Privacy Policy

Privacy Policy

K3 LEGAL LIMITED
PRIVACY AND INFORMATION SECURITY POLICY

K3 Legal Limited, with our registered office at 83 Albert Street (entrance at Kingston Street), Auckland Central (K3 Legal) is a New Zealand law firm.

This policy outlines the way in which K3 Legal (we, us, our) manages the personal information we collect and hold about our clients, potential clients, staff, potential staff, suppliers, potential suppliers, contractors, potential contractors and others (you, your).

K3 Legal is bound by the laws of New Zealand in this respect, principally the Privacy Act 2020 (Privacy Act) but also the Lawyers and Conveyancers Act 2006 and the Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008 (the Client Care Rules).

Personal Information

Personal information is information about an identifiable individual. We collect various types of personal information from you when you interact with us, including (but not limited to) information about your:

  • name
  • address
  • occupation
  • date and place of birth
  • contact information
  • nature and purpose of relationship with us and other parties
  • source of funds and source of wealth
  • assets and liabilities
  • interactions with us and other parties
  • New Zealand residency / visa status
  • employment history
  • criminal history
  • education history and academic performance
  • testimonials and feedback
  • billing, payment, and other financial information
  • unique identifiers given to you by Government and other agencies, such as driver licence numbers, passport numbers and IRD numbers
  • identity and personal features (for example, when viewing and taking copies of photographic identification)

The type and extent of information we collect and hold depends upon the nature of your interaction with us.

While we have obligations under the Privacy Act to check accuracy of personal information before using or disclosing it, given practical difficulties with us verifying most personal information we receive, it is your responsibility to ensure that the personal information you provide is accurate, complete and up to date.

Except as otherwise permitted by law, we collect personal information:

  • from you directly or indirectly, for example when you provide your details to us, through emails, forms, subscription applications, face-to-face meetings, video conferences, interviews, registration and attendance at seminars and events we host, business cards, telephone conversations and through the use of the services and facilities available through our website and social media channels
  • from third parties in some instances, including (but not limited to):
    • we may use third parties to analyse traffic at our websites and social media channels, which may involve the use of cookies
    • when we obtain a report provided by a medical professional or an employment reference from another person
    • when we obtain a criminal conviction history report
    • when we obtain a credit check
    • when we verify your identity using our external AML/CFT provider (presently AML Hub)
  • from publicly available sources and websites

We also collect information from our website (Website). When the Website is visited, we collect general user information such as user internet protocol addresses, browser type, internet service provider details and other technical information. We use this information to analyse web traffic, which may involve the use of cookies. Personal information collected via Website contact messages will be used for the purpose for which it has been supplied. 

We will notify you with all information required by the Privacy Act when we indirectly obtain your personal information from a third party that has not been notified to you by us in this Privacy Policy or otherwise, unless an exception applies under the Privacy Act or it would be otherwise contrary to law to notify you. 

Purposes for Which we use your Personal Information

We collect your personal information in order to:

  • conduct our business providing legal and client services
  • act in accordance with your instructions and complete the work you ask us to do
  • provide and market our services to you
  • verify your identity details
  • engage third parties on your behalf
  • communicate with you
  • purchase goods and services
  • help us manage and enhance our services
  • where applicable, check your identity and history (e.g., criminal or employment history) against governmental databases and through third parties
  • conduct invoicing and receipting, make payments to you or on your behalf, conduct firm and trust account transactions, undertake credit management and for debt recovery (which may involve disclosing information to debt collectors)
  • comply with all legal and regulatory requirements arising in the course of acting for you and operating a law firm
  • engage and employ people and contractors to work in and for us
  • provide promotional and marketing information
  • communicate with clients, potential clients, suppliers, staff, contractors and others
  • fulfil any other specific purposes we might tell you about or you might authorise

By using our services or providing your personal information to us, you consent to our collection, storage, use and disclosure of your personal information in accordance with this Privacy Policy

Disclosures

We may use and disclose and/or share your personal information (to the extent necessary to perform our functions and services as requested by you and/or as required by law and regulation such as the Privacy Act or the Client Care Rules) to parties including (but not limited to):

  • any other party to whom or to which you authorise us to disclose it
  • companies or individuals who assist us in providing services or who perform functions on our behalf (such as hosting and data storage providers, specialist consultants and barristers, our bankers)
  • other companies or individuals who perform checks that are necessary or desirable under any law or regulation, including in order to verify information for the purposes of Anti-Money Laundering and Countering Financing of Terrorism 2009 (AML/CFT Act) requirements
  • other companies, agencies or individuals that maintain databases against which your identity may be verified, which may include the New Zealand Department of Internal Affairs, the Ministry of Justice and the New Zealand Transport Agency
  • Land Information New Zealand in order to provide all necessary information when dealing with land in New Zealand, including fulfilling the information requirements of Land Transfer Tax Statements
  • other Government registries, such as the Companies Office and the Personal Property Securities Register
  • courts, tribunals and regulatory authorities
  • social media sites on which we have a presence
  • the New Zealand Law Society in order to comply with audit and other regulatory requirements
  • our insurers where we are required to notify them as to an insurable event
  • auditors we appoint for the purposes of having our risk assessment and compliance programme audited in accordance with the AML/CFT Act
  • any other party where we are required to do so by law

Chapter 8 of the Client Care Rules deals with our duty of confidentiality we owe to our clients.  We consider our obligations under chapter 8 carefully before making any disclosure of your personal information.

Where you provide us with personal information relating to another party, you acknowledge that we may be required under the Privacy Act to notify that party that we have collected their personal information indirectly.  We closely consider our chapter 8 obligations before making disclosures of this nature.

