Does a Software Reseller Need a Privacy Policy in New Zealand?

If you resell software in New Zealand, it is easy to assume the software vendor carries the privacy burden and your business can stay in the background. That assumption often causes trouble. A lot of resellers collect customer names, business email addresses, payment details, usage information, support tickets or billing contacts, then forget to explain what happens to that information. Others copy a generic policy from a SaaS platform, or leave privacy terms buried in their contract instead of making them clear to website users and customers.

The main question is not just whether you have a website. It is whether your business is collecting, holding, using or disclosing personal information as part of selling, onboarding, supporting or renewing software subscriptions. If it is, privacy policy requirements for software reseller businesses matter. This guide explains when a New Zealand software reseller is likely to need a privacy policy, what that policy should cover, where founders commonly get caught, and how privacy fits with your contracts, sales process and day to day operations.

Overview

Many New Zealand software resellers should have a privacy policy because they collect personal information while marketing software, signing customers, managing accounts and providing support. The Privacy Act 2020 does not say every business must publish a privacy policy in every scenario, but it does require businesses to be transparent about how they handle personal information and to comply with the Information Privacy Principles.

  • Whether you collect any personal information from leads, customers, end users or supplier contacts
  • Whether information is collected through your website, demos, CRM, support desk, licence management or billing system
  • Whether you share information with the software vendor, hosting providers, payment processors or overseas service providers
  • Whether your contracts and marketing match what your privacy wording actually says
  • Whether your collection notices, internal processes and security controls reflect New Zealand privacy law
  • Whether you need extra wording for cross border disclosures, cookies, direct marketing or support access

What Privacy Policy Requirements for Software Resellers Mean for New Zealand Businesses

A software reseller in New Zealand will often need a privacy policy in practice, even if the legal issue starts with broader privacy compliance rather than a single rule that says every reseller must publish one.

Under the Privacy Act 2020, businesses that collect personal information must generally make people aware of key matters at the time of collection, or as soon as reasonably practicable afterwards. That includes why the information is being collected, who will receive it, whether providing it is required, and the person’s rights to access and correct it. A privacy policy is often the most practical way to give that information clearly and consistently.

For a software reseller, personal information can show up in more places than founders expect. It is not limited to a customer’s first name and email address. It can include business contact details linked to an identifiable person, job titles, support logs, IP addresses where they identify someone, recorded calls, billing contacts, user credentials, training attendance records and communications about service issues.

Why resellers are not just passive intermediaries

If your business markets the software, signs the customer, invoices the customer, handles support or account management, or collects information during demos and onboarding, you are usually doing more than acting as a neutral pass through. In many cases, you are collecting and using personal information for your own business purposes as well as sharing some of it with the software provider.

This is where founders often get caught. They think the vendor’s privacy policy covers everything. Usually, it does not. The vendor’s policy may explain how the vendor handles end user data inside the software platform, but it may say very little about how your reseller business handles lead forms, sales enquiries, implementation contacts, procurement records or support interactions.

What the Privacy Act expects in practical terms

The legal standard is transparency, fair handling and proper safeguards. For most software resellers, that means your privacy approach should explain:

  • What personal information you collect
  • How you collect it, such as through enquiries, sign-up forms, support requests, contracts or platform provisioning
  • Why you collect and use it
  • Who you disclose it to, including the software vendor and service providers
  • Whether information may be stored or accessed overseas
  • How people can request access to or correction of their information
  • How your business can be contacted about privacy issues

If you collect information directly through your website, a visible privacy policy is especially sensible. If you sell online, run webinars, gather sales leads, use cookies or analytics tools, or let customers submit support tickets, you should assume users will expect privacy wording that is easy to find.

Privacy policy versus contract terms

Your reseller agreement with the software vendor and your customer contract are not substitutes for a privacy policy.

Contracts deal with commercial rights and responsibilities between parties. A privacy policy is primarily about telling individuals how their personal information is handled. The documents should align, but they do different jobs. For example, your customer terms may explain licence scope, fees, renewal, service levels and liability. Your privacy policy should explain your information practices in a clear public-facing way.

That said, privacy also affects your contracts. Before you sign a reseller agreement, check whether the vendor requires you to collect certain customer data, pass data offshore, use vendor forms, or include mandatory wording in your customer terms. Before you spend money on setup, make sure your sales process, vendor contract and privacy statements all match.

