Privacy Policy

‍1.  OUTLINE

1.1 SCANNABLE NZ LTD (NZCN 8032173) (Scannable, We, Us and our) is committed to protecting the personal information of the subscribers (Subscribers, you, your) of our services (Services) and users of our products (Products), content (Content) and website, being www.scannable.io (the Website).

1.2 When you visit the Website or use our Products and Services, We collect data (some of which may comprise personal information) and use this data to provide our Services to you.  This privacy policy will help you to understand:

1. how and why We collect personal information;
2. how that personal information is stored;
3. how you can access and correct that personal information; and
4. when we might disclose personal information to other people.

1.3 This privacy policy does not limit or exclude any rights that you have or may have under:

1. the Privacy Act 2020 (Privacy Act); and (where applicable)
2. the General Data Protection Regulation 2016/679 (GDPR) – for Subscribers based in the European Union (EU), please refer to our GDPR Addendum for additional terms which form part of this privacy policy.

1.4 For further information, please see www.privacy.org.nz.

2.  APPLICATION OF THIS PRIVACY POLICY

2.1 This privacy policy applies to all instances in which We collect personal information from you.

2.2 By accessing and/or using the Products, Content and/or Services, you consent to the collection, use, disclosure, storage and processing of personal information in accordance with this privacy policy.

2.3 Our Website may contain links to other third party websites and these third parties may have separate and independent privacy policies.  We have no responsibility and We will have no liability for the content and activity of these linked sites.

3.  CHANGES TO THIS POLICY

3.1 We may change or update this privacy policy at any time by uploading a revised privacy policy to the Website.

3.2 By using the Services and Website you agree to be bound by the privacy policy that is in effect at that time.

4.  COLLECTION OF PERSONAL INFORMATION

4.1 The Company may collect the following personal information from you:

1. Your name, phone number, residential address and email address.
2. Your gender, date of birth, job title, place of employment or business.
3. Your IP address in order to determine that Subscriber’s geographic location.
4. Any communication with the Company either directly, via phone or email.
5. The details of any shareholdings you or others may hold.
6. Information obtained by or submitted to Us by you through your use (or prospective use) of the Products or Services.

4.2 We collect and process data when you:

1. create a subscription and/or use the Products, Services or Website;
2. complete a customer survey or provide feedback to Us through our Website or by email;
3. upload anything onto our Website or when using our Products or Services; or
4. use or view our Website via your browser’s cookies.

4.3 We may supplement the information you provide to Us with information We receive from third parties.

4.4 If you choose not to provide information when We ask for it, you may not be able to use the Products or Services.

4.5 We do not collect any other personal information about you, including details about your race, ethnicity, religious beliefs, sexual orientation, political information or any other genetic or biometric data.

5.  USE OF PERSONAL INFORMATION AND DATA

5.1 The information that We collect from you may be used:

1. to verify your identity;
2. in connection with the provision (or potential provision) of the Products or Services to you;
3. to improve, update and maintain the Website and Services;
4. to communicate with you in relation to the Products or Services;
5. to market our Products and Services to you, including contacting you electronically (for example, by text, email or an online messaging platform);
6. to undertake credit checks of you (if necessary);
7. to invoice you and to collect money that you owe to Us, including authorising and processing credit or debit card transactions;
8. to respond to communications from you, including any complaints;
9. to co-operate with any government, industry, legislative or regulatory authorities, where required by law;
10. to protect and/or enforce our legal rights and interests, including defending any claim; or
11. for any other purpose authorised by you, the Privacy Act and/or the GDPR.

5.3 We reserve the right to use data (on an anonymous basis) in relation to your use of the Products for marketing and accounting purposes.

5.4 You may request that We stop sending marketing messages at any time, by contacting the Company on info@scannable.io.

6.  COOKIES

6.1 We use cookies (being an alphanumeric identifier that We transfer to your computer’s hard drive so that We can recognise your browser) in order to monitor your use of the Website.  This information is anonymous and is used to enable Us to enhance and customise your experience across the provision of our Website, Products, and Services.

