where a serious breach occurs, we will also notify the people whose information was affected.
Breach notifications to the Office of the Privacy Commissioner can be made by email, telephone or by using their online enquiry form: https://www.privacy.org.nz/privacy-for-agencies/privacy-breaches/