Official Beta Launch October 24th
HOIST PRIVACY POLICY
Automotive Workshop Management Software
Last Updated: November 10, 2025
Version: 1.0 (Beta)
INTRODUCTION AND OUR COMMITMENT TO PRIVACY
Hoist Software LTD (Hoist, we, us, our) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our automotive workshop management platform (Service).
This Privacy Policy applies to our website at https://hoist.nz, our web application and dashboard, our mobile applications for iOS and Android, our API and integrations, and any other services we provide.
ABOUT HOIST
Hoist Software LTD
Company Number: 8842848
NZBN: 9429051507626
Website: https://hoist.nz
General Contact: accounts@hoist.nz
Privacy Inquiries: accounts@hoist.nz
Support: accounts@hoist.nz
We are a New Zealand company that provides cloud-based workshop management software specifically designed for automotive workshops, mechanics, and related businesses. Our registered details can be verified through the New Zealand Companies Office using our Company Number 8842848 or NZBN 9429051507626.
WHAT HOIST DOES
Hoist is a cloud-based software platform that helps automotive workshops manage their business operations. The Service provides tools for customer relationship management, job cards and work orders, vehicle service history tracking, parts inventory and stock control, invoicing and payments, staff scheduling and time tracking, workshop calendar and bookings, reporting and business analytics, document storage and management, customer communication, and supplier management.
BETA SERVICE NOTICE
Hoist is currently in beta testing. While in beta, we are actively developing and refining the Service. This means features and functionality may change, data handling practices may evolve, and we are gathering feedback to improve security and privacy. However, beta status does not reduce your privacy rights under New Zealand law. We maintain the same legal obligations to protect your information during beta as we will after full release.
During beta, we may monitor usage more extensively to identify bugs, understand how features are being used, test improvements, optimize performance, and improve security. All monitoring is done in accordance with this Privacy Policy and the Privacy Act 2020.
NEW ZEALAND PRIVACY ACT 2020 COMPLIANCE
We comply with the Privacy Act 2020 and handle personal information in accordance with the 13 Information Privacy Principles (IPPs). We are subject to New Zealand privacy law and the jurisdiction of the Office of the Privacy Commissioner.
The 13 Privacy Principles we follow are: Purpose of collection of personal information, Source of personal information, Collection of information from subject, Manner of collection of personal information, Storage and security of personal information, Access to personal information, Correction of personal information, Accuracy of personal information to be checked before use, Agency not to keep personal information for longer than necessary, Limits on use of personal information, Limits on disclosure of personal information, Unique identifiers, and Certain information not to be collected.
YOUR PRIVACY RIGHTS UNDER NEW ZEALAND LAW
Under the Privacy Act 2020, you have rights to know what personal information we hold about you, access your personal information, request correction of inaccurate information, request deletion in certain circumstances, and complain to the Privacy Commissioner if you believe we have breached the Privacy Act.
This Policy explains how to exercise these rights. See Section 7 for detailed information about exercising your privacy rights.
IMPORTANT DISTINCTION BETWEEN YOUR DATA AND YOUR CUSTOMERS DATA
This Privacy Policy covers two distinct categories of data:
First Category - Your Data (Account Data): This is information about you, your business, your workshop, and your staff members who use Hoist. For this information, we are the data controller or agency under the Privacy Act 2020. This Policy explains how we collect, use, store, and protect your account data.
Second Category - Your Customers Data (Customer Data): This is information about your workshop customers that you choose to store in Hoist, such as their names, contact details, vehicle information, service histories, invoices, and payment records. For this information, you are the data controller (agency) and we are the data processor. You must provide privacy notices to your customers explaining how their information is collected and used. You must comply with the Privacy Act 2020 regarding your customer data. See Section 10 for detailed information about customer data processing.
SECTION 1: INFORMATION WE COLLECT
We collect different types of information depending on how you use our Service. This section explains exactly what information we collect, why we collect it, and the legal basis for collection.
1.1 ACCOUNT REGISTRATION INFORMATION
When you create a Hoist account for your workshop, we collect information necessary to set up and manage your account.
Business Information We Collect:
Workshop business name and trading name (if different)
Business physical address (your workshop location)
Business postal address (if different from physical)
Business phone number
Business email address (this becomes your primary account contact)
GST number (if your business is GST registered)
Business type (sole trader, partnership, limited company, etc)
Number of employees or staff members
Industry focus (general automotive repair, specialist services, tyres, auto electrical, etc)
This information is necessary to create your account, identify your business, process payments and invoicing, comply with tax obligations (GST), and provide appropriate service features for your workshop type.
Personal Information of Account Owner:
Your full name (as business owner or manager)
Your email address (for account access and communications)
Your phone number (for account security and support)
Your role or position in the business
This information is necessary to identify who is responsible for the account, verify authorization to use the Service, provide customer support, and send important account notifications.
Password and Security Information:
We store your password in encrypted (hashed) form using industry-standard encryption. We never store passwords in plain text and our staff cannot see your actual password. When you log in, we create authentication tokens to keep you logged in securely across sessions.
1.2 BILLING AND PAYMENT INFORMATION
To process subscription payments, we collect billing information.
Billing Information We Collect:
Billing contact name and email
Billing address
GST number for invoicing purposes
Payment method details
Payment Processing:
We use third-party payment processors including Stripe and potentially others. When you provide credit card or debit card information, it goes directly to our payment processor and is not stored on our servers. We only receive and store the last 4 digits of the card number, the card type (Visa, Mastercard, etc), the expiry month and year, and the name on the card.
Our payment processors handle full card details in PCI-DSS compliant environments. They process payments according to their own privacy policies. We recommend reviewing the privacy policy of Stripe or whichever payment processor you use.
Transaction Records:
We store records of all transactions including payment dates, amounts, invoice numbers, subscription periods, payment status (successful, failed, refunded), and transaction IDs from the payment processor.
This information is necessary to process your subscription payments, generate invoices, comply with tax laws and accounting requirements (we must retain financial records for 7 years under NZ law), handle refunds or billing disputes, and prevent fraud.
1.3 USER ACCOUNTS FOR YOUR STAFF
When you create user accounts for your employees or staff members who will use Hoist, we collect information about them.
Staff User Information:
Full name of the staff member
Email address for their login
Phone number (optional)
Role or job title (mechanic, service advisor, manager, etc)
Permission level (Admin, Manager, Standard User)
Employment status (active, inactive)
Date account was created
Last login date and time
You are responsible for obtaining consent from your staff members before providing their information to us. You should inform them that their information will be stored in Hoist and explain how it will be used.
Activity Monitoring:
We log activity for all user accounts in your workshop including login times, features accessed, actions taken (creating job cards, generating invoices, etc), and IP addresses. This is for security purposes, to help you manage your team, and to investigate any issues or policy violations.
1.4 CUSTOMER DATA YOU STORE IN HOIST
This is the most important category because it involves personal information of your customers (members of the public). You store this information in Hoist to manage your workshop operations.
Typical Customer Information You Store:
Customer names (first name, last name, business name for commercial clients)
Contact details (phone numbers, email addresses, physical addresses)
Vehicle information (make, model, year, color, VIN number, registration plate number, odometer readings)
Service and repair history (date of service, work performed, parts used, labor hours, technician notes)
Job cards and work orders (description of customer complaints, diagnostic findings, recommended work, work authorization)
Invoices and quotes (itemized charges, parts costs, labor costs, GST, total amounts)
Payment history (payment dates, payment methods, amounts paid, outstanding balances)
Photos and documents (photos of vehicle damage, photos of work performed, uploaded documents like insurance papers or registration)
Customer communications (notes from phone calls, emails, text messages, service reminders sent)
Customer preferences (preferred contact method, service reminders, marketing opt-in status)
Warranty information (warranty periods, warranty claims, manufacturer warranty details)
Insurance information (if relevant to repairs or claims)
Important Legal Point: For customer data, YOU are the data controller (agency under the Privacy Act 2020) and WE are the data processor. This means you determine what customer information to collect, you decide how it is used, and you are responsible for complying with privacy laws regarding your customers. We process this data only according to your instructions and only to provide the Hoist Service to you.
You must obtain appropriate consent from your customers, provide them with privacy notices explaining how their information is collected and used, inform them that you use Hoist to store and manage their data, comply with all Privacy Principles under the Privacy Act 2020, respond to customer requests to access or correct their information, and handle any privacy complaints from your customers.
See Section 10 for more detailed information about your obligations as a data controller for customer data.
1.5 USAGE DATA AND SERVICE ANALYTICS
When you use Hoist, we automatically collect information about how you interact with the Service.
Usage Information We Collect:
Login frequency (how often you and your staff log in)
Session duration (how long you stay logged in)
Features used (which parts of Hoist you use most: job cards, invoicing, calendar, reports, etc)
Pages or screens viewed (which screens you navigate to)
Actions taken (creating a new customer record, generating an invoice, scheduling a job, etc)
Search queries (what you search for within Hoist)
Click patterns and navigation paths
Time spent on different features or pages
Frequency of specific actions
Error messages or issues encountered
This information helps us understand how Hoist is being used, identify which features are most valuable, determine which features need improvement, find bugs and technical issues, optimize performance and loading times, and improve the user interface and user experience.
During Beta: We may analyze usage data more extensively during beta to improve the product before general availability. This includes identifying commonly used workflows, finding features that are confusing or rarely used, understanding performance bottlenecks, and gathering insights for new feature development.
1.6 DEVICE AND TECHNICAL INFORMATION
We automatically collect technical information about the devices and connections you use to access Hoist.
