Privacy Policy

Last updated: 8 May 2026

Effective: 8 May 2026

1. Introduction

Wedding Signs NZ ("we", "us", "our") operates the website weddingsigns.co.nz and supplies custom-printed wedding signage to customers in New Zealand.

We collect and handle personal information in accordance with the Privacy Act 2020 and the thirteen Information Privacy Principles (IPPs) it sets out. This policy explains:

  • what personal information we collect, and how;
  • why we collect it and how we use it;
  • who we share it with, including disclosure outside New Zealand;
  • how long we keep it, and how we keep it secure; and
  • the rights you have over your personal information, and how to exercise them.

This policy describes how we handle personal information when you use the site, place an order, or correspond with us. If you do not agree with how we handle personal information, please do not use the site or provide us with personal information.

This policy does not apply to:

  • third-party websites we link to (each operator has its own privacy policy); or
  • de-identified statistical information that cannot reasonably be linked back to you.

2. Who is responsible for your information

Wedding Signs NZ is operated by Katherine Holland, a sole trader trading as Katherine Holland Design, of 1614 State Highway 30, Horohoro, New Zealand.

For the purposes of the Privacy Act 2020, the "agency" responsible for personal information collected through the site is Katherine Holland trading as Katherine Holland Design.

Privacy Officer

Email: privacy@weddingsigns.co.nz

General enquiries: hello@weddingsigns.co.nz

The Privacy Officer is the contact point for any privacy questions, access or correction requests, and complaints.

3. What we mean by "personal information"

"Personal information" has the meaning given in section 7 of the Privacy Act 2020 — information about an identifiable individual. Where this policy refers to your personal information, it includes information that, on its own or combined with other information we hold, can identify you.

4. What information we collect

4.1 Information you give us when you order or enquire

When you place an order or contact us, we collect:

  • Identity and contact: your full name, email address, and (if you provide it in correspondence) phone number.
  • Delivery address: street address, suburb/city, postcode, and country.
  • Order details: the products you select, the variant and any die-cut shape, quantities, and total amount.
  • Personalisation data: the text and design choices you add to each sign — including names (yours, your partner's, family members, or wedding-party members), wedding date, venue name, menu items, and any guest list you enter for a seating-plan product.
  • Guest lists you upload for parsing: if you use the seating-plan import feature to paste a list of guests, or upload a PDF, image, or spreadsheet of guests, the contents are sent to Google's Gemini model (via Google Vertex AI) which extracts the names into a table. See §7 for more about this disclosure.
  • Correspondence: any messages, emails, or attachments you send us, and our replies.

4.2 Information we receive from payment processing

Payments are handled directly by Stripe. We do not receive or store your full card number, expiry, CVC, or bank account details. From Stripe we receive:

  • a payment confirmation token (PaymentIntent ID);
  • the last four digits of your card and the card brand, for your receipt;
  • the result of any 3-D Secure or fraud check; and
  • the billing name and country Stripe captured during checkout.

4.3 Information we receive from shipping providers

When your order is dispatched, we exchange your delivery address with our courier integration partner (GoSweetSpot) so they can generate the courier label and tracking record. We receive back a courier consignment number and tracking events.

4.4 Workspace ("Save my wedding") data

If you choose to save your work to return to it later, we store, against your email address:

  • the contents of your shopping cart;
  • your personalisation data (text-field values, seating-plan tables, menu courses, bar-menu sections); and
  • any couple/wedding details you have entered in the workspace.

This data is sent to the email you provide as a "restore" link. The link contains a signed token; anyone who has the link can view and edit the saved workspace, so do not forward the email to people you do not trust.

4.5 Information we collect automatically

When you visit the site, our hosting infrastructure and analytics tools record:

  • your IP address (used briefly to apply rate limits on sensitive endpoints; see §10);
  • your device type, operating system, browser, and screen size;
  • the pages you view, the buttons you click, and the time spent on each page;
  • the referring URL or campaign that brought you to the site (for example, a Google Ads click ID or a Meta campaign parameter); and
  • cookies and similar identifiers set by us and our analytics/advertising providers (see §6).

