Privacy Policy | FoundHer

Privacy Policy

Effective Date: May 1, 2026 | Last Updated: April 30, 2026

Our Commitment to Your Privacy

FoundHer is committed to protecting your personal information in accordance with the Privacy Act 2020, the Privacy Amendment Act 2025, and other applicable laws. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our services or visit our website.

FoundHer is operated by financial adviser Sarah Curley, who also acts as the Privacy Officer for the business. If you have any questions or concerns about this policy, please contact us at [email protected].

1. What Information We Collect

We collect personal information necessary to provide our financial advice services and operate our business. The information we collect includes:

1.1 Information You Provide Directly

When you engage with FoundHer, you provide information directly through meetings, phone calls, online forms, or email correspondence. This may include:

  • Contact information (name, email address, phone number, postal address)
  • Financial information (income, assets, liabilities, KiwiSaver details, investment holdings)
  • Identification information (date of birth, IRD number, driver's licence or passport details)
  • Personal circumstances (employment status, family situation, financial goals, health information relevant to insurance advice)

1.2 Information We Collect from Third Parties

We may collect personal information about you from third-party sources, including:

  • Financial product providers (KiwiSaver providers, banks, investment platforms, insurance companies)
  • Professional advisers (accountants, lawyers, mortgage brokers)
  • Referral partners (individuals or businesses who refer you to our services)
  • Credit bureaux (for identity verification and credit checks where necessary)
  • Business service providers (IT services, cloud storage providers, compliance consultants)

Important: When we collect personal information about you from a third party (rather than directly from you), we will notify you as soon as reasonably practicable. We will tell you what information we collected, where we got it from, why we collected it, and your rights to access and correct that information. This notification requirement is part of the Privacy Amendment Act 2025, effective May 1, 2026 (Information Privacy Principle 3A).

There are limited exceptions to this notification requirement, including when:

  • The information is publicly available
  • Notification is legally prohibited (for example, suspicious activity reporting under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009)
  • You have already been made aware through our engagement process or other communications

1.3 Information We Collect Automatically from Your Website Visit

When you visit foundher.co.nz, we automatically collect certain technical information about your visit using cookies and third-party analytics and advertising tools. This is explained in detail in Section 3 below (Cookies and Tracking Technologies).

2. How We Use Your Information

We use your personal information only for lawful and relevant purposes related to our financial advice services. These purposes include:

  • Providing financial advice and ongoing service to you
  • Managing our relationship with you, including responding to enquiries and providing updates
  • Marketing our services (you can opt out at any time)
  • Verifying your identity and conducting credit checks where needed (as required under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009)
  • Complying with legal and regulatory obligations (including reporting to the Financial Markets Authority, tax authorities, and other regulatory bodies)
  • Protecting our legal rights and interests
  • Conducting anonymised research to improve our services
  • Website performance analysis, user experience optimisation, advertising, and remarketing (see Section 3)

We will not use your personal information for any purpose other than the reason it was collected, unless you consent or the Privacy Act 2020 permits disclosure (for example, to prevent or lessen a serious threat to public health or safety).

3. Cookies and Tracking Technologies

When you visit foundher.co.nz, we use cookies and third-party tracking technologies to understand how visitors interact with our website, improve user experience, develop our content strategy, and deliver targeted advertising. This section explains what tools we use, what data is collected, and how you can control these technologies.

3.1 What Are Cookies?

Cookies are small text files stored on your device (computer, phone, or tablet) when you visit a website. They help websites remember information about your visit, such as your preferences or browsing behaviour. Cookies can be:

  • First-party cookies: Set by foundher.co.nz itself
  • Third-party cookies: Set by external services like Google Analytics or Meta (Facebook)
  • Session cookies: Temporary cookies that expire when you close your browser
  • Persistent cookies: Remain on your device for a set period or until you delete them

3.2 What Tracking Tools We Use

FoundHer uses the following third-party tracking and analytics tools on foundher.co.nz:

Google Analytics 4 (GA4)

Provider: Google LLC

Purpose: To analyse website traffic, understand user behaviour, measure website performance, improve content strategy, and optimise advertising campaigns (including Google Ads)

Data Collected: IP address (anonymised), browser type and version, device type (desktop, mobile, tablet), operating system, pages visited, time spent on each page, links clicked, referring website, geolocation data (country, region, city), session duration, and browsing behaviour

Cookie Type: First-party and third-party persistent cookies

Retention Period: Google Analytics cookies are retained for up to 24 months

Data Sharing: Data is shared with Google as a third-party processor. Google processes this data on our behalf to provide analytics and advertising services.

