Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Privacy Policy (And Do You Really Need One)?
- What Counts As "Personal Information" Under NZ Law?
- Privacy Policy Template: The Core Clauses Your NZ Business Should Include
- 1) Who You Are And How To Contact You
- 2) What Personal Information You Collect (And Why)
- 3) How You Collect Personal Information
- 4) How You Use Personal Information
- 5) When You Disclose Personal Information (Third Parties)
- 6) Overseas Storage And Disclosure
- 7) How You Store And Protect Personal Information
- 8) Access And Correction Requests
- 9) How Long You Keep Information
- 10) Complaints Process
- Privacy Policy Example (Starter Template You Can Adapt)
- Common Mistakes With A Privacy Policy Template (And How To Avoid Them)
- How To Tailor Your Privacy Policy For Your Business (Quick Checklist)
- Key Takeaways
If you're running a business in New Zealand, chances are you collect some form of personal information - even if it's "just" names and email addresses for a newsletter or online orders.
That's where a privacy policy comes in. Having a clear, accurate privacy policy isn't just about looking professional - it's one of the practical ways you show customers you take their information seriously, and it can help you meet your obligations under the Privacy Act 2020.
In this guide, we'll walk you through what to include in a privacy policy template for NZ businesses, common mistakes to avoid, and a simple privacy policy example you can use as a starting point (with the important reminder that it should be tailored to your business).
What Is A Privacy Policy (And Do You Really Need One)?
A privacy policy is a public document that explains how your business collects, uses, stores and discloses personal information.
For small businesses, a privacy policy usually covers customer data (like contact details and delivery addresses), marketing lists, website analytics, and sometimes employee or contractor information too.
You "need" a privacy policy in a few different ways:
- Legal compliance: The Privacy Act 2020 sets rules (called "information privacy principles") for handling personal information. A privacy policy is a common way to communicate your practices and support compliance.
- Customer expectations: If you run an online store, SaaS platform, app, or even a service business that books clients online, people expect you to be transparent.
- Platform requirements: Many third-party services (payment providers, ad platforms, app stores) expect you to have a privacy policy if you use their tools.
- Risk management: If something goes wrong (like a customer complaint or a data incident), a clear privacy policy helps show what your process is meant to be.
And importantly: even if your business is small, you're not "too small" to deal with privacy properly. If you collect personal information, it's worth getting your legal foundations in place early - so you're protected from day one.
What Counts As "Personal Information" Under NZ Law?
Under the Privacy Act 2020, personal information is information about an identifiable individual. It doesn't have to be "sensitive" to count.
Common examples in small business include:
- names, emails, phone numbers
- billing and shipping addresses
- IP addresses and device identifiers (often collected via analytics/cookies)
- purchase history and customer service messages
- photos or videos of individuals (for example, testimonials or event photos)
Some types of personal information are also more sensitive and need extra care - for example, health information or identity documents. If your business handles this kind of data (even occasionally), it's worth getting advice so your privacy policy and internal processes align.
If you're building your policy from scratch, it can help to start with a proper Privacy Policy that's drafted for NZ requirements, rather than trying to patch together clauses from different sources.
Privacy Policy Template: The Core Clauses Your NZ Business Should Include
A good privacy policy template doesn't just "say you care about privacy". It explains what you actually do with people's information.
Below are the core sections most New Zealand businesses should include, along with practical notes on what to say (and what to avoid).
1) Who You Are And How To Contact You
Start with the basics:
- your legal business name (and trading name, if different)
- an email address for privacy queries
- your physical address (recommended, and often expected)
If you have a nominated privacy officer (or someone internally who handles privacy questions), you can include that too.
2) What Personal Information You Collect (And Why)
This is where you list the types of personal information you collect and the reasons you collect it. Keep it simple and specific.
Examples:
- Customer orders: name, contact details, delivery address, order details (to process and deliver purchases).
- Bookings: name, contact details, appointment information (to manage bookings and provide services).
- Marketing: email address and preferences (to send newsletters and promotions if the customer opts in).
- Website usage: IP address, pages visited, time on site (to improve your website and understand customer behaviour).
A common trap with a generic privacy policy template is listing a huge range of information your business never actually collects. That can create risk because you're promising (or implying) practices that aren't true.
3) How You Collect Personal Information
Explain the ways you collect information, such as:
- when someone fills in an online form
- when someone creates an account
- when someone makes a purchase
- when someone contacts you by email, phone or social media
- through cookies and analytics tools on your website
If you use cookies (especially for marketing/retargeting), your privacy policy should align with your cookie banner and any cookie preferences you offer.
4) How You Use Personal Information
This is often the heart of the document. Outline how your business uses information, such as to:
- provide products or services
- respond to enquiries and support requests
- send invoices and process payments
- manage customer accounts
- send marketing communications (where permitted)
- comply with legal obligations
- detect and prevent fraud or misuse
If you do direct marketing, make sure your approach aligns with New Zealand's anti-spam rules in the Unsolicited Electronic Messages Act 2007 (which require consent before sending commercial electronic messages and a functional unsubscribe facility in each one), as well as any relevant privacy requirements around how you build and use your marketing lists.