Device Information:
Device type (desktop computer, laptop, tablet, smartphone)
Operating system and version (Windows 11, macOS Sonoma, iOS 17, Android 14, etc)
Browser type and version (Chrome 120, Safari 17, Firefox 121, Edge, etc)
Screen size and resolution
Device identifiers (for mobile apps: device ID, advertising ID if permitted)
Device manufacturer and model (for mobile devices)
App version (which version of our mobile app you are using)
Network and Connection Information:
IP address (your internet protocol address)
Internet service provider (ISP)
Geographic location derived from IP address (country, region, city level - not precise location)
Connection type (WiFi, mobile data, ethernet)
Network performance metrics (connection speed, latency)
Log Data:
Date and time of each access to the Service
URLs or pages accessed
Referring URL (what page or site you came from)
HTTP response codes (success, error codes)
Data transferred (upload and download amounts)
User agent string (technical information about your browser)
Why We Collect This:
To provide the Service and ensure it works on your devices
To troubleshoot technical issues and provide support
To optimize performance for different devices and browsers
To detect and prevent security threats and unauthorized access
To analyze geographic usage patterns (for localization and server placement)
To enforce our Terms of Service
To prevent fraud and abuse
1.7 LOCATION INFORMATION
We may collect limited location information.
How We Collect Location:
Approximate location from your IP address (city or region level)
Device location services (only if you explicitly grant permission in our mobile apps)
We do not track precise real-time location or GPS coordinates unless you explicitly enable location features for specific functionality.
How We Use Location Information:
Set appropriate time zone for your account
Display local currency (NZD by default)
Localize date and time formats
Improve service relevance for your region
Security and fraud detection (flag unusual access from unexpected locations)
Analytics about where Hoist is being used (aggregated by region, not individual tracking)
1.8 COOKIES AND SIMILAR TRACKING TECHNOLOGIES
We use cookies, local storage, and similar technologies to provide and improve the Service.
Types of Cookies We Use:
Essential Cookies (Strictly Necessary):
These are required for Hoist to function and cannot be disabled without breaking the Service.
Authentication cookies (keep you logged in to your account)
Session cookies (maintain your session as you navigate Hoist)
Security cookies (prevent fraud, detect attacks, protect your account)
Load balancing cookies (distribute traffic across our servers)
Functional Cookies:
These remember your preferences and settings.
Language and locale preferences
Display preferences (dark mode, layout preferences)
Feature settings (defaults for creating invoices, job cards, etc)
Recently viewed items or customers
Saved filters or search preferences
Analytics Cookies:
These help us understand how you use Hoist.
Usage statistics (which features you use, how often)
Feature adoption metrics (are new features being used)
Performance measurements (page load times, errors)
A/B testing cookies (testing different versions of features)
We may use third-party analytics services such as Google Analytics or similar tools. These services may set their own cookies.
Other Tracking Technologies:
Local Storage:
We use browser local storage to cache data for better performance, store temporary working data, enable offline functionality (view some data when disconnected), and improve loading speeds.
Web Beacons (Pixels):
We may use web beacons in emails to track whether you opened the email and which links you clicked. This helps us understand the effectiveness of our communications.
Mobile App Analytics:
Our mobile apps may use mobile analytics SDKs to track app usage, crashes, and performance.
Your Cookie Choices:
Essential cookies cannot be disabled because they are required for the Service to work.
You can manage functional and analytics cookies in your account settings (when available).
You can also block cookies through your browser settings, but this may affect how Hoist works.
You can opt out of email tracking by disabling image loading in your email client.
Do Not Track Signals:
Currently, we do not respond to Do Not Track (DNT) browser signals because there is no agreed industry standard for how to respond to DNT.
1.9 INFORMATION FROM THIRD-PARTY INTEGRATIONS
When you connect third-party services to Hoist, we may receive information from those services.
Third-Party Integrations May Include:
Accounting software (Xero, MYOB, QuickBooks) - we receive invoice data, customer names, payment information
Payment processors (Stripe, PayPal) - we receive payment confirmations, transaction details, payer information
Parts suppliers and catalogues - we receive parts pricing, availability, specifications
Diagnostic databases - we receive vehicle diagnostic information, service schedules
Communication platforms (email, SMS providers) - we receive delivery status, open rates
Calendar services - we receive appointment information if you sync calendars
Bank feeds - we receive transaction information if you connect bank accounts
You authorize these data flows when you enable integrations. Each integration operates according to the permissions you grant. You can disconnect integrations at any time.
We only request access to information necessary for the integration to work. We do not request access to unrelated information from third-party services.
1.10 INFORMATION FROM SUPPORT INTERACTIONS
When you contact our support team, we collect information to help resolve your issues.
Support Information:
Your support requests and inquiries (questions, problems, feature requests)
Email correspondence with our support team
Support ticket history
Phone call recordings (with notice - if we implement phone support)
Chat transcripts (if using in-app chat support)
Screenshots or files you provide to demonstrate issues
Feedback and survey responses
We use this information to respond to your support requests, troubleshoot technical problems, improve our support quality, train our support staff, identify common issues for product improvement, and maintain a support history for continuity.
Support communications may involve accessing your account data to diagnose issues. Our support staff will only access your data when necessary to help you and will do so in accordance with our access policies.
1.11 INFORMATION WE GENERATE OR DERIVE
From the information we collect, we may generate or derive additional information.
Analytics and Insights:
Aggregated usage statistics (anonymized data about how features are used across all users)
Performance benchmarks (average page load times, uptime statistics)
Industry insights (anonymized trends in the automotive workshop industry)
Product analytics (which features are successful, which need improvement)
Security and Fraud Detection:
Risk scores for login attempts (is this login suspicious?)
Account security status assessments
Anomaly detection patterns (unusual activity patterns)
Threat intelligence (information about security threats affecting the Service)
All analytics and insights are based on aggregated, anonymized data that cannot identify individual users or customers.
SECTION 2: HOW WE USE YOUR INFORMATION
This section explains the specific purposes for which we use your information and the legal basis for each use.
2.1 TO PROVIDE AND OPERATE THE SERVICE
Legal Basis: Contract performance (necessary to perform our contract with you under the Terms of Service) and Legitimate business interests (providing the service you purchased).
We use your information to:
Create and manage your Hoist account
Authenticate you when you log in (verify you are who you say you are)
Provide access to Service features and functionality
Store and manage the data you enter (customer records, job cards, invoices, etc)
Process your workshop operations (create job cards, generate invoices, track vehicles, manage inventory)
Enable multi-user access for your staff with appropriate permissions
Synchronize your data across your devices (desktop, mobile, tablet)
Backup your data for disaster recovery purposes
Maintain service availability, performance, and stability
Provide updates and new features
Enable integrations with third-party services you connect
Generate reports and analytics you request
This is the core purpose of Hoist - to provide you with workshop management software. Without using your information for these purposes, we cannot provide the Service.
2.2 TO PROCESS PAYMENTS AND MANAGE SUBSCRIPTIONS
Legal Basis: Contract performance (necessary to perform our contract) and Legal obligations (tax and financial record-keeping requirements).
We use your information to:
Process subscription payments for your Hoist plan
Generate invoices for your subscription
Handle payment failures and retry failed payments
Process refunds when applicable
Manage automatic subscription renewals
Apply discounts or promotional pricing
Calculate and collect GST (Goods and Services Tax)
Maintain financial records for tax compliance (7 year retention for NZ tax law)
Prevent payment fraud and unauthorized charges
Manage subscription upgrades, downgrades, or cancellations
Send billing notifications and payment receipts
Financial records must be retained for 7 years under New Zealand tax law, even after your account is closed.
2.3 TO COMMUNICATE WITH YOU
Legal Basis: Contract performance (for service-related communications), Legitimate business interests (for operational communications), and Consent (for marketing communications).
We use your information to:
Service and Account Communications:
Send account creation and welcome emails
Provide login verification codes or password reset links
Notify you of successful or failed login attempts from new devices
Alert you to subscription renewal or payment issues
Inform you of upcoming subscription renewals
Send receipts and invoices for payments
Notify you of Terms of Service or Privacy Policy updates
Alert you to important security issues or required actions
Technical and Support Communications:
Respond to your support inquiries and help requests
Provide technical assistance and troubleshooting
Send service status updates (planned maintenance, outages, incidents)
Request additional information to resolve support issues
Follow up on support tickets
Send satisfaction surveys after support interactions (optional participation)
Product and Feature Communications:
Announce new features or improvements to Hoist
Provide tips for using Hoist more effectively
Share educational content about workshop management
Notify you about beta features you can test
Request feedback about your experience with Hoist
Marketing Communications (Opt-In):
Send information about Hoist updates and news
Promote additional features or premium plans
Share customer success stories or case studies
Invite you to events or webinars
Send newsletters about the automotive industry
You can opt out of marketing communications at any time by clicking unsubscribe in any marketing email or by updating your communication preferences in your account settings. You cannot opt out of essential service communications (account, security, billing, legal notices) as these are necessary to operate your account.
2.4 TO IMPROVE AND DEVELOP THE SERVICE
Legal Basis: Legitimate business interests (improving our product and developing new features).
During our beta phase and ongoing, we use information to:
Product Improvement:
Analyze how features are used to identify what works well and what needs improvement
Identify bugs, errors, and technical issues
Test new features and improvements with beta users
Conduct usability research and testing
Optimize performance, speed, and reliability
Improve the user interface and user experience
Understand user workflows and pain points
Identify which features are most valuable to workshops
Product Development:
Develop new features based on usage patterns and feedback
Plan product roadmap based on user needs
Research new integrations that would benefit users
Build features specific to different types of workshops (general mechanics, specialists, etc)
Create industry-specific functionality (compliance with automotive regulations, warranty management, etc)
Research and Analytics:
Conduct research into workshop management practices
Analyze industry trends (anonymized data about automotive service businesses)
Create benchmarks for workshop performance (anonymized, aggregated data)
Understand the needs of different workshop sizes and types
Beta-Specific Development Activities:
During beta, we may analyze your usage more extensively than we would after general availability. This intensive analysis helps us identify issues quickly, understand which features need improvement before full launch, optimize performance and scalability, test different approaches to features, and validate that Hoist meets the needs of real workshops.
