Orientation
Purpose and scope
Filterlybone publishes informational seated-guidance
programmes and facilitates voluntary enquiries received through
HTTPS endpoints or authenticated mail relays. This Privacy
Policy defines how personally identifiable fields collected
during those journeys are classified, justified, safeguarded,
and eventually erased.
The Policy complements—but does not replace—contractual
data-processing annexes executed once commissioned engagements
crystallise. Where tensions emerge between summaries here and
bespoke clauses inside signed scopes, the executed instruments
prevail unless prohibited by compulsory privacy statutes.
Transparency pledge
We describe processors generically until confidentiality
commitments permit naming; substantive diligence questionnaires
remain available under mutual NDAs prior to invoicing.
Controller identity and supervisory footprint
Filterlybone exercises determination over purposes and
means for processing enquiry flows originating from
filterlybone.world properties. Postal address: 68 Beach
Road, Auckland CBD, Auckland 1010, New Zealand. Electronic
correspondence for privacy escalations: service@filterlybone.world.
Telephone switchboard: +64 9 919 2320.
No statutory requirement mandates appointment of an EU
representative today; nonetheless cross-border frameworks evolve
rapidly and contact vectors listed above honour Article 27 inquiry
pathways whenever mandated thresholds arise.
Personal data categories we may encounter
The roster widens only when interactions deepen; exploratory
browsers might emit solely technical telemetry while contracted
cohort members transmit richer narratives.
Identity and communication artefacts
Names, pronouns voluntarily supplied, employer descriptors
when relevance emerges, telephone routing digits,
routing-friendly email handles.
Messaging payloads
Unstructured narratives typed inside HTML forms or subsequent
mail threads detailing workstation frustrations, logistics
preferences, or procurement hurdles.
Consent proofs
Timestamped snapshots referencing affirmative analytics or
marketing toggles paired with hashed browser fingerprints
assisting duplicate-consent suppression.
Infrastructure telemetry
Anonymised-at-collection aggregates aside from narrowly scoped
diagnostic logs retaining truncated IP prefixes solely during
abuse mitigation windows.
Commercial artefacts
Once engagements mature: invoicing identifiers, taxation
identifiers compelled by AML statutes when thresholds oblige
enhanced diligence.
Purposes paired with lawful bases
- Mailbox triage and qualification conversations. GDPR Article
  6(1)(b) applies while correspondence constitutes necessary
  steps requested ahead of contractual negotiations; Article
  6(1)(f) supplements narrowly scoped mailbox hygiene balancing
  respondent autonomy.
- Preference persistence tied to strictly necessary cookies.
  Article 6(1)(f) legitimate interests anchored on predictable UX
  continuity reinforced via layered transparency banners
  duplicating information herein.
- Optional analytics or marketing identifiers. Activated strictly
  pursuant to Article 6(1)(a) granular consent refreshed whenever
  materially different tooling arrives.
- Regulatory bookkeeping. Article 6(1)(c) statutory obligations
  pertaining to taxation reconciliations once invoices circulate.
- Fraud deterrence signals. Article 6(1)(f) protecting
  organisational integrity against scripted mailbox floods
  attempting lateral phishing pivots.
Recipients, subprocessors, and confidentiality layering
Hosting vendors supplying immutable asset distribution sign
augmented DPAs referencing SCC modules approved by the European
Commission where geography warrants. SMTP relays undergo quarterly
credential rotations with SPF/DMARC alignment monitored centrally.
Professional advisers—including chartered accountants or
litigation counsel—receive subsets strictly proportional to
mandates presented; each recipient signs confidentiality
commitments referencing fiduciary obligations recognised either
under NZ law or correspondent jurisdictions.
No catalogue sale occurs; monetising mailing lists contradicts
organisational posture despite prevailing industry shortcuts.
International transfers and supplementary mechanics
Transfers rely first on adequacy decisions where Parliament
recognises reciprocal safeguards. Elsewhere controllers rely on
SCC 2021 modules supplemented by technical measures including
envelope encryption prior to mailbox ingestion plus ephemeral
decryption solely inside hardened endpoints.