We may store personal information we collect either at our offices or at locations outside our offices, including data storage facilities based overseas, which may be operated by independent service contractors.  Please note, the privacy laws of other countries may not require the same or substantially similar privacy protections as the laws of New Zealand.  However, where we disclose personal information to a third party in another country we endeavour to put safeguards in place to ensure your personal information is protected. Electronic data that is stored in the cloud by third parties is usually encrypted.

Presently, our document management system Leap, Microsoft Office Suite, cloud information storage tools like Dropbox, and AI tools like ChatGPT involve disclosing your personal information to organisations outside of New Zealand in the ordinary course of our business to provide services to you. By continuing to engage us for services, you consent to this and analogous disclosures in the course of our interactions with you.

Where Information Privacy Principle 12 applies for disclosures to organisations outside of New Zealand that are not covered by your consent under this Privacy Policy, we will take steps required by law before making the disclosure.

By providing us with your personal information, you agree to the disclosure of your personal information to overseas persons in accordance with this Privacy and Information Security Policy and acknowledge in such a case that your personal information may not receive the same protections that it would in New Zealand.

Providing some personal information is optional. If you choose not to provide the information we require, we will be unable to provide some (or any) of our services to you.

Where we no longer require your personal information, we will comply with our legal obligations in respect of that information. We retain personal information as long as necessary for services, backups, claims, insurance, and legal obligations. This means that we usually retain client records for 10 years after our last engagement with you. If you request that we delete your Personal Information, we will take reasonable steps to do so unless we are legally required, or otherwise have a legitimate reason, to retain it.

Biometric Information

Biometric Information means any information that is generated from the measurement of an individual’s biological or behavioural characteristics and that is capable of uniquely identifying that individual.

We will collect Biometric Information only for a lawful purpose as set out in this Privacy Policy, and where we have assessed that:

  • no less privacy-intrusive alternative is as effective;
  • the expected benefits to our clients, the public, or us substantially outweigh the privacy risks; and
  • the processing is proportionate, taking account of cultural considerations (including any impacts on Māori).

Biometric Information will be collected directly from you, where practicable.

We will not:

  • use Biometric Information for any type of biometric processing other than that expressly notified to you;
  • use Biometric Information for biometric categorisation; and
  • combine Biometric Information with other datasets for unrelated profiling.

Contacting Us

You have the right to ask for a copy of any personal information we hold about you, and to ask for it to be corrected if you think it is wrong or outdated.

If you’d like to ask for a copy of your information, to have it corrected, or raise any concerns or complaints, please contact our Privacy Officer by email at info@k3.co.nz, or by phone on (09)366 1366, or by post to PO Box 2137, Auckland 1140. We will respond as quickly as possible and handle any complaints or queries you may have in a way that is fair and consistent. However, if you remain dissatisfied, you can make a formal complaint with Office of the Privacy Commissioner.

We will review your request as soon as reasonably practicable to comply with our legal obligations. If we are unable to give you access to the information you have requested, we will give you reasons for this decision when we respond to your request.

Where you request copies of your personal information, we will provide this, though you will meet our costs in doing so on the basis of time spent to locate your personal information, physically redact it (if relevant) and provide it to you in accordance with our most recent hourly charge out rates.

Marketing

We are committed to complying with the Unsolicited Electronic Messages Act 2007.

By subscribing to emails and/or text communications, or otherwise providing your email address and/or mobile number, you consent to receiving emails and/or texts (as the case may be) which promote and market our products and services, or the products and services of others, from time to time.

You can unsubscribe from our email communications and/or text communications at any time by clicking the “Unsubscribe” link in any promotional or marketing email or text received or by emailing info@k3.co.nz.

Once you have unsubscribed from the email or text communications, you will be removed from the corresponding marketing list as soon as is reasonably practicable.

Security

We take reasonable steps to protect the security of your personal information.

We do this by use of appropriate physical security, including third party data storage facilities, and restricted access to both electronic and hard copy records. All K3 Legal personnel are required to access personal information for work-related purposes only, to respect the confidentiality of personal information and the underlying privacy of individuals.

We have reasonable security measures in place to prevent the loss, misuse and alteration of information under our control. Our systems are subject to ongoing monitoring (including activity logging), analysis and auditing, which are intended to maintain information security. All of our personnel are also obliged to maintain the security of the information they access, for example by not disclosing passwords and PIN information to any other persons.  We also implement physical security measures and restrict access to electronic records.

We may use information about your use of our Website and other IT systems to prevent unauthorised access or attacks on these systems or to resolve such events. We may use this information even if you are not involved in such activity.  We may also utilise services from one or more third party suppliers to monitor or maintain the cyber security of our systems and information. These third party suppliers may have access to monitoring and logging information as well as information processed on our Website and other systems.

If your personal information is subject to unauthorised or accidental access, disclosure, alteration, loss or destruction or actions which prevent us from accessing it on a temporary or permanent basis (each event being a Privacy Breach), and such Privacy Breach is likely to cause you serious harm, we will notify you and the Privacy Commissioner in accordance with our obligations under the Act/

Updates to this Privacy Policy

This Privacy Policy will be reviewed from time to time to take account of new legislation and technology, changes to our operations and practices, and the changing business environment. Changes to this Privacy Policy will be notified by posting an updated version on our Website. It is your responsibility to check our Website periodically for changes to this Privacy Policy and to keep your contact information current.

Your continued use of our Services following notification of any changes to this Privacy Policy constitutes acceptance of those changes. If you do not agree with any aspect of the updated Privacy Policy, you must immediately cease all use of our Services.

Last updated: May 2025

Contact us