All product analytics and research use aggregated, anonymized data whenever possible. When we need to analyze individual usage patterns (for example, to understand a specific bug), we limit access to essential personnel and use the data only for product improvement purposes.
2.5 FOR SECURITY, FRAUD PREVENTION, AND SERVICE PROTECTION
Legal Basis: Legitimate business interests (protecting our Service, users, and business) and Legal obligations (complying with security requirements).
We use your information to:
Security Monitoring and Protection:
Detect and prevent unauthorized access to accounts
Monitor for suspicious login attempts or unusual activity patterns
Identify and block brute force attacks, credential stuffing, or other attack vectors
Detect and prevent account takeovers
Monitor for malware, viruses, or malicious code
Identify and respond to security vulnerabilities
Implement rate limiting to prevent abuse
Monitor API usage for abnormal patterns
Fraud Detection and Prevention:
Detect fraudulent account registrations
Identify payment fraud or stolen payment methods
Detect abuse of free trials or promotional offers
Identify users creating multiple accounts to evade restrictions
Monitor for signs of account sharing or resale
Abuse Prevention:
Detect and prevent violations of our Terms of Service
Identify spam, harassment, or abusive behavior
Monitor for prohibited uses (such as using Hoist for illegal purposes)
Detect excessive resource consumption or service abuse
Prevent scraping, unauthorized data extraction, or automated access
Incident Response:
Investigate security incidents when they occur
Respond to data breaches or security compromises
Contain and remediate security issues
Notify affected users when required by law
Cooperate with law enforcement when legally required
Service Protection:
Protect against denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
Maintain service availability and performance for all users
Prevent actions that could harm other users or our infrastructure
Enforce our Terms of Service and policies
2.6 FOR LEGAL COMPLIANCE AND OBLIGATIONS
Legal Basis: Legal obligations (complying with laws, regulations, and legal requirements).
We use your information to:
Comply with Tax and Financial Laws:
Calculate and collect GST on subscription fees
Generate tax invoices with required information
Maintain financial records for the required 7-year period under NZ tax law
Report financial information to Inland Revenue if required
Comply with accounting standards and requirements
Respond to Legal Requirements:
Comply with court orders, subpoenas, or legal process
Respond to lawful requests from government authorities or law enforcement
Provide information required by regulatory bodies
Comply with legal discovery in litigation
Respond to valid legal requests for user information
Privacy Law Compliance:
Comply with Privacy Act 2020 requirements
Respond to privacy requests (access, correction, deletion) as required by law
Maintain records required by privacy law
Report data breaches to the Privacy Commissioner when required (within 72 hours of becoming aware of a notifiable breach)
Cooperate with Privacy Commissioner investigations
Other Legal Obligations:
Comply with consumer protection laws (Consumer Guarantees Act, Fair Trading Act)
Meet record-keeping requirements under various laws
Comply with company law requirements (Companies Act 1993)
Fulfill contractual obligations to you under our Terms of Service
Enforce our legal rights and defend against legal claims
2.7 FOR CUSTOMER SUPPORT AND SERVICE QUALITY
Legal Basis: Contract performance (providing support you request) and Legitimate business interests (improving support quality).
We use your information to:
Respond to your support inquiries and help requests
Troubleshoot technical issues you experience
Provide guidance on how to use Hoist features
Access your account (with permission) to diagnose problems
Replicate issues you report to identify causes
Escalate complex issues to our technical team
Follow up on resolved support tickets
Track support quality and response times
Identify common issues that need documentation or product fixes
Train our support staff using anonymized support interactions
Measure customer satisfaction with support
When providing support, our staff may need to access your account and data. We limit this access to what is necessary to help you, we only access with your permission (except when investigating policy violations or security issues), all access is logged and monitored, and access is limited to authorized support personnel who have signed confidentiality agreements.
2.8 TO ENABLE FEATURES YOU CHOOSE TO USE
Legal Basis: Contract performance (providing features you request) and Consent (when you enable specific features).
Some features require additional data collection or use. We use your information to enable features such as:
Third-Party Integrations:
Connect your Hoist account with accounting software (Xero, MYOB) to synchronize invoices and financial data
Connect payment processors to accept customer payments
Connect parts suppliers to check pricing and availability
Connect diagnostic databases to access vehicle information
Connect communication tools to send service reminders to customers
Calendar and Scheduling:
Display appointments and bookings in calendar format
Send appointment reminders to your customers
Sync with external calendars (Google Calendar, Outlook)
Automated Communications:
Send automated service reminder emails to your customers
Send appointment confirmations and reminders
Notify customers when their vehicle is ready
Send promotional offers to customers (if they opted in)
Reporting and Analytics:
Generate business reports about your workshop performance
Provide insights into your busiest periods, most profitable services, etc
Compare your performance to industry benchmarks (anonymized, aggregated data)
Mobile Access:
Sync your data to mobile devices for access in the workshop
Enable push notifications about important events
Allow offline access to some data
You control which features to enable. You can disable features, disconnect integrations, or turn off automated communications at any time in your account settings.
2.9 FOR ANALYTICS AND BUSINESS INTELLIGENCE
Legal Basis: Legitimate business interests (understanding our business, improving operations, making strategic decisions).
We use aggregated, anonymized information to:
Understand overall usage patterns across all Hoist users
Track growth in users, workshops, and usage
Measure feature adoption and success
Identify industry trends in automotive workshop management
Generate business intelligence for strategic planning
Create benchmark reports for the automotive service industry (anonymized)
Evaluate our business performance and growth
Make decisions about resource allocation and investment
Understand market needs and opportunities
Important: For analytics and business intelligence, we use aggregated, anonymized data that cannot identify you, your workshop, or your customers. We do not sell or share individual user data for analytics purposes.
2.10 WITH YOUR EXPLICIT CONSENT
Legal Basis: Consent (you explicitly agree to the use).
We may ask for your explicit consent to use your information for purposes not covered above, such as:
Participating in detailed case studies or success stories
Using your workshop name and logo in marketing materials
Participating in beta testing of significant new features
Taking part in research studies or surveys
Allowing us to share more detailed information about your usage with partners
Using your testimonials or reviews in our marketing
Appearing in promotional videos or photos
When we ask for consent, we will clearly explain what we want to do, why we want to do it, and how we will use your information. You can decline consent without any negative impact on your use of Hoist. You can withdraw consent at any time by contacting us at accounts@hoist.nz.
2.11 HOW WE USE CUSTOMER DATA YOU STORE
For information about your customers that you store in Hoist (customer names, contact details, vehicle information, service histories, etc), we use this data only as your data processor and only according to your instructions.
We process your customer data to:
Store it securely on our servers
Display it in your Hoist interface when you access it
Include it in reports you generate
Synchronize it across your devices
Back it up for disaster recovery
Include it in data exports when you request them
Transfer it to third-party integrations you enable
We do not use your customer data for our own purposes. We do not use customer data for marketing our services. We do not sell or share customer data with third parties (except service providers necessary to operate Hoist). We do not analyze individual customer data for our business intelligence.
You are responsible for how customer data is collected, used, and shared. You must comply with Privacy Act 2020 regarding your customers. You must provide privacy notices to your customers. See Section 10 for more details about your obligations as data controller for customer data.
SECTION 3: LEGAL BASIS FOR PROCESSING UNDER NEW ZEALAND LAW
Under the Privacy Act 2020, we must have a lawful purpose for collecting and using personal information, and we must not collect more information than is reasonably necessary for that purpose.
Our lawful purposes for processing personal information are:
Contract Performance:
Processing is necessary to perform our contract with you (the Terms of Service). This includes providing the Hoist Service, managing your account, processing payments, and delivering features you purchased.
Legitimate Business Interests:
Processing is necessary for our legitimate business interests, provided these interests do not override your privacy rights. Our legitimate interests include improving and developing our Service, ensuring security and preventing fraud, conducting analytics and research, managing our business operations, protecting our legal rights, providing customer support, and marketing our services to existing customers.
Legal Obligations:
Processing is necessary to comply with legal obligations, such as tax and financial reporting, responding to court orders or legal requests, complying with privacy law requirements, meeting record-keeping obligations, and reporting data breaches when required.
Consent:
In some cases, we ask for your explicit consent, such as marketing communications, optional features that require additional data, participation in case studies or research, and other uses we will clearly explain when requesting consent.
Vital Interests:
In rare cases, processing may be necessary to protect someone's vital interests (life or safety), such as if we need to share information with emergency services.
We do not collect personal information unless we have a lawful purpose, we do not use personal information for purposes incompatible with collection, we collect only information reasonably necessary for our purposes, and we store information securely and retain it only as long as necessary.
SECTION 4: HOW WE SHARE YOUR INFORMATION
We do not sell your personal information to anyone. We do not sell your customer data to anyone. We share information only in the limited circumstances described below.
4.1 SERVICE PROVIDERS AND DATA PROCESSORS
We share information with trusted third-party service providers who process data on our behalf to help us provide the Hoist Service.
Cloud Infrastructure Providers:
We use cloud hosting services to store and process your data. This may include providers such as Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure, or similar infrastructure providers. These providers operate the physical servers and data centers where your data is stored.
Data Storage Location: Your data is primarily stored in [specify location when determined - likely New Zealand, Australia, or a combination]. It may be replicated to other locations for backup and disaster recovery purposes. See Section 5 for more about data storage locations.
Payment Processors:
We use Stripe and potentially other payment processors to handle subscription payments. When you provide payment information, it goes directly to the payment processor. They process payments according to their privacy policies and PCI-DSS security standards.
Communication Service Providers:
We use email service providers (such as SendGrid, Mailgun, or similar) to send transactional emails, support communications, and notifications. We may use SMS providers to send text message notifications if you enable that feature. We use customer support platforms to manage support tickets and communications.