Cross-Border Transfer: Google Analytics transfers data to servers in the United States and other jurisdictions. Google has implemented contractual protections and participates in recognised data transfer frameworks to safeguard your data.

Learn More: How Google uses information from sites or apps that use our services

Meta Pixel (Facebook Pixel)

Provider: Meta Platforms, Inc. (Facebook)

Purpose: To measure the effectiveness of advertising campaigns, track conversions (for example, form submissions or bookings), build custom audiences for targeted advertising on Facebook and Instagram, and enable remarketing to website visitors

Data Collected: IP address, browser type, device identifiers, pages visited, buttons clicked, forms submitted, referring website, and browsing behaviour

Cookie Type: Third-party persistent cookies

Retention Period: Meta Pixel cookies are retained for up to 90 days

Data Sharing: Data is shared with Meta as a third-party processor. Meta processes this data to provide advertising, remarketing, and analytics services.

Cross-Border Transfer: Meta Pixel transfers data to servers in the United States and other jurisdictions. Meta has implemented contractual protections to safeguard your data.

Google Tag Manager

Provider: Google LLC

Purpose: To manage and deploy tracking codes (such as Google Analytics and Meta Pixel) on our website without modifying the website code directly

Data Collected: Google Tag Manager itself does not collect personal data. It is a container that deploys other tracking tools (like Google Analytics and Meta Pixel), which then collect data as described above.

Cookie Type: First-party cookies (used to coordinate the deployment of other tracking tools)

3.3 Legal Basis for Using Cookies

We use cookies and tracking technologies based on the following legal grounds:

  • Legitimate Interest (for essential analytics): We have a legitimate interest in understanding basic website traffic and performance to maintain and improve our services.
  • Consent (for advertising and remarketing): For cookies used for advertising and remarketing purposes (Meta Pixel, Google Ads conversion tracking), we rely on your consent as described above through your continued use of the website after being informed of these practices.
  • GDPR Compliance (for EU/EEA visitors): If you are visiting from the European Union or European Economic Area, the same consent mechanism applies. You can manage your cookie preferences through your browser settings or opt out using the tools below.

3.4 How to Control Cookies & Opt Out

You have full control over cookies and tracking technologies. You can opt out or manage your preferences at any time:

🔒 Immediate Opt-Out Options

Google Analytics: Install the Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics across all websites.

Meta Pixel (Facebook/Instagram Ads): Manage your advertising preferences at Facebook Ad Preferences to control how Meta uses your data for targeted advertising.

Browser Settings

Most web browsers allow you to control cookies through their settings. You can:

  • Block all cookies
  • Block third-party cookies only
  • Delete cookies after each browsing session
  • Be notified when a cookie is set

For instructions on how to manage cookies in your browser, visit:

Important: Blocking or deleting cookies may affect your ability to use certain features of our website. Essential cookies required for basic website functionality will continue to operate, but analytics and advertising cookies will be blocked.

4. How We Share Your Information

We only share your personal information when necessary to provide our services, when required by law, or with your explicit consent. We do not sell or trade your personal information to any other company or person.

