3PM Privacy Policy 2020

This privacy policy was last updated on 1st December 2019.


“We” “us” “our” and “3PM” shall mean 3PM Limited and “you” and “your” means the person or entity accessing the Website and using the Services. “Services” means any services made available to you by 3pm, including through the Website.   “Website” means www.3pm.nz. and any subdomain of 3pm.nz.

1 Disclaimer: ClientsEmployee Information

(a) Our Services require the collection, storage and use of personal information (which may include name, biometric data and payroll information) of those of your employees and contractors who use the Services to sign in and out of work (Service Data). You may provide us with Service Data. In addition, we may collect Service Data directly from your employees and contractors on your behalf. We store Service Data in a secure manner in accordance with paragraph 12 below and process it on your instructions to deliver the Services.


(b) By agreeing to this privacy policy, you agree that we collect, store and process Service Data on your behalf. It is your sole responsibility to meet your obligations under the Privacy Act 1993 (or the relevant legislation in your jurisdiction if you are not based in New Zealand) in relation to Service Data, including:

  • communicating with your employees and contractors about the purpose for collection, storage and use of their personal information; and
  • (obtaining permission from your employees and contractors to have their personal information collected, stored and used by you, or by us on your behalf, in conjunction with our Services.

(c) By using our Services, you warrant to us that you have met all your legal obligations relating to the collection, storage and use of the Service Data.

(d) The remainder of this privacy policy applies to all personal information we collect, store and process excluding Service Data. Any reference to “personal information” in the remainder of this privacy policy is a reference to personal information excluding Service Data.

2 Purpose of information collection

3PM collects personal information for the purpose of carrying out our business, providing you with the Website and the Services, and for 3PM to better understand, manage and market the Website and the Services.

3 Personal information of minors

We do not intend to collect personal information from children aged under 16. If you have reason to believe that a child under the age of 16 has provided personal information to us through our Website and/or by using the Services, please contact us at the email address set out at paragraph 18 below.

4 Collection of information

  • We collect and hold personal information about (but not limited to):

(i) Clients and potential clients;

(ii) Persons we deal with in the course of carrying out business and delivering Services;

(iii) Persons who access and use the Website;

(iv) 3PM employees and contractors, and potential employees and contractors; and

(v) Other individuals who come into contact with us.

  • The kind of information we collect from you will depend on the purpose for and circumstances of collection, but may include:

(i) Identifying information such as your name, appearance, date of birth, citizenship or residency;

(ii) Contact information, such as your postal address, telephone number and email address;

(iii) Payment information, such as credit card or bank account details;

(iv) Information provided by you through registration on our Website;

(v) Information provided to us by you through any other method (such as through recruitment processes, correspondence or discussions);

(vi) Information collected by us through click tracking in relation to your use of our Website, including the tracking of the content you access and any of our services you utilize; and

(vii) Information collected by us through log files or cookies (as set out in sections 6 and 7).

  • We may collect personal information from you:

(i) Directly, such as when you interact with us in person or via phone or email, when you access or use our Website, when you provide us with documents such as a contract or a curriculum vitae, or when you fill in an online form;

(ii) Automatically, such as when you visit our Website or social media; and

(iii) From third parties, such as our professional advisors, a person you have provided as a referee, or publicly available information.

  • Failure to provide necessary personal information when requested may result in certain services and/or opportunities not being available to you.
  • We may also collect aggregated information generated by our systems, which tracks traffic to our Website but does not relate to you personally (see section 8 below).

5 Identifiers

Information about your computer and about your visits to and use of the Website (such as your IP address, location, browser type and user name) may be recorded when you log in to our Website. This information may be used to identify you. We will treat this information as personal information.

6 Log files

We use log files in order to enhance your experience on our Website and to analyse trends. Log files gather information, such as which URL you just came from, which URL you visit next, what browser you are using and your IP address. This information is used to analyse trends and to administer and operate our Website. Users who log into our Website also have their IP address recorded. An IP address can be used to identify a user; we will treat this information as personal information.