6.2 You may disable cookies by changing the settings on your browser, although this may mean that you cannot use all of the features of the Website, Products and Services.

7.  DISCLOSURE OF INFORMATION

7.1 Unless expressly authorised by you or under this privacy policy, We will not disclose your personal information to any third party except where disclosure relates to the purposes for which the information was collected (as stated in clause 4.5 above) or where it may be required by law to do so.

8.  PROTECTION AND RETENTION OF PERSONAL INFORMATION

8.1 We will take all reasonable steps to ensure the personal information collected, used or disclosed in accordance with this privacy policy is accurate, complete, up-to-date and stored in a secure environment protected from unauthorised access, modification or disclosure.

8.2 We will hold personal information collected in accordance with this privacy policy both before and after the provision of its Products and Services, but only for so long as We are legally entitled to do so.

9.  ACCESS TO AND UPDATES OF PERSONAL INFORMATION

9.1 You may request to see the personal information that We hold on your behalf.

9.2 If the personal information held by Us is not up to date or incomplete you may ask Us to correct the information by updating the information contained within your profile on the Website or contacting Us and advising Us of the correct information.

10.  LEGAL RIGHTS AND ACCESS TO PERSONAL INFORMATION

10.1 You have the following rights in relation to your personal information:

1. To request access to your personal information.
2. To request a correction to your personal information.
3. To request the deletion or removal of your personal information.
4. To object to the processing of your personal information.
5. To request a restriction on the processing of your personal information.
6. To request a transfer of your personal information to you or a third party.
7. To withdraw consent to the use of your personal information.

10.2 You may request access to all of the personal information that We hold about you by contacting Us at info@scannable.io.

11.  SEVERABILITY

If any part of this privacy policy is found by a court to be invalid, void or unenforceable, whether under the Privacy Act, GDPR or any other applicable law, such provision will be deemed to be deleted from this privacy policy and the remaining provisions of will continue in full force and effect.

12.  DISPUTES

12.1 Your concerns can be resolved quickly by contacting Us through the Website.  Should you wish to report a complaint or if you feel that We have not addressed your concern in a satisfactory manner, you may contact the Office of the Privacy Commissioner by lodging a complaint form online or posting it to:

Office of the Privacy Commissioner
PO Box 10094
Wellington 6143

GDPR Addendum

Last updated: 10 September 2025

If you are based in the European Union (EU) and use this Website, our Products, Content or Services, then:

• these additional terms (GDPR Addendum) form part of our privacy policy; and
• to the extent the terms of this GDPR Addendum conflict with the privacy policy, this GDPR Addendum shall prevail.

Please note this GDPR Addendum was drafted with brevity and clarity in mind.  It does not provide exhaustive detail of all aspects of our collection and use of personal data.

Introduction

The General Data Protection Regulation (GDPR) regulates the collection, processing, and transfer of EU individuals’ personal data (as defined in the GDPR).  The personal information described in our privacy policy is personal data under the GDPR.  We are committed to complying with the GDPR when dealing with the personal data of our Subscribers who are based in the EU.

For the purposes of the GDPR, we are the data controller (as defined in the GDPR) when processing the personal data of our Subscribers who are based in the EU.

Processing personal data

We collect and store only the minimal personal data necessary to provide and secure our Services, and process such personal data for the purposes outlined in our privacy policy.  We collect personal data directly from you when you:

• create an account or sign up to use our Services
• submit forms or information through our Website or the Scannable app
• interact with our platform, where certain technical information (such as IP address, browser type, and device details) is automatically collected to support login, security, and service functionality

The personal data we may process broadly consists of the personal information described in our privacy policy and specifically includes:

• your name and email address (for account creation, communication, and authentication)
• your address (optional, if provided by you for inspection records)
• login-related technical data such as IP address and browser user agent (for security and troubleshooting purposes)

We do not collect sensitive categories of personal data such as payment card details, government identification numbers or health-related data.

Legal basis for processing

The legal basis for our processing of your personal data is your consent and, for certain of that personal data, processing is necessary for the performance of a contract to which you are a party or for our legitimate interests (except where such interests would be overridden by your fundamental rights and freedoms which require the protection of personal data).

