Buzzy - Privacy

PRIVACY POLICY

1. Introduction

‍This Privacy Policy explains how Buzzy (the “Platform”, operated by the Buzzy research team, referred to as “we” or “us”) collects, uses, stores, and discloses your personal information. It is designed to comply with the New Zealand Privacy Act 2020 and relevant regulations, ensuring we respect your privacy rights and handle data lawfully. By using Buzzy or participating in our Platform, you agree to the practices described in this policy. We encourage you to read it carefully.

2. Key Principles

‍Buzzy is committed to transparency and protecting individual privacy. We adhere to the Information Privacy Principles under New Zealand law. This means we will be clear about why we collect data, how we use and share it, and we uphold your rights to access and correct your information. We also follow ethical guidelines applicable to our research project, ensuring that data is handled confidentially and only used for approved purposes.

3. Information We Collect

‍We collect various types of information from you when you register and use Buzzy. Under the New Zealand Privacy Act, “personal information” is broadly defined as any information about an identifiable individual. The types of data we collect include:
‍
- Account Information: Username (a chosen handle on the Platform), your first name and real name, and your email address. This information is collected during account creation to identify you and facilitate account-related communication.
- Verification Data: For identity verification purposes, we may collect information to confirm you are an authentic user (eg. verification of your student email domain or status). Currently, for our initial pilot, verification is done by confirming access to your student email address. Future implementations may require additional identity confirmation, which will be handled with the same care and only used for verification purposes.
- Demographic Information (Optional): You have the option to provide demographic details such as your age, gender and ethnicity. Providing this information is completely voluntary; you may use the Platform without giving us these details. If you do provide them, it helps our research team analyse aggregate trends (for example, to ensure diverse participation in research findings). We treat these sensitive details with strict confidentiality and use them only in anonymised form for research analysis.
- Content and Activity: This includes any content you create or contribute on Buzzy. For example:Proposals and Comments: The text of proposals you submit and any comments or feedback you provide on the Platform.Votes: Your votes or endorsements on proposals, topics or comments (including all types of votes, eg. agrees/disagrees and votes of support)We collect these to operate the Platform’s core functions. These core functions allow you and others to share ideas and feedback, and us to conduct research on the data in aggregate.
- Device and Usage Data: We automatically collect certain technical information when you use Buzzy. This may include:Device Information: eg. device type, operating system, and browser type you use to access Buzzy.Usage analytics: eg. pages or screens you visit, time spent, interactions and click data, and other analytical data about your use of the Platform.Log data: such as IP address, timestamps of logins or actions, and cookies or similar identifiers.
- Two-Factor Authentication (2FA) Information: To ensure the security of user accounts and verify participant identities, we implement two-factor authentication (2FA) during account registration and login. This involves sending a one-time 6-digit verification code to your registered Victoria University email address (@myvuw.ac.nz or @vuw.ac.nz). Users are required to enter this code into the app to complete their login/signup process. This step ensures that only the rightful account holder can gain access and helps protect against unauthorised account access.

We collect most personal information from you (for instance, data you enter during sign-up or when filling out your profile) in line with Privacy Act principles of collecting from the individual whenever feasible. In some cases, we may derive data from your use of the service (like analytics collected via cookies or logs). We will always endeavour to only collect information that is necessary for the stated purposes (avoiding overly intrusive data collection).

