Privacy Policy

Groundswell Property Management 2025 Ltd.

Effective date: 6 May 2026 | Version 1.0

1. About This Policy

This Privacy Policy describes how Groundswell Property Management 2025 Ltd. ("Groundswell Property", "we", "us", or "our") collects, holds, uses, and discloses personal information.

We are a short-term rental property management company based in Raglan, New Zealand. We manage all aspects of property owners' short-term rental operations, including guest bookings, payment collection, housekeeping, maintenance, financial reporting, and legal compliance.

This policy applies to:

our company website at https://groundswellproperty.co.nz
our Owner Centre portal
all digital services and platforms we operate or use to deliver our services
any personal information we collect from property owners, guests, job applicants, and other individuals who interact with us

We are bound by the Privacy Act 2020 (NZ) and the Information Privacy Principles (IPPs) contained within it, including IPP 3A, which governs the collection of personal information from sources other than the individual concerned.

2. Who We Are and How to Contact Us

Legal name: Groundswell Property Management 2025 Ltd.
Location: Raglan, New Zealand
Website: https://groundswellproperty.co.nz
Privacy enquiries: privacy@groundswellproperty.co.nz

Under section 201 of the Privacy Act 2020, we are required to designate a Privacy Officer. All privacy enquiries and complaints should be directed to our Privacy Officer using the contact details above.

3. What Personal Information We Collect

We collect personal information only where it is necessary for our business functions. The categories of information we collect depend on your relationship with us.

3.1 Property Owners

Full name, postal address, email address, and phone number
Bank account details for payment of rental income
Information about your property, including address, access arrangements, and maintenance history
Financial information required for monthly statements and compliance reporting
Communications between you and our team

3.2 Guests

Full name, email address, and phone number
Government-issued identity document details, collected via our Authenticate.com identity verification service (see section 5)
Booking details, including dates, property, number of guests, and any special requirements
Payment information (processed by our third-party payment providers; we do not store full card details)
Communications between you and our team before, during, and after your stay
Feedback and reviews

3.3 Website Visitors

Information you submit via enquiry or contact forms
Technical data collected automatically, including IP address, browser type, pages visited, and referring URL (collected via Google services and Squarespace)
Cookie data (see section 9)

3.4 Job Applicants and Employees

Name, contact details, and employment history
Right-to-work documentation
References and background check results, where applicable

4. How We Collect Personal Information

We collect personal information:

directly from you, when you make an enquiry, register as an owner, make or manage a booking, submit an application, or contact us
from booking platforms such as Airbnb, Booking.com, VRBO, and Marriott, when a booking is made through those channels
from our property management platform, Hostaway
from our identity verification provider, Authenticate.com, in connection with guest verification
from our website via cookies and analytics tools (see section 9)
from third parties, including referees, credit agencies, or regulatory bodies, where this is permitted by law

4.1 Collection from Third Parties (IPP 3A)

Where we collect personal information about you from a source other than you directly, we comply with IPP 3A. This means:

we take reasonable steps to ensure you are aware that we hold your information, the purpose for which it was collected, and your right to access and correct it
we do this as soon as practicable after collection, unless doing so would be impossible or would prejudice the purpose of collection
this applies, for example, when a guest's details are passed to us by Airbnb, Booking.com, or VRBO following a booking

5. Why We Collect and Use Personal Information

We collect and use personal information for the following purposes.

5.1 Property Management Services

Managing owner properties, including maintenance scheduling, contractor coordination, and compliance
Processing guest bookings, payments, and communications
Providing financial statements, reports, and remittances to owners
Operating the Owner Centre portal

5.2 Guest Identity Verification

We use Authenticate.com to verify the identity of guests prior to check-in. This involves collecting and processing identity document details. The purpose is to protect the property, staff, and surrounding community, and to prevent fraudulent bookings. Personal information collected for this purpose is handled in accordance with the Authenticate.com privacy policy.