Analytics and Monitoring Services:
We may use analytics services (such as Google Analytics or similar tools) to understand how Hoist is used. We may use error tracking services (such as Sentry or similar) to identify and fix bugs. We may use performance monitoring tools to track Service reliability and speed.
Security Services:
We use security monitoring services to detect threats and attacks. We may use DDoS protection services to protect against denial-of-service attacks. We use services that scan for malware and security vulnerabilities.
All service providers are carefully selected, have contractual obligations to protect your data and use it only according to our instructions, may not use your data for their own purposes, must meet appropriate security standards, and are located in jurisdictions that provide adequate data protection or we ensure appropriate safeguards are in place.
We remain responsible for how our service providers handle your data. If you have concerns about our use of specific service providers, contact us at accounts@hoist.nz.
4.2 THIRD-PARTY INTEGRATIONS YOU ENABLE
When you choose to connect third-party services to your Hoist account, we share relevant data with those services according to your integration settings.
Examples of Integrations and Data Sharing:
Accounting Software (Xero, MYOB, QuickBooks):
We share invoice data, customer names for invoices, payment information, and financial transaction details. This allows your accounting records to stay synchronized with your Hoist invoices.
Payment Processors:
When customers pay through integrated payment systems, we share invoice amounts, customer names, and transaction details necessary to process the payment.
Parts Suppliers and Catalogues:
We may share vehicle information (make, model, year) to look up compatible parts. We share parts order information when you order parts through integrated suppliers.
Email and SMS Communication Providers:
We share customer names, email addresses, and phone numbers when you send service reminders, appointment confirmations, or other communications to your customers through Hoist.
Calendar Services:
If you sync Hoist with external calendar services, we share appointment information, customer names, and scheduling details.
You control which integrations to enable and what data to share. You can review integration settings in your account. You can disconnect any integration at any time. Each third-party service operates under its own privacy policy - review their policies to understand how they handle data. We are not responsible for how third-party services use data you share with them.
4.3 YOUR STAFF USERS
Within your Hoist account, information is shared among your staff users according to the permissions you set.
Account Administrators can access all data in your account, manage all settings, view all customer records and job cards, access all financial information, manage user accounts and permissions, and view activity logs.
Managers may have access to most data but with some restrictions based on permissions you configure.
Standard Users have limited access based on their role and the permissions you assign.
You are responsible for setting appropriate permissions for your staff, ensuring staff understand their obligations to protect customer information, removing access when employees leave your workshop, and monitoring user activity in your account.
All user activity is logged. You can review activity logs to see what actions users have taken.
4.4 LEGAL REQUIREMENTS AND PROTECTION OF RIGHTS
We may disclose information when required by law or to protect rights and safety.
Legal Obligations:
We disclose information when required to comply with court orders, subpoenas, or legal process. We respond to lawful requests from government authorities or law enforcement. We comply with tax, regulatory, or reporting requirements. We provide information in response to valid legal discovery in litigation.
When we receive legal requests for user information, we will notify you unless prohibited by law or court order, we will review requests to ensure they are legally valid, we will limit disclosure to information specifically requested, and we will object to overly broad or inappropriate requests when possible.
Protection of Rights and Safety:
We may disclose information to enforce our Terms of Service and protect our rights. We may share information to protect against fraud, security threats, or illegal activity. We may disclose information to protect our property and legal interests. We may share information to protect the rights, safety, and property of our users or the public. We may disclose information to investigate and prevent security incidents.
We will only disclose information when we believe in good faith that disclosure is reasonably necessary for these purposes.
4.5 BUSINESS TRANSFERS
If Hoist is involved in a merger, acquisition, sale of assets, bankruptcy, reorganization, or similar business transaction, your information may be transferred as part of that transaction.
In the event of a business transfer, your information may be transferred to the acquiring or successor entity. We will notify you before your information is transferred and becomes subject to a different privacy policy. The acquiring entity will be bound by this Privacy Policy (or you will be notified of changes). You will have the opportunity to delete your account before the transfer if you prefer.
We will take reasonable steps to ensure the acquiring entity provides adequate protection for your personal information.
4.6 AGGREGATED AND ANONYMIZED DATA
We may share aggregated, anonymized data that cannot identify you, your workshop, or your customers.
Examples of Aggregated, Anonymized Data:
Industry statistics about automotive workshop usage patterns. Benchmarks like average job completion times or common services performed. Anonymized research findings about workshop management practices. Performance statistics about Hoist (uptime, average response times). General information about Hoist user base (number of workshops, industries served).
This information cannot be used to identify individuals and is not considered personal information. We may use and share this data freely for research, marketing, industry reports, and business purposes.
4.7 WITH YOUR CONSENT
We may share your information with third parties when you give us explicit consent to do so.
Examples might include featuring your workshop in a case study, sharing your contact information with a partner at your request, or allowing a third party to access your account for specific purposes (such as consultants or accountants you authorize).
When we request consent for sharing, we will clearly explain who we want to share with, what information we want to share, why we want to share it, and how the recipient will use the information.
You can decline consent without impact on your Service. You can withdraw consent at any time by contacting accounts@hoist.nz.
SECTION 5: DATA STORAGE, SECURITY, AND PROTECTION
This section explains where your data is stored, how we protect it, and what security measures we have in place.
5.1 WHERE YOUR DATA IS STORED
Primary Storage Location:
Your data is primarily stored on secure servers in [to be specified - likely New Zealand, Australia, or both]. The specific location will be confirmed and documented here before full launch.
Backup and Redundancy:
We maintain backup copies of your data in multiple geographic locations for disaster recovery and business continuity. Backup locations may include New Zealand, Australia, and potentially other locations within Asia-Pacific region.
Cross-Border Data Transfers:
Your data may be transferred to, stored in, or processed in other countries including:
United States (for some cloud infrastructure providers like AWS, Google Cloud). Singapore or other Asia-Pacific locations (for redundancy, backup, or performance optimization). Other locations where our service providers operate.
When we transfer personal information outside New Zealand, we comply with Privacy Principle 12 (cross-border disclosure of personal information) by ensuring the recipient is subject to privacy laws that provide comparable safeguards to New Zealand law, or using contractual protections (such as Standard Contractual Clauses) to ensure your information is protected, or obtaining your consent to the transfer, or ensuring another exception under the Privacy Act 2020 applies.
By using Hoist, you consent to these international transfers of your data. We ensure appropriate protection is in place for all cross-border data transfers.
Data Center Security:
Our cloud infrastructure providers operate data centers with physical security measures including 24/7 monitoring and security staff, access controls and authentication, surveillance systems, environmental controls (fire suppression, cooling), backup power systems, and secure facility design.
5.2 HOW WE PROTECT YOUR DATA
We implement multiple layers of security to protect your information.
Technical Security Measures:
Encryption in Transit:
All data transmitted between your browser/device and our servers is encrypted using TLS/SSL (Transport Layer Security). We use strong encryption protocols (TLS 1.2 or higher). We enforce HTTPS for all connections. API communications are encrypted.
Encryption at Rest:
Sensitive data stored in our databases is encrypted at rest. We use industry-standard encryption algorithms (AES-256 or equivalent). Encryption keys are managed securely and separately from encrypted data. Backups are also encrypted.
Access Controls:
Role-based access control (RBAC) limits who can access what data. Multi-factor authentication is available (and required for admin accounts). Strong password requirements are enforced. Access to production systems is restricted to authorized personnel only. All access to production systems is logged and monitored.
Authentication and Session Security:
We use secure authentication mechanisms. Session tokens are generated securely and expire appropriately. Password are hashed using strong algorithms (bcrypt or Argon2). We detect and prevent brute force login attempts. We implement rate limiting on authentication endpoints.
Network Security:
Firewalls protect our infrastructure. Intrusion detection and prevention systems monitor for threats. We implement network segmentation to isolate systems. DDoS protection helps prevent denial-of-service attacks. Regular security scanning identifies vulnerabilities.
Application Security:
We follow secure coding practices. Input validation prevents injection attacks. Output encoding prevents cross-site scripting (XSS). Protection against cross-site request forgery (CSRF). Regular security code reviews. Automated security testing as part of development.
Database Security:
Databases are not directly exposed to the internet. Access requires authentication and authorization. Query logging helps detect suspicious activity. Regular backups are maintained. Database connections are encrypted.
API Security:
API authentication using secure tokens. Rate limiting prevents abuse. Input validation and output encoding. API versioning for security updates.
Organizational and Operational Security Measures:
Security Policies and Procedures:
Written information security policies. Incident response plan for security breaches. Regular review and update of security measures. Security governance and oversight.
Employee Access and Training:
Background checks for employees with access to systems or data. Confidentiality and non-disclosure agreements for all staff. Security awareness training for all employees. Specialized training for staff with data access. Limited access based on job requirements (principle of least privilege). Access is revoked immediately when employees leave.
Vendor Management:
Security requirements for all vendors and service providers. Regular review of vendor security practices. Contractual requirements for data protection.
Security Monitoring and Logging:
Comprehensive logging of system activity, user actions, and access. Real-time monitoring for suspicious activity and security events. Regular log review and analysis. Automated alerts for security incidents.
Vulnerability Management:
Regular security assessments and penetration testing. Prompt patching of security vulnerabilities. Monitoring of security advisories for software we use. Bug bounty program (or responsible disclosure program) for security researchers.
Backup and Disaster Recovery:
Regular automated backups of all data. Backups stored in multiple geographic locations. Regular testing of backup restoration procedures. Documented disaster recovery plan. Business continuity planning.
Beta Security Considerations:
During beta, we are actively improving security measures. If we identify security vulnerabilities during beta testing, we will address them promptly. We will notify affected users if a vulnerability is discovered that may have affected their data. We take security seriously even during beta and apply the same security standards as we will after full launch.