4. How We Use Your Information

‍Buzzy collects and uses your information for the following purposes, in accordance with the law and the consent you provide when joining the Platform:
‍
- Providing and Operating the Service: We use account information (like your username and email) to create and maintain your account, allow you to log in, and to enable core Platform features such as posting proposals, commenting, and voting. Your content (proposals, comments, votes) is processed to display it to you and other users, fostering the interactive community that Buzzy offers.
- Identity Verification: We verify your identity by confirming your access to your Victoria University student email address (@myvuw.ac.nz) during registration. Specifically, after you provide your university email upon signup or login, we send a single 6-digit verification code to this email address, which you then input into the Buzzy app to complete the verification. This additional step is vital to ensure secure access, validate participant eligibility, maintain platform integrity, and protect your personal information from unauthorised access or misuse
- Communication: Your email address (and possibly your name) may be used to send you service-related communications. These include verification emails, notifications about Platform updates or requests for feedback on the experience of using the Platform, changes to policies (including this Privacy Policy), or responses to inquiries you send us. We may also communicate about research progress or results if you have agreed to receive such updates. You can opt out of non-essential communications at any time.- Transactional Emails and Compliance with UEMA 2007: Buzzy strictly limits emails sent to users during the project to those necessary for platform security and account verification purposes. The verification emails containing your one-time 6-digit authentication code are classified as transactional, not commercial, messages. These emails are explicitly requested by you at the time of signup/login and contain no promotional or marketing content. Consequently, these transactional emails fully comply with New Zealand’s Unsolicited Electronic Messages Act 2007 (UEMA), as they are necessary for security purposes, are not commercial in nature, and are sent solely to authenticate your user account.
- Research and Analysis: As Buzzy is part of a research initiative, we analyse the collected data to gain insights and produce research findings. This might involve studying aggregated voting patterns, comment themes, or user engagement levels. All research analysis is performed on anonymised or aggregated data. We look at trends and statistics across many users, not at identifying individuals. Your personal information is never disclosed in research outputs. In academic publications or reports, only summary or aggregate information is presented (for example, “X% of users agreed with topic Y”), ensuring no individual can be identified.
- Service Improvement: We use device and usage data (analytics) to understand how users interact with Buzzy. This helps us identify technical issues, improve the Platform’s features and usability, and ensure a smooth and secure user experience. For instance, understanding which features are most used can guide us in enhancing those features. All such analysis is generally done in aggregate form.
- Enforcing Terms and Ensuring Safety: We may process content and account information to enforce our Code of Conduct or Terms of Service. This includes using information to moderate content and investigate any violations or misuse of the Platform. For example, if a proposal or comment is reported, moderators may review the content (but as noted below, they will not have access to your personal identifiers). We also may use information as needed to ensure the security of user accounts and the overall Platform (such as detecting fraudulent activity or security incidents).
- Legal Compliance: Finally, we will use or disclose your information if necessary to meet any applicable legal obligations. For example, if we are required by law, court order, or governmental authority to release certain data, or to comply with the New Zealand Privacy Act’s requirements (such as responding to your requests to access or correct data, detailed in the Your Rights section). We may also use personal information to fulfill our obligations under any approved ethics protocols governing this research.
- Data Security and the Privacy Act 2020:Under Information Privacy Principle 5 (IPP 5) of the Privacy Act 2020, organisations are required to ensure reasonable safeguards are in place to protect personal information from loss, unauthorised access, or misuse. In alignment with guidance from the Office of the Privacy Commissioner (OPC), we implement two-factor authentication (2FA) as a reasonable and appropriate measure to enhance account security and protect user data. This security practice involves verifying your identity through a unique 6-digit code sent exclusively to your registered Victoria University email address during account registration and login. The use of 2FA is consistent with recommended best practices outlined by the OPC, reflecting our commitment to data security, privacy protection, and compliance with New Zealand’s privacy laws.
- Unsolicited Electronic Messages Act 2007 (UEMA):Buzzy complies with the Unsolicited Electronic Messages Act 2007 by restricting all outbound emails solely to those requested by users explicitly for security or account-related purposes. The verification emails you receive as part of the two-factor authentication process are explicitly excluded from the definition of unsolicited commercial electronic messages under the Act, as they contain necessary account-verification information and no commercial promotional material. You will not receive unsolicited emails or marketing communications from Buzzy.

We will not use your personal data for any purposes that are incompatible with those described above without obtaining your consent, unless permitted or required by law. In particular, we do not use your data for marketing or commercial profiling, nor do we sell your personal information to third parties.

5. Identity Verification Procedures

‍Because maintaining a trusted environment is critical, Buzzy requires user identity verification. Although a full identity verification system is not yet implemented, we include this notice to be transparent that:
‍
- Verification via Student Email: During this pilot stage, we verify each user's identity by confirming they have access to a valid student email address. This typically involves sending a confirmation link or code to your provided student email and requiring you to verify it. By doing so, we ensure that users are actual students (or members of the intended participant group) and not fraudulent accounts.
- Future Verification Measures: As the Platform develops, we may introduce additional verification steps. If and when such measures are implemented, we will update this Privacy Policy accordingly. Any identity verification data collected (such as an ID document or institutional login information) will be used solely to verify your identity and eligibility, and will be safeguarded like other personal data. We will not retain any more verification data than necessary, nor use it for other purposes without consent.