We may share your information with:

  • Business Partners: IT service providers, cloud storage providers (for secure data storage), accountants, legal advisers, and compliance consultants
  • Financial Product Providers: KiwiSaver providers, investment platforms, banks, and insurance companies (when necessary to implement your financial advice)
  • Regulatory Bodies: Financial Markets Authority (FMA), Inland Revenue, and other regulatory authorities (if legally required or requested)
  • Debt Collection Agencies: If necessary to recover unpaid fees
  • Locum Advisers: A qualified substitute financial adviser to ensure service continuity if we are unavailable (they will be bound by confidentiality and only use your data for that purpose)
  • Third-Party Processors: Google (Google Analytics, Google Tag Manager, Google Ads) and Meta (Meta Pixel) for website analytics, advertising, and remarketing services, as described in Section 3
  • Other Authorised Entities: Any other parties authorised by law

When we share information internationally, we ensure the recipient has equivalent data protection standards. This includes using contractual protections and verifying participation in recognised data transfer frameworks.

5. Use of Artificial Intelligence

At FoundHer, we use Artificial Intelligence (AI) tools, including Contented AI and Gamma AI, to assist with meeting summarisation and the drafting of advice documents. These tools enhance our efficiency and help us deliver information to you more clearly.

We prioritise your data security:

  • Privacy Protection: We use professional-grade subscriptions that contractually ensure your data is never used to train global AI models.
  • Data Sanitisation: We mask or remove sensitive personal identifiers before data is processed by these tools.
  • Human Verification: All AI-generated content is reviewed, edited, and validated by a human adviser for accuracy. We do not use AI for financial calculations or core research.

For a detailed explanation of our safeguards and our 'Traffic Light' data policy, please see our AI Transparency & Ethics Statement.

6. Data Storage and Security

We take the security of your personal information seriously and implement appropriate physical and electronic security measures to protect it from unauthorised access, alteration, loss, or destruction.

Your personal information is stored securely, primarily in electronic form using:

  • Password-protected electronic systems
  • Reputable cloud storage providers with strong security credentials
  • Restricted network access for authorised staff and service providers only

Important: While we strive to protect your information, no system is entirely risk-free. We cannot guarantee absolute security, and using the internet to transmit data has inherent risks.

7. Data Retention

We keep your personal information only as long as necessary for the purposes for which it was collected or as required by law.

  • Financial Advice Records: We are required to retain financial advice-related information for at least seven years to meet tax, legal, and professional obligations.
  • Website Data: Cookie retention periods are specified in Section 3.2 (Google Analytics: up to 24 months, Meta Pixel: up to 90 days).
  • Marketing Data: If you unsubscribe from our marketing communications, we will remove you from our mailing list but may retain your contact information to ensure we do not inadvertently contact you again.

8. Your Rights

You have the following rights under the Privacy Act 2020:

8.1 Access Your Information

You have the right to request access to the personal information we hold about you. We will respond within a reasonable timeframe (generally within 20 working days).

8.2 Correct Your Information

If you believe your information is incorrect, incomplete, or out of date, you may request a correction. If we do not agree to make the correction, we will add a note to your record stating your requested correction.

8.3 Request Deletion

You may request that we delete your personal information. However, we may not be able to delete information we are legally required to keep (for example, financial advice records that must be retained for seven years).

8.4 Additional Rights for EU/EEA Visitors (GDPR)

If you are visiting from the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to Data Portability: You can request a copy of your personal information in a structured, commonly used, and machine-readable format
  • Right to Restriction: You can request that we restrict the processing of your personal information in certain circumstances
  • Right to Object: You can object to the processing of your personal information for direct marketing purposes or where we are relying on legitimate interests as the legal basis for processing
  • Right to Withdraw Consent: You can withdraw your consent for cookies and tracking at any time using the opt-out tools in Section 3.4

8.5 How to Exercise Your Rights

To exercise any of these rights, please contact our Privacy Officer at [email protected]. We will respond within a reasonable timeframe. There may be a charge for access requests to cover administrative costs, but we will inform you of any fees before processing your request.

If we refuse your request, we will provide reasons and information on how to complain to the Office of the Privacy Commissioner.