7 Cookies

Our Website uses temporary cookies to keep a session open after a user logs in. We may use the information we obtain from the cookies in the administration of our Website and to improve our Website. These cookies help us recognize previous visitors and also identify the route history of users. We treat information collected by cookies and other similar technologies as non-personal information unless:

(a) applicable laws require us to treat them as personal information; and

(b) to the extent that non-personal information is combined with personal information, we treat the combined information as personal information for the purposes of this privacy policy. Some browsers allow you to refuse to accept cookies. However, this may have a negative impact on the usability of our Website.

8 Other information

We will have access to and may use other information, such as number of users, traffic patterns and demand for the service, for the purpose of monitoring server and software performance as well as for our other internal purposes. We may also collect information about all system interaction with users while they are logged in. This information is owned by us and may be used to verify actions taken by a user or to better understand the behavior of users in order to improve our Website.

9 Use of information

The personal information you provide may be used by us, any person or other entity which directly or indirectly controls, is controlled by or is under common control with us (an Affiliate) and each of our and our Affiliates’ employees, officers, agents and contractors to:

(a) Assist us in conducting our business and providing Services;

(b) Perform our contractual obligations to you;

(c) Assess your suitability to work with or for us;

(d) Communicate with you in the context in which you have engaged with us including responding to queries and complaints;

(e) Bill you for amounts owed by you to us or pay you for amounts owed by us to you;

(f) Verify your identity for use of our Website, conduct address verification or credit checks for invoicing and billing purposes and enrich your profile and search ability;

(g) Assist in providing better Services to you by tailoring the Services to meet your needs;

(h) Provide you with further information about us or other websites or goods or services offered by us or our Affiliates or which we consider may be of interest to you. You may opt out of receiving such information from us by emailing us or using the “unsubscribe” function in any communication that we send you;

(i) Market, promote and otherwise publicise our Services (including through direct marketing), and to carry out market research and surveys (by 3PM only, not by third parties). You may opt out of receiving any marketing, promotional, publicity or market research related correspondent from us by emailing us or using the “unsubscribe function in any communication that we send you;

(j) Keep our Website relevant and of interest to users;

(k) Show you advertising and information that is most relevant to you and your interests;

(l) Assist in arrangements with other organizations (such as loyalty program partners or third party applications that integrate with the Services) in relation to a product or service we make available to you;

(m) Allow us to run our business and perform administrative and operational tasks (such as training staff, risk management; developing and marketing products and services, undertaking planning, research and statistical analysis; and systems development and testing, keeping our records up to date, being efficient about how we fulfil our legal and contractual duties);

(n) Detect any fraud or crime, or for money laundering and counter financing of terrorism purposes in connection with any laws, rules or regulations in New Zealand or overseas; and

(o) Satisfy any other purpose that is stated to you at the time of collection or that you otherwise authorize.

10 Information sharing and disclosure

(a) In relation to personal information, we:

(i) Will not disclose personal information we collect from you other than as set out in this privacy policy or as otherwise agreed with you;

(ii) May disclose information about you, including your personal information, to our Affiliates and each of our and our Affiliates’ employees, officers, agents and contractors for the purposes set out in paragraph 9;

(iii) May disclose information about you, including your personal information, to our contractors and suppliers to enable them to provide services and products to us in relation to our Services and Website, including transaction processing services, hosting services and support services.

(b) Information collected through our Website that does not identify users is owned by us and may be disclosed by us. We may share aggregated demographic information about our user base with our Affiliates, partners and advertisers.

 (c) At your request, we will share your personal data with your representative or any person acting on your behalf (for example, financial advisers, lawyers, attorneys, accountants, executors, administrators, trustees or auditors).

(d) We may enable you to share information with third party applications or websites that integrate with the Services (e.g. a payroll provider’s website). You can choose to share your information (including personal information) with the third party application or website. Information collected by these third parties is subject to their terms and policies.