Your cooperation in the verification process helps us protect all participants and maintain high data integrity for the research. We treat verification information with the same level of security and confidentiality as the rest of your personal data.

6. Data Storage and International Transfers

‍Your data is stored securely using our backend infrastructure, which is currently hosted on cloud services in multiple geographic locations:
‍
- Heroku (EU Region): Our application backend runs on Heroku servers located in the European Union.
- MongoDB Cloud (Australian Region): All data (including your personal information and content) is stored in a MongoDB Atlas cloud database with servers located in Australia.

This means that the personal information you provide is transferred outside of New Zealand and stored in the European Union and Australia. We acknowledge the New Zealand Privacy Act’s rules regarding transferring personal data overseas, and we take steps to ensure that your information remains protected to a standard comparable to New Zealand’s privacy laws. Specifically:
‍
- Adequate Protection: Both Heroku and MongoDB are established cloud service providers with robust security measures and privacy commitments. They are contractually bound to protect your data and use it only to provide services to us. We have agreements in place to ensure they implement industry-standard security (encryption, access control, etc.) and safeguard personal data against unauthorised access or disclosure.
- Comparable Privacy Standards: The European Union has strong data protection laws, and Heroku’s EU hosting adheres to EU General Data Protection Regulation (GDPR) standards, which are generally in line with or exceed New Zealand’s protections. Australia has privacy laws and practices that we consider to offer protections in line with NZ requirements. In all cases, we ensure that any overseas hosting or processing meets the conditions of the New Zealand Privacy Act for cross-border data transfer; for example, either the receiving location has comparable privacy safeguards, or the service provider has agreed to protect the information to NZ standards.
- User Consent to Transfer: By using Buzzy and providing your information, you consent to this transfer and storage of your data in the EU and Australia. We understand that cross-border data storage is a sensitive issue, and we want to assure you that it does not change our commitment to protect your privacy. Regardless of where your data is physically stored, we will treat it in accordance with this Privacy Policy and New Zealand’s privacy principles.

If in the future we change our data storage locations or add new providers, we will update this section and, if required, seek additional consent. We remain responsible for the protection of your personal data even when it is handled by third-party providers on our behalf.

7. Data Security Measures

‍We take the security of your personal information seriously and implement a range of safeguards to protect it from loss, misuse, unauthorised access or disclosure. These measure include:
‍
- Encryption: All data transmission between your device and our servers is encrypted using secure protocols (HTTPS/TLS). This helps prevent eavesdropping or interception of your personal information as it travels over the internet. Additionally, sensitive data stored in our databases is encrypted at rest where feasible (for example, passwords are hashed and never stored in plain text).
- Access Controls and Restrictions: Access to personal data is strictly limited to authorised personnel who need it for their roles. In particular, only core members of the Buzzy research team have the ability to access personally identifiable information (such as names, emails, or demographic data). This access is granted on a need-to-know basis and is protected by authentication steps (e.g., strong passwords, two-factor authentication) to prevent unauthorised logins. Other staff or volunteers, such as our content moderators, do not have access to your personal identifiers. Moderators may see your public content (like proposals or comments) to perform their duties, but they cannot view sensitive information like your email, real name, or any optional demographic details. This role separation is in place to protect your identity and privacy while allowing the Platform to function effectively.
- Audit Logging: Whenever members of the research team access personal data, we record these accesses. These audit logs create a transparent record of who accessed what data and when. We review these logs to ensure that personal data is only accessed for legitimate purposes consistent with this policy. Any improper access or suspicious activity would be investigated. This transparency and accountability measure aligns with best practices and ethical requirements for research data handling.
- Staff Training and Confidentiality: All Buzzy research team members and any other personnel with potential access to user data are educated on privacy obligations. They are bound by confidentiality agreements and ethical standards to protect your information. We ensure that everyone handling personal data is aware of the legal responsibilities under the Privacy Act and our own policies.
- Security Testing and Updates: We regularly update our systems with security patches and monitor for vulnerabilities. Security audits or assessments may be conducted to evaluate and improve our protections. Our database and application environment are configured with security best practices (for instance, firewalls, intrusion detection, and prevention systems).
- Data Breach Response: Despite all precautions, no system can be fully guaranteed 100% secure. We have a breach response plan in place. In the unlikely event of a data breach that poses a risk to your privacy, we will take immediate steps to contain and remedy the issue. We will also inform affected users and the relevant authorities required by law. In fact, The New Zealand Privacy Act 2020 mandates notification to the Office of the Privacy Commissioner for certain serious breaches. We are committed to complying with these breach reporting obligations and to providing timely notice to you, along with information on steps you should take to protect yourself, if such an incident affecting your data were to occurred.
- Enhanced Account Security: In line with the security requirements set forth under the New Zealand Privacy Act 2020, Buzzy implements two-factor authentication (2FA) as a reasonable and essential safeguard for securing personal information. This practice aligns with guidance provided by the Office of the Privacy Commissioner (OPC), which explicitly identifies multi-factor authentication (including 2FA) as a recommended minimum security standard for organisations handling personal data. Accordingly, we require users to verify their identity by entering a one time 6-digit code sent exclusively to their registered Victoria University email during signup and login. This process significantly enhances account security and data protection, ensuring compliance with our obligations under the Privacy Act 2020.

