PRIVACY POLICY

Updated February 2024

1 – Introduction

1.1 – This privacy policy (Policy) sets out how Black Pearl Group Limited and its subsidiaries and related companies (Black Pearl Group (“we”, “us”, and “our”)) will collect, use, store, and disclose your personal information that we collect through our products and services (products and services), websites (websites), social media pages, activities, and all other activities relating to our business and operations, as described in this privacy policy. Our products and services include but are not limited to black pearl mail, New Old Stamp and pearl diver.

1.2 -This policy deals with personal information as defined in the New Zealand privacy act 2020 (personal information). Generally, we will deal with your personal information in accordance with the New Zealand privacy act 2020. We will also comply with applicable privacy laws in Australia, the European economic area, the United Kingdom, Canada, and specific states in the United States of America (applicable privacy laws).

1.3 – By using our websites, products, services and/or engaging with us in the ways outlined in this policy, you agree to accept this policy. This policy should also be read in conjunction with our terms of use and our cookies and consent policy.

2 – How we collect your personal information

2.1 – We collect personal information in a variety of ways, which are outlined in more detail below. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

When you provide personal information to us directly

2.2 – We will collect personal information when you provide it to us during your interaction or engagement with us. This could include when you visit or use our websites, when you purchase and/or use our products and services, when you submit a form through our websites, when you sign a contract with us, when you contact us with questions or request a demonstration or support, when you use a chat function on our websites, or when you otherwise engage with us through email, phone, social media, phone or audiovisual call, or via mail.

2.3 – The personal information that we may collect from you directly includes, but is not limited to, details about your identity (including your name and title), location and address, contact and social media details, third party email account credentials, information about your employment and education history, details of any company you are associated with, and recordings of customer calls (including phone and audiovisual).

When we collect personal information automatically

2.4 – We will collect personal information automatically when you visit or use our websites or receive emails from us or from our customers using our products and services. This personal information may include your IP address, usage details, the country you are in, and other information about you and your use of a website or interaction with an email collected through tracking technologies including cookies, web beacons, link redirects, scripts, and iframes (Tracking Technologies).

2.5 – Please see our cookies and consent policy for more information, at [insert link to policy].

2.6 – If required to by any applicable privacy laws, we will ask for your consent when placing tracking technologies on your device. You can configure your browser settings to disable some tracking technologies on a per-site basis, but this may mean that you cannot use all the features on our websites, or other websites.

2.7 – Regarding Black Pearl Mail, we may collect personal information about you and/or your own customers relating to interactions with emails sent using our products and services. We do not store any information from the body of emails sent using our products and services with the exception of URLs so that we can resolve these for the recipients, and in the event that an email is undeliverable, we will keep it for a maximum of six hours while it is in a re-sending cycle, before the email is permanently deleted.

When we receive personal information from third parties

2.8 – We may collect and receive personal information from third parties (including third party service providers and third parties with whom we do ordinary business to provide our products and services) who gather personal information from a variety of sources. They may help us by providing additional information to enhance the information that we collect from you and/or automatically.

2.9 – The personal information that we receive from third parties may include, but is not limited to, details about your identity (including your name and title), location and address, contact and social media details, information about your employment and education history, and any company with which you are associated.

Payment details

2.10 – Payment for some products and/or services is made online by way of credit or debit card. When you make a payment for products and services, we will not retain any credit card information except the last four digits and your credit cards expiry date for you to be able to identify your card for future payments.

2.11 – When payment is made for products and services by way of credit card, we engage secure pci-compliant third-party payment system providers who will collect the payment details necessary to process payments.

3 – How we use your personal information

3.1 – What we do with your personal information depends on the purpose for which it was collected. Your personal information will only be used for purposes directly related to our business activities and the provision of our products and services, and when it is necessary for or directly related to these activities.

3.2 – We may use the personal information that we collect for reasons including, but not limited to:

a) To perform a contract with you, including to:

• Provide customers with our products and services, including black pearl mail and pearl diver;
• Allow you to open a customer account with us;
• Provide our websites to you and to improve our websites to give you a better user experience;
• Provide customers with technical support;
• To invoice you and/or process payments;

b) For our business purposes, such as data analysis, identifying usage trends, developing new products and services, improving our current products and services, and for the general operation and expansion of our business activities;

c) To communicate with you including responding to your emails, calls, requests, and/or feedback;

d) To advertise and market our products and services to you;

e) To perform our obligations under any contractual arrangement that we may enter into, including where that involves disclosure of information as set out at section 4 below;

f) To protect and/or enforce our legal rights and interests, including defending any claim; and

g) To comply with applicable privacy laws and regulations, and for any other purpose authorised by you, or applicable privacy laws.

