1. What is this policy about?

  2. How we collect your data

  3. How we use your data

  4. How we secure and manage your data

  5. Data Disposal
    Suspension of service
    Termination of service
    Termination of platform

  6. Data breaches

  7. Updates to the Privacy Policy

  8. Your choice and rights to controlling your personal information


HeyPenny Security and Privacy Policy

1. What is this Policy all about?

HeyPenny understands that protecting your personal information is important. This Privacy Policy sets out our commitment to protecting the privacy of personal information provided to us, or collected by us, when interacting with you.

2. How we collect your data

When you engage with our website or the HeyPenny platform, we collect personal information to enable you to have access and usage of our service and product.

This information can be divided into three categories:

  1. Straight from you: While browsing our site or using the HeyPenny platform, we might pop a question or two about certain details which you can choose to answer (or not).

  2. Behind the scenes: Some data, like which device you're on or your IP address, is collected automatically when navigating the internet. It is anonymous.

  3. From your Employer: If you work for a HeyPenny customer who has signed-up to the platform, your employer may provide us with some high level professional data on you, such as your role and reporting structure, to enable smooth access and usage of the platform.

3. How We Use Your Data

The primary reason we collect personal information is to deliver products, services, and features tailored to meet your needs. Here are specific ways we use your data:

  • To communicate with you: To keep you informed about operational updates, marketing initiatives, and solicit feedback or participation in research we conduct.

  • Technical and Usage Data optimisation: When accessing our website or platform, details about your internet protocol (IP) address, login data, internet cookies, browser sessions and/or search queries may be collected. 

  • Security: To monitor for malicious or fraudulent activity and ensure our website and/or platform remains secure.

  • To validate the HeyPenny Platform product offering: We retain access and ownership to insights generated through the HeyPenny platform in an anonymised format, protecting the personal information of you and your people, to validate our offering and service.

  • Analysis and reporting: We may use your data, combined with others, to produce anonymised analytics and reports.

4. How we secure and manage your data

When we collect personal data about you, we only collect what is necessary, and security is key. That is why we protect your information using industry standard measures and limit access to this data to only those that really need it. Such as:

  • Legal entities when required under New Zealand Privacy Law Principles and/or the New Zealand Crimes Act (with prior notice when feasible).

  • Cases where you've given us explicit consent.

In order to prevent unauthorised access or disclosure to your data, we have put in place suitable physical, electronic and procedural safeguards. Such as:

  • Modern authentication and password management.

  • Least privilege concept towards administration access.

  • Observability of platform and website for threat monitoring and disruption.

  • Cloud hosted provider, Amazon (AWS), for resiliency and high availability. 

  • Testing, assurance and compliance measures.

The HeyPenny platform provides modern industry-standard levels of security and encryption. This means all traffic, including any containing personal information, is transmitted to and from the platform using strong end-to-end encryption. Further encryption is added to all file and data storage components, including any backups of said storage components.

These steps aim to secure your information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure. While we are committed to security, we cannot guarantee the security of any information that is transmitted to or by us over the internet. The transmission and exchange of information is carried out at your own risk.

Data Disposal

Suspension of service

When a customer temporarily stops using or paying for HeyPenny's service, their data and associated snapshots are retained until the suspension is resolved. This allows the customer to easily resume using the service without losing any important information.

If the suspension is not resolved within a certain period of time, HeyPenny will initiate the termination of service process. During this process, the customer's data will be securely deleted in accordance with HeyPenny's data retention policy. This policy outlines the specific time periods for which different types of data are retained.

Termination of service

When a customer makes the decision to terminate their use of the HeyPenny platform, a series of procedures are initiated to manage the customer's data and ensure compliance with relevant regulations. These procedures are designed to protect the customer's privacy while allowing HeyPenny to maintain necessary records and improve its services.

Immediate Actions Upon Termination

  • Instance Data Deletion: As soon as the service termination date arrives, all data specific to the customer's instance is permanently deleted from HeyPenny's active systems. This includes any transactional data, customer records, configurations, and other information associated with the customer's use of the platform. The customer's instance will no longer be accessible, and all functionality will cease.

  • Access Revocation: All access credentials and permissions granted to the customer and their users will be immediately revoked. This prevents any further interaction with the platform and ensures the security of the remaining data.

Data Retention and Deletion

  • Snapshot Data: While instance data is deleted immediately, data stored in snapshots may be retained for a brief period. These snapshots, which are point-in-time copies of the customer's data, will be automatically and irrevocably deleted within 30 days of the termination date. This grace period allows customers to retrieve any necessary data before it is permanently removed.

  • Financial Data: Due to legal and regulatory requirements, HeyPenny is obligated to retain certain financial data for a specified period. This includes transaction records, invoices, and other financial information that may be required for tax purposes or to comply with other New Zealand laws. This data is securely stored and accessed only by authorized personnel for legitimate purposes.

  • Anonymized Data: HeyPenny may retain anonymized analytics and performance data collected during the customer's use of the platform. This data, which is stripped of any personally identifiable information, is used to analyze trends, identify areas for improvement, and enhance the overall user experience. This practice benefits future customers by allowing HeyPenny to optimize its platform and services based on aggregated insights.

Additional Considerations

  • Data Security: Throughout the termination process, HeyPenny maintains strict security measures to protect the customer's data from unauthorized access, disclosure, or misuse. This includes encryption, access controls, and regular security audits.

  • Compliance: HeyPenny is committed to complying with all applicable laws and regulations regarding data privacy and protection. This includes the New Zealand Privacy Act and other relevant legislation.

  • Customer Support: HeyPenny provides customer support throughout the termination process to address any questions or concerns that may arise. Customers can contact HeyPenny's support team for assistance with data retrieval, account closure, or any other related matters.

By following these procedures, HeyPenny ensures a smooth and compliant termination process for its customers. This approach prioritizes data privacy, security, and regulatory compliance while maintaining the integrity of HeyPenny's platform and services.

Termination of platform

In the event that the HeyPenny platform is terminated due to the business ceasing operations, all data associated with the platform will also be terminated, including any snapshots, analytics, and tracking information. This means that all user data, company data, and any other information stored on the platform will be permanently deleted and will not be recoverable.

Financial data, however, will be retained in accordance with New Zealand laws and regulations. This includes data related to transactions, invoices, and other financial records. The purpose of this retention is to ensure compliance with tax and reporting obligations, as well as to protect the rights of users and customers.

The retention period for financial data will vary depending on the specific laws and regulations that apply. Generally, financial records must be kept for a minimum of seven years for tax purposes. However, some records, such as those related to payroll or employee benefits, may need to be retained for longer periods.

HeyPenny will take all necessary steps to securely delete all non-financial data upon termination of the platform. This will include removing data from servers, backups, and any other storage locations. Financial data will be retained in a secure and confidential manner in accordance with the relevant laws and regulations.

Data Breaches

In the unlikely event of a data breach that compromises your personal data, we are committed to notifying you and relevant authorities within the timeframes prescribed by law, such as the New Zealand Privacy Act. We will also take all necessary steps to mitigate the effects and prevent future breaches.

Updates to the Privacy Policy

Our privacy policy may be updated periodically to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify users of any significant changes through either email or a prominent notice on our website. We encourage you to periodically review our policy to stay informed.

Your Choice and Rights to Controlling Your Personal Information

Please read this Privacy Policy carefully. If you provide personal information to us, you understand we will collect, hold, use and disclose your personal information in accordance with this Privacy Policy. You do not have to provide personal information to us, however, if you do not, it may affect our ability to do business with you.

Security and Privacy Policy v1.0