
Privacy Policy
 

Effective Date: 1 Dec 2025
Last Updated: 1 Dec 2025


At Ethica Consulting (“Ethica”, “we”, “us”, “our”), we help organisations think carefully about how they use technology, especially AI. To do that well, people need to trust us with information about their work, their challenges, and sometimes their people.

 

This Privacy Policy explains in detail how we collect, use, store, and protect information when you:

  • Work with us as a client

  • Take part in our workshops, interviews, or surveys

  • Visit our website or use our online tools
     

We aim to write this in plain language. Where we mention the New Zealand Privacy Act 2020, it’s to reassure you that we are aligning with recognised legal standards, not to drown you in legal jargon.


1. Scope of This Policy

 

This policy applies to:

  • Client organisations – companies, charities, public bodies and other organisations that engage us for consulting, training, or advisory services

  • Individual participants – people who join discovery sessions, interviews, workshops, pilots, research projects, or surveys we run

  • Website and online users – anyone who visits our website, fills in a contact form, or books a call online
     

This policy covers:

  • Information you give us directly (for example during meetings or via email)

  • Information we collect when we run surveys or assessments on your behalf

  • Information we collect automatically when you use our website
     

It does not cover:

  • Websites, apps, or services run by other organisations, even if we link to them. Those will have their own privacy policies.
     

2. Information We Collect

We try to collect only what we need, and to be clear why we’re collecting it.

 

2.1 Information from Consulting Engagements
 

When you work with us as a client, we may collect:

  • Organisation and contact details

    • Organisation name, industry, size, location

    • Names, roles, email addresses, and phone numbers of key contacts
       

  • Strategic and operational information

    • Business goals, challenges, and priorities

    • Descriptions of your services, products, and internal processes

    • Current and planned uses of technology, including AI and data tools
       

  • Engagement-related materials

    • Notes from meetings, workshops, interviews, or discovery sessions

    • Completed readiness assessments and questionnaires

    • Presentations, policies, or documents you share with us
       

  • Internal perspectives and feedback

    • Comments and insights from staff or leadership

    • Organisational culture, risk appetite, and attitudes to change
       

This information often includes commercially sensitive details. We treat it as confidential by default.

 

2.2 Survey and Research Information
For organisational surveys, readiness assessments, or research studies, we may collect:

  • Survey responses and ratings

    • Answers to multiple-choice and open-ended questions

    • Numerical ratings (for example about readiness, confidence, or concerns)
       

  • Background or demographic details (if relevant and optional)

    • Role, team, department, or seniority

    • High-level demographic information, if needed for analysis (e.g. region, years of experience)
       

  • Research notes

    • Thematic summaries of key findings

    • Extracts of anonymised comments for illustrative purposes
       

Where possible, we design surveys so that:

  • Individual respondents are not directly identifiable in the reporting; and

  • Only authorised individuals within Ethica and, where appropriate, within the client organisation see raw responses.
     

If a survey or research project is designed in a way that could identify individuals, we will say so clearly and explain why.

 

2.3 Website and Technical Data
When you visit our website or use our online tools, we may collect:

  • Usage and analytics data

    • Pages visited, time spent on each page

    • Links clicked and general interaction patterns

    • Browser type, operating system, and device information
       

  • Log information and IP address

    • IP address used to connect to our site

    • Timestamps of visits
       

  • Information you actively submit

    • Details from contact forms, such as your name, email address, organisation, and message

    • Information when you book a call or request materials
       

We use this to:

  • Understand how people find and use our site

  • Improve our content and user experience

  • Monitor for suspicious or malicious activity
     

2.4 Sensitive and Special Information
We do not intentionally seek sensitive personal information (such as health, ethnicity, or criminal history). However, because of the nature of our work, people sometimes share:

  • Internal disputes, conflicts, or HR matters

  • Concerns about staff wellbeing or mental health, at an organisational level

  • Issues involving vulnerable individuals or groups
     

Where such information is shared:

  • We treat it as particularly sensitive

  • We restrict access to those who genuinely need to know to deliver the engagement

  • We use it only for the purpose it was shared for (for example, to understand organisational risk or culture)
     

If we ever need to collect clearly identifiable sensitive personal information for a specific purpose, we will explain why and seek explicit consent where required.
 

3. How We Use the Information
We use information in ways that are aligned with why it was given to us in the first place.