When a separate policy is especially important

A standalone privacy policy becomes even more important where your business:

  • Has a public website with contact forms, newsletter sign ups or demo bookings
  • Sells subscriptions online
  • Acts as first line support and receives incident details or user information
  • Uses a CRM to track prospects and customer contacts
  • Shares customer details with overseas software publishers or cloud providers
  • Provides implementation, migration or managed services alongside the software sale
  • Targets both consumers and business customers and uses direct marketing

Even where you mainly deal business to business, privacy law still matters because information about individual employees, administrators and contacts is still personal information.

When This Issue Comes Up

Privacy policy issues usually appear at ordinary growth moments, not just during a legal review.

Many resellers first confront the issue when they launch a website and add a contact form. Others face it when a customer procurement team asks for privacy documents before signing. Some only look at it after a vendor asks them to capture end user details, or after a support incident raises questions about who accessed what information.

When you launch online

If you are about to start a software reseller business in New Zealand, or add a new product line, privacy should be part of your launch checklist. That sits alongside your business structure, company setup, trade mark planning, website terms, customer terms and fair marketing practices.

Founders sometimes focus on reseller margins and supplier approvals, then leave privacy wording until after the website is live. That creates a mismatch from day one. If your site captures enquiries or lets customers request a demo, your privacy messaging should already be in place.

When the vendor asks for customer data

Many software publishers require resellers to provide customer contact details, user counts, deployment information or support contacts. Some also access data through partner portals or require registration of end customers for licence management.

At that point, you need to be clear about what information you collect, why you collect it, and how it is disclosed. If the vendor is based outside New Zealand, cross border disclosure becomes relevant as well. Your policy should reflect what really happens, not what you hope happens.

When you provide support, onboarding or managed services

The privacy position changes when your business does more than introduce the customer to the vendor. If your team handles onboarding, migration, user setup, training, support or account reviews, you may have access to broader sets of personal information.

That can include names of users, login details, support screenshots, helpdesk notes, call recordings and internal contact lists. It may even include customer data visible inside the platform during troubleshooting. In those situations, privacy obligations become more operational, not just a website wording exercise.

When you market to leads and existing customers

Direct marketing is another common trigger. If you collect business cards at events, run email campaigns, track newsletter subscribers or use website analytics to retarget potential customers, privacy disclosures matter.

Your statements should line up with your actual marketing practices. If you say you only use information to respond to enquiries, but your sales team adds every contact to a long term campaign list, the wording is likely incomplete and misleading. That can create both privacy risk and Fair Trading Act risk if your public statements are inaccurate.

When customers ask due diligence questions

Larger customers often ask for privacy documentation before they sign. They may want to know:

  • What personal information you collect from their staff
  • Whether you disclose information offshore
  • How long you keep account information
  • Who handles support data
  • How access and correction requests are managed
  • What security controls you use at a high level

If you do not have a privacy policy, or if it is generic and does not match your actual operations, procurement can stall quickly.

Practical Steps And Common Mistakes

The best approach is to map your data handling from first enquiry to offboarding, then write privacy wording that reflects the real process.

Too many businesses start with a template and try to force their operations to fit it. That is backwards. Your policy should be built around the information your reseller business actually collects and discloses.

Practical steps to sort out first

  1. List every point where your business collects personal information. Think about website forms, email enquiries, demos, CRM entries, account setup, billing, support tickets, training records and renewal activity.
  2. Identify why you collect each category of information. Common purposes include sales follow up, provisioning licences, account management, customer support, security, payment processing and legal compliance.
  3. Work out who receives the information. That might include your internal team, the software vendor, hosting providers, implementation partners, payment processors and cloud tools.
  4. Check whether any disclosures are overseas. New Zealand privacy law has rules around disclosing personal information outside New Zealand, so your process and wording need to account for that.
  5. Align your privacy policy with your contracts, sign up flow and internal practices. If your customer agreement says one thing and your privacy statement says another, fix the inconsistency before you sign a contract.
  6. Set up a simple internal process for access requests, correction requests, data incidents and staff questions. A policy alone is not enough if no one knows how to follow it.