5.3 Communication

Responding to enquiries and requests
Providing booking confirmations, updates, and operational notifications
Sending financial statements and compliance reports to owners
Marketing communications, where you have opted in or where permitted under applicable law

5.4 Legal and Regulatory Compliance

Meeting our obligations under New Zealand law, including the Privacy Act 2020, the Residential Tenancies Act 1986, and applicable tax legislation
Financial compliance and fraud prevention
Maintaining records as required by law

5.5 Business Operations

Managing employment and contractor relationships
Improving our services and digital platforms
Website analytics and performance monitoring

6. Disclosure of Personal Information

We do not sell personal information. We share personal information only as follows.

6.1 Service Providers and Platforms

We share personal information with third-party service providers who assist us in delivering our services.

Hostaway — Property management platform. Privacy Policy
Airbnb — Booking channel. Privacy Policy
Booking.com — Booking channel. Privacy Policy
VRBO — Booking channel. Privacy Policy
Marriott — Booking channel. Privacy Policy
Authenticate.com — Guest identity verification. Privacy Policy
Stripe — Payment processing. Privacy Policy
Xero — Accounting and financial reporting. Privacy Policy
PriceLabs — Dynamic pricing and revenue management. Privacy Policy
Breezeway — Property operations and maintenance management. Privacy Policy
Squarespace — Website hosting. Privacy Policy
Google — Email, analytics, and workspace tools. Privacy Policy
Notion — Internal operations and documentation. Privacy Policy
Zapier — Workflow automation. Privacy Policy
Fillout — Online forms. Privacy Policy
Mailchimp — Email marketing platform. Privacy Policy
Meta Business Suite — Social media marketing and advertising. Privacy Policy
LinkedIn — Professional networking and marketing. Privacy Policy
Elfsight — Website widgets and embedded content. Privacy Policy

6.2 Legal Requirements

We may disclose personal information where required or permitted by law, including to government agencies, regulators, courts, or law enforcement, where we have a lawful basis to do so.

6.3 Business Transfers

If we sell or transfer all or part of our business, personal information we hold may be transferred to the new owner as part of that transaction. We will take reasonable steps to ensure the receiving party is bound by equivalent privacy obligations.

7. Transfer of Personal Information Overseas

Some of the third-party providers listed in section 6.1 are based overseas or store data on servers located outside New Zealand. This includes providers such as Google, Squarespace, Notion, Zapier, and Fillout.

When we transfer personal information overseas, we comply with IPP 11, which requires us to take reasonable steps to ensure the overseas recipient does not hold or use the information in a manner inconsistent with the Privacy Act 2020.

We do this by:

using providers who operate under privacy frameworks that provide comparable protections to those in New Zealand
reviewing the privacy policies of our providers before engagement
relying on contractual protections where applicable

By engaging with our services, you acknowledge that your personal information may be transferred to and processed in countries outside New Zealand.

8. Storage and Security of Personal Information

We take reasonable steps to protect personal information from unauthorised access, use, modification, and disclosure. Our security measures include:

access controls limiting who can view personal information within our systems
use of password-protected and encrypted systems
role-based access within our property management platform (Hostaway)
secure transmission of data using encrypted connections (HTTPS)

No method of data transmission or storage is completely secure. While we take reasonable precautions, we cannot guarantee absolute security. In the event of a notifiable privacy breach, we will comply with our obligations under Part 6 of the Privacy Act 2020, including notifying the Office of the Privacy Commissioner and affected individuals where required.

9. Cookies and Online Tracking

Our website uses cookies and similar technologies. A cookie is a small file placed on your device by a website you visit.

9.1 Types of Cookies We Use

Strictly necessary cookies: required for the website to function. These cannot be disabled.
Analytics cookies: used to understand how visitors interact with our website (via Google Analytics and Squarespace Analytics). These collect anonymised usage data.
Preference cookies: used to remember your settings and preferences.

9.2 Managing Cookies

You can control and delete cookies through your browser settings. Disabling certain cookies may affect the functionality of our website. For more information on managing cookies, refer to your browser's help documentation.

For information on how Google uses data from our website, see Google's partner sites policy.

