This privacy policy applies with effect from 28 April 2023, unless agreed otherwise.

Cotiss Limited (New Zealand company number 8143589) (Cotiss, we, us or our), understands that protecting your personal data is important.

This privacy policy sets out our commitment to protecting the privacy of personal data provided to us, or otherwise collected by us when you use and interact with our website or services, communicate with us, visit our office or attend our events, among other things. We have used examples in this privacy policy to help explain some points – please remember that these examples describe common scenarios but do not necessarily cover all situations.

The Cotiss platform itself has its own terms of service that may include specific privacy-related terms.  To the extent that there any such terms conflict with this privacy policy, then the terms of this privacy policy will apply instead.

We may change this privacy policy to reflect changes in our services, and/or to reflect changes in laws we have to comply with. Depending on how significant the changes are, we will either put a notice on our website, send you an email or notify you through the Cotiss platform to inform you of those changes. If we have to make changes to protect the security of your personal data, we can tell you after we've made the change.

We encourage you to read this policy carefully. If you provide personal data to us, you understand we will process it in accordance with this privacy policy. If you do not provide personal data to us, however, it may impact our ability to provide our services to you and your use of the services. If you have any questions, please contact us using the details set out at the bottom of this privacy policy.

This privacy policy explains:

• the types of personal data we may collect about you;
• how we might collect your personal data;
• how we may use your personal data and the reasons we collect it
• how we will store your personal data;
• if we are likely to disclose your personal data overseas, and if so, which countries we are likely to disclose your personal data to;
• your rights in relation to your personal data; and
• how you can contact us if you have any other questions regarding our processing of your personal data.

Personal data

In this policy:

• personal data means identifiable data about you, for example your name, email, address, telephone number and so on. If you cannot be identified (for example, when personal data has been aggregated and anonymised to the extent you can't reasonably be identified) then certain parts of this policy may not apply to that information. This includes "personal information" as it is defined under applicable privacy laws;
• applicable privacy laws means the requirements of privacy laws, codes and regulations relevant to you in the country you reside in, including as applicable the New Zealand Privacy Act 2020 and the Australian Privacy Act 1988; and
• where we refer to processing of your personal data, we mean all activities relating to our use of that personal data, from its collection through to its storage and disposal and everything in between, and process shall be interpreted accordingly.

The types of personal data we may collect about you

The types of personal data we may collect about you include:

• identity data (including first name, middle name, last name, date of birth, job title and employer organisation);
• contact data (including billing address, email address and telephone numbers);
• financial data (including bank account and payment card details through our third party payment processor Stripe);
• transaction data (including details about payments from you to us and other details of services you have purchased from us or we have purchased from you);
• technical and usage data (including internet protocol (IP) address, your login data, your browser session and geo-location data, your location information (for example your GPS location), device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour, information about your access and use of our website, including through the use of internet cookies, your communications with our website, the type of browser you are using, the type of operating system you are using and the domain name of your internet service provider);
• profile data (including your log in for our services, support requests you have made, your interests, preferences, feedback and survey responses, additional personal data that you provide to us, directly or indirectly, through your use of our services, associated applications or accounts from which you permit us to collect information);
• marketing and communications data (including your preferences in receiving marketing from us and our third parties and your communication preferences);
• professional data (including where you are a worker of ours or applying for a role with us, your professional history such as your previous positions and professional experience); and
• requested data (including any other personal data requested by us and/or provided by you or a third party).
  
  

To the extent that we collect any personal data which is defined as "sensitive information" under applicable privacy laws, this will only be with your consent and where the collection is reasonably necessary for Cotiss' functions or activities, or where collection is authorised by the law.

How we might collect your personal data

The ways we collect your personal data can be categorised into: (1) information you provide us directly, (2) information that is collected automatically and (3) information we indirectly collect from third parties.

Information you provide to us directly

The personal data we collect directly from you may include the below:

• information you provide us to during the registration process (user profile data). This user profile data may include your name, address, email address, contact details and professional details such as your trade, job title and qualification;
• information contained in or relating to any communication that you send to us or that we send to you (communication data). The communication data may include the communication content and metadata associated with the communication;
• data allowing us to get in touch with you (contact data). This contact data may include your name, email address, telephone number, postal address and other information you provide us when you send us communication data;
• information relating to your application for employment which may include your CV and other information such as name, address, email address and contact details (employment data);
• information relating to transactions, including your purchase of a Cotiss subscription plan (transaction data). The transaction data may include your payment card details or other payment and transaction details; or
• website user account data (account data). This account data may include your name, email address, account creation, employer, website settings and marketing preferences.

Information that is collected automatically

We collect personal data when you use our website, services and social media platforms.  This information could include your IP address, location data and social media handles. We use cookies and similar technologies to collect personal data in these circumstances.

We may use these technologies to:

• analyse the use and performance of our website and services;
• identify you as you navigate our website;
• collection information about the device you use to access the website; and
• to otherwise protect our user accounts, websites and services generally.

A cookie is a file that stores information about you and your behaviour on the internet. Cookies are created by a web server when you browse a website and are stored on your web browser. Cookies are accessed by a webserver upon entering a website. Cookies used on this website enable some of the website's essential functionality and help us provide the best possible service to you by tailoring our services to best suit your preferences

There are two types of cookies, persistent cookies and session cookies. Persistent cookies are stored on a web browser until they expire or are deleted. Session cookies expire upon the user closing their web browser.

Most internet browsers give you the option to reject all cookies, accept all cookies, erase cookies stored on your device or be notified before a cookie is stored on your device. However, if you reject or erase the cookies referred to above some functionality or features of this website may not function properly or be fully available.