Notwithstanding the above, we may process any of your personal data where such processing is necessary for compliance with applicable laws.

Security practices applied

We apply the following security practices when processing your personal data:

• encrypting data in transit and at rest where applicable
• limiting access to personal data to authorised personnel only, based on role and need-to-know principles
• monitoring and logging system access to detect and respond to potential security incidents
• regularly reviewing and updating our security measures in line with industry best practices and applicable legal requirements

Your rights

Your rights in relation to your personal data under the GDPR include:

• right to be informed - you have the right to be informed about how we collect and use your personal data.  Our privacy policy as supplemented by this GDPR Addendum is intended to fulfil that obligation
• right of access – you have the right to request a copy of the personal data we hold about you
• right to rectification – you have the right to request that we correct any information you believe is inaccurate or incomplete, and we will take every reasonable step to ensure personal data which is inaccurate is rectified
• right to erasure/ “right to be forgotten” – you have the right to request that we erase your personal data under certain conditions and we will do so if deletion does not contravene any applicable laws
• right to restrict processing - you have the right to request that we restrict or block the processing of your personal data under certain conditions
• right to withdraw consent – if the basis of our processing of your personal data is consent, you can withdraw that consent at any time
• right to data portability - you have the right to request that we transfer the data that we have collected to another organisation, or directly to you, in a structured, commonly used and machine-readable format
• right to object - you have the right to object to our processing of your personal data under certain conditions and we will do so to the extent required by the GDPR
• rights related to automated decision-making, including profiling - you have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you, except where such automated decision making is necessary for entering into, or the performance of, a contract with you, is authorised by applicable laws or is based on your explicit consent
• right to complain to a supervisory authority – you can report any concerns you have about our privacy practices to the relevant data protection supervisory authority

If you would like to exercise any of your above rights, please contact us at info@scannable.io.

International transfer of data

As a company based in New Zealand, the personal data we collect may be transferred to and processed in countries outside of the EU, the European Economic Area (EEA) and the UK.  New Zealand is recognised by the European Commission as a country that ensures an adequate level of data protection and we rely on this decision when transferring personal data from the EEA to New Zealand.

To ensure your personal data remains protected when transferred, we rely on appropriate legal safeguards as required by GDPR.  We use Standard Contractual Clauses (SCCs), which are model contract clauses approved by the European Commission, as the primary legal mechanism for international data transfers.

These clauses impose specific data protection obligations on both us and any third party receiving your data to ensure it is protected to the same high standard as in the EU.  We also ensure that any third parties we transfer data to have appropriate technical and organisational measures in place to protect your data.

These representatives have been authorised by us to be contacted by supervisory authorities and data subjects on all issues related to processing, to ensure our compliance with the GDPR.

Data retention policy

Personal data that we collect and process will not be kept longer than necessary for the purposes for which it is collected, including to satisfy any legal, accounting, or reporting requirements, or for the duration required for compliance with applicable law, whichever is longer.  The criteria we use to determine the period of time for which we keep personal data includes:

• the amount, nature and sensitivity of the personal data that you provide to us
• the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, and the applicable legal requirements.

In some cases, we may anonymise your personal data so it can no longer be associated with you, and we may use this information indefinitely without further notice.

Contacting us

As a company located outside of the European Union (EU) and United Kingdom (UK), we are required to designate a representative to act as a direct point of contact for data subjects and supervisory authorities.  The name and contact details of our representative is:

EU Representative:

Adam Brogden
contact@gdprlocal.com
+353 15 549 700
Ireland

UK Representative:

Adam Brogden
contact@gdprlocal.com
+441 772 217 800
UK

Disputes and complaints

If you have a concern about our privacy practices or you are not satisfied by the way your query is dealt with by our representative, you have the right to refer your query to and/or file a complaint with your local data protection supervisory authority in the country where you reside, where you work, or where the alleged infringement took place.  For example, in the United Kingdom this is the Information Commissioner’s Office.

Version History

Version 1.0 24 June 2021 Initial release

Version 2.0 10 September 2025 Minor revisions and GDPR Addendum update

‍