Privacy Policy
Last updated: March 2026
1. Who we are
Freehold KiwiSaver Limited ("Freehold", "we", "us") operates a client portal at app.freehold.nz to help New Zealanders with their KiwiSaver and financial planning.
Financial advice is provided by Damian Sligo-Green (FSP1011603), who operates under the Financial Advice Provider licence of Booster Financial Services Limited (FSP28287).
Damian Sligo-Green is Freehold's Privacy Officer. If you have any questions about how we handle your information, contact us at support@freehold.nz.
This policy explains how we collect, use, store, and share your personal information in accordance with the New Zealand Privacy Act 2020.
2. What information we collect
| Category | Examples | When we collect it |
|---|---|---|
| Identity and contact | Name, email address, phone number | Account creation |
| Authentication | Password (hashed), Google account link | Account creation |
| Financial situation | Income, assets, liabilities, insurance, KiwiSaver balance | Fact-find |
| Goals and preferences | Retirement age, savings goals, risk tolerance | Fact-find, risk profiler |
| Booking information | Consultation times, meeting notes | Cal.com booking |
| Technical data | Browser type, IP address, session tokens | Automatic |
We collect information directly from you when you use the Portal. We do not purchase data from third parties or collect information about you from other sources, except for fund data from the Booster API (which does not include your personal information).
3. Why we collect it
We use your information for five purposes:
- To provide the service — operating your account, displaying your dashboard, running projections.
- To facilitate financial advice — sharing your information with your assigned adviser so they can provide personalised KiwiSaver advice.
- To communicate with you — sending transactional emails such as account confirmations, risk profiler results, and meeting reminders.
- To meet our regulatory obligations — record-keeping under the Financial Markets Conduct Act 2013, and identity verification under the AML/CFT Act 2009 when required.
- To maintain and improve the service — monitoring for security issues and understanding how the Portal is used.
We do not use your information for marketing without your separate consent. We do not sell your data to anyone.
4. How we store and protect your data
We take the security of your information seriously. Our protections include:
- Row Level Security (RLS) — our database enforces data isolation. You can only see your own data. Your adviser can only see data for clients assigned to them.
- Encryption — all data is encrypted in transit (HTTPS/TLS) and at rest.
- Access controls — only your assigned adviser and a limited number of system administrators can access your data.
- Hosting — our database and authentication are hosted by Supabase in Sydney, Australia. The Portal is hosted on Vercel with Sydney as the primary region.
5. Who can access your information
| Who | What they can see | Why |
|---|---|---|
| You | All your own data through the Portal | It's your information |
| Your assigned adviser | Your financial profile, goals, risk tolerance, and fact-find data | To provide personalised financial advice |
| Freehold administrators | All user data | Platform maintenance, security, and support |
| Booster Financial Services | Information required for regulatory compliance | FAP licence obligations |
| Law enforcement or regulators | As required by law | Legal obligation (e.g., AML/CFT requirements) |
We do not share your personal information with anyone else unless you give us permission or we are required to by law.
6. Third-party services
We use the following services to operate the Portal. Some are based outside New Zealand:
| Service | What data they receive | Location | Purpose |
|---|---|---|---|
| Supabase | All Portal data (personal info, financial data, auth) | Sydney, Australia | Database and authentication |
| Vercel | Request data, IP addresses | Global (Sydney primary) | Application hosting |
| Loops.so | Email address, name | United States | Transactional emails |
| Cal.com | Name, email, booking details | United States | Appointment scheduling |
| Booster API | Fund queries only (no personal data) | New Zealand | Fund data and valuations |
| Twenty CRM | Name, email, advisory stage | Self-hosted (NZ) | Client relationship management |
| Auth tokens (if you use Google sign-in) | United States | Authentication |
These services process data on our behalf. They do not use your information for their own purposes.
7. Cross-border data transfers
Some of your information is stored or processed outside New Zealand:
- Australia — Supabase hosts our database in Sydney.
- United States — Loops.so (emails), Cal.com (booking), Google (if you use Google sign-in), and Vercel (some edge processing).
Under the Privacy Act 2020 (Information Privacy Principle 12), we can only send your data overseas if adequate protections are in place. We ensure this by:
- Choosing providers that are subject to privacy laws offering comparable protections (Australia's Privacy Act 1988 provides comparable safeguards).
- Requiring contractual commitments from US-based providers to protect your data to our standards.
- Using encryption for all data in transit and at rest.
By creating an account, you acknowledge that your data will be stored and processed in these locations as described above.
8. Cookies and tracking
We keep this simple:
- Essential cookies — we use session cookies to keep you logged in and secure while using the Portal. These are necessary for the Portal to work.
- No tracking — we do not use advertising, marketing, or third-party analytics cookies.
If we ever change our approach to cookies or tracking, we will update this policy and let you know.
9. Your rights
Under the Privacy Act 2020, you have the right to:
- Access your information — ask us for a copy of the personal information we hold about you. We will respond within 20 working days.
- Correct your information — you can update most of your information directly in the Portal. If you need us to correct something, let us know.
- Request deletion — ask us to delete your data. We will do so unless we are required to retain it for regulatory purposes (see section 10).
- Withdraw consent — opt out of non-essential communications at any time.
- Make a complaint — if you are unhappy with how we have handled your information, see section 13 below.
To exercise any of these rights, contact us at support@freehold.nz.
10. Data retention
We keep your information only as long as we need it, or as long as the law requires:
| Data type | How long we keep it | Why |
|---|---|---|
| Financial advice records (fact-finds, snapshots, statements of advice) | 7 years from last advice | FMC Act record-keeping obligations |
| Account and identity data | 7 years from account closure | Regulatory requirements |
| Transactional email records | 2 years | Service operation |
| Session and technical data | 90 days | Security monitoring |
After these periods, your data is securely deleted or anonymised.
11. Children's privacy
The Portal is intended for people aged 18 and over. We do not knowingly collect information from anyone under 18. If you believe we have collected information from a minor, please contact us and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email. The "Last updated" date at the top tells you when it was last revised.
13. Complaints and the Privacy Commissioner
If you have a concern about how we have handled your personal information:
- Contact us first — email support@freehold.nz. We will try to resolve it as quickly as possible.
- Office of the Privacy Commissioner — if you are not satisfied with our response, you can make a complaint to the Privacy Commissioner:
- Website: privacy.org.nz
- Phone: 0800 803 909
- Email: enquiries@privacy.org.nz
Terms of Use · Disclosure · Complaints
© 2026 Freehold KiwiSaver Ltd. All rights reserved.