Our goal is to maintain a high level of security that not only meets legal requirements but also preserves your trust. We continuously improve our security practices in line with evolving threats and industry standards.

8. Access by Buzzy Personnel and Confidentiality

‍Within our organisation, access to personal data is carefully controlled as part of our privacy and security practices:
‍
- Buzzy Research Team: A limited number of authorised researchers/administrators on the Buzzy team can access personal information when necessary (for example, to provide user support, to verify identity, or to perform data analysis for research in a manner consistent with this policy). Every access is logged as noted above, and team members accessing data are subject to strict confidentiality obligations.
- Moderators and Other Users: Aside from the core research team, other platform facilitators (such as community moderators) have no access to personally identifying information about users. Moderators may see your Platform username and the content you post (since those are public by nature of how the Platform works), but they will not see your email, real name, or any demographic information that is not explicitly part of your public content. This ensures that those handling content moderation cannot link contributions back to your real identity.
- No Unnecessary Access: We follow the principle of least privilege; each team member or system role only has the minimum access required to perform their function. There is no broad or unchecked access to user databases. For example, a developer maintaining the software might have access to database structure but not necessarily to the content of personal data, unless that level of access is essential for their work and approved with proper safeguards.
- Transparency of Team Access: As mentioned, all instances of accessing personal data by the research team are recorded. While these logs are internal, we maintain them to be able to demonstrate compliance with privacy requirements. If ever needed (for instance, during an audit or ethics review), these logs can show we have not accessed data inappropriately. Users can be assured that any access to their personal information is not taken lightly and is traceable.
- Third-Party Service Providers: Our cloud service providers (Heroku, MongoDB) technically handle your data to store or transmit it, but they do so under our instructions and do not access it for any independent purposes. They are essentially extensions of our team for infrastructure. They too are bound by contractual obligations to maintain confidentiality and security of your data.

In summary, only those with a justified need see personal data, and even within that small group, all activity is monitored. This layered approach helps prevent misuse and builds trust that your personal information is kept confidential within Buzzy.
‍
9. Disclosure of Personal Information

