Privacy policy

This privacy policy applies to the processing of personal data by Plyxarongrwhron in connection with the website at plyxarongrwhron.world and the communications that flow from that site. We describe our practices in plain language, but the underlying obligations include the New Zealand Privacy Act 2020, the EU and UK data protection rules where they apply, and, when Dutch residents use our services, the UAVG (the national implementation of the GDPR). Nothing here is medical advice, and the workplace rhythm content we publish does not require us to know special categories of data from you in ordinary circumstances. We do not use this site to make automated decisions about your health, creditworthiness, or eligibility for employment; if that ever changed, this policy would be updated first.

Who is responsible and how to reach us

Postal address: 233–237 Lambton Quay, Wellington Central, Wellington 6011, New Zealand. Telephone: +64 4 922 0600. Email: contact@plyxarongrwhron.world. In EU or UK law terms, this office is the data controller of the information we decide to collect. If we work with a separate processor, such as a host that stores backups, a written agreement with that processor is in place, and you may ask for the identity of the main categories of recipients when you make an access request.

We are not required to appoint a data protection officer for every size of business, but we do route privacy escalations to a person who can engage counsel when needed. If the European Commission adopts new adequacy decisions, or the UK’s extension framework changes, we will adjust this policy so you can see which transfer tool currently applies to your data.

Categories of personal data we work with

1. Identity and contact data that you type into forms (name, email, organisation) or that appear in a signature. We do not want national identification numbers, health data, or similar details through the public form; if you include them by mistake, ask us to delete the message and we will treat that request with priority.
2. Content data in the free-text message field, which might describe project constraints. We do not use that text to build automated “personality” profiles.
3. Technical data from server logs, such as a truncated or pseudonymised IP address, the user agent, time stamps, and a correlation identifier that helps the incident response team. Some fields may sit in a security information and event management platform.
4. Preference and consent data for cookies and local storage, as set out in the cookie policy, including a timestamp for when you consented, where we have it.

Purposes and legal bases in Article 6 GDPR terms

Where the GDPR or UK GDPR applies, we process information on the following grounds:

• Contract or pre-contract when you want to discuss a paid engagement, because we need your contact data to answer.
• Legitimate interests in securing the service, understanding aggregate traffic, and training staff, balanced against your rights. For sensitive processing we default to the narrowest set of data.
• Consent for optional marketing content or for cookies and storage types that the ePrivacy layer requires, which you can withdraw with future effect as described in the cookie materials.
• Legal obligation when a court, regulator, or tax authority in a jurisdiction to which we are subject compels a narrow disclosure.

International transfers and safeguards

Your visit might touch infrastructure in New Zealand, the European Economic Area, the United Kingdom, the United States, and other countries where reputable cloud and security companies operate. When information originating in the EEA, the UK, or Switzerland is transferred, we use Standard Contractual Clauses, the UK’s International Data Transfer Addendum, or another mechanism the law recognises, plus supplementary measures such as encryption in transit and, where we control keys, at rest. We re-assess transfers when a court or regulator changes the model.

How long we keep it

Contact threads are usually retained for a rolling window in line with our internal retention schedule, often up to twenty-four months from the last substantive reply, unless a longer period is required for a genuine tax, litigation, or regulatory hold. Security logs with IP addresses are typically cycled in under ninety days except when locked for a security investigation. Invoices, where we issue them, are kept in line with tax law. After the window closes, we delete, aggregate, or anonymise where the medium allows deletions without erasing the entire backup tape.

Security measures in outline

We use role-based access, multi-factor controls on production accounts where available, and vendor reviews of subprocessors. Engineering changes run through a simple checklist, and the marketing site itself is a static or lightly generated surface to reduce the attack area. We cannot promise absolute security, but we invest proportionately to the risk.

Your rights

Depending on where you live, you may have the right to access, correct, delete, restrict, port, and object, and, where the basis is consent, to withdraw. You can email us, and in many cases you can also complain to a supervisory authority. For the Netherlands, the Autoriteit Persoonsgegevens is a common choice for EU issues; the Information Commissioner’s Office in the United Kingdom; and the New Zealand Office of the Privacy Commissioner for local matters, without prejudice to other competent bodies.

Children

The site and its forms are for adults. We do not run behavioural advertising directed at children on this property.

Changes

We will refresh this file when the law, our product mix, or our vendors move. A prominent date in the legal hero, produced when you view the page, is there to help you line up a screenshot with your calendar, while a written “last updated” line in your internal logs should still be recorded in your own systems if you are a business reader.