Transfers purely ancillary to mere website browsing absent
identifiable payloads remain theoretically plausible yet
practically negligible due to CDN caching strategies stripping
upstream identifiers aggressively.
Retention matrices and lawful deletion choreography
- Exploratory enquiries lacking invoices retire eighteen months
  post final substantive reply unless counterparties renew
  relevance earlier.
- Executed programmes preserve narrative artefacts seven years
  aligning with taxation statutes prevailing near Auckland CBD
  headquarters.
- Consent artefacts reside twenty-four rolling months enabling
  contradiction audits requested under GDPR Article 7
  accountability dialogue.
- Security investigations justified under Article 6(1)(f) may
  temporarily elongate narrowly scoped subsets pursuant to
  documented breach timelines.
Deletion employs cryptographic wiping routines where filesystem
semantics cooperate; immutable backups reconcile eventual
consistency via orchestrated compaction passes announced
internally.
Security programme pillars
- Mandatory MFA across administrator consoles interfacing enquiry
  repositories.
- Quarterly tabletop simulations rehearsing ransomware containment
  preserving mailbox continuity.
- Patch orchestration pipelines referencing severity scoring
  frameworks harmonised with NZ CERT alerts.
- Least-privilege mailbox delegation denying lateral traversal
  between facilitation pods.
- Annual penetration exercises commissioned through reputable
  NZ-headquartered testers; their reports use seated-ergonomics
  analogies that are technically irrelevant yet bolster
  comprehension among mixed-literacy executives.
Individual rights catalogue
Persons situated inside GDPR jurisdictions retain access,
rectification, erasure, restriction, portability, objection, and
automated-decision safeguards enumerated across Articles 15–22.
Withdrawals of consent operate prospectively without undermining
earlier lawful processing anchored on distinct bases.
Requests authenticate via paired mailbox confirmations unless
statutory exemptions permit alternate attestations during
heightened vulnerability contexts. Responses strive for thirty
calendar days acknowledging complexity extensions permissible
under Article 12 when voluminous archives merit segmented
retrieval.
Complaints may escalate simultaneously toward supervisory
authorities without prejudicing informal remediation dialogue
encouraged culturally inside facilitation circles.
Alignment with New Zealand Privacy Act 2020 themes
Although GDPR framing dominates multinational readability,
principles guiding New Zealand Information Privacy Principles
remain honoured: purpose limitation, transparency, accuracy,
security, and individual participation pathways articulated
through Office of the Privacy Commissioner guidance summaries
exported voluntarily.
Serious harm thresholds influencing mandatory breach disclosures
integrate NZ OPC guidance distinguishing organisational
reputational bruises from tangible individual jeopardy.
Incident notification rhythms
Suspected unauthorised acquisitions trigger sequential
containment, eradication, recovery per NIST framing alongside
jurisdictional clocks—72-hour GDPR horizon versus NZ statutory
windows contingent on seriousness appraisals documented
contemporaneously.
Affected individuals receive concise factual summaries avoiding
melodrama yet supplying remediation suggestions proportionate to
assessed exposure breadth.
Children and guardianship-aware messaging
Primary narratives assume adult occupational contexts; guardians
initiating posture-awareness journeys on behalf of adolescents
remain welcome yet warrant overt acknowledgement inside
introductory paragraphs preventing ambiguity.
No behavioural profiling monetises juvenile curiosity vectors.
Automated decisions and profiling abstention
Routine workflows abstain from singularly automated adjudications
carrying legal ramifications; spam heuristics merely queue
suspicious payloads for human adjudicators preserving
proportionality obligations.
Policy amendment cadence
Material edits adopt semantic versioning mirrored inside changelog
anchors appended beneath hero summaries where feasible. Ongoing
engagements billed through recurring facilitation invoices receive
succinct delta notices highlighting the differences readers would
reasonably expect to see flagged.
Route nuanced correspondence—including restraint objections or
supervisory liaison introductions—to service@filterlybone.world,
embedding concise subject prefixes accelerating triage parity
across Auckland coordination pods.