‍We do not sell or rent your personal information to any third party. We will also never disclose your personally identifiable information to external parties except in certain circumstances allowed or required by law, as detailed below:
‍
- With Your Consent or At Your Direction: We may share information if you explicitly request or consent to it. For example, if in future you choose to integrate Buzzy with another service and approve transferring your data, or if you ask us to share feedback with a third party, we would do so only with your consent.
- Service Providers (Data Processors): We use trusted third party companies to help us operate the Platform and conduct our services (for example, cloud hosting providers, as discussed, or an email delivery service to send verification emails). These providers may process your data on our behalf, but solely for the purposes of providing their services to us. They cannot use your personal information for their own purposes and must handle it confidentially and securely. We ensure any such provider is subject to privacy and security obligations consistent with this Policy and New Zealand’s privacy requirements.
- Legal Requirements and Protection: We may disclose personal information if we are compelled to do so by law or valid legal process (such as a subpoena, court order, or government demand). We will only this after verifying the request’s legitimacy and scope. Additionally, we might disclose data if necessary to enforce our Terms of Service or Code of Conduct, to investigate and defend ourselves against any third-party claims or allegations, or to protect the rights, property, or safety of the Buzzy team, our users, or the public. This could include sharing information with law enforcement or regulatory agencies in cases of suspected fraud, security threats, or other violations of law.
- Research and Academic Publication: As described, any sharing of data for research purposes will never involve personally identifying information without your consent. If we collaborate with research partners or share data with academic institutions, we will only provide anonymised or aggregated data that cannot be linked back to you. For instance, we might share statistical summaries (like overall usage metrics or de-identified survey results) with a university research group assisting us, but we would not share raw data that contains names or emails. Sharing anonymised data is consistent with privacy principles, which recognise that information that can no longer identify an individual is not considered personal information.

In all cases of disclosure, we adhere to the principle that we only disclose the minimum information necessary. We also evaluate each situation to ensure that any sharing is in line with this Privacy Policy, the consent you have provided, and our obligations under law (including the New Zealand Privacy Act’s limits on disclosure and overseas transfer conditions). If we ever need to share your personal information in a new way not covered here, we will seek your consent or update this Policy to notify you of the change.

10. Use of Aggregated and De-Identified Data

‍We may use and share aggregated, anonymised information derived from the data we collect. “Aggregated” means that we compile information about many users so that individual identities are not revealed. “Anonymised” means personal identifiers (such as your name, email, or any unique traits) have been removed or obscured such that the information can no longer be connected to you or any specific user:
‍
- Research Publications and Reports: The Buzzy team may publish research findings or reports based on Platform data. Any such publication will only include aggregated statistics or observations, and will never identify you personally. For example, a research paper might state something like “60% of users found Policy Idea X helpful,” or discuss common themes in user comments, but it would not include your name, your exact comment, or any information that could single you out. This approach ensures that participants remain anonymous.
- Third-Party Research Sharing: We may share de-identified datasets with other researchers or institutions for legitimate research purposes, such as collaborative analysis. Before sharing, we remove personal identifiers so that the data cannot be traced back to you. The recipients of such data will not be able to re-identify individuals and will be required to use the data only for research and to protect it appropriately.
- Internal Analytics: We combine data across users to look at overall trends (for instance, total numbers of votes per category, average of participants, etc.). Results of internal analytics are used to improve the Platform and inform our research, and these results may be shared in presentations or with project stakeholders. Again, this information will be in aggregate form.

By using Buzzy, you understand and consent that your contributions and data may be used in this aggregate, de-identified manner. We undertake these practices in line with ethical research standards. We are using data to advance knowledge while rigorously protecting individual privacy. The New Zealand Privacy Act does not restrict the use or disclosure of truly anonymised data, since it is no longer “personal information” once irreversibly de-identified. Rest assured, if any data cannot be fully anonymised, we treat it as personal information and protect it accordingly.

11. Data Retention and De-Identification Timeline

We will retain your personal information only for as long as it is needed to fulfill the purposes outlined in this Policy or as required by law and our research protocol. How long we keep different types of data is determined as follows:

- Active Account Data: If you have an active account on Buzzy, we will retain your information for as long as your account exists, so that we can provide the service to you. This includes your profile information and all content (proposals, comments, votes) you have provided, which remain available on the Platform unless you delete them or delete your account.
- User-Deleted Data: You have control over certain data through your account settings. If you choose to delete specific content (for example, delete a comment) or if you delete your entire account, we will delete or anonymise that information from our live databases. Account deletion is the primary way to withdraw from the Platform and research. When you delete your account, all personal identifiers (like your name, email and profile info) are removed from our system, and your contributions may be disassociated from you. Some data (like comments or proposals) that you contributed might be retained in an anonymised form for research integrity (for example, we might keep the text of a proposal but without any username attached to it, if that proposal is relevant to the research). In any case, upon account deletion, we will no longer use your data to identify you or contact you.
- Research Project Duration (Data Deletion Date): Buzzy is part of a research project with a defined timeline. We have set the 1 December 2026 as a cut off date for any personally identifiable information (PII). All PII will be permanently erased on or before that date—regardless of account status. This firm deletion deadline minimises long-term privacy risks and ensures that, by default, no personal data remains in our possession after the project ends.
- Backup and Log Data: Our systems may keep backups or log files that include personal data. These are typically retained for short periods for recovery or security auditing purposes. Even if you delete your account or after the de-identification date, some of this data might persist in backups for a short duration until those backups are rotated out or destroyed. We will not use backup data except for legitimate IT recovery or security investigations. All backups are protected with the same security measures. As part of our data management, any backups exceeding their retention period are deleted, and by the deletion date we will ensure that no backups retained contain data older than that deadline.