3PM is not responsible for the terms or policies of third parties. We operate our business in New Zealand. We may need to share some of the personal information we collect about you with organisations both inside and outside of New Zealand. We will not do this without your permission unless we believe on reasonable grounds that the organisation is subject to privacy laws that provide a comparable safeguard to those in New Zealand. We may also disclose your personal data if we determine in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our terms and conditions, investigate fraud, or protect our operations or users.

11 Advertising and third-party links

Our Website may contain links to a variety of advertising and third-party Website sources. Some of these links may request or record information from users or use cookies or other methods to collect information from you. We have no control over the content or privacy policy practices of those sites and encourage our users to review the privacy policies of those sites before engaging in any activity with them.

12 Security of your personal information

We are committed to data security. We will take reasonable and appropriate technical and organizational precautions to prevent the loss, misuse or unauthorized alteration of your personal information. For example, we store data in computer servers with limited access that are located in controlled facilities. However, due to the nature of email and the internet, we cannot guarantee the privacy or confidentiality of your personal information. We may store your information in cloud or other types of networked or electronic storage. When you provide us with personal information, that information may be collected, stored and processed on servers located outside of New Zealand. Where we transfer personal information outside of New Zealand, we will meet our obligations in paragraph 10 and the GDPR Privacy Statement. Sensitive information, such as data entered during the registration process, is encrypted using SSL technology. Credit card payments are encrypted and processed using an external credit card payment processor and details are not stored by us.

13 Your Rights

Without limitation, you have the following rights:

(a) The right to be provided confirmation of whether we hold personal information about you, and access to that information.

(b) The right to request that we correct personal information we hold about you and to request that there be attached to the information a statement of the correction sought but not made. To exercise your rights, or if you require further information about how your personal data is used by us, you can contact us at: support@3pm.nz. You can also contact us if you have any questions or complaints about how we collect, use, disclose, manage or store your personal information. Where we are required by applicable law to provide further information about our use or disclosure of your personal information, we will use reasonable endeavors to do so. We will respond to your request, where required by law, within 20 working days from the date your request is received. We will inform you if this time frame is not achievable and extend this time frame as permitted by applicable law. We may charge a fee to cover the costs of meeting your request, in particular if your request is urgent. If we do not agree to provide you with access to, or to amend or erase, your personal information as requested or otherwise meet your requests, we will notify you accordingly. Where appropriate, we will provide you with the reason(s) for our decision and the mechanisms available to complain about the refusal. If the rejection relates to a request to change your personal information you may make a statement about the requested change and we will attach this to your record. In some circumstances, as set out in the Privacy Act 1993, we may not grant access to your personal information. In those cases we will, if permitted by law, provide you with the reasons why your request has been refused. We will keep your information for so long as is required for our business operations or by applicable laws.

14 Business transitions

In the event of a change in ownership of all or a portion of 3PM Limited or our Website, your user information may be transferred to the new owner so that the Website can continue operations. In this event, your information would remain subject to this privacy policy.

15 Users outside New Zealand

 The information we collect may be processed in and transferred between your location and New Zealand. You should note that New Zealand may have different data protection laws to those in force in your location. If you are located in the European Economic Area, you have the additional rights set out in paragraph 19 of this privacy policy.

16 Linking and advertising

We may include links to third-party materials (Linked Sites) on our Website as well as advertising. Advertisers or Linked Sites may ask you to provide information. We do not have control over the privacy policies of Linked Sites or advertisers. Further requirements about Linked Sites are set out in our Website terms and conditions. Please read carefully their privacy policies to find out how they collect and process your personal data

17 Changes in privacy policy

We reserve the right to make changes to our privacy policy and alter Website functionality. We encourage you to regularly review this privacy policy for the latest information on our privacy practices.

