Privacy Charter

Full Privacy Policy text

Supplementary detail complements summaries printed inside programme pamphlets. Nothing here replaces bespoke contracts executed with councils or landlords.

1. Identity of the controller

The organisation answering privacy questions is the volunteer group operating publicly as Quibraxnmroz. We are a community walking initiative based in Auckland; unless we publish a separate company or charity registration number on this site, we do not represent ourselves as a distinct incorporated entity.

• Postal address: 203/28 College Hill, Freemans Bay, Auckland 1011, New Zealand.
• Telephone: +64 9 215 1636 for coordinated enquiries requiring synchronous clarification.
• Electronic mailbox: mailuse@quibraxnmroz.world. Use the subject line “Privacy Request” when you want to exercise access or correction rights.
• Website: https://quibraxnmroz.world/, delivered exclusively via HTTPS when configured correctly on infrastructure partners.

2. New Zealand law and overseas visitors

We primarily follow the Privacy Act 2020 (New Zealand). If you contact us from overseas, we still apply fair handling practices and will explain transfers or overseas processors where relevant.

3. Philosophical limitation · informational walking programmes only

Articles never prescribe therapies or diagnose medical states. Consequently we seldom seek sensitive health telemetry; when narratives volunteered inside emails accidentally reveal conditions, volunteers segregate those passages behind restricted folders pending deletion or anonymisation.

4. Categories of individuals captured

• Site explorers: passive readers evaluating logistics prior to attending walks.
• Registered allies: recipients who asked for worksheets or seasonal reminders.
• Commercial liaisons: librarians, employers, or sponsors emailing sponsorship hypotheticals.
• Infrastructure guardians: contractors auditing uptime whose identifiers appear inside ticketing correspondence.

5. Data categories we routinely touch

• Identity anchors: preferred names, pronouns when freely supplied, organisation affiliation strings.
• Contact rails: email addresses, optional SMS-ready mobile numbers, rarely postal forwarding preferences.
• Conversation artefacts: attachments illustrating footwear spacing diagrams or annotated PDF maps.
• Technical breadcrumbs: truncated IP addresses, TLS fingerprints encountered inside CDN dashboards, approximate geolocation inferred only at city granularity.
• Consent proofs: hashed snapshots referencing analytics toggles stored locally inside browsers.

6. Data categories we deliberately minimise

We avoid biometric archives, continuous GPS traces, insurance identifiers, and payment credentials unless a discrete procurement workflow mandates narrow subsets referenced elsewhere inside invoicing exhibits.

7. Origins of personal information

• Direct submissions: HTML forms, plaintext replies, voicemail transcripts typed manually.
• Indirect arrivals: forwarded municipal announcements referencing liaison contacts.
• Automatically emitted telemetry: HTTPS termination logs, optional analytics governed via cookie consent.

8. Purposes tying processing to everyday stewardship

• Publishing honest routing narratives referencing gradients observers verified manually.
• Synchronising volunteer staffing forecasts across overlapping weekday arcs.
• Investigating suspicious inbox bursts resembling phishing experimentation.
• Measuring aggregated dwell times only after analytics switches toggle affirmative.
• Fulfilling regulator questionnaires referencing aggregated participant sentiment.

9. Lawful bases articulated plainly

Under the Privacy Act 2020 (New Zealand), we collect and use personal information fairly and only for purposes connected to organising walks, worksheets, and this website. The labels below mirror familiar GDPR-style categories for international readers; if anything conflicts with NZ law, NZ law applies.

• Consent: analytics pixels, marketing attribution snippets, optional worksheet downloads gated behind double opt-ins.
• Legitimate interests: securing TLS endpoints, responding to pragmatic walkway hazards reported spontaneously.
• Contract preparation: aligning invoices ahead of optional educational bundles sold occasionally.
• Legal obligations: subpoenas compelling preservation windows exceeding ordinary deletion horizons.