3.3 – We may use aggregated information to improve the quality of our products and services, and for statistical and market research purposes, including to analyse the use of our products and services. This aggregated information is not associated with any individual person. We may use this data in aggregate form as a statistical measure, but not in a manner that would identify any individual personally.

4 – Disclosure of your personal information

4.1 – We may disclose your personal information to third parties in the ways outlined in this policy, for directly related purposes, or otherwise where you have authorised. This will include third parties we engage to support black pearl group’s business activities and operations, such as:

a) Third party service providers who provide us with numerous services, including but not limited to data storage, webhosting, payment system providers, and software; and

b) Third parties with whom we do ordinary business, including to help us and them enhance the information we and they use to provide products and services.

To protect any legal interest or as required by law

4.2 – We may disclose personal information where we believe that the disclosure is necessary to protect and/or enforce our legal rights and interests, including defending any claim.

4.3 – We may also disclose personal information to comply with applicable privacy laws and regulations, and for any other purpose authorised by you, or applicable privacy laws.

5 – Location of processing and data transfers

5.1 – As our websites and products and services are available from anywhere in the world, and due to the international nature of our business activities, we may collect, transfer, store, and process personal information in any country in which we and/or the third parties we engage with operate. Therefore, we may collect, transfer, store, and process your personal information in a different location to where you are situated.

5.2 That personal information is collected and transferred pursuant to and in accordance with applicable privacy laws (except as described in section 1.7 above where you live in a location in which applicable privacy laws do not apply). If at any time we need to send personal information outside of a country in which we operate to an overseas agency that may use the information for its own purposes, we will:

a) Take steps to ensure that we believe on reasonable grounds that the overseas agency receiving the personal information is subject to privacy protections that, overall, provide comparable safeguards to those provided under the applicable privacy law; or

b) Enter into a binding contractual agreement with the overseas agency receiving the personal information confirming that it will protect the personal information in a way that, overall, provides comparable safeguards to those provided under the applicable privacy law; or

c) Obtain the express authorisation of the individual concerned to disclose their personal information overseas after expressly informing them that the overseas agency may not be required to protect the information in a way that, overall, provides comparable safeguards to those provided under the applicable privacy law.

6 – Security of your personal information

6.1 – We take the security of your personal information seriously and ensure that all our staff comply with their legal obligations to protect your personal information, except in a limited number of circumstances as required by the applicable privacy laws.

6.2 – We have taken reasonable steps to ensure the safety of personal information stored in both electronic and hard copy format, and to protect against loss, unauthorised access, use, modification, disclosure, or other misuse.

6.3 – If your business holds a customer account with us, you may be able to designate one or more individuals to be an administrator of the account. The named account holder and any designated administrators are responsible for:

a) Maintaining the confidentiality of the account login and password details;

b) Ensuring that contact details for any administrators are correct and up to date; and

c) Ensuring that all activities that occur with the account comply with our terms of use.

7 – Your rights in respect of your personal information

7.1 – You have the option to decline to provide your personal information. If you choose not to provide personal information, this may affect your use of our products and services, your use of our websites, us responding to your enquiries or requests, processing any forms or payments, or otherwise carrying out our general business activities and functions.

7.2 Access and correction: subject to certain grounds for refusal set out in the applicable privacy laws, you have the right to access your readily retrievable personal information that we hold, and to request a correction to your personal information.

7.3 If you hold a customer account with us, you can access and, in some cases, update certain information that we hold about you or your business by logging into your customer account through our websites.

7.4 In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction.

7.5 Restrict / object: in accordance with applicable privacy laws, you may have the right to object to our processing of, and/or restrict or control the dissemination of, your personal information, in certain conditions.

8 – Opt out of communications:

if you are a customer and you do not wish to receive emails or other forms of communications from us, please update your customer account settings by contacting customer success to elect to not receive certain communications from us. We adhere to a strict permission-based email policy.

8.1 – Transfer: in accordance with applicable privacy laws, you may have the right to request that we transfer your personal information to another organisation, or directly to you, under certain conditions.

8.2 – Automated decision making: in accordance with applicable privacy laws, you may have the right to be informed of automated decision making, request additional information on automated decision making, submit observations to us, and contest any decision in relation to automated processing, under certain conditions.

8.3 – Erasure: in accordance with applicable privacy laws, you may have the right to request erasure of your personal information, under certain conditions.

8.4 – If you want to exercise your rights in respect of your personal information, please contact us on the details outlined at section 15 of this policy. Before you exercise these rights, we will need evidence to confirm that you are the individual to whom the personal information relates.

8.5 – In some circumstances where personal information is collected and held by our customer rather than by us, you may need to direct your communications to that customer directly. If you contact us about exercising your privacy rights and we do not hold personal information about you, we will let you know.