9. Privacy Breaches

In the unlikely event of a privacy breach that is likely to cause you serious harm, we will:

  1. Take immediate steps to contain the breach (for example, retrieving the information and disabling compromised systems)
  2. Assess the severity of the breach by considering the nature, type, and volume of personal information involved, who has access to it, and the potential risk of harm
  3. Notify you directly so you can take steps to protect yourself
  4. Notify the Office of the Privacy Commissioner if the breach meets the criteria of causing serious harm as defined by the Privacy Act 2020
  5. Take preventative measures to avoid future breaches, including reviewing and enhancing our security protocols

10. Children's Privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at [email protected] so we can delete it.

11. Third-Party Websites

Our website may contain links to third-party websites (for example, product provider websites, regulatory bodies, or external resources). These websites are governed by their own privacy policies. We are not responsible for the privacy practices of third-party websites, and we encourage you to read their privacy policies before providing any personal information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the 'Last Updated' date at the top of this policy and notify you by:

  • Posting a notice on our website
  • Sending you an email notification (if you are a current client)

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

13. Contact Us

Privacy Officer

Name: Sarah Curley

Email: [email protected]

Website: www.foundher.co.nz

If you are not satisfied with our response to your privacy concern or complaint, you have the right to contact the Office of the Privacy Commissioner:

Office of the Privacy Commissioner

Website: www.privacy.org.nz

Phone: 0800 803 909

Email: [email protected]

Our Commitment to Your Privacy


FoundHer is committed to protecting your personal information in accordance with the
Privacy Act 2020 and other applicable laws. This policy outlines how we collect, use, store,
and share your data.


What We Collect


We collect personal information necessary for our services and business operations. This
includes information you provide directly (like during meetings or calls) and information from
third-party sources (like professional advisers, product providers, IT services, and
custodians). When you visit our website, we may also collect technical data like traffic,
location, cookies, and analytics.


How We Use Your Information


We use your personal information to:
● Provide, manage, and market our services.
● Communicate with you.
● Protect our legal rights.
● Conduct anonymised research.
● Undertake credit checks where needed.
● Comply with legal and regulatory obligations.


Sharing Your Information


We only share your personal information when necessary, as required by law, or with your
explicit consent. This may include sharing with:


● Business partners (IT, accountants, legal).
● Financial product providers.
● Debt collection agencies, if necessary.
● Other entities authorised by law.
● Regulatory bodies, such as the Financial Markets Authority (FMA), if legally required
or requested.
● A qualified locum adviser to ensure service continuity if we are unavailable. They will
be bound by confidentiality and only use your data for that purpose.

If we share information internationally, we ensure the recipient has equivalent data protection
standards.


Your Rights


You have the right to access, correct, or request the deletion of your personal information by
contacting us at [email protected]. We will respond within a reasonable timeframe,
though we may not be able to delete information we are legally required to keep. There may
be a charge for access requests to cover administrative costs. If we refuse a request, we will
provide reasons and information on how to complain.


Data Storage and Protection


We store your personal information securely, primarily electronically with reputable cloud
providers, and implement physical and electronic security measures. While we strive for
security, no system is entirely risk-free. We keep data only as long as necessary or legally
required (seven years for advice-related information).

Use of Technology and Artificial Intelligence

At FoundHer, we use Artificial Intelligence (AI) tools, including Contented AI and Gamma AI, to assist with meeting summarization and the drafting of advice documents. These tools enhance our efficiency and help us deliver information to you more clearly.

We prioritise your data security:

Privacy Protection: We use professional-grade subscriptions that contractually ensure your data is never used to train global AI models.

Data Sanitization: We mask or remove sensitive personal identifiers before data is processed by these tools.

Human Verification: All AI-generated content is reviewed, edited, and validated by a human adviser for accuracy. We do not use AI for financial calculations or core research.

For a detailed explanation of our safeguards and our 'Traffic Light' data policy, please see our publicly available AI Transparency & Ethics Statement.


Privacy Breaches


In the event of a privacy breach likely to cause you serious harm, we will secure the breach,
assess its severity, notify the Privacy Commissioner, and inform you directly where possible.


Internet Use


Using the internet to transmit data has inherent risks. Links to third-party websites from ours
are governed by their own privacy policies.


Contact Us

For any privacy concerns or requests, please contact our Privacy Officer at: Email:
[email protected]