18 Contact details

 If you have any questions about our privacy policy, or any other matter (including a complaint), please feel free to contact us. You can reach us in one of the following ways: email support@3pm.nz, or call 0800 00 00 90 (NZ)

19 European Union General Data Protection Regulation (GDPR)

The GDPR establishes a uniform data protection law across the European Economic Area (EEA) and aims to protect the privacy and use of EEA residents’ personal data in an increasingly digital world. A following GDPR Privacy Statement sets out how we will comply with these obligations to protect the data of customers who reside in an EEA country. EUROPEAN UNION GENERAL DATA PROTECTION REGULATION (GDPR) GDPR Privacy Statement This Privacy Statement only applies to the collection and processing of ‘EU personal data’. ‘EU personal data’ means any personal data (as that term is defined in the GDPR) of an individual who is located in the EEA (whether the individual is a citizen of an EEA country or otherwise). This section will apply to you and the processing of your EU personal data if you are located in an EEA country. This section does not apply with respect to your personal information if you are located outside of the EEA countries, even though you may be a citizen of an EEA country. For the purposes of this Privacy Statement, the term ‘process’ has the same meaning given to it under the GDPR and may include any operation or a series of operations performed on EU personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. EU personal data that is collected by us may have been sourced directly from you, a third party or implied from your use of our products or services. We will process EU personal data in accordance with this Privacy Statement and our Privacy Policy. To the extent of any inconsistencies between other sections of our Privacy Policy and this GDPR Privacy Statement in relation to the processing of EU personal data, this GDPR Privacy Statement prevails. This GDPR Privacy Statement was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal data. However, we are happy to provide any additional information or explanation needed. For further information, please contact us through the contact details provided in paragraph 18. GDPR Principles Any EU personal data will be: (a) Processed lawfully, transparently and in a fair manner; (b) Collected only for the purposes identified in this Privacy Policy or any other agreed specified purposes and not further processed in a manner incompatible with those purposes; (c) Collected in an adequate and relevant manner and limited to what is necessary in relation to the purposes for which the EU personal data is processed; (d) Kept current and up-to-date in accordance with our Privacy Policy; (e) Stored in a form which permits us to identify you, but only for the period necessary in relation to the relevant purposes identified in our Privacy Policy; and (f) Stored and processed securely to protect EU personal data against unlawful or unauthorized access and accidental loss, damage or disclosure in accordance with our Privacy Policy. Lawful basis for processing We will only collect and process EU personal data where we have lawful bases. This may include where: (a) You have given consent; (b) The processing of EU personal data is necessary for the performance of a contract with you (such as to deliver the services you have requested or that have been requested on your behalf); and (c) The processing of EU personal data is necessary for the purposes of our ‘legitimate interests’ and/or those of our Affiliates, provided that such processing does not outweigh your rights or freedoms. Where we rely on your consent to process personal data, you have the right to withdraw, restrict or decline your consent at any time and where we rely on legitimate interests, you have the right to object. If you have any questions about the lawful bases upon which we collect and process EU personal data you should contact us. Rights of EU personal data subjects In addition to other rights you may have as set out in this Privacy Policy, you may exercise the data protection rights set out below in relation to your EU personal data: (a) Access and Portability: a request can be made by you for a copy of your EU personal data (and any other information relating to your EU personal data permitted under Article 15 of the GDPR) held by us in accordance with the ‘Your Rights’ section of our Privacy Policy. In addition, you may request to be provided with EU personal data in a structured, commonly used and machine readable format (including for the purposes of transferring to another party). (b) Restrictions and Objections: You may request that we limit our use or processing of your EU personal data by requesting that we delete or no longer use your EU personal data or that we limit how we use your data, this may include where you believe it is not lawful for us to hold your EU personal data or instances where your EU personal data was provided for direct marketing purposes and you no longer want us to contact you. We will do so, if we are: (i) Relying on our own or someone else’s legitimate interests to process