5.3 YOUR SECURITY RESPONSIBILITIES
Security is a shared responsibility. You must also take steps to protect your account and data.
Your Responsibilities:
Use a Strong, Unique Password:
Create a password that is at least 12 characters long. Use a mix of uppercase, lowercase, numbers, and symbols. Do not reuse passwords from other websites or services. Use a password manager to generate and store strong passwords.
Enable Multi-Factor Authentication:
Enable multi-factor authentication (MFA) in your account settings when available. Use an authenticator app (Google Authenticator, Authy, etc) or SMS codes. This significantly increases account security.
Keep Login Credentials Secure:
Do not share your password with anyone (including employees - create separate accounts for them). Do not write down passwords in insecure locations. Do not send passwords via email or text message. Do not store passwords in unencrypted files.
Secure Your Devices:
Keep your devices (computer, phone, tablet) secure with passwords or biometrics. Keep software and operating systems up to date with security patches. Use antivirus/antimalware software. Be cautious about installing software from unknown sources. Log out of Hoist when using shared or public devices.
Secure Your Network:
Use secure, trusted networks when accessing Hoist. Be cautious when using public WiFi networks. Consider using a VPN on untrusted networks. Ensure your home/business WiFi is password-protected with strong encryption (WPA2 or WPA3).
Monitor Your Account:
Regularly review your account activity. Check who has access to your account (user accounts). Remove access for employees who have left your workshop. Review integration connections periodically. Report suspicious activity immediately.
Manage User Access Appropriately:
Create separate accounts for each employee (do not share login credentials). Set appropriate permission levels for each user. Remove or disable accounts when employees leave. Regularly audit who has access to what.
Keep Contact Information Current:
Keep your email address up to date so we can contact you about security issues. Ensure you receive and read security notifications. Respond to verification requests promptly.
Report Security Issues:
If you discover a security vulnerability in Hoist, report it to accounts@hoist.nz immediately. If you suspect your account has been compromised, contact us immediately. If you notice suspicious activity, report it promptly.
Train Your Staff:
Ensure your employees understand the importance of security. Train staff not to share passwords or access credentials. Educate employees about phishing attempts and social engineering. Establish security policies for your workshop.
5.4 LIMITATIONS AND BREACH NOTIFICATION
No System is Perfectly Secure:
Despite our security measures, no system is completely secure against all possible threats. We cannot guarantee absolute security. Risks include sophisticated cyber attacks, zero-day vulnerabilities (unknown security flaws), insider threats, social engineering and phishing attacks, and compromises of third-party services.
Beta Software Risks:
Beta software may contain undiscovered security vulnerabilities. We are actively working to identify and fix security issues before general availability. If you discover a security issue, please report it responsibly to accounts@hoist.nz.
What We Will Do If There's a Breach:
If we become aware of a data breach that poses a risk of serious harm to you or your customers:
We will investigate the breach promptly to understand what happened, what data was affected, and how many users are impacted.
We will contain the breach and prevent further unauthorized access.
We will notify the Privacy Commissioner within 72 hours of becoming aware of the breach (as required by Privacy Act 2020 for notifiable privacy breaches).
We will notify affected individuals (you and potentially your customers if their data was affected) when required by law or when we determine notification is appropriate.
Our notification will include information about what happened, what data was affected, what we are doing to address the breach, what steps you should take to protect yourself, and how to contact us for more information.
We will take steps to prevent similar breaches in the future.
Your Breach Notification Obligations:
If customer data (your customers' personal information) is breached, you may have independent obligations to notify your customers under the Privacy Act 2020, since you are the data controller for that information. We will assist you by providing information about what customer data was affected and support you in meeting your notification obligations.
SECTION 6: DATA RETENTION - HOW LONG WE KEEP YOUR INFORMATION
We retain personal information only as long as necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.
6.1 RETENTION PERIODS FOR DIFFERENT TYPES OF DATA
Account Data (While Account is Active):
Your account information, business details, and user profiles are retained while your account is active. You can update this information at any time in your account settings.
Customer Data You Store (While Account is Active):
Customer information, vehicle records, job cards, invoices, and other data you enter into Hoist is retained for as long as you keep it. You control this data and can delete it at any time. We do not automatically delete customer data unless you delete it or close your account.
After Account Closure:
When you close your Hoist account:
Active data is deleted from our production systems within 30 days of account closure. Backup copies are deleted according to our backup rotation schedule (within 90 days of account closure). Some data may be retained longer if legally required (see below).
Financial and Billing Records:
Under New Zealand tax law, we must retain financial records for 7 years. This includes invoices issued to you, payment records, transaction history, and GST records. These records are retained for 7 years from the end of the financial year they relate to, even after your account is closed.
Support Communications:
Support tickets, email correspondence, and chat transcripts are retained for 2 years after the support issue is resolved. This helps us provide continuity if you contact support again about the same issue and helps us improve our support quality.
Usage Data and Logs:
Detailed usage logs and activity logs are retained for 90 days. Aggregated, anonymized analytics may be retained indefinitely. Security logs are retained for 1 year to help investigate security incidents.
Marketing Communications:
If you opt in to marketing communications, we retain your contact preferences until you unsubscribe. After you unsubscribe, we retain a record that you unsubscribed (to ensure we don't email you again) but delete other marketing-related data.
Legal Hold:
We may retain data longer than standard retention periods if required for ongoing legal proceedings or investigations, to comply with court orders or legal requirements, for government or regulatory requirements, to resolve disputes, to enforce our Terms of Service, or to defend against legal claims.
Data retained under legal hold is clearly marked and access is restricted to necessary personnel.
6.2 DATA DELETION
When retention periods expire or when you request deletion (and no legal requirement prevents it), we permanently delete your data.
Deletion Process:
Data is removed from active production databases. Indices and caches are cleared. Backup copies are deleted according to our backup rotation (may take up to 90 days for all backup copies to cycle out). Aggregated, anonymized data may be retained indefinitely (it cannot identify you).
Deletion is Permanent:
Once data is deleted, it cannot be recovered. We cannot restore deleted data after the 30-day grace period ends. Before deleting your account, export any data you want to keep.
Exceptions to Deletion:
We may refuse or delay deletion requests if we are legally required to retain the data (such as 7-year financial records), the data is necessary to resolve disputes or enforce our agreements, deletion is technically impossible during the legal retention period, or the data is part of an ongoing legal investigation or proceeding.
If we cannot delete data you request be deleted, we will explain why and indicate when the data will be eligible for deletion.
6.3 YOUR DATA EXPORT BEFORE DELETION
Before closing your account or deleting significant data, we strongly recommend exporting your information.
What You Can Export:
Customer records (names, contact details, vehicle information). Service history and job cards. Invoices and financial records. Parts inventory. Staff user information. Reports and analytics. Documents and photos you have uploaded.
How to Export:
Use the export tools in your account settings (typically CSV or Excel format for structured data, zip files for documents and images). For larger exports, contact our support team at accounts@hoist.nz.
Standard data exports are free. We do not charge fees for reasonable data export requests.
SECTION 7: YOUR PRIVACY RIGHTS
Under the Privacy Act 2020, you have important rights regarding your personal information. This section explains your rights and how to exercise them.
7.1 RIGHT TO ACCESS YOUR INFORMATION
You have the right to request confirmation of whether we hold your personal information and to access that information.
What You Can Access:
What personal information we hold about you. How we obtained your information. What we use your information for. Who we have shared your information with. How long we will retain your information.
How to Request Access:
For most information, log in to your Hoist account and view your account settings, profile information, and usage data. Many types of information are directly accessible in your account.
For information not available in your account, email accounts@hoist.nz with subject line "Privacy Access Request". Include your account email address for verification. Specify what information you want to access. We may need to verify your identity before providing information.
Our Response Timeline:
We will respond within 20 working days (as required by Privacy Act 2020). For complex requests, we may need up to 30 days and will inform you of any delay. We will provide information in a readable format (typically PDF or structured data file).
Fees:
Access is usually provided free of charge. For extensive or repeated requests, we may charge a reasonable fee to cover administrative costs. We will inform you of any fees before processing your request.
Limitations:
We may decline or limit access if providing access would breach someone else's privacy, would reveal commercially sensitive information, would prejudice law enforcement or legal proceedings, the request is frivolous or vexatious, or is otherwise not required by law.
If we decline access, we will explain why and inform you of your right to complain to the Privacy Commissioner.
7.2 RIGHT TO CORRECTION
You have the right to request correction of inaccurate, incomplete, or outdated personal information.
How to Request Correction:
For account information, update it directly in your account settings. Most account information can be edited by you without needing to contact us.
For information you cannot edit yourself, email accounts@hoist.nz with subject line "Privacy Correction Request". Specify what information is incorrect. Provide the correct information. Include evidence or explanation if the correction is not obvious.
Our Response Timeline:
We will respond within 20 working days. If we agree the information is incorrect, we will correct it promptly. If we refuse correction (for example, if we believe the information is accurate), we will explain why and attach a statement of the correction you requested to our records.
If We Correct Information:
We will take reasonable steps to notify other parties to whom we have disclosed the incorrect information, if that notification is reasonable and practicable.
If information you request corrected is your customer data (stored by you in Hoist), you can correct it directly in Hoist at any time. For customer data, you are the data controller and it is your responsibility to keep it accurate.
7.3 RIGHT TO DELETION (ERASURE)
You have the right to request deletion of your personal information in certain circumstances.
When You Can Request Deletion:
The information is no longer necessary for the purposes it was collected. You withdraw consent (where consent was the legal basis for processing). You object to processing and there are no overriding legitimate grounds for us to continue. The information was unlawfully collected or used. Deletion is required by law.
How to Request Deletion:
To close your account and delete all your data, use the account deletion feature in your account settings, or email accounts@hoist.nz with subject line "Privacy Deletion Request".