5) When You Disclose Personal Information (Third Parties)
Most small businesses share data with third parties - even if it doesn't feel like "sharing". For example, you might use:
- payment processors
- delivery and logistics providers
- booking platforms
- email marketing platforms
- cloud storage and IT providers
- accounting software
Your privacy policy should clearly say that you may disclose personal information to these categories of service providers, where necessary to run the business.
If you share information in other scenarios (for example, to comply with a court order, or to enforce your terms), you can include that too - but again, keep it realistic.
6) Overseas Storage And Disclosure
Many common business tools store data overseas (for example, cloud servers outside New Zealand). If your business uses overseas providers, your privacy policy should mention:
- that information may be stored or processed outside New Zealand; and
- that where you disclose personal information overseas, you take reasonable steps to comply with the Privacy Act 2020 (including IPP 12), such as ensuring the overseas recipient is subject to comparable privacy safeguards, using contractual protections where appropriate, or relying on another permitted basis for the disclosure.
This is an area where copy-pasting a generic privacy policy template can go wrong quickly - because what you say should match your actual tech stack and vendors.
7) How You Store And Protect Personal Information
You don't need to publish your entire cybersecurity plan (and you shouldn't, because it hands attackers a map), but you should communicate that you take reasonable steps to protect personal information. Only list safeguards you actually have in place: once they are in your privacy policy they become commitments customers and the Privacy Commissioner can hold you to.
Examples of "reasonable steps" you might refer to include:
- restricted access to customer data (only the staff who need it, with individual logins rather than shared accounts)
- secure systems and reputable service providers
- password policies and staff training
- secure payment processing through a PCI DSS compliant payment provider, so you never store full card details on your own systems
If you're growing your team, it's also smart to align privacy expectations with your internal documents, like workplace policies and confidentiality obligations. For example, your staff might also be bound by a Confidentiality Clause in contracts and internal processes.
8) Access And Correction Requests
Individuals generally have rights to:
- request access to their personal information; and
- request correction if it's wrong.
Your privacy policy should explain:
- how someone can request access/correction
- how you'll respond (under the Privacy Act 2020 you must respond as soon as reasonably practicable, and in any case within 20 working days of receiving the request)
- what identification you may require before you release or change anything
That last point matters for security as much as for compliance: an access request is a way of asking you to hand over personal information, so confirm the requester really is the individual (or someone authorised by them) before responding, or the request process itself becomes a way to leak customer data.
If you work with health or other sensitive records, access rights can get more complex. (And in those settings, you may need extra forms and privacy processes.)
9) How Long You Keep Information
A good privacy policy template should cover retention in a practical way. You can say something like:
- you keep information only as long as necessary for the purposes it was collected, including legal, accounting, or reporting requirements; and
- you take steps to securely delete or de-identify information when no longer needed.
If your business must keep records for tax or other obligations, you can mention that too.
10) Complaints Process
Make it easy for customers to raise concerns. Your privacy policy should include:
- how to contact you with a complaint
- what happens next (for example, you'll investigate and respond)
- that they may also contact the Office of the Privacy Commissioner if they're not satisfied
This is one of those sections that helps you resolve issues early before they escalate.
Privacy Policy Example (Starter Template You Can Adapt)
Below is a simplified privacy policy example written in a way that can suit many small NZ businesses. Treat this as a starting point only - the details should be adjusted to your actual business model, tools, and data practices.
Example Privacy Policy
1. About This Privacy Policy
This Privacy Policy explains how ("we", "us" or "our") collects, uses, stores and discloses personal information when you interact with our business, including when you visit our website at or purchase our products/services.
2. The Personal Information We Collect
We may collect personal information including your name, email address, phone number, billing and delivery address, purchase or booking details, and information you provide when you contact us.
We may also collect information about how you use our website, including your IP address, device information, and browsing activity, using cookies and similar technologies.
3. How We Collect Personal Information
We collect personal information when you provide it to us directly (for example, when you place an order, create an account, make a booking, fill in a form, subscribe to our marketing list, or contact us). We may also collect information automatically through our website technologies (such as cookies and analytics tools).
4. How We Use Personal Information
We use personal information to:
- provide our products and services to you
- process payments and deliver orders
- manage bookings and customer accounts
- respond to enquiries and provide customer support
- send marketing communications where you have opted in (you can opt out at any time)
- improve our website, products and services
- comply with our legal obligations and resolve disputes
5. Disclosure Of Personal Information
We may share your personal information with trusted third parties who help us operate our business, such as payment processors, delivery and logistics providers, IT and cloud service providers, website and analytics providers, and professional advisers (such as accountants or lawyers).