Please refer to your internet browser instructions if you want to find out more about rejecting or blocking cookies.

Information collected indirectly from third parties

We may indirectly collect personal data about you from third parties with your authorisation or where otherwise permitted by law (for example, where the source of the information is publicly available).

If you are a third party providing personal data about somebody else, you represent and warrant that you have such person's consent to provide the personal data to us.

How we may use your personal data and the reasons we collect it

We use your personal data when you apply for our services, while you are a customer and when you use our free services (for example, when you participate in a free trial period offered under your subscription plan). We will use this personal data generally to manage our services and business effectively, as well as for potential development of future products and services.

In particular, we may use your personal data for the following reasons:

• to enable you to access to our services, including to provide you with a login and manage tenders and quotes;
• to provide our services to you, including to give you access to the Cotiss platform, tech stack, and integrations;
• to contact and communicate with you about our services and any enquiries you make via our website;
• for internal record keeping, administrative, invoicing and billing purposes;
• for analytics, market research and business development, including to operate and improve our services;
• to detect and/or prevent any illegal activity that may threaten us or our services;
• for advertising and marketing, including to send you promotional information about our products and services and information that we consider may be of interest to you, noting we will comply with all laws that are relevant to marketing (including the Unsolicited Electronic Messages Act 2007 and Fair Trading Act 1986 of New Zealand);
• to comply with our legal obligations and resolve any disputes that we may have;
• if you have applied for employment with us;
• to consider your employment application; and
• if otherwise required or authorised by law.

We may also share your personal data within Cotiss, to our service providers and to other authorised third parties. We will only share personal data when we are allowed to under applicable data protection laws, or when we are legally required to. We may disclose your personal data to:

• the administrator account of your employer, to the extent that your personal data is related to the provision of potential employment by your employer;
• third party service providers for the purpose of enabling them to provide their services to us and therefore to you (for example, Google Analytic]), including IT service providers, content management system providers, data storage, web-hosting and server providers, debt collectors, maintenance or problem-solving providers, marketing or advertising providers, professional advisors and payment systems operators;
• our employees and contractors;
• our existing or potential agents or business partners;
• anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred;
• courts, tribunals and regulatory authorities, in the event you fail to pay for services we have provided to you;
• courts, tribunals, regulatory authorities and law enforcement officers, as required or authorised by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights; and
• any other third parties as required or permitted by law.

Google Analytics: We may have enabled Google Analytics Advertising Features including Remarketing Features, Advertising Reporting Features, Demographics and Interest Reports, Store Visits, Google Display Network Impression reporting etc. We and third-party vendors may use first-party cookies (such as the Google Analytics cookie) or other first-party identifiers, and third-party cookies (such as Google advertising cookies) or other third-party identifiers together.

You can opt-out of Google Analytics Advertising Features including using a Google Analytics Opt-out Browser add-on found here. To opt-out of personalised ad delivery on the Google content network, please visit Google’s Ads Preferences Manager here or if you wish to opt-out permanently even when all cookies are deleted from your browser you can install their plugin here.  To opt out of interest-based ads on mobile devices, please follow these instructions for your mobile device: On android open the Google Settings app on your device and select “ads” to control the settings. On iOS devices with iOS 6 and above use Apple’s advertising identifier. To learn more about limiting ad tracking using this identifier, visit the settings menu on your device.

How we will store your personal data

We are committed to ensuring that the personal data we collect is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures, to safeguard and secure personal data and protect it from misuse, interference, loss and unauthorised access, modification and disclosure.

While we are committed to security, we cannot guarantee the security of any information that is stored by us or transmitted to or by us over the internet. The transmission and exchange of information over the internet is carried out at your own risk.

If we are likely to disclose your personal data overseas, and if so, the countries to which we are likely to disclose your personal data

We usually hold your personal data in New Zealand, but sometimes we may disclose your personal data to countries other than the country you live in – such as Australia.  These countries may have laws different to what you are used to. If we do this,  we will put in place contractual safeguards if necessary to ensure your personal data remains protected and comply with applicable data protection laws.

Your rights in relation to your personal data

Under certain circumstances and to the extent that such rights are granted in accordance with applicable data protection laws in your country, you, or someone you give authority to, has the right to request access to or correct your personal data:

• Access: You may request access to the personal data that we hold about you. An administrative fee may be payable for the provision of such information. Please note, in some situations, we may be legally permitted to withhold access to your personal data.
• Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to promptly correct any information found to be inaccurate, out of date, incomplete, irrelevant or misleading. Please note, in some situations, we may be legally permitted to not correct your personal data.

When it comes to marketing communications, you can ask us at any time not to send you these by following the unsubscribe instructions in the marketing communication, or by emailing our privacy representative below.

If you wish to make a complaint, please contact us using the details below and provide us with full details of the complaint. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take in response to your complaint. You also have the right to contact the Office of the New Zealand Privacy Commissioner (OPC) or the Office of the Australian Information Commissioner (OAIC), or another relevant data protection authority where you are not satisfied with our resolution process.

Links to other websites

Our services may contain links to other websites. We do not have any control over those websites and we are not responsible for the protection and privacy of any personal data which you provide whilst visiting those websites. Those websites are not governed by this privacy policy.

Contact details

For any questions or notices, please contact our privacy representative at:

Cotiss Limited 

Address: 606B, 602-616 Dominion Road, Mount Eden, Auckland 1041, New Zealand

Phone: +64 21 074 8062

Email: privacy@cotiss.com