 

3.1 Delivering Our Services
We use your information to:

  • Understand your context, needs, and constraints

  • Run readiness assessments, workshops, and discovery sessions

  • Develop tailored recommendations, frameworks, and roadmaps

  • Help you consider ethical, legal, organisational, and technical implications of AI use

  • Provide follow-up support and check-ins if we’ve agreed to them
     

Without this information, we wouldn’t be able to offer meaningful advice.

 

3.2 Surveys, Evaluations, and Research
For surveys and similar activities, we use information to:

  • Analyse responses at individual and group levels (where appropriate)

  • Identify patterns and themes that can inform recommendations

  • Prepare reports for the client organisation, usually in anonymised or aggregated form

  • Improve our own assessment tools and methodologies
     

Where we use anonymised or aggregated data for benchmarking or developing general insights (for example, “X% of organisations are concerned about data governance”), we make sure that individual organisations and individuals are not identifiable without their consent.

 

3.3 Improving Our Services and Tools
We may use information (often in de-identified form) to:

  • Refine our frameworks and diagnostic tools

  • Understand which types of support are most useful to clients

  • Train our team and improve our internal processes
     

We do not use client-specific confidential information in public materials (like blogs, talks, or case studies) unless:

  • We have your explicit permission, and

  • We agree with you what can be shared and how it will be presented.

 

3.4 Communications and Relationship Management
We may use contact details to:

  • Respond to enquiries

  • Arrange meetings, workshops, or training sessions

  • Share agreed follow-up materials

  • Send occasional updates or invitations that are relevant to existing or past clients
     

You can ask us to stop sending non-essential updates at any time.

 

4. Legal Basis for Processing (NZ Privacy Act 2020)
The New Zealand Privacy Act 2020 sets out principles for how personal information should be handled. In practice, this means:

  • We collect information for specific, genuine purposes related to our work

  • We avoid collecting more information than we reasonably need

  • We store information securely and limit access

  • We provide ways for you to access and correct your information
     

Depending on the situation, our legal basis for processing information may include:

  • Your consent – for example, where you voluntarily participate in a research project or survey

  • Our agreement with you – where we need to process information to deliver services you’ve engaged us for

  • Legitimate interests – such as improving our services and tools in ways that are fair, proportionate, and respect your expectations

  • Legal obligations – including record-keeping obligations or responding to lawful requests from authorities
     

We always balance our interests against your privacy rights.

 

5. Data Sharing and Third Parties
We know that “data sharing” can sound worrying, so we want to be very clear.

 

5.1 We Do Not Sell Your Information
We do not sell, rent, or trade personal or organisational information.

 

5.2 When We Work with Subcontractors or Experts
Sometimes we bring in trusted collaborators, for example:

  • Subject-matter experts

  • Co-facilitators for workshops

  • Specialist researchers
     

Where they need access to certain information to help deliver the work:

  • We limit what they see to what is strictly necessary

  • We ensure they are bound by confidentiality and privacy obligations

  • We keep oversight of how they handle the information
     

5.3 Technology and Service Providers
Like most small firms, we use reputable third-party services for things like:

  • Email, calendars, and file storage

  • Survey hosting and analytics

  • Website hosting and security
     

We choose providers that:

  • Have appropriate technical and organisational security measures

  • Are widely used and respected in their fields

  • Provide clear privacy commitments
     

We do not give these providers permission to use your information for their own marketing or analytics beyond what is necessary to deliver the service.


5.4 Legal and Regulatory Requirements
We may disclose information if required to do so by law, for example:

  • In response to a lawful request from a regulator or law enforcement agency

  • To protect our rights, safety, or property where we believe it is necessary and proportionate
     

Where possible and lawful, we will tell you if this happens.

 

6. Data Storage and Security
We take a combination of technical and organisational measures to keep information safe.

 

6.1 How We Store Information

  • We primarily use secure cloud-based tools for email, documents, and collaboration

  • Access is protected by strong passwords and, where available, multi-factor authentication

  • Client folders are separated from one another and access is limited to the team working on that engagement
     

Physical documents (if any) are stored securely and kept to a minimum.


6.2 How Long We Keep Information
We keep information only for as long as it is genuinely needed.
Indicative retention periods:

  • Client engagement records (including reports, key correspondence, and project notes): usually 2–7 years after the end of the engagement, depending on contractual and legal requirements

  • Survey and research data: retained in de-identified or aggregated form where possible, and only as long as needed for analysis, reporting, or improvement of our tools

  • Website logs and analytics data: retained for a limited period for security monitoring and performance analysis
     

When we no longer need information:

  • We securely delete it, or

  • We anonymise it so that it can no longer be linked to an individual or specific organisation.