To delete specific data (not your entire account), specify exactly what information you want deleted and email accounts@hoist.nz.
Our Response Timeline:
We will respond within 30 days. If we agree to deletion, we will delete your data within 30 days from active systems (backups deleted within 90 days). If we decline deletion, we will explain why.
Limitations on Deletion:
We may decline or delay deletion if we are legally required to retain the information (for example, 7-year retention for financial records), the data is necessary to resolve disputes or enforce our Terms of Service, deletion would prejudice ongoing legal proceedings or investigations, or the data is subject to a legal hold.
If we cannot delete immediately, we will inform you when the data will be eligible for deletion.
Important Note About Customer Data:
For customer data you store in Hoist (your customers' information), you control deletion. You can delete customer records at any time in Hoist. When you delete customer data in Hoist, it is permanently deleted according to the timeline above.
If your customers request deletion of their data, you must handle those requests. We can assist by deleting the data from Hoist when you request it, but the obligation to respond to your customers' deletion requests is yours (as the data controller).
7.4 RIGHT TO OBJECT TO PROCESSING
You have the right to object to processing of your personal information in certain circumstances, particularly processing based on legitimate interests.
When You Can Object:
Processing based on our legitimate business interests (you can object and we will stop unless we have compelling legitimate grounds). Direct marketing (you can always object to marketing). Research or statistical purposes (you can object).
You cannot object to processing that is necessary to perform our contract with you (providing the Hoist Service), required to comply with legal obligations, or necessary to protect vital interests.
How to Object:
Email accounts@hoist.nz with subject line "Privacy Objection". Explain what processing you object to and why. We will evaluate your objection and respond within 20 working days.
If Your Objection is Valid:
We will stop the processing you objected to unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims.
Specific Objection to Marketing:
You can object to marketing communications at any time by clicking "Unsubscribe" in any marketing email, or updating your communication preferences in account settings. We will stop marketing communications immediately (typically within 48 hours).
7.5 RIGHT TO DATA PORTABILITY
You have the right to receive your personal information in a structured, commonly used, machine-readable format and to transmit it to another service provider.
What Data You Can Port:
Account information. Business and workshop details. User profiles. Customer records you store in Hoist. Job cards and service histories. Invoices and financial records. Other data you have provided to Hoist.
This right applies to data you provided to us or that was generated through your use of the Service.
How to Request Data Portability:
Use the export tools in your account settings to download your data in portable formats (CSV, Excel, JSON). For large exports or specific format requests, email accounts@hoist.nz with subject line "Data Portability Request". Specify what data you want and what format you prefer.
Formats We Provide:
CSV (Comma-Separated Values) for structured data like customer lists, job cards, invoices. Excel spreadsheets for financial data and reports. JSON for technical data or API-style exports. PDF for documents and reports. ZIP files for collections of documents and images.
Timeline and Fees:
We will provide your data within 30 days. Standard exports are free of charge. Large or complex exports may take longer and we will inform you of the timeline.
7.6 RIGHT TO WITHDRAW CONSENT
Where we process your personal information based on consent, you can withdraw consent at any time.
How to Withdraw Consent:
For marketing communications, click "Unsubscribe" in emails or update communication preferences in settings. For optional features, disable the feature in your account settings. For other consent-based processing, email accounts@hoist.nz with subject line "Withdraw Consent" and specify what consent you are withdrawing.
Effect of Withdrawing Consent:
We will stop the processing based on that consent. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal. Withdrawal of consent for essential service functions may mean we cannot provide certain features or may need to close your account (for example, if you withdraw consent to process data necessary for the core Service).
7.7 RIGHT TO COMPLAIN
If you believe we have breached the Privacy Act 2020 or mishandled your personal information, you have the right to complain.
Complain to Us First:
We prefer to resolve concerns directly. Email accounts@hoist.nz with subject line "Privacy Complaint". Explain your concern or complaint. Provide relevant details and documentation. We will investigate and respond within 20 working days.
Complain to the Privacy Commissioner:
If you are not satisfied with our response, or if you prefer to complain directly to the regulator, you can contact:
Office of the Privacy Commissioner
PO Box 10094
Wellington 6143
New Zealand
Phone: 0800 803 909
Email: enquiries@privacy.org.nz
Website: www.privacy.org.nz
The Privacy Commissioner can investigate complaints, make findings about whether the Privacy Act has been breached, require us to take corrective action, and issue binding directions.
No Retaliation:
We will not retaliate against you or take any negative action for exercising your privacy rights or filing a privacy complaint.
SECTION 8: COOKIES AND TRACKING TECHNOLOGIES
We use cookies and similar technologies to provide and improve Hoist. This section explains what technologies we use and how you can control them.
8.1 WHAT ARE COOKIES AND HOW WE USE THEM
Cookies are small text files stored on your device by your web browser. They help us recognize your device and remember information about your visit.
Categories of Cookies We Use:
Essential Cookies (Strictly Necessary):
These cookies are required for Hoist to function properly. You cannot disable these cookies without breaking core functionality.
Authentication cookies: Keep you logged in to your account between page loads.
Session cookies: Maintain your session as you navigate through Hoist.
Security cookies: Protect against fraud and unauthorized access (CSRF tokens, etc).
Load balancing cookies: Distribute traffic across our servers for reliability.
These cookies typically expire when you close your browser or after a set period (usually 24 hours to 30 days for authentication cookies).
Functional Cookies:
These cookies remember your preferences and settings to provide a better experience.
User interface preferences: Dark mode, layout preferences, default views.
Language and locale settings: Which language you prefer, time zone, date format.
Recent items: Recently viewed customers or job cards for quick access.
Form data: Temporarily store form inputs to prevent data loss.
Filter settings: Remember filters you applied to lists or reports.
Collapsed/expanded sections: Remember which sections of the interface you expanded or collapsed.
You can disable functional cookies, but it may reduce functionality and you will need to reset your preferences each time you visit.
Analytics Cookies:
These cookies help us understand how you use Hoist so we can improve it.
Usage tracking: Which features you use, how often, and for how long.
Feature adoption: Are new features being discovered and used?
Performance monitoring: Page load times, response times, errors encountered.
Conversion tracking: Did you complete key actions like creating your first invoice?
A/B testing: Testing different versions of features to see which works better.
We may use third-party analytics services (such as Google Analytics) which set their own cookies.
During beta, we use analytics cookies more extensively to understand usage patterns and improve the product.
8.2 OTHER TRACKING TECHNOLOGIES
Local Storage and Session Storage:
We use browser local storage and session storage to cache data for better performance, store temporary working data (like a draft invoice before you save it), enable offline viewing of some data, and reduce server requests for faster loading.
Local storage persists until explicitly deleted. Session storage clears when you close the browser tab.
Web Beacons (Tracking Pixels):
We may use web beacons (small transparent images) in emails to track whether you opened the email and which links you clicked. This helps us understand engagement with our communications and improve email effectiveness.
You can disable web beacons by disabling image loading in your email client.
Mobile SDKs and Identifiers:
Our mobile apps may use analytics SDKs (software development kits) to track app usage, crashes, and performance. Mobile device identifiers may be collected (device ID, advertising ID if you have not disabled it).
You can limit tracking in your mobile device settings (iOS: Settings > Privacy > Tracking; Android: Settings > Google > Ads).
8.3 THIRD-PARTY COOKIES
Third-party services we integrate with may set their own cookies. These include analytics providers (like Google Analytics), payment processors (like Stripe), customer support tools (if we implement chat support), and other integrated services.
We do not control third-party cookies. These cookies are governed by the third party's privacy policy, not ours.
8.4 YOUR CHOICES ABOUT COOKIES
Managing Cookies in Hoist:
Essential cookies cannot be disabled (Hoist won't work without them). When we implement cookie preference settings, you will be able to manage functional and analytics cookies in your account settings. Marketing cookies (if we use them in the future) can always be disabled.
Browser Settings:
You can control cookies through your web browser settings:
Most browsers allow you to block all cookies, block third-party cookies, or delete cookies. Check your browser's help documentation for instructions.
Be aware that blocking essential cookies will prevent Hoist from working properly. You will not be able to log in or use the Service if you block all cookies.
Do Not Track:
Some browsers send a "Do Not Track" (DNT) signal to websites. Currently, there is no industry standard for how to respond to DNT signals, so we do not alter our behavior based on DNT signals. This may change in the future as standards develop.
Mobile Device Settings:
You can limit mobile tracking through device settings:
iOS: Settings > Privacy & Security > Tracking (disable "Allow Apps to Request to Track")
iOS: Settings > Privacy & Security > Apple Advertising (disable "Personalized Ads")
Android: Settings > Privacy > Ads (enable "Opt out of Ads Personalization")
SECTION 9: CHILDREN'S PRIVACY
Hoist is intended for business use and is not designed for children.
9.1 AGE RESTRICTIONS
Minimum Age: Hoist is not intended for individuals under 13 years old. We do not knowingly collect personal information from children under 13.
Ages 13-17: If you are between 13 and 17 years old, you need permission from a parent or guardian to use Hoist. Your parent or guardian must agree to our Terms of Service and this Privacy Policy on your behalf.
As stated in our Terms of Service, if you are under 18, you need permission from a parent or guardian who must agree to these Terms on your behalf and supervise your use.
9.2 CHILDREN'S DATA IN CUSTOMER RECORDS
Your workshop may serve customers who are under 18 (for example, a teenager with their first car). If you collect personal information about customers under 18:
You are responsible for complying with privacy laws regarding children's information. You may need parental consent to collect and use personal information of customers under 16 (or other age depending on applicable law). You should have policies about how you handle information of minor customers. You must protect children's information with appropriate security.
Hoist provides the tools to store this information, but you are the data controller and responsible for lawful collection and use.
9.3 IF WE DISCOVER CHILDREN'S INFORMATION
If we discover that we have inadvertently collected personal information directly from a child under 13 (not as customer data you stored, but as account holder information), we will delete it promptly upon discovery.