After the retention period is over, or once data is de-identified, it is no longer personal information and may be retained in aggregate form for historical research analysis without further notice to you. But personal data will not be kept indefinitely “just in case.”. We strictly adhere to the principle that personal information should not be kept longer than necessary.

12. Your Rights and Choices

‍As a user of Buzzy (and as a research participant in this project), you have important rights regarding your personal information. We are committed to upholding these rights regarding your personal information. We are committed to upholding these rights in accordance with New Zealand’s Privacy Act and ethical research standards:
‍
- Access Your Information: You have the right to request a copy of the personal information we hold about you. This includes data you provided to us and data about your usage that is associated with you. Most of your basic profile and content information is accessible by logging into your account (you can view your profile details, past proposals, comments, etc.). If you require a fuller report of your personal data, you can contact us (see Contact Us section below) and we will provide you with an accessible format of the information we have, provided we can authenticate your identity for security.
- Correct or Update Your Information: If any personal information we have about you is inaccurate or outdated, you have the right to ask us to correct it. You can directly edit much of your information through your profile settings (for example, you can update your name if it changes). For any information that you cannot edit yourself, you may contact us with a correction request. We will take reasonable steps to verify the accuracy of the new information and update our records. If for some reason we cannot comply with a correction (for instance, if it pertains to an official record we are required to keep unchanged), we will explain the reason and, if required, annotate the information to note the requested correction.
- Delete Your Data/Withdraw: You have the right to withdraw from the Platform and the research at any time by deleting your account (as described in Data Retention above). Account deletion will remove your personal identifiers from our active data. We have also provided the timeline for complete deletion of all data (December 6, 2026). If you prefer, you may contact us to request deletion, and we can assist in removing your account and data. Please note that while we will cease all use of your identifiable data upon deletion, we may retain anonymised information as part of the research dataset as explained before.
- Object or Restrict Processing: If you have concerns about any particular use of your data, you can contact us to object to or restrict that processing. For example, if you provided optional demographic information and later decide you do not want it used in research analysis, we can remove or stop considering that data. We will consider all such requests in line with legal requirements and ethical considerations. If the law grants you a specific right to opt out of certain processing, we will honour it. (Note: Under the Privacy Act 2020, the emphasis is on transparency and fairness of use; while it doesn’t enumerate opt-out rights as explicitly as some other laws, we are still committed to accommodating reasonable requests where possible.)
- Data Portability: If applicable, you can request a copy of the data you have provided to us in a common format. Since this is a research platform, this might simply mean we provide an export of your proposals, comments and profile info. We will do our best to accommodate such requests to the extent feasible.
- Complain or Ask Questions: If you believe that your privacy rights have been breached or have any questions about your data, you have the right to lodge a complaint or inquiry. We encourage you to contact us first so we can address your concern. We will acknowledge and investigate complaints and resolve them in accordance with our obligations. Additionally, under New Zealand law, if you are not satisfied with our response, you have the right to complain to the Office of the Privacy Commissioner. The Privacy Commissioner can investigate and enforce privacy laws. Contact details for the Commissioner can be found on their official website (we can provide these to you upon request).

Providing personal information (beyond what’s necessary for account creation) is your choice. You can use a pseudonymous username if you do not want your real name to be public. You can choose not to fill in optional profile fields. We will respect the choices you make and will not discriminate against you for exercising any of these rights.Finally, please note that agreeing to this Privacy Policy (which is part of agreeing to our Code of Conduct and terms) is a condition of participation in the Platform. We need to process data as described to operate the service and conduct the research. If you do not agree to this, please refrain from using Buzzy. Even so, we are always happy to answer questions or discuss how your data is handled to alleviate any concerns.

