In New Zealand, the law that governs privacy rights and the collection, handling, and use of personal information is called the Privacy Act 2020.

Thirteen privacy principles make up this act:

Principle 1 - You can only collect personal information if it is for a lawful purpose and the information is necessary for that purpose. You should not require identifying information if it is not necessary for your purpose.

Principle 2 - You should generally collect personal information directly from the person it is about. Because that won’t always be possible, you can collect it from other people in certain situations e.g. the person concerned gives you permission, you are getting it from a publicly available source.

Principle 3 - When you collect personal information, you must take reasonable steps to make sure that the person knows:

• why it’s being collected

• who will receive it

• whether giving it is compulsory or voluntary

• what will happen if they don’t give you the information.

Principle 4 - You may only collect personal information in ways that are lawful, fair, and not unreasonably intrusive.

Principle 5 - You must make sure that there are reasonable security safeguards in place to prevent loss, misuse, or disclosure of personal information. This includes limits on employee browsing of other people’s information.

Principle 6 - People have a right to ask you for access to their personal information. In most cases, you have to promptly give them their information.

Principle 7 - A person has a right to ask an organisation or business to correct their information if they think it is wrong. Even if you don’t agree that it needs correcting, you must take reasonable steps to attach a statement of correction to the information to show the person’s view.

Principle 8 - Before using or disclosing personal information, you must take reasonable steps to check it is accurate, complete, relevant, up to date, and not misleading.

Principle 9 - You must not keep personal information for longer than is necessary.

Principle 10 - You can generally only use personal information for the purpose you collected it.

Principle 11 - You may only disclose personal information in limited circumstances e.g. disclosure is one of the purposes for which you got the information, the person concerned authorised the disclosure, the information will be used in an anonymous way, disclosure is necessary to avoid endangering someone’s health or safety.

Principle 12 - You can only send personal information to someone overseas if the information will be adequately protected e.g. the information is going to a place with comparable privacy safeguards to New Zealand.

Principle 13- You can only assign your own unique identifier to individuals where it is necessary for operational functions.

Kalix and New Zealand Privacy Policy 2020

Here at Kalix, we take data security and privacy very seriously. We have the most stringent procedures and cutting edge technology in place, making sure Kalix meets all government privacy and security requirements.

A summary of Kalix's privacy and security practices are listed below:

Data is encrypted in transit

  • All data is encrypted in transit (to and from the cloud) using TLS (Transport Layer Security).

  • Data is encrypted in transit between Kalix and our third-party messaging providers.

Data is encrypted at rest

  • All data is encrypted at rest including all backup copies.

  • We use certificate-based encryption methods which means that the keys to access your records are stored in a special area of the operating system that is inaccessible to an outside attacker.

  • We also use higher levels of encryption that the current standards recommend making sure your records stay secure.


  • All data is stored in triple redundancies in two data centers 500 miles apart (hence x6 redundancies).

Backing Up

  • We take snapshots of every change you make to every file in Kalix.

  • If you accidentally delete saved information we are able to recover it from a previous snapshot of your data.

Monitoring for suspicious activity

  • Daily operational procedures are in place to log and monitor data 24/7 looking for any suspicious activities.

  • Kalix accounts with multiple users, each user has their own account login. Kalix tracks each user's activity. 

Incident notification

  • Incident response process procedures are in place for containing the incident and notification of covered entities.


  • Plans are in place to address the recovery or continuation of technology infrastructure critical to a covered entity (you) after a natural or human-induced disaster.

Access controls

  • At Kalix, access controls are in place that includes the electronic identification and limiting physical on-site data access to a restricted list of people.

  • Kalix users must log in to Kalix (therefore verify their identity) to access their accounts.

Return or destruction

  • Upon receiving a written request from you at any time and for any reason whatsoever, we will promptly return to you all personal information in our possession or control. Alternatively, if specifically instructed by you in writing, we will securely dispose of any personal information in our possession or control.

Disclosure to third parties

  • Except as specifically permitted by Kalix's Terms & Conditions, or required or permitted by any law, we will not disclose any personal information to any third party without your prior consent.

Compelled disclosures

  • If we become legally compelled to disclose any of the personal information, we will, to the extent permitted by law, provide you with prompt written notice prior to disclosure.

Assistance with complaints/investigations

  • We will co-operate with, and assist in, any investigation of a complaint that any personal information has been collected, used, or disclosed contrary to the New Zealand Privacy Policy 2020, whether such investigation is conducted by you or a body having the legal authority to conduct the investigation.

Kalix and Cloud Hosting (Principle 12 Cross-border Disclosure)

We host, possess, and maintain Kalix and the personal information provided through Kalix on Windows Azure servers located in the United States of America.

It is not against the New Zealand Privacy Policy 2020 to transfer personal information out of New Zealand if the entity meets at least one of the following criteria:

  • carrying on business in New Zealand and is subject to the Privacy Act

  • is subject to privacy laws that overall, provide comparable safeguards to those in the Privacy Act, or

  • is required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act (for example, by agreement between the agencies)

  • is subject to the privacy laws of a country, province, or state, or is a participant in a binding scheme for international disclosures of personal information that has been prescribed in regulations by the New Zealand Government as providing comparable safeguards to the Privacy Act.

Kalix Inc. is subject to HIPAA, HITECH, and other privacy/security laws of the United States of America. These provide comparable safeguards to the New Zealand Privacy Policy 2020. Cross-border Disclosure is thought not to be required.

Your Obligations and Responsibilities

As a private-sector organisation, you also have responsibilities under the Privacy Policy 2020. Please see below for details.

Protection of Personal Information

You must safeguard the personal information in your custody and control as outlined in the Privacy Policy and only use and disclose personal information on a need-to-know basis.

Disclosure restricted

You agree not to use or further disclose personal information other than as or the purpose you collected it.


You agree to use appropriate and reasonable safeguards to prevent unauthorized use or disclosure of personal information.


You are responsible for providing training to all of your employees, contractors, subcontractors, agents, and corporate officers regarding the appropriate collection and disclosure of personal information. This includes maintaining the privacy of passwords, not leaving active workstations or devices unattended for prolonged periods of time, and positioning workstations and devices so that personal information cannot be seen by anyone other than those with a need-to-know that have been authorized by you.


The content here is intended only to provide a summary and general overview on matters of interest as of 1/12/2020.

It is neither intended to be comprehensive nor to constitute legal advice.

You should always obtain legal or other professional advice, appropriate to your own circumstances, before acting or relying on any content here.

We may expand or amend this content from time to time by updating this section or by posting on our website or knowledge base.

Did this answer your question?