We only disclose personal information where it is necessary for these purposes, or where required by law.
6. Overseas Storage
Some of our service providers may store or process personal information outside New Zealand. Where we disclose personal information overseas, we take reasonable steps to comply with the Privacy Act 2020 (including IPP 12), such as by ensuring the recipient is subject to comparable privacy safeguards and/or using contractual protections where appropriate.
7. Security
We take reasonable steps to protect personal information from loss, unauthorised access, use, modification, or disclosure. However, no method of transmission or storage is completely secure.
8. Access And Correction
You may request access to the personal information we hold about you and request corrections if you believe it is inaccurate. To make a request, please contact us using the details below.
9. Retention
We retain personal information only for as long as necessary to fulfil the purposes we collected it for, including for legal, accounting, or reporting requirements. We take reasonable steps to delete or de-identify personal information when it is no longer needed.
10. Privacy Complaints
If you have a complaint about how we handle personal information, please contact us. We will investigate and respond as soon as reasonably possible. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner.
11. Contact Us
If you have questions about this Privacy Policy or want to make a privacy request, contact us at:
Email:
Address:
End Example Privacy Policy
Again, this is a basic privacy policy example. Depending on your business, you may need extra clauses (for example, if you run an app, offer subscriptions, work with minors, collect health information, or use behavioural advertising).
Common Mistakes With A Privacy Policy Template (And How To Avoid Them)
Templates can be useful, but they can also create problems if they don't match what your business actually does. Here are some common privacy policy pitfalls we see.
Copying A Policy That Doesn't Match Your Business
If you say you never share personal information, but your business uses a payment processor, email platform, booking system, or courier - that's a mismatch.
Instead, describe third parties in realistic categories and keep it accurate.
Not Updating The Policy As Your Business Changes
As you grow, you might:
- add a loyalty program
- launch targeted advertising
- start using a new CRM
- hire staff to manage customer enquiries
All of those changes can affect how you handle personal information. Your privacy policy should evolve with your business.
Forgetting About Website Terms And Other Customer-Facing Documents
Your privacy policy is only one part of your customer-facing legal setup. Depending on how you sell, you may also need:
- website terms (to set the rules for using your site)
- eCommerce terms (to cover orders, delivery, refunds, limitations of liability)
- disclaimers (if you publish general information, advice, or results-based claims)
For online businesses, your privacy policy should also align with your Website Terms And Conditions so customers aren't getting conflicting messages about how your site and services work.
Not Building A Process Behind The Policy
A privacy policy shouldn't be a "set and forget" PDF. You also need internal practices that support what you're telling customers - like knowing who can access customer data, how you handle access requests, and what you do if there's a privacy incident.
If you want to formalise that process, having a Data Breach Response Plan is a practical step that can save you a lot of stress if something goes wrong. Keep in mind that the Privacy Act 2020 requires you to notify the Office of the Privacy Commissioner, and the affected individuals, of a privacy breach that has caused or is likely to cause serious harm, so your plan should cover how you assess a breach and who makes the notification decision.
How To Tailor Your Privacy Policy For Your Business (Quick Checklist)
Before you publish a privacy policy template on your website, it's worth doing a quick "reality check" against how your business actually operates.
Here's a checklist you can work through:
- What do you collect? (orders, enquiries, bookings, marketing signups, analytics)
- Where does it come from? (website forms, checkout, DMs, phone calls, in-person forms)
- Which tools process/store it? (email marketing, accounting software, booking tools, cloud storage)
- Do you share it? (couriers, payment processors, IT support, contractors)
- Is anything stored overseas? (many cloud tools are)
- Do you collect sensitive information? (health data, IDs, children's data)
- Do you have a process for access requests?
- Do you have a plan if there's a data breach?
If your business works with contractors who might handle customer data (for example, a VA managing your inbox, or an IT provider accessing customer records), you'll also want to make sure your agreements and onboarding cover confidentiality and privacy expectations. Depending on the setup, you might use a tailored Data Processing Agreement to document responsibilities around handling personal information.
Key Takeaways
- A privacy policy explains how your business collects, uses, stores and discloses personal information, and it supports compliance with the Privacy Act 2020.
- A strong privacy policy template should be tailored to your real business practices - especially your third-party tools, overseas storage, and marketing activities.
- Most NZ businesses should include clauses covering what information is collected, how it's collected, why it's used, who it's shared with, how it's protected, and how customers can request access or corrections.
- A privacy policy example can be a helpful starting point, but generic templates can create risk if they include inaccurate statements or don't match your operations.
- Your privacy policy should be consistent with the rest of your customer-facing documents, including your Website Terms And Conditions and any other online trading terms.
- It's worth having internal privacy processes (including a data breach response plan) so you can follow through on what your policy says.
If you'd like help drafting or reviewing a privacy policy that actually fits your business (and your tools), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.