Privacy Policy

Last updated: 5 May 2026

Introduction

IwiData NZ ("we", "us", "our") is a governance transparency platform that aggregates publicly-available information about iwi organisations, post-settlement governance entities, and the named individuals who serve as their trustees, directors, and executives. This page explains how we handle that information under the New Zealand Privacy Act 2020.

The full editorial floor — including our source authority, governance-fee disclosure policy, tikanga-aware redaction process, search-engine indexing rules, and right-of-reply pathways — is set out on our Data Principles page. This privacy policy is the legal companion to that document.

Information we publish about iwi trustees, officers and executives

We publish profile information about named individuals serving in iwi governance roles. This is personal information under the Privacy Act 2020, and our publication of it is subject to the Act. The information is sourced from publicly-available publications and registers, and our republication relies on the "publicly available publication" exception in Privacy Act 2020 sections 7 and 22 (IPP 11(e)(iii) / IPP 12(d)). The information we publish includes:

  • Name, role, iwi affiliation, appointment and resignation dates
  • Biographical information voluntarily published by the iwi or the individual
  • Governance fees and KMP remuneration where the iwi has voluntarily disclosed them in its annual report
  • Cross-platform governance roles (Crown agency appointments, Companies Office director records, charity board roles, MP/councillor records)
  • Photographs published by the iwi as part of its annual-report or board materials

We do not publish home addresses, personal email addresses, personal phone numbers, dates of birth, or photographs of minors. We honour suppression orders and protective orders. The full list of categories we always remove on request is on the Data Principles page.

Source registers and publications

The information we publish is sourced from:

  • Iwi annual reports and PSGE disclosures voluntarily published by iwi
  • Treaty settlement Acts and Te Arawhiti / Office of Treaty Settlements records
  • Te Puni Kōkiri iwi data and reports
  • Charities Register (Charities Services / DIA) where an iwi entity is also a registered charity
  • Companies Office records where an iwi entity is also an NZ company
  • Crown Entities Act board and chief-executive appointment records

Information we collect about visitors to the site

Separately from the published-subject information above, when you visit iwidata.co.nz we may collect:

  • Account information — email address, display name (if you sign in via Supabase Auth)
  • Subscription information — Stripe customer ID, subscription status (if you take a paid plan); payment details are processed directly by Stripe and not stored on our servers
  • Usage data — pages visited, time spent, navigation paths
  • Device information — browser type, operating system, screen resolution
  • IP address — for security purposes and approximate geographic location
  • Correspondence — any feedback or correspondence you send to us

We do not sell visitor personal data to third parties or use tracking for advertising purposes. Analytics data is aggregated and anonymised.

Cookies

We use two categories of cookies:

  • Essential cookies — required for authentication and basic site functionality. These cannot be disabled.
  • Analytics cookies — Google Analytics with IP anonymisation enabled. Loaded only after consent. You may opt out at any time by clearing browser storage or selecting "Essential Only" in our cookie banner.

Service providers and disclosure

We share visitor information with the following service providers, who process data only as necessary to perform their services and are bound by confidentiality obligations: Supabase (database hosting and authentication), Stripe (payment processing), Netlify (website hosting), Sentry (error tracking), Anthropic (AI-powered data extraction).

We do not sell, trade or rent visitor personal information to third parties. We may disclose information if required to do so by law or in response to valid requests by public authorities, or to protect our rights, privacy, safety, or property.

Data security

We implement appropriate technical and organisational measures to protect against unauthorised access, alteration, disclosure, or destruction of data. Our website uses HTTPS encryption to secure data in transit. No method of transmission over the Internet is 100% secure.

Your rights under the Privacy Act 2020

Under the Privacy Act 2020 you have the right to:

  • Access the personal information we hold about you (IPP 6)
  • Correct inaccurate personal information (IPP 7)
  • Submit a right-of-reply for any data point or analytical observation we have published about you
  • Request removal of personal data that is not statutorily-public-by-design (photos, personal contact details, home addresses, suppressed-identity information)
  • Complain to the Office of the Privacy Commissioner if you believe we have breached your privacy

The fastest way to exercise these rights is the public dispute & right-of-reply form, which goes to our editorial review queue with a 5-business-day response target. Alternatively, email hello@iwidata.co.nz.