10. Balancing tests summarising legitimate interests

Volunteers document proportionality whenever inbox defence tooling scans attachments for malware. Impacted data subjects may request human-readable summaries describing residual risks accepted during board evenings hosted quarterly inside Freemans Bay meeting pods.

11. Automated decision-making stance

No algorithm allocates punitive bans or scoring ladders influencing statutory opportunities. Filters merely flag spam probabilities requiring manual acknowledgement.

12. Children and supervising adults

Programming assumes guardians supervise minors attending walks. Unsolicited account registrations traced to school-age domains prompt proactive deletion emails referencing safeguarding contacts familiar with regional regulations.

13. Relationship with cookies and local storage

Necessary artefacts memorise consent selections inside localStorage keys labelled transparently within our Cookie Policy. Optional analytics cookies activate solely after affirmative clicks captured inside the persistent banner layered across every route.

14. Recipients and processor archetypes

• Encrypted mailbox hosts residing predominantly inside jurisdictions recognised by adequacy decisions.
• Edge caching vendors stripping identifiable query strings before retaining diagnostics.
• Accounting suites reconciling occasional merchandise shipments tied to educational bundles.

Written agreements impose confidentiality, deletion assistance, and subprocessors transparency obligations mirroring GDPR Article 28 wherever feasible.

15. International transfers beyond Aotearoa borders

Réplicas sometimes persist inside EU or United States regions supporting redundancy. Transfers rely upon adequacy findings, Standard Contractual Clauses, UK International Data Transfer Agreements, or supplementary technical measures such as application-layer encryption prior to queue dispatch.

16. Retention framework expressed as tiers

• Tier A · twelve rolling months: conversational threads resolving enquiries unless superseded by litigation freezes.
• Tier B · ninety sunsets: raw CDN logs lacking correlated identifiers beyond hashed salts.
• Tier C · thirty-six quiet months: anonymised aggregates underpinning seasonal attendance retrospectives.
• Tier D · immediate purge triggers: marketing identifiers withdrawn upon receiving granular objections lacking overriding statutes.

17. Security measures spanning organisation and technology

• Passphrase rotation rituals reinforced during onboarding nights.
• Disk encryption toggled across laptops storing CSV extracts temporarily.
• Two-factor authentication mandated on registrar portals controlling DNS pointing toward HTTPS endpoints.
• Incident retrospectives documented inside encrypted notebooks destroyed annually unless regulators demand archival continuity.

18. Rights catalogue for impacted persons

Depending on residency, you may exercise access, correction, erasure, or complaint rights. In New Zealand you can contact the Office of the Privacy Commissioner. Comparable bodies exist overseas if you live outside NZ.

Requests undergo verification balancing impersonation risks against responsiveness; responses ordinarily arrive within thirty New Zealand business days unless complexity warrants negotiated extensions disclosed proactively.

19. Communications referencing fundraising experiments

Marketing bursts occur rarely and honour granular unsubscribe anchors embedded inside footers. Historical attendance never fuels guilt-oriented segmentation vocabulary forbidden inside editorial guidelines.

20. Hyperlinks exiting toward municipalities

Outbound references inherit distinct controllers whose notices deserve independent review prior to submitting identifiable questionnaires describing accessibility accommodations.

21. Material amendments and archival snapshots

Meaningful revisions publish atop this charter alongside refreshed hero timestamps mirrored dynamically inside browsers referencing cooperative caches. Archives remain obtainable upon authenticated civic audits coordinated ahead of time.

22. Escalation pathways when dissatisfied

Contact our mailbox first; escalate outward only after exhaustion attempts conclude genuinely. Regulators appreciate contemporaneous notes referencing calm correspondence timestamps rather than abrupt filings lacking cooperative tone.

23. Closing invitation toward transparency dialogues

Walking thrives when maps admit ambiguity responsibly; privacy governance echoes that humility. Reach whenever wording obscures operational realities deserving sharper illumination.

Controller recap: Quibraxnmroz · 203/28 College Hill, Freemans Bay, Auckland 1011 · mailuse@quibraxnmroz.world