13. Compliance with Laws and Ethics

‍We undertake all data practices in line with New Zealand’s Privacy Act 2020 and other applicable privacy laws. The Privacy Act establishes robust rules for how personal information must be collected, used, stored and disclosed in New Zealand, and we have built this policy around those rules. Key principles we comply with include:

- Purpose and Transparency: We only collect personal information for purposes that are lawful and necessary (Principle 1), and we are transparent about those purposes (Principle 3); as evidenced by the detailed explanations in this policy. You will always know why we need the data and how we intend to use it.
- Use and Disclosure: We do not use or disclose personal data for purposes other than those for which it was collected, except with consent or as permitted by law (Principles 10 and 11). We have outlined exactly how and with whom data might be shared, and we abide by the rule that information should generally only be disclosed in ways consistent with the original purpose or in an anonymised form.
- Data Minimisation: We aim to collect only what we need (Principle 1 & 4) and retain it only for as long as needed (Principle 9). The retention limits and optional nature of certain data reflect this commitment.
- Security Safeguards: We have strong security measures and access controls (Principle 5) to protect personal information against loss and unauthorised access.
- International Transfer: When transferring data overseas (Principle 12), we ensure the recipient (in our case, our own servers overseas) provides protections comparable to NZ standards.
- Access and Correction: We facilitate your right to access and correct your information (Principles 6 and 7).
- Privacy Officer: As required by the Privacy Act, we have a designated privacy officer (within the Buzzy research team) responsible for overseeing compliance and handling queries or complaints about personal data.

In addition to privacy laws, this project is conducted under an approved research ethics framework (as this Platform is part of an academic research study). That means we also adhere to commitments made in our ethics application regarding confidentiality, participant rights, and data handling. For instance, we ensure participation is voluntary, we avoid any harm to participants, and we have an obligation to keep information confidential unless permission is given or required by law. Our deletion of data by Dec 1, 2026 and the use of data only in aggregate form for publications are driven by these ethical considerations.We regularly review our privacy practices against current laws and ethics guidelines. If new regulations (for example, changes in New Zealand law or relevant international regulations) come into effect, we will update our processes and this Policy to remain compliant. Our aim is not only legal compliance but to foster a culture of respect for privacy.

14. Contact Us

‍If you have any questions, concerns, or requests regarding this Privacy Policy or how your information is handled, please do not hesitate to contact us. We value your feedback and the opportunity to clarify any aspect of our privacy practices.

You can reach the Buzzy team for privacy-related inquiries in the following ways:
- Email: Please email us at support@buzzyapp.co.nz. In your email, please detail your question or request, and include the email associated with your Buzzy account for identification.
- In-App Report/Contact: You may use the in-app reporting mechanism to send a message to the administrators. This can be found in the app’s settings or help section. Messages sent through the app will be received by our team, and we will respond as soon as possible.

We will endeavour to respond to all legitimate requests or concerns within a reasonable timeframe and in accordance with applicable law. If you are contacting us to exercise a specific right (like accessing or deleting data), please be aware we may need to verify your identity for security reasons before fulfilling your request. This is to ensure that personal information is not disclosed to the wrong person or wrongfully altered. As mentioned in Your Rights, you also have the right to contact the Office of the Privacy Commissioner in New Zealand if you have a complaint that we cannot resolve. However, we encourage you to contact us first so we can first address the issue directly and fairly.

15. Changes to Privacy Policy

‍We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for any other reason. When we make changes, we will update the “Last updated” date at the top of the Policy. For significant changes, we will provide a more prominent notice; for example, by emailing all users or by placing a notice on the Platform.Your continued use of Buzzy after any changes to this Policy constitutes acceptance of the updated terms, to the extent permitted by law. We encourage you to review this Policy periodically to stay informed about how we are protecting your information.If we were ever to use your personal information in a materially different way than described here, we would seek your consent where required. We remain committed to the core principles of privacy and will not dilute your rights under this Policy without such consent.

‍By using the Buzzy Platform, you acknowledge that you have read and understood this Privacy Policy. We thank you for your trust and for participating in this research community. Protecting your privacy while enabling meaningful research insights is our priority.