We also store, on your Order record, two analytics cookie identifiers (_ga client ID and _fbp) when they are present. We use them only to attribute the purchase event back to the same browser session via server-side conversion APIs (see §6.3 and §7). They are stored for the lifetime of the order record.

4.6 Information about other people you give us

When you personalise a sign you may provide information about other individuals — for example, your partner's name, your wedding party, or the names of guests you list on a seating plan. By providing this information you confirm you have the authority to do so for the purpose of producing your sign. We treat this information the same way we treat your own personal information.

4.7 Sensitive information

We do not deliberately collect "sensitive" information such as health, ethnic origin, religious belief, or biometric data. Please do not include this kind of information in personalisation text or in messages to us.

5. Why we collect it (IPP 1)

We collect personal information for the following lawful business purposes:

Purpose | Information involved
Take, process, print, and ship your order | Identity, address, order, personalisation, payment confirmation
Send order confirmations and tracking updates | Email, order details, courier tracking number
Respond to enquiries and provide customer support | Correspondence, identity, order details
Allow you to save and resume a draft order | Workspace data, email
Detect and prevent fraud, abuse, and security incidents | IP address, payment-fraud signals
Measure marketing performance and improve the site | Analytics cookies, page views, purchase value
Send you marketing emails — only with your express opt-in | Email, name
Meet our legal record-keeping and tax obligations | Order, financial, and correspondence records

We will not use your personal information for any new purpose that is not directly related to one of the purposes above unless you give us permission, or one of the exceptions in IPP 10 applies.

6. Cookies and tracking technologies

A "cookie" is a small text file stored on your device when you visit a website. We also use related technologies such as localStorage, web beacons, and pixel tags. Together we refer to these as "cookies" in this section.

The site sets the following categories of cookies:

6.1 Strictly necessary

Used to make the site work. Switching them off will break core functionality.

  • Cart and customisation state — remembers items in your cart and the text you have entered against each design (localStorage, no third party).
  • Saved-cart sync — debounced writes back to our server so that changes you make in the workspace are not lost.
  • Admin login session — set only if you log in to the staff portal at /admin. Customers do not see this cookie.
  • CSRF / session tokens — set by our framework to protect form submissions.

6.2 Analytics

Used in aggregate to understand how the site is used.

  • Google Analytics 4 — sets the _ga and _ga_* cookies. We send Google de-identified events (page view, view item, add to cart, begin checkout, purchase value). We do not send your name, email, or address. GA4 does not record full IP addresses, and we do not opt in to Google's personalised-advertising features.

6.3 Advertising

Used to measure the performance of advertising campaigns and, where applicable, build retargeting audiences. These run only if we have campaign IDs configured in our environment.

  • Google Ads — sets _gcl_* cookies. Used to record that a visit came from a Google Ad and (if you complete a purchase) to report a conversion event back to Google Ads.
  • Meta Pixel (Facebook / Instagram) — sets the _fbp cookie and, if you arrived via a Meta ad, _fbc. Used to measure conversions and to build retargeting audiences. We also send a server-side purchase event to Meta's Conversions API after checkout. Before sending, we hash your email (SHA-256) so the raw address never leaves our infrastructure. Meta can still match the hashed value against accounts in their system, meaning that if you have a Facebook or Instagram account it may be associated with the purchase for ad-measurement purposes.

6.4 Payment-provider cookies

  • Stripe — sets cookies during checkout for fraud prevention, 3-D Secure, and persisting partial card data within Stripe's own UI. These are governed by Stripe's privacy policy.