Parents: If you believe your child under 13 has provided personal information to us directly, contact us immediately at accounts@hoist.nz with subject line "Child Privacy" and we will delete the information.
SECTION 10: CUSTOMER DATA PROCESSING - YOUR ROLE AS DATA CONTROLLER
This is one of the most important sections if you store your customers' personal information in Hoist. It explains the division of responsibilities between you and us.
10.1 YOU ARE THE DATA CONTROLLER, WE ARE THE DATA PROCESSOR
When you store personal information about your customers in Hoist (customer names, addresses, phone numbers, vehicle information, service histories, etc), the legal responsibilities are divided:
You are the Data Controller (Agency under Privacy Act 2020):
You determine what customer information to collect. You decide what customer information to store in Hoist. You determine how customer information is used. You decide who in your workshop can access customer information. You choose what to do with customer information (keep it, update it, delete it). You are responsible for complying with privacy laws regarding your customers.
We are the Data Processor:
We provide the software platform (Hoist) where you can store customer information. We process customer information only according to your instructions (what you tell Hoist to do). We provide security to protect customer information on our servers. We don't use customer information for our own purposes. We don't make decisions about how customer information is used.
This relationship is governed by our Terms of Service and, if needed, a separate Data Processing Addendum.
10.2 YOUR OBLIGATIONS AS DATA CONTROLLER
As the data controller for your customer information, you have legal obligations under the Privacy Act 2020.
Collection Obligations:
You must collect customer information lawfully and fairly. You must collect only information reasonably necessary for your workshop business purposes. You must not collect information by unlawful or unfair means. You must not intrude unreasonably upon personal affairs of customers.
Privacy Notices to Your Customers:
You must inform your customers when you collect their personal information. You should provide a privacy notice or policy to your customers explaining what information you collect, why you collect it, how you use it, that you use Hoist to store and manage their data, who you may share it with, how long you keep it, and how they can access or correct their information.
Many workshops include privacy information on their booking forms, websites, or in their premises.
Lawful Basis for Processing:
You need a lawful basis to collect and use customer personal information. Typical lawful bases include providing services the customer requested (contract performance), complying with legal obligations (such as warranty records), legitimate business interests (such as marketing with appropriate consent), or consent from the customer.
Consent Requirements:
For some uses of customer information, you need consent, particularly for marketing communications to customers, sharing information with third parties beyond service delivery, or using information for purposes beyond the services requested.
Consent must be freely given, specific, informed, and unambiguous. Customers must be able to withdraw consent easily.
Customer Rights:
You must respond to customer requests to access their information, correct inaccurate information, or delete their information (with some exceptions for legal retention). You must handle customer privacy complaints.
If a customer contacts you requesting access to or deletion of their information, you need to respond appropriately. You can use Hoist's tools to fulfill these requests (export customer data, delete customer records).
Data Quality:
You must take reasonable steps to ensure customer information is accurate, complete, and up to date. You should correct inaccurate information when you become aware of it. You should delete information when it is no longer needed for a lawful purpose.
Security:
You must protect customer information with appropriate security measures. This includes using strong passwords for your Hoist account, managing user access appropriately, and not sharing customer information insecurely.
Retention:
You must not keep customer information longer than necessary. You should have a retention policy. Some information may need to be kept for legal reasons (such as tax records for 7 years), but other information should be deleted when no longer needed.
Data Breach Notification:
If customer information is breached, you may have obligations under Privacy Act 2020 to notify affected customers if the breach causes serious harm or is likely to cause serious harm, and notify the Privacy Commissioner if required.
We will assist by informing you if customer data in Hoist is breached, but the ultimate responsibility to notify your customers is yours.
10.3 OUR OBLIGATIONS AS DATA PROCESSOR
As the data processor for your customer information, we have obligations to you and your customers.
Processing According to Your Instructions:
We process customer data only to provide the Hoist Service to you. We do not use customer data for our own purposes (such as marketing our services). We process data according to your instructions (what you do in Hoist - create, update, delete customer records).
Security:
We implement appropriate technical and organizational security measures to protect customer data (see Section 5). We protect customer data with the same security measures we use for all data in Hoist.
Confidentiality:
We treat customer data as confidential. Our staff are bound by confidentiality obligations. We limit access to customer data to authorized personnel who need access to provide the Service.
Subprocessors:
We may use subprocessors (service providers) to help provide the Service, such as cloud infrastructure providers (AWS, Google Cloud, etc), backup and disaster recovery services, and security and monitoring services.
We ensure subprocessors have appropriate data protection obligations. We remain responsible for how subprocessors handle customer data. We can provide a list of subprocessors upon request.
Assisting You with Privacy Obligations:
We will assist you in responding to customer access requests by providing data export tools. We will assist with deletion requests by deleting data when you request. We will notify you of data breaches affecting customer data within 72 hours. We will cooperate with privacy audits if required.
Data Breach Notification:
If we become aware of a data breach affecting customer data stored in Hoist, we will notify you within 72 hours with details about what data was affected, how the breach occurred, what we are doing to address it, and recommendations for what you should communicate to affected customers.
You are then responsible for determining whether to notify your customers and the Privacy Commissioner based on the circumstances.
Data Returns and Deletion:
When you close your account or delete customer data, we will delete it according to our data retention policy (see Section 6). We will not retain customer data longer than necessary except for legal requirements.
10.4 DATA PROCESSING ADDENDUM
For customers who need a formal Data Processing Addendum (DPA), particularly if you process personal information of European Union residents (subject to GDPR), we can provide a DPA that includes detailed data processing terms, security commitments, audit rights, subprocessor lists, liability provisions, and Standard Contractual Clauses for international data transfers.
To request a Data Processing Addendum, contact us at accounts@hoist.nz with subject line "DPA Request".
10.5 EXAMPLE SCENARIO - HOW THE DIVISION WORKS
Example: A customer of your workshop, Jane Smith, contacts you requesting deletion of her information.
Your Responsibility (as Data Controller):
Evaluate the request. Determine if you can delete the information or if legal requirements prevent deletion (such as tax records). Respond to Jane within the required timeframe. If you agree to delete, remove her information from Hoist. Confirm deletion to Jane.
Our Responsibility (as Data Processor):
Provide tools in Hoist for you to delete Jane's customer record. Permanently delete the data from our servers when you delete it in Hoist. Ensure the data is also deleted from backups according to our retention schedule.
We do not interact with Jane directly. Our relationship is with you, and we process data according to your instructions.
SECTION 11: CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, service features, or other factors.
11.1 HOW WE NOTIFY YOU OF CHANGES
For Material Changes:
Material changes that significantly affect how we handle your information or your rights will be communicated as follows:
We will email you at least 30 days before the changes take effect. We will post a prominent notice in the Hoist application. We will update the "Last Updated" date at the top of this Policy. We may require you to acknowledge the updated Policy when you next log in.
Examples of material changes include significant new data collection practices, major changes to how we use data, changes to data sharing practices, reduction in your privacy rights, or changes to our data retention periods.
For Minor Changes:
Minor changes such as clarifying existing practices, correcting typos, updating contact information, or reformatting for clarity may be made without advance notice. We will update the "Last Updated" date at the top of the Policy.
Beta to General Availability:
When Hoist transitions from beta to general availability, this Privacy Policy may be updated to remove beta-specific provisions, clarify practices now that the service is fully launched, or reflect new features or changes. We will provide at least 60 days notice of any material changes during this transition.
11.2 YOUR ACCEPTANCE OF CHANGES
Your continued use of Hoist after changes take effect means you accept the updated Privacy Policy. If you do not agree to changes, please stop using the Service and close your account before the changes take effect (see Section 7.3 for how to request account deletion).
11.3 REVIEWING FOR UPDATES
We recommend reviewing this Privacy Policy periodically to stay informed about how we protect your information. The most current version is always available at https://hoist.nz/privacy-policy and in your account settings under Legal or Privacy.
SECTION 12: INTERNATIONAL USERS AND DATA TRANSFERS
Hoist is operated from New Zealand and governed by New Zealand law, but may be used by customers internationally.
12.1 NEW ZEALAND OPERATION
Hoist Software LTD is a New Zealand company (Company Number: 8842848, NZBN: 9429051507626). We operate under New Zealand law. The Privacy Act 2020 (New Zealand) governs how we handle personal information. The Office of the Privacy Commissioner (New Zealand) has jurisdiction over privacy matters.
12.2 USE FROM OUTSIDE NEW ZEALAND
If you use Hoist from outside New Zealand, your information may be transferred to, stored in, and processed in New Zealand and other countries where we or our service providers operate.
By using Hoist, you consent to the transfer of your information to New Zealand and other countries where data protection laws may differ from those in your country.
We ensure appropriate protections are in place for international data transfers as described in Section 5.
12.3 EUROPEAN ECONOMIC AREA (EEA) AND UNITED KINGDOM USERS
If you are located in the EEA or UK, the General Data Protection Regulation (GDPR) and UK GDPR may apply to you in addition to this Privacy Policy.
GDPR Rights:
You have rights under GDPR including right of access, right to rectification, right to erasure (right to be forgotten), right to restriction of processing, right to data portability, right to object to processing, and rights related to automated decision-making and profiling.
These rights are similar to (but may be broader than) the rights under New Zealand Privacy Act 2020 described in Section 7.
Legal Basis Under GDPR:
Our legal bases for processing under GDPR include contract performance (necessary to provide Hoist services), legitimate interests (service improvement, security, fraud prevention), legal obligations (tax laws, compliance), and consent (marketing, optional features).
Data Protection Officer:
For GDPR-related inquiries, you can contact us at accounts@hoist.nz with subject "GDPR Inquiry".
