Privacy Policy

Purpose of Collection

Axenic only collects information for the purpose of delivering and marketing our services.


  1. We collect information about prospective customers for the purpose of marketing our services.
  2. We collect information about current customers (including their staff, contractors and suppliers) for the purpose of delivering our services
  3. We collect information from current and prospective employees to deliver our services.
  4. We collect information about website visitors in order to evaluate the performance of our website.
  5. We collect information within our Axenic Risk and Assurance Portal as part of providing this service to our customers.

Personal Information Collected

For customers and prospective customers the information we collect includes:

  • Names
  • Contact details (e.g. email address, phone numbers)
  • Employment details (e.g. employer, job title)

For prospective employees the information we collect includes:

  • Names
  • Contact details (e.g. email address, phone numbers)
  • CVs
  • References
  • Criminal conviction history checks
  • Personal circumstances if required for immigration purposes
  • Qualifications
  • Right to work information
  • Medical information (only where required for employment purposes)

For current employees we additionally collect information required to manage their employment such as:

  • Bank account numbers
  • IRD numbers
  • Payroll information
  • Next of kin and emergency contacts
  • Performance information (including peer and customer feedback)
  • Medical information (only where required for employment purposes)

For website visitors we collect information including:

  • IP addresses
  • Operating system
  • Type of web browser
  • Date, time and duration of visit
  • Pages accessed
  • Search terms

We use Google Analytics to collect statistical information about how visitors use our website. This information is used to improve the website. Google Analytics uses cookies to collect and store the following data when you visit this website:

For more information about Google Analytics click here, and to read Google’s privacy policy click here.

Method of Collection

In general, Axenic will only collect information directly from an individual unless authorised to collect information from another party by that individual (e.g. in the case of references). When collecting personal information, individuals should be made aware of what that information will be used for (e.g. “we will use your email address to send you our newsletters”).

Securing Personal Information

Axenic’s employees follow our information security policy and associated documentation from our Information Security management System (ISMS) that provide guidance on how to secure all of our information including personal information. This includes how and where to store that information.

Retention of Personal Information

Axenic will keep personal information only as long as is required to fulfil the purposes for which it has been collected. Specifically:

  1. Customer and prospective customer contact information is retained indefinitely (as we will get in touch with customers and prospective customers periodically to sell or market services to them).
  2. C&A as a Service Portal data is retained for the lifetime of the customer's subscription.
  3. Website visitor data is retained for 26 months to allow us to understand website trends.
  4. Prospective employee data is retained for two years (from date of application or last active contact, whichever is later).
  5. Employee data is retained for seven years after termination of employment. Sensitive payroll data (e.g. bank account numbers) will be removed as soon as is practical.

Note: if individuals get in touch with us and ask to have personal information removed before the end of the retention period we will entertain all reasonable requests. That is to say, if removing that information doesn’t prevent us from providing a service to our customer or meeting a legal or policy obligation then we should remove that data.

Requests for Personal Information

All individuals may request copies of information held about them by Axenic. They should do this by contacting the Chief Privacy Officer directly or emailing

If we receive a request for personal information we will:

  • Verify the identity of the sender
  • Acknowledge the request within seven working days
  • Responded to within 20 working days (unless an extension is required)
  • Advise a requestor if information needs to be withheld

Correction of Personal Information

Any individual may request that personal information held about them be corrected. Such requests should be directed to the Chief Privacy officer.

Axenic will endeavour to correct the information, or note that a correction was requested if Axenic disagrees that a correction is required (i.e. Axenic believes the information is correct).

If information is corrected, consideration should be given as to whether inaccurate information has been disclosed to other parties.

Disclosure of Information

Personal information will not be disclosed to other parties or organisations unless this has been authorised by the individual concerned, to comply with a legitimate legal request or is necessary for the purposes the information was obtained.


Complaints should be directed to the Chief Privacy Officer. The Chief Privacy Officer should investigate and action privacy complaints within a reasonable timeframe. If during an investigation we discover a privacy incident, then the process described in the section labelled “Incidents” should be followed.


If an event occurs that causes one of the principles of the privacy act to be violated, or that violates one of the statements in this policy then a privacy incident management process should be invoked. If the violation involves security (i.e. a violation of principle 5) then the security incident management process will be used with the addition of the Chief Privacy Officer as a stakeholder.

For a privacy incident with no security implications the security incident process should be used, but the Chief Privacy Officer should replace the CISO as the accountable party.

Your rights

You have the right to ask for a copy of any personal information we hold about you, and to ask for it to be corrected if you think it is wrong.

If you’d like to ask for a copy of your information, or to have it corrected, please contact us using one of the following methods:


Telephone: +64 4 499 8012


Privacy Officer
Axenic Ltd.
PO Box 25494
Wellington 6146
New Zealand

Last updated: August 2023