6.5 Your choices

You can:

  • Block or delete cookies through your browser settings. The site will continue to work, but your cart may be lost between visits and ad measurement will be inaccurate.
  • Use your browser's "Do Not Track" signal. Where your browser sends DNT: 1, we suppress all analytics and advertising events (page views, add-to-cart, purchase, etc.). Note that the third-party scripts themselves (Google's gtag.js, Meta's pixel) may still load and set cookies; for a complete block, use a content blocker or one of the opt-outs below.
  • Opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
  • Opt out of personalised advertising at youronlinechoices.com (covers most major advertising networks) and via your device-level ad-tracking controls (iOS Settings → Privacy & Security → Apple Advertising; Android Settings → Google → Ads).

We do not currently display a cookie consent banner. New Zealand law does not require GDPR-style "Accept / Reject" gates for analytics or advertising cookies; the standard expected by the Office of the Privacy Commissioner (OPC) is a clearly available privacy policy that lists what is collected and how to opt out, which this section provides.

7. Who we share your information with (IPP 11)

We share personal information only with the third parties needed to run the business. Each provider is bound by their own privacy policy and, where applicable, by contractual obligations to us.

Recipient | Country | What we send them | Why
Stripe, Inc. | United States (with subprocessors in other jurisdictions) | Customer name, email, billing country, order amount, and the card data you enter directly into Stripe's hosted card field | Payment processing, fraud prevention, 3-D Secure
Google Cloud | United States — us-central1 region | All data stored in our database and file storage (orders, personalisation, print files, email logs) | Hosting (Cloud Run), database (Cloud SQL), file storage (Cloud Storage)
Google LLC — Vertex AI (Gemini) | Region we configure (currently us-central1) | The contents of any guest list, PDF, image, or spreadsheet you submit to the seating-plan import feature | AI-assisted parsing of guest lists into a table you can edit
Google LLC — Analytics, Ads, Search Console | United States | Cookie identifiers, page-view events, e-commerce events (no name, email, or address) | Site analytics and advertising measurement
Meta Platforms, Inc. | United States | Cookie identifiers, page-view and e-commerce events; a SHA-256 hash of your email and your order ID via the server-side Conversions API | Advertising measurement and retargeting
GoSweetSpot Limited | New Zealand | Customer name, delivery address, order reference, parcel weight | Courier label generation and tracking
Our courier(s) (e.g. NZ Post, NZ Couriers, Aramex) | New Zealand | Customer name, delivery address, parcel tracking | Delivery
Our print partner / production team | New Zealand | Customer name, delivery address, personalisation text, finished print files | Printing and dispatch
Our outbound email provider (SMTP) | The provider's hosting jurisdiction | Customer email, name, and the contents of the message we send | Transactional email (order confirmations, dispatch notifications, saved-cart links). The specific provider is whichever SMTP service we have configured at the time; we will name it on request.

We may also disclose personal information:

  • where required or permitted by New Zealand law, including in response to a lawful request from a regulator, court, or law-enforcement agency;
  • to our professional advisors (lawyers, accountants, auditors) under obligations of confidentiality, where reasonably necessary;
  • to a successor entity in the event of a sale, merger, or restructure of our business — in which case we will require the successor to honour this policy; and
  • with your express consent.

We will not sell your personal information, and we will not share it with third parties for their own independent marketing purposes.

8. Sending information overseas (IPP 12)

Several of the providers above are located outside New Zealand, principally in the United States. IPP 12 permits cross-border disclosure in a number of situations, including where:

  • the recipient is required to protect the information on a basis that, on the whole, is comparable to the Privacy Act 2020 (typically established by contract);
  • the recipient is itself "carrying on business in New Zealand" within the meaning of section 4 of the Privacy Act, in which case the recipient is directly subject to New Zealand privacy law (this is generally how Google, Meta, and Stripe qualify);
  • the recipient is in a country prescribed by Regulations as having comparable safeguards;
  • the disclosure is otherwise required or authorised by law; or
  • you authorise the disclosure after being told that the recipient may not be required to protect the information on a comparable basis.

For our US-based providers we rely on a combination of the first two — contractual obligations imposed via data-processing addenda, and the extraterritorial reach of the Privacy Act 2020 to providers that "carry on business" in New Zealand.