International Data Transfers:
When we transfer your data from the EEA or UK to New Zealand or other countries, we use appropriate safeguards such as Standard Contractual Clauses (also called Model Clauses), adequacy decisions (if New Zealand is deemed adequate by EU Commission), or other approved transfer mechanisms.
Supervisory Authority:
EEA users can complain to their local data protection authority. UK users can complain to the Information Commissioner's Office (ICO).
12.4 AUSTRALIAN USERS
If you are located in Australia, the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) may apply to you.
We comply with both New Zealand and Australian privacy requirements where we have Australian users. Australian users have similar rights to those described in Section 7.
Australian users can complain to the Office of the Australian Information Commissioner (OAIC) if they believe we have breached Australian privacy law.
12.5 OTHER JURISDICTIONS
If you are located in another jurisdiction with specific privacy laws, those laws may apply to you in addition to this Policy. You are responsible for ensuring your use of Hoist complies with laws applicable to you.
If your local privacy laws conflict with this Policy, contact us at accounts@hoist.nz to discuss appropriate arrangements.
SECTION 13: CONTACT US ABOUT PRIVACY
If you have questions about this Privacy Policy, how we handle your information, or wish to exercise your privacy rights, please contact us.
13.1 PRIVACY INQUIRIES
General Privacy Questions:
Email: accounts@hoist.nz
Subject Line: Privacy Inquiry
Include your account email address and details of your question.
We will respond to general privacy inquiries within 5 business days.
13.2 PRIVACY REQUESTS
For specific privacy requests, use these subject lines to help us route your request quickly:
"Privacy Access Request" - to access your personal information
"Privacy Correction Request" - to correct inaccurate information
"Privacy Deletion Request" - to delete your information
"Data Portability Request" - to export your data
"Privacy Objection" - to object to processing
"Withdraw Consent" - to withdraw consent
"Privacy Complaint" - to file a privacy complaint
Email: accounts@hoist.nz
Include:
Your name and account email address for verification. Specific details about your request. Any relevant documentation or explanation.
We may need to verify your identity before processing privacy requests. We will respond within 20 working days (as required by Privacy Act 2020), or within 30 days for complex requests.
13.3 COMPANY CONTACT INFORMATION
Hoist Software LTD
Company Number: 8842848
NZBN: 9429051507626
Email: accounts@hoist.nz
Website: https://hoist.nz
Physical Address: (To be provided when office location finalized)
13.4 PRIVACY REGULATOR
If you are not satisfied with our response to a privacy inquiry or complaint, or if you prefer to contact the regulator directly:
Office of the Privacy Commissioner
PO Box 10094
Wellington 6143
New Zealand
Phone: 0800 803 909
Email: enquiries@privacy.org.nz
Website: www.privacy.org.nz
The Privacy Commissioner can investigate complaints, make findings, and issue binding directions regarding privacy breaches.
SECTION 14: ADDITIONAL INFORMATION
14.1 AUTOMATED DECISION-MAKING AND PROFILING
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Any analytics or algorithms we use are for service improvement and do not make decisions about your access, rights, or treatment.
14.2 SENSITIVE INFORMATION
We do not intentionally collect sensitive personal information such as health information, biometric data, racial or ethnic origin, religious beliefs, sexual orientation, or criminal records.
If you choose to store sensitive information about your customers in Hoist job notes or customer records (for example, medical information relevant to accessibility needs), you are responsible for obtaining appropriate consent and providing required protections under privacy law. You should carefully consider whether storing sensitive information is necessary and lawful.
14.3 ANONYMIZATION AND AGGREGATION
We may create anonymized or aggregated data from personal information. Once data is truly anonymized (cannot be linked back to an individual), it is not considered personal information and we may use and share it freely for analytics, research, benchmarking, marketing, industry reports, and business purposes.
For example, we might create industry benchmarks like "average job completion time for brake repairs across all workshops" or "percentage of workshops using mobile apps." This anonymized data helps us and the industry understand trends but does not identify any individual workshop or customer.
14.4 YOUR CUSTOMER PRIVACY POLICY
As a workshop owner using Hoist to store customer information, you should have your own privacy policy to provide to your customers. Your privacy policy should explain to customers what information you collect, why you collect it, how you use it, that you use Hoist to manage their information, how long you keep it, who you share it with, and how they can access or correct their information.
Your privacy policy can reference this Privacy Policy for details about how Hoist protects data, but you need your own policy covering your specific workshop practices.
14.5 LINKS TO THIRD-PARTY WEBSITES AND SERVICES
Hoist may contain links to third-party websites or services (such as parts supplier websites, manufacturer sites, or other resources). This Privacy Policy does not apply to those third-party sites. Third-party sites have their own privacy policies. We are not responsible for the privacy practices of third-party sites. Review their privacy policies before providing information to them.
14.6 JOB APPLICANTS
If you apply for a job at Hoist Software LTD, we collect and process your application materials (resume, cover letter, references) for recruitment purposes. Job applicant information is handled separately from customer information and is subject to its own privacy practices. Contact accounts@hoist.nz for information about applicant privacy.
14.7 BUSINESS CONTACTS AND PARTNERS
If you interact with us as a business partner, supplier, vendor, or professional contact (not as a Hoist customer), we collect and use your business contact information (name, company, email, phone) for business relationship purposes. This information is handled separately from customer information.
SECTION 15: PRIVACY ACT 2020 INFORMATION PRIVACY PRINCIPLES COMPLIANCE STATEMENT
This section confirms our compliance with each of the 13 Information Privacy Principles under the Privacy Act 2020.
IPP 1 - Purpose of Collection:
We collect personal information for lawful purposes connected with our business functions and activities (providing workshop management software). Collection is necessary for our business operations. We do not collect information for unlawful purposes.
IPP 2 - Source of Personal Information:
We collect personal information directly from you wherever it is reasonable and practicable. We collect directly when you register, use Hoist, and interact with us. We collect from third parties (integrations, service providers) only with appropriate authorization or lawful basis.
IPP 3 - Collection of Information from Subject:
When we collect information directly from you, we take reasonable steps to ensure you are aware of the purpose of collection, how to contact us, whether collection is voluntary or required, and who will receive the information.
This Privacy Policy serves as our collection notice, and we make it available before or at the time of collection.
IPP 4 - Manner of Collection:
We collect information lawfully, fairly, and in a manner that is not unreasonably intrusive. We do not use unlawful or unfair means to collect information. We do not intrude unreasonably upon personal affairs of individuals.
IPP 5 - Storage and Security:
We protect personal information with appropriate security safeguards against loss, unauthorized access, use, modification, disclosure, and other misuse. Our security measures are described in Section 5. We take reasonable steps to ensure staff, contractors, and service providers protect information.
IPP 6 - Access to Personal Information:
Individuals have the right to request access to their personal information (subject to exceptions). We provide mechanisms for individuals to access their information (account settings, access requests). We respond to access requests within required timeframes (20 working days). See Section 7.1.
IPP 7 - Correction of Personal Information:
Individuals have the right to request correction of inaccurate information. We provide mechanisms to correct information (account settings, correction requests). We respond to correction requests within required timeframes (20 working days). If we refuse correction, we attach a statement of the requested correction. See Section 7.2.
IPP 8 - Accuracy:
We take reasonable steps to ensure personal information is accurate, up to date, complete, and relevant before we use it. We encourage users to keep their information current. We correct information when we become aware of inaccuracies.
IPP 9 - Retention:
We do not keep personal information longer than is required for the purposes for which it may lawfully be used. We have retention schedules (see Section 6). We delete information when retention periods expire (subject to legal requirements).
IPP 10 - Limits on Use:
We use personal information only for the purposes for which it was collected, related purposes the individual would reasonably expect, or other purposes authorized by law or consented to by the individual. We do not use information for unrelated purposes without authorization.
IPP 11 - Limits on Disclosure:
We disclose personal information only as permitted by this Privacy Policy and law. We do not disclose to third parties except as described in Section 4. We ensure recipients are authorized to receive the information and will protect it.
IPP 12 - Unique Identifiers:
We only assign unique identifiers (account IDs, customer IDs) when necessary for our business functions. We do not adopt government-assigned identifiers (like driver's license numbers) as our own identifiers. Unique identifiers are used only for their assigned purpose.
IPP 13 - Information Matching:
We do not participate in information matching programs as defined in the Privacy Act 2020.
IPP 12 - Cross-Border Disclosure:
When we disclose personal information to recipients outside New Zealand, we take reasonable steps to ensure the recipient protects the information in a manner comparable to New Zealand law, or we use contractual protections (Standard Contractual Clauses), or we obtain consent for the cross-border disclosure, or we ensure another exception applies.
See Section 5 for information about cross-border data transfers and locations where data is stored.
ACCEPTANCE OF THIS PRIVACY POLICY
By using Hoist, creating an account, or providing personal information to us, you acknowledge that:
You have read and understood this Privacy Policy. You agree to the collection, use, storage, and sharing of your information as described in this Policy. You consent to international transfers of your information as described in this Policy. You understand your privacy rights and how to exercise them. If you are providing information about others (your staff, your customers), you represent that you have authority to provide that information and have obtained necessary consents.
If you do not agree to this Privacy Policy, please do not use Hoist or provide personal information to us.
EFFECTIVE DATE
This Privacy Policy is effective as of November 10, 2025.
POLICY VERSION
This is Version 1.0 (Beta) of the Hoist Privacy Policy.
END OF PRIVACY POLICY
Last Updated: November 10, 2025
Version: 1.0 (Beta)
Hoist Software LTD
Company Number: 8842848
NZBN: 9429051507626
Website: https://hoist.nz
Email: accounts@hoist.nz
Copyright 2025 Hoist Software LTD. All rights reserved.
This Privacy Policy is governed by New Zealand law and subject to the jurisdiction of the Office of the Privacy Commissioner of New Zealand.
Connect
Support
accounts@hoist.nz
+64 4 242 0665
© 2025. All rights reserved.