 

6.3 Security Practices
To reduce the risk of unauthorised access, alteration, or disclosure:

  • We limit access to those who need the information to do their work

  • We review access rights periodically

  • We avoid sending sensitive material via unencrypted channels where possible

  • We encourage clients to use secure sharing methods for documents
     

No system can be 100% secure, but we aim to make sensible, proportionate choices to minimise risk.

 

7. Your Rights
If we hold personal information about you (for example, as an individual participant in a survey or as a contact person for a client organisation), you have the right to:

  • Ask if we hold information about you

  • Request access to that information

  • Request correction if it is inaccurate, incomplete, or misleading

  • Ask us to delete information in certain circumstances (for example, if it is no longer needed for the purpose we collected it)
     

We may need to verify your identity before releasing information, and in some cases we may not be able to provide all details (for example, if it would compromise another person’s privacy), but we will explain the reasons clearly.
To exercise these rights, you can contact us using the details in Section 12.

 

8. Confidentiality in Consulting Engagements
Confidentiality is central to how we work.

  • We treat all client-specific information as confidential unless you have clearly agreed that something can be shared

  • We avoid discussing one client’s internal details with another client

  • We may share general learnings and anonymised patterns (for example, “many organisations are struggling with data governance”) but without identifying you
     

Any formal agreement we sign with you will typically include a separate confidentiality clause. Our practice is to act in line with that standard, even before paperwork is in place.

 

9. Use of AI Tools in Our Work
Because we work in the AI space, it’s important we are open about how we use AI ourselves.

 

9.1 How We Use AI and Digital Tools

We may use AI-powered or advanced digital tools to:

  • Summarise long documents or meeting notes

  • Categorise and analyse survey responses in de-identified form

  • Draft internal working documents or frameworks
     

9.2 Safeguards We Apply
When using such tools, we:

  • Minimise and de-identify data where possible (for example, removing names, specific company identifiers, or sensitive details)

  • Use providers that have strong security and privacy commitments

  • Avoid pasting highly confidential or sensitive data into public tools

  • Keep a human in the loop – our team remains responsible for interpreting outputs and making judgments
     

If we propose using a particular tool or process that could involve more direct use of your confidential materials, we are happy to discuss it and, if needed, seek your explicit consent.
 

10. International Data Transfers
Some of the cloud services and tools we use may store or process data on servers outside New Zealand (for example, in Australia, the EU, the UK, or the US).
Where this happens:

  • We choose providers with appropriate security measures and strong reputations

  • We review their privacy commitments and terms of service

  • We treat your information in line with the standards set by the New Zealand Privacy Act, regardless of where the servers are located
     

If you have specific questions about where your data is stored in a particular engagement, we can discuss this with you.

 

11. Children & Vulnerable Individuals
Our services are aimed at organisations and professionals, not children.
If information about children or vulnerable individuals is shared with us in the course of an engagement:

  • We will treat it with heightened care and sensitivity

  • We will restrict access to those who strictly need to know

  • We will consider whether anonymisation or deletion is appropriate, once the purpose for which it was shared has been met
     

Where a project expressly involves such groups (for example, research into the impact of technology on young people), we will put additional safeguards in place and explain these clearly in any project-specific information sheets.

 

12. Contact Us
If you have questions, concerns, or requests about this Privacy Policy or how we handle information, please get in touch.

 

Ethica Consulting
Email: info@ethica.co.nz
Website: www.ethica.co.nz
Phone: +64 21 022 50222

 

We will do our best to respond promptly and helpfully.
If you are not satisfied with our response, you can contact:

 

Office of the Privacy Commissioner (New Zealand)
Website: www.privacy.org.nz
They provide advice and can investigate complaints related to privacy in New Zealand.

 

13. Updates to This Policy
We may update this Privacy Policy from time to time to reflect:

  • Changes in our services or tools

  • Changes in law or regulatory guidance

  • Feedback from clients or participants
     

When we make changes:

  • We will update the “Effective Date” at the top of this page

  • For material changes, we will highlight the update on our website and, where appropriate, notify affected clients directly
     

We encourage you to review this policy periodically if you are working with us or sharing information with us.
