Introduction and who should read this
This Privacy Policy is written for visitors, prospective clients, workshop participants, and anyone who corresponds with us about hydration education products. It sits alongside the Cookie Policy where we describe storage technologies in more detail. If you are interacting on behalf of an organisation, both you and that entity may hold responsibilities under contract; this document still describes how we handle personal information attributable to identifiable individuals.
We aim for clarity without oversimplifying legal duties. Where words have specific legal meaning (for example “legitimate interests”), we state them explicitly rather than burying them in fine print.
Controller identity and preferred contact routes
The data controller responsible for this website and associated enquiry handling is Shiningwhpolishe. You can reach us at:
262 Queen Street, Auckland CBD, Auckland 1010, New Zealand
Email online@shiningwhpolishe.world
Phone +64 9 375 1537
Privacy requests are easiest to process by email because we can verify identity, attach an internal reference number, and deliver written outcomes within a predictable thread.
Categories of personal data
Not every category applies to every person. The table below summarises typical fields, why they appear, and whether supply is voluntary.
| Category | Examples | Typical origin |
|---|---|---|
| Identity | Name, salutation, employer | You provide them in forms or signature blocks |
| Contact | Email, phone, time zone cues | Forms, email headers, calendar invites |
| Correspondence | Free-text project notes | Contact form, email threads |
| Technical | IP-derived region, user agent | Server logs, analytics if consented |
| Consent records | Cookie choices, checkbox timestamps | Banner interactions, hosted logs |
We do not operate a clinical record system. If you voluntarily disclose health context, we treat it as highly confidential correspondence and discourage including unnecessary clinical identifiers.
Purposes and lawful bases
Where the GDPR applies, we map processing to Article 6 bases. New Zealand’s Privacy Act 2020 sits alongside these explanations for domestic readers.
- Contract and steps prior to contract: preparing quotes, delivering purchased educational materials, scheduling sessions you request.
- Legitimate interests: network defence, abuse detection, aggregated readership analytics inside our organisation, and internal training derived from anonymised feedback, balanced against your rights through minimisation and opt-outs.
- Consent: non-essential cookies, certain marketing sequences where we have no pre-existing relationship, and the GDPR checkbox on contact forms where we rely on consent rather than legitimate interest for that specific message.
- Legal obligation: tax invoices, responses to lawful regulator demands, and document preservation where statute prescribes retention.
We provide educational information and habit design services. We do not provide medical advice, diagnosis, treatment, or healthcare services. We do not make health claims or guarantee specific health outcomes. Always consult qualified healthcare professionals for medical decisions.
Alignment with the New Zealand Privacy Act 2020
We observe the Information Privacy Principles where they apply: purpose limitation, transparency, collection from the individual where practicable, security safeguards, and accuracy. Access and correction requests may be directed to the email above. If we refuse a request, we explain reasons unless disclosure would itself undermine a legally permitted exception.
Cookies, pixels, and local storage
Operational cookies may store session continuity, language, or your saved consent snapshot. Optional analytics or marketing tools load only when you enable those categories through the banner or when law allows strictly necessary compatibility shims. A full inventory lives in the Cookie Policy, including how to revoke consent without impairing core navigation.
Retention schedule (indicative)
| Record type | Indicative period | Notes |
|---|---|---|
| Routine email and form enquiries | Up to 24 months after last reply | Unless attached to an active commercial relationship |
| Contracts and tax evidence | As required by NZ tax law | Often seven years from tax year-end |
| Server security logs | Rolling windows set by host | Typically under 90 days unless investigating abuse |
| Aggregated analytics exports | Indefinite in de-identified form | No persistent individual identifiers retained |
Periods adjust when litigation, regulatory investigations, or charging disputes require a litigation hold. In those cases we notify affected individuals where feasible and lawful.
Processors and international transfers
We rely on reputable subprocessors for hosting, transactional email, calendar tooling, and optional analytics. Contracts incorporate confidentiality obligations, purpose limitation, and deletion requirements at exit. When personal data leaves New Zealand or the EEA, we apply mechanisms such as EU Standard Contractual Clauses, UK addenda, or adequacy decisions where valid.
Transfers purely for storage in recognised cloud regions with equivalent safeguards may still necessitate transparency so you can evaluate risk. Contact us if you require an up-to-date list of material service providers for vendor diligence.
Security measures in outline
Controls scale with sensitivity: transport encryption on public endpoints, role-separated access to mailboxes, phishing awareness for staff, vendor security reviews during onboarding, and hardened authentication where infrastructure providers support it. We cannot warrant absolute security, but we test assumptions after material architectural changes.
Rights for individuals in the EEA and UK
Depending on circumstances, you may exercise access, rectification, erasure, restriction, objection, and data portability where technically feasible. You may withdraw consent for processing that relied on it. You also retain the right to complain to your local supervisory authority; links to directories appear on the European Data Protection Board website.
New Zealand access requests and complaints
You may request confirmation of whether we hold information about you and ask for a copy subject to verification. Corrections can be proposed where data is inaccurate or incomplete. If you believe we breached the Privacy Act, you may complain to the Office of the Privacy Commissioner. We welcome the chance to resolve issues directly before escalation.
Automated decision-making and meaningful human review
We do not make legal or similarly significant decisions about you solely by automated processing. Pricing software might assist humans with arithmetic, but humans confirm quotes and schedules.
Children and teenage participants
Materials target adults responsible for their own hydration routines. Where a guardian books on behalf of a minor, the guardian’s details form the primary contact record. We delete incidental mentions of minors when projects conclude unless law demands otherwise.
Optional marketing and business-to-business outreach
We may send carefully scoped updates about workshop dates or product refreshes. Corporate contacts may receive relevant notices under soft opt-in rules where applicable law permits; consumer contacts receive marketing only with clear consent or after a recorded opt-in. Every marketing email includes an unsubscribe or preference link aligned with the channel.
Personal data breaches
We maintain a response checklist: contain the incident, record facts, notify regulators where mandatory, and inform affected individuals when high risk to rights and freedoms is likely. Lessons learned feed back into vendor reviews and access policies.
Changes, version control, and archiving
We version this policy when practices shift materially. The on-page date stamp reflects the latest editorial pass; historical copies can be emailed for comparison. Continued use after posting constitutes awareness, but fresh consent may still be required for new optional technologies.
Contact for privacy questions
Direct privacy questions to online@shiningwhpolishe.world or use the contact form with “Privacy” in the subject line. Related documents: Cookie Policy, Terms of Use, Refund Policy.