Children’s privacy

Our site is not intended for use by children under 16. We do not knowingly collect personal information from children under 16, and we do not knowingly publish profile information about minors. If you believe we hold or have published information about a minor, please contact us immediately and we will remove it.

Changes to this policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date.

Contact us

Privacy and data-protection enquiries:

hello@iwidata.co.nz

You may also contact the Office of the Privacy Commissioner at privacy.org.nz or 0800 803 909.

Indirect-collection notice (Information Privacy Principle 3A)

Required disclosure under the Privacy Act 2020, in force from 1 May 2026.

This notice satisfies the indirect-collection disclosure duty in IPP 3A for personal information we collect about iwi trustees, directors, executives and post-settlement governance entity officers from public registers and other publicly-available publications. Where the source information is publicly available, the IPP 3A "publicly available information" exception also applies; we publish this notice in addition, so that every data subject knows what we hold and how to access or correct it.

(1) The fact of collection

IwiData NZ collects personal information about the individuals named above and republishes it on IwiData (iwidata.co.nz) for the purpose described in (2) below.

(2) Purpose of the collection

To provide a searchable, cross-referenced governance and transparency record for journalists, funders, regulators, researchers, and the wider public; to support the regulatory and statutory disclosure regimes listed in (5) below; and to operate the commercial subscription products described on the site.

(3) Intended recipients

The general public via IwiData (iwidata.co.nz); verified researchers and Pro-tier subscribers via gated access for higher-detail disclosures; the Office of the Privacy Commissioner, Charities Services, the Financial Markets Authority, the Companies Office, and other regulators on lawful request; our service providers (Supabase, Netlify, Stripe, Sentry, Anthropic) acting under confidentiality obligations.

(4) Agency name and address

IwiData NZ, publisher of IwiData (iwidata.co.nz). Privacy contact: hello@iwidata.co.nz.

(5) Lawful authority for collection

We rely on the "publicly available publication" exception in sections 7 and 22 of the Privacy Act 2020 (IPP 11(e)(iii) and IPP 12(d)) for republication of information that is already on a statutory public register or has been voluntarily published by the data subject or their organisation. The specific source registers and statutory regimes are:

  • Iwi annual reports and post-settlement governance entity (PSGE) disclosures voluntarily published by iwi
    Voluntary publication by the iwi or PSGE
  • Treaty settlement Acts and the Office of Treaty Settlements (Te Arawhiti) public record
    Treaty of Waitangi Act 1975; relevant settlement Acts (Ngāi Tahu Claims Settlement Act 1998, Waikato-Tainui Raupatu Claims Settlement Act 1995, etc.)
  • Te Puni Kōkiri iwi data and reports
    Statutory functions under the Māori Development Act and the State Sector Act
  • Charities Register (where an iwi entity is also a registered charity)
    Charities Act 2005 §25
  • Companies Office records (where an iwi entity is also a NZ company)
    Companies Act 1993 §215
  • Crown agency board and chief-executive appointment records
    Crown Entities Act 2004; Public Service Act 2020
(6) Your right to access and correct

Under IPP 6 you may request access to the personal information we hold about you, and under IPP 7 you may request correction. The fastest route is the public dispute & right-of-reply form, which goes to our editorial review queue with a 5-business-day response target. Alternatively, email hello@iwidata.co.nz. The full editorial floor — including categories of personal data we always remove on request, the search-engine indexing policy, and the right-of-reply pathway for disputed inferences — is set out on our Data Principles page.

If you believe our handling of your personal information falls short of the Privacy Act 2020, you may also raise a complaint directly with the Office of the Privacy Commissioner at privacy.org.nz or 0800 803 909.

Data PrinciplesTerms of UseDisclaimerDispute / Right of Reply