10. Retention of Personal Information

We retain personal information for as long as is necessary for the purpose for which it was collected, or as required by law.

Guest booking records: 7 years from date of booking
Owner account records: duration of management relationship, plus 7 years
Identity verification records: in accordance with Authenticate.com's retention policy
Marketing communications: until consent is withdrawn or you unsubscribe
Job applicant records: 12 months from date of application, unless employment is offered

When personal information is no longer needed, we take reasonable steps to destroy it or ensure it is de-identified.

11. Your Rights

Under the Privacy Act 2020, you have the right to:

11.1 Access Your Information

You may request access to the personal information we hold about you. We will respond within 20 working days of receiving your request. We may charge a reasonable fee for providing access where permitted by law.

11.2 Correct Your Information

If you believe personal information we hold about you is incorrect, you may ask us to correct it. Where we are satisfied the information is inaccurate, we will correct it without charge.

11.3 Withdraw Consent

Where our processing is based on your consent (for example, marketing communications), you may withdraw your consent at any time. This will not affect any processing that took place before withdrawal.

11.4 Complain

If you believe we have interfered with your privacy, you have the right to make a complaint. Please contact our Privacy Officer in the first instance (see section 2). If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner:

www.privacy.org.nz | Phone: 0800 803 909

12. Marketing Communications and Promotional Use of Personal Information

12.1 Email Marketing

We use Mailchimp to manage and send email marketing communications. Mailchimp is operated by The Rocket Science Group LLC and processes personal information on our behalf in accordance with its privacy policy.

We send email marketing communications only where one of the following conditions applies:

you have given us explicit consent to do so
you are an existing owner or guest and the communication relates to services similar to those you have already used, and you have not opted out (soft opt-in)

Every marketing email we send will include a clearly visible unsubscribe link. You can opt out at any time by clicking that link or by contacting our Privacy Officer. We will process unsubscribe requests within 5 working days.

We do not send unsolicited commercial email. We do not purchase email lists or share your email address with third parties for their own marketing purposes.

12.2 Social Media and Digital Advertising

We use Meta Business Suite (Facebook and Instagram) and LinkedIn to manage our social media presence and run targeted advertising campaigns. These platforms may use personal information, including identifiers such as email addresses or device data, to serve relevant advertising to you or to audiences with similar characteristics (lookalike audiences).

This may involve:

uploading contact information (such as hashed email addresses) to Meta or LinkedIn to match against their user base for targeted advertising. Data is transmitted in hashed form and is not used for any purpose other than ad targeting
the use of tracking pixels or cookies on our website that pass anonymised browsing data to these platforms
the creation of custom and lookalike audiences based on existing owner or guest contact lists

You can manage your advertising preferences directly with these platforms:

We use Elfsight to embed widgets and social content on our website. Elfsight may collect limited technical data from website visitors. See the Elfsight privacy policy.

12.3 Disclaimer

Personal information used for marketing purposes is limited to what is necessary for the relevant campaign or communication. We do not use sensitive personal information (such as identity document data collected via Authenticate.com) for marketing purposes.

Marketing use of your personal information is always subject to your right to object or opt out. Opting out of marketing will not affect the delivery of operational communications necessary to your booking or property management relationship with us.

Where we rely on consent as the basis for marketing, withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal.

13. Children

Our services are not directed at children under the age of 16. We do not knowingly collect personal information from children under 16 without parental or guardian consent. If you believe we have inadvertently collected such information, please contact us and we will delete it.

14. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices, services, or legal obligations. We will publish the updated policy on our website with a revised effective date. Where changes are material, we will take reasonable steps to notify affected individuals.

We encourage you to review this policy periodically.

15. Contact Us

For any privacy enquiries, access or correction requests, or complaints, please contact our Privacy Officer:

Privacy Officer: Tomek Piatek
Email: privacy@groundswellproperty.co.nz
Postal address: 15 Nau Mai Road, Raglan 3295, New Zealand

We will acknowledge your request within 5 working days and respond fully within 20 working days, as required by the Privacy Act 2020.