8.6 – To exercise your rights in relation to personal information collected through our website visitor identification software (Pearl Diver), please complete, and submit the pearl diver opt-out form, which is available here https://pearldiver.Io/opt-out/

9 – Accuracy of personal information

9.1 – We will take steps reasonable in the circumstances to ensure that your personal information is accurate, up to date, complete, relevant, and not misleading before using or disclosing it in accordance with this policy.

10 – Retention of your personal information

10.1 – We will only retain personal information for as long as required for the purpose/s for which it may be lawfully used.

10.2 – As set out at section 7 above, you have the right to request that we erase your personal information, or restrict the processing of your personal information, under certain conditions.

11 – Changes to this policy

11.1 – We may update this policy from time to time. We will notify you of any such updates by publishing the updated policy on our website.

11.2 – Where have made a material change to the policy, the revised policy will take effect fourteen (14) days after the date on which we inform our customers and upload it to our websites.

11.3 – In all other cases, the revised policy will apply from the date we upload it to our websites.

11.4 – Your continued use of our websites and/or products and services constitute your agreement to this policy as updated.

12 Contact and complaints

12.1 – If you have any questions, concerns, or to make a complaint in relation to this policy or the protection of your personal information, please direct them to the privacy officer at privacy@blackpearl.Com. To enable us to address any questions or concerns more easily, it is preferable if they are made in writing.

12.2 – The privacy officer will investigate and respond to any complaints or concerns as soon as possible and in accordance with the times and procedures set out in the applicable privacy laws.

13 – If you are not satisfied with how we have handled your complaint, you can contact the following in each jurisdiction:

13.1 – New Zealand office of the privacy commissioner

13.2 – Europe https://edps.Europa.Eu/data-protection/our-role-supervisor/complaints_en

13.3 – United Kingdom https://www.Gov.Uk/data-protection/make-a-complaint

13.4 – Australia https://www.Oaic.Gov.Au/privacy/privacy-complaints

13.5 – United states of America, to look up your state https://www.Usa.Gov/state-consumer

13.6 – Canada https://www.Priv.Gc.Ca/en/report-a-concern/file-a-formal-privacy-complaint/; or

13.7 – The relevant supervisory authority in your country.

14 – Residents of EU, your additional rights under the General Data Protection Regulation (GDPR)

14.1 – You have a right to access your personal and right to data portability. Meaning you can ask what personal data of yours is processed, and the list of third parties which have access to the information, clarification of this policy, period of processing and protection measures we implemented.

14.2 – You have the right to restrict the processing of your personal data i.e. Instead of the erasure of information its processing will be restricted.

15 – Residents of California, your additional rights under the California privacy rights act (CPRA)

15.1 – To request the disclosure of the following information:

15.1.1 – The categories and specific pieces of personal data we have collected about you;

15.1.2 – The categories of sources from which the personal data is collected;

15.1.3 – The business or commercial purpose for collecting or selling data;

15.1.4 – The categories of third parties with whom we share personal data; and

15.1.5 – The categories of personal data that we disclosed about you for a business purpose.

15.2 – To not be discriminated when exercising any of the rights under the CPRA.

15.3 – Regarding the right to be deletion request, we will exercise your right to be forgotten with the potential exceptions of the need to:

15.3.1 – Complete the transaction, fulfil the terms of a written warranty, provide the services requested, or otherwise perform an agreement with you;

15.3.2 – Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity;

15.3.3 – Debug to identify and repair errors that impair existing intended functionality of our websites;

15.3.4 – Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law;

15.3.5 – Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the data deletion is likely to render impossible or seriously impair the achievement of such research, and if you provided informed consent for such processing;

15.3.6 – To enable solely internal uses that are aligned with your expectations based on your relationship with us;

15.3.7 – Comply with legal obligations.

The Delete Act of 2023 statistics and monitoring

Request My Information Requests:

- - Number of Requests Received: 9
  - Number of Requests Fulfilled: 3
  - Number of Requests Denied: 6
  - Average Number of Days to Fulfil Requests: 8.22

Opt-Out Requests:

- - Number of Requests Received: 10
  - Number of Requests Fulfilled: 6
  - Number of Requests Denied: 4
  - Average Number of Days to Fulfil Requests: 5.5

Delete Requests:

- - Number of Requests Received: 18
  - Number of Requests Fulfilled: 12
  - Number of Requests Denied: 6
  - Average Number of Days to Fulfil Requests: 6

Do Not Sell Requests:

- - Number of Requests Received: 14
  - Number of Requests Fulfilled: 6
  - Number of Requests Denied: 7
  - Median Number of Days to Fulfil Requests: 5