9. How we keep it secure (IPP 5)

We protect personal information using a combination of technical and organisational controls, including:

  • Encryption in transit via TLS for all traffic between your browser and our servers, and on the encrypted connection from our servers to the database;
  • Encryption at rest for the database, file storage, and backups, using Google-managed keys;
  • Hashed administrator passwords (bcrypt) — we do not have, and cannot recover, plain-text admin passwords;
  • Role-based access control — only the people who need access to a particular system have it;
  • Secrets management — API keys and database credentials live in Google Secret Manager and are not committed to source code;
  • Rate limiting on sensitive endpoints (saved-cart send/resend, admin login) to defend against abuse; and
  • Delivery logging for transactional email so that we can investigate issues if a confirmation or tracking email does not reach you.

Payment card data is handled exclusively by Stripe (a Level 1 PCI-DSS Service Provider) and never touches our servers.

No system is perfectly secure. If we ever experience a privacy breach that has caused, or is likely to cause, serious harm, we will notify affected individuals and the Office of the Privacy Commissioner as required by Part 6 of the Privacy Act 2020 (the Notifiable Privacy Breach regime).

10. How long we keep your information (IPP 9)

We keep personal information only for as long as we have a lawful purpose to do so.

Record | Retention
Order records (name, address, items, amount, payment confirmation) | At least 7 years from the end of the financial year in which the order was placed, to meet section 22 of the Tax Administration Act 1994
Personalisation text, including any guest names you entered, and the print files generated from it | Retained alongside the related order so we can reprint or investigate issues if you contact us; we may de-identify or delete this content earlier where it is no longer needed
Email delivery logs (recipient, subject, status) | Retained alongside the related order
Saved-cart records ("Save my wedding") | Auto-expire 90 days after the last update; expired records are deleted
IP addresses used for in-application rate limits | Held in memory only and rotated out within roughly an hour
Server access logs (which include IP addresses) in our hosting provider's logging system | Retained according to the hosting provider's default log-retention period (currently 30 days)
Analytics data in Google Analytics 4 | Retained for 14 months in Google Analytics 4
Marketing email subscriber records | Until you unsubscribe, plus a short period to honour the suppression list so we don't accidentally email you again
Admin user accounts | For as long as the person is involved with the business; deleted when no longer needed

We review retention periodically. When information is no longer needed for a lawful purpose, we delete or de-identify it.

11. Your rights

Under the Privacy Act 2020 you have the following rights in relation to the personal information we hold about you:

11.1 Right of access (IPP 6)

You can ask us to confirm whether we hold personal information about you, and to give you a copy of it. We will respond as soon as reasonably practicable, and in any case within 20 working days of receiving your request, as required by the Privacy Act 2020.

We may charge a reasonable fee only where the request is for additional copies or is manifestly unreasonable, and will tell you in advance.

11.2 Right of correction (IPP 7)

You can ask us to correct information you believe is wrong, misleading, incomplete, or out of date. If we decline to correct it, you can ask us to attach a statement of correction to the record, and we will do so.

11.3 Right to ask for deletion

The Privacy Act does not give a free-standing "right to be forgotten", but you can ask us to delete information we no longer have a lawful purpose to keep. We will honour such requests except where:

  • we are required by law to retain it (for example, the 7-year tax record rule); or
  • it forms part of an order record that is still being fulfilled or is within the post-purchase support window.

11.4 Right to opt out of direct marketing

You can opt out of marketing emails at any time by clicking the unsubscribe link in any message we send, or by emailing privacy@weddingsigns.co.nz. We comply with the Unsolicited Electronic Messages Act 2007 — every commercial electronic message we send identifies us as the sender and includes a functional unsubscribe mechanism that remains valid for at least 30 days. Transactional messages related to an order you have placed (confirmations, tracking, invoices) are not "commercial electronic messages" and will continue regardless.