your personal information, except if we can demonstrate compelling legal grounds for the processing; or (ii) Processing your personal information for direct marketing. (c) Please note that certain conditions may apply to the exercise of these rights. Our responsibilities as a ‘data controller’ and ‘data processor’ We may act as the ‘data controller’, the ‘data processor’ or in some instances both the data collector and data processor simultaneously in relation to EU personal data. We will be a data controller where we determine the purposes and means of the processing of EU personal data alone or jointly with others. To the extent that we are a data controller with respect to EU personal data, we: (a) Set out in our Privacy Policy how we collect personal information (including EU personal data), how it is stored, to whom such personal information is disclosed and how the EU personal data is otherwise processed; (b) Only appoint processors under agreements that the processor will comply with the GDPR; (c) Will maintain a record of processing activities which are under our responsibility (where required by GDPR); (d) Co-operate with relevant authorities which enforce the GDPR; (e) Implement appropriate technical and organisational security measures to protect EU personal data and report any data breaches to authorities and affected individuals as required by the GDPR in accordance with our Privacy Policy. If a third party discloses EU personal data to us for a specific purpose, we will be acting as a data processor in processing the EU personal data for that purpose. Where we collect Service Data in accordance with paragraph 1 of this Privacy Policy, we will be a data processor of that information, and you will be the data controller. Where we act as a data processor, we will: (a) Only act on the controller’s documented instructions; (b) Impose confidentiality obligations on all personnel who process the EU personal data; (c) Not appoint sub-processors without the prior written consent of the controller; (d) At the instruction of the controller, return or destroy the EU personal data in accordance with our Privacy Policy; and (e) Where applicable, assist the controller in complying with the rights of the data subjects of the EU personal data; (f) Maintain and keep accurate records of processing activities (where required by GDPR); and (g) Implement appropriate technical and organisational security measures to protect EU personal data and report any data breaches to controller without undue delay. Where we are a data processor of “special categories” of personal data about your employees or contractors (as defined in the GDPR), you confirm that you have obtained explicit consent to that processing from your employees and contractors. Disclosure to third parties If we are required to disclose your EU personal data to third parties, including data processors or sub-processors, we will notify the third party that it has an obligation to handle any EU personal data in accordance with the GDPR, and, where we have an agreement with that third party, that agreement will comply with the requirements of the GDPR. In the event we are responsible for a transfer of EU personal data outside of the EU, such transfer will be for the necessary and lawful performance of our services, including the establishment, exercise or defense of a legal right. Transfer of information overseas We are based in New Zealand. This means that if you are an EU resident, your personal information in will be transferred and stored outside the European Economic Area. New Zealand has “adequacy” for the purpose of Article 45 of Regulation (EU) 2016/679. Certain personal information may be transferred to third countries and/or international organisations outside New Zealand and the European Union for adequate storage and security reasons. Where personal information is transferred outside of the European Economic Area or New Zealand, it will be: (a) to a country or organization that has ‘adequacy’ for the purpose of Article 45 of Regulation (EU) 2016/679 (including organisations subject to the Privacy Shield); or (b) transferred subject to the European Commission’s model contracts for the transfer of personal data to third countries (i.e., the standard contractual clauses), pursuant to Decision 2004/915/EC and Decision 2010/87/EU as appropriate.

How do you make a complaint? If you have a complaint about how we handle your EU personal data, you can contact us: email support@3pm.nz, or call 0800 00 00 90.

If you still feel your issue or request hasn’t been resolved to your satisfaction, then you can escalate your privacy concern to the relevant data protection authority (for example in the place you reside or where you believe we breached your rights). If your complaint relates to how we handled your access and correction requests you may take your complaint directly to the New Zealand Privacy Commissioner, or the authority of the country in which you are located.

Contact details for escalating complaints Office of the New Zealand Privacy Commissioner

(a) Online: www.privacy.org.nz

(b) Phone: +64 4 474 7590 or +64 9 302 8680

(c) Email: investigations@privacy.org