What a software reseller privacy policy should usually cover

The exact wording depends on your model, but many reseller businesses should address:

  • The categories of personal information collected
  • The sources of that information, including direct collection and information provided by third parties
  • The purposes of collection and use
  • The legal and practical consequences if requested information is not provided, where relevant
  • The categories of recipients, including software vendors and service providers
  • Cross border disclosure or overseas storage arrangements
  • Whether cookies, analytics or tracking technologies are used on the website
  • How marketing communications are handled
  • How people can request access to or correction of their information
  • How privacy complaints can be raised
  • Your contact details for privacy queries

If your reseller business also offers implementation or managed services, the policy may need to go further and explain when you process information on behalf of customers and how support access works.

Common mistakes

The most common mistake is relying entirely on the software vendor’s privacy policy. That often leaves a gap around your own sales and account management activities.

Another common mistake is using a generic policy that says very little. A policy that vaguely mentions collecting information “to improve services” is not very helpful if your real activities include sharing data with an overseas publisher, using multiple SaaS tools and sending renewal reminders to named contacts.

Other mistakes include:

  • Collecting more personal information than you actually need
  • Failing to mention offshore disclosures
  • Using broad marketing consent wording that does not match the sign up process
  • Forgetting support data, call recordings or screenshots may contain personal information
  • Leaving old contact details or outdated vendor references in the policy after a business change
  • Assuming business contact information is outside privacy law
  • Treating privacy as a one off website task instead of an operational process

Privacy does not sit alone. If you want to sell software properly in New Zealand, you also need your wider legal setup to make sense.

That can include choosing the right business structure, incorporating through the Companies Office if appropriate, registering a trade mark for your brand, putting customer contracts in place, checking supplier terms, and making sure your advertising complies with the Fair Trading Act. If you are selling to consumers in some situations, the Consumer Guarantees Act may also affect how you present and supply related services.

A privacy policy should fit into that broader legal framework. For example, if your website promises secure handling of data or local storage only, your contracts and operations must support that claim. If your vendor terms require overseas processing, your customer-facing documents need to reflect that reality.

Do small resellers need the same level of detail as larger providers?

Small businesses do not need a massive policy just to sound formal. They do need a policy that is accurate, easy to understand and suited to their actual data practices.

A lean reseller with a brochure website, a contact form and basic account management may need a shorter policy than a reseller that also hosts environments, runs support portals and manages customer deployments. The key is fit. The wording should be specific enough to be useful and honest about what your business does.

FAQs

Does every software reseller in New Zealand legally need a privacy policy?

Not every reseller will be under an express standalone rule to publish one in every scenario, but most resellers that collect personal information should have a privacy policy in practice. It is the clearest way to meet transparency obligations and explain your handling of personal information.

Can I just use the software vendor’s privacy policy?

Usually no. The vendor’s policy may cover the vendor’s platform and processing activities, but it rarely covers your own sales, billing, onboarding, support and marketing activities as a reseller.

What if I only collect business contact details?

Business contact details can still be personal information if they identify an individual. If you collect names, work email addresses, phone numbers or role details linked to a person, privacy obligations can still apply.

Do I need to mention overseas software providers in my privacy policy?

Often yes. If you disclose personal information to an overseas vendor, cloud provider or support provider, your privacy wording should reflect that. You should also check whether your process complies with New Zealand rules on disclosing personal information outside New Zealand.

Is a privacy policy enough on its own?

No. You also need internal practices that match the policy, plus customer contracts and supplier arrangements that support what you tell people. A policy is only one part of privacy compliance.

Key Takeaways

  • Most New Zealand software resellers should have a privacy policy if they collect personal information through sales, onboarding, billing, support or marketing.
  • The key issue is transparency under the Privacy Act 2020 and compliance with the Information Privacy Principles.
  • The software vendor’s privacy policy will not usually cover your reseller business’s own data handling activities.
  • Your policy should explain what information you collect, why you collect it, who you share it with, whether it goes offshore, and how people can access or correct it.
  • Privacy wording should line up with your website, CRM, support processes, customer contracts and vendor agreements.
  • Founders often get caught by generic templates, missing offshore disclosure wording, and treating privacy as a website task instead of an operational one.
  • If your business is dealing with privacy policy requirements for software resellers and wants help with a privacy policy, customer contracts, reseller agreement review, and website terms, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo, Co-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