11.5 Right to withdraw consent

Where we rely on your consent to do something — for example, sending you marketing emails or sharing personal information with a third party for a purpose outside this policy — you can withdraw that consent at any time by contacting the Privacy Officer. Withdrawal does not affect the lawfulness of anything we did before you withdrew.

11.6 Right to complain

If you believe we have mishandled your personal information, please contact our Privacy Officer first so we have a chance to put it right. If you are not satisfied with our response, you can complain to the:

Office of the Privacy Commissioner

PO Box 10094, Wellington 6143

Phone: 0800 803 909

Web: privacy.org.nz/your-rights/making-a-complaint

11.7 How to make a request

Send any access, correction, deletion, or opt-out request to privacy@weddingsigns.co.nz with enough information for us to identify you and locate the record (for example, your full name and the email address you used at checkout, or an order number). We may need to verify your identity before releasing or changing information.

12. Marketing communications

We send two kinds of email:

  • Transactional — order confirmations, payment receipts, dispatch and tracking updates, replies to your enquiries, and saved-cart reminders if you used the "Save my wedding" feature. We send these as part of fulfilling your order or honouring a request you made; they do not require separate consent under the Unsolicited Electronic Messages Act 2007.
  • Marketing — occasional updates about new designs, promotions, or wedding-planning tips. We send these only if you have expressly opted in, and every message contains a one-click unsubscribe link that takes effect within 5 working days at the latest.

We do not run SMS marketing.

13. Children

The site is intended for adults planning a wedding. We do not knowingly collect personal information from minors. If you believe a child has submitted information to us, please contact the Privacy Officer so we can remove it.

14. Automated decision-making

We do not make decisions that have a legal or similarly significant effect on you using purely automated processing. Stripe runs automated fraud-scoring on payment attempts; if a payment is declined for fraud reasons you can contact us and we will assist where appropriate.

15. Links to third-party sites

The site contains links to other websites — for example, social-media profiles, suppliers, or articles we cite. This policy does not apply to those websites. We encourage you to review their privacy policies before providing any personal information.

16. Changes to this policy

We may update this policy from time to time as our practices, the law, or the third parties we work with change. The "Last updated" date at the top of the policy reflects the most recent change. For material changes (extensions to the categories of data we collect, new third-party recipients, or significant new uses) we will give reasonable advance notice — for example, by a banner on the site, or by emailing customers with whom we have an active relationship.

17. Contact

For any privacy questions, complaints, access or correction requests, or to exercise any other right under this policy:

Privacy Officer

Wedding Signs NZ

Email: privacy@weddingsigns.co.nz

General enquiries: hello@weddingsigns.co.nz

Appendix A — Glossary of NZ-law references

  • Privacy Act 2020 — the principal New Zealand privacy statute, in force since 1 December 2020.
  • Information Privacy Principles (IPPs) — the thirteen principles in Part 3 of the Privacy Act that govern how agencies collect, use, store, disclose, and give access to personal information.
  • IPP 12 — added in the 2020 Act; restricts disclosure of personal information to recipients outside New Zealand unless certain conditions are met (comparable privacy safeguards, the recipient is in a prescribed country, contractual safeguards, or the individual has authorised the disclosure).
  • Office of the Privacy Commissioner (OPC) — the independent regulator responsible for promoting and protecting privacy in New Zealand.
  • Notifiable privacy breach — Part 6 of the Privacy Act requires agencies to notify the Privacy Commissioner and affected individuals as soon as practicable when a breach has caused or is likely to cause serious harm.
  • Unsolicited Electronic Messages Act 2007 (UEMA) — governs the sending of commercial electronic messages (email, SMS) to or from New Zealand. Requires consent, sender identification, and a functional unsubscribe.
  • Tax Administration Act 1994 — section 22 requires business records (including invoices, receipts, and customer details that support them) to be retained for at least seven years.
  • Fair Trading Act 1986 / Consumer Guarantees Act 1993 — referenced here for completeness; while not privacy statutes, both interact with how we describe products and handle consumer complaints, and inform the way we keep correspondence records.