Skip to main content

Privacy

Privacy Policy

Last updated: 23 May 2026 · Issued under the New Zealand Privacy Act 2020

Quick answers

What you probably want to know first.

Do you record calls?
Yes, by default. The AI tells the caller at the start. The Subscriber may disable recording on request.
Do you sell my data?
No. We do not sell Personal Information in any form, including anonymised or aggregated data, and we do not use it for advertising. Selling data is not part of our business model.
Where is data stored?
Personal Information is processed by a network of contracted service providers, including providers located in the United States, the European Union, Australia, and New Zealand. See Section 8 for the framework governing cross-border transfer.
Can I delete my data?
Yes. Submit a request to tamakiaiagency@gmail.com. We will respond within 20 working days, the statutory maximum under the Privacy Act 2020.
Who do I complain to?
Contact us first. If we cannot resolve your concern, you may escalate to the Office of the Privacy Commissioner.

This summary is provided for the convenience of the reader. The binding terms are set out in Sections 1 to 18 below. In the event of any inconsistency, the long-form text prevails.

1. About this Policy

This Privacy Policy (the “Policy”) is issued by Tamaki AI (“Tamaki AI”, “we”, “us”, “our”), an unincorporated business based in Tāmaki Makaurau / Auckland, Aotearoa New Zealand, providing artificial-intelligence-enabled telephony reception services (the “Services”) to business customers (each, a “Subscriber”).

This Policy sets out the manner in which Tamaki AI collects, holds, uses, discloses, and otherwise processes Personal Information (as defined in section 7 of the Privacy Act 2020) in the course of providing the Services, operating the website located at tamakiai.co.nz (the “Website”), and conducting related commercial activities.

This Policy applies to three categories of natural persons: (a) representatives of Subscribers, (b) third-party callers who interact with the Services by telephoning a Subscriber (each, a “Caller”), and (c) visitors to the Website. It should be read together with our Terms of Service and any executed service order or trial agreement, which together constitute the agreement between the parties (the “Agreement”).

2. Definitions and interpretation

In this Policy, unless the context otherwise requires, the following capitalised terms have the meanings ascribed below. All other capitalised terms have the meaning given in the Agreement or the Privacy Act 2020.

  • Personal Information has the meaning given in section 7 of the Privacy Act 2020, being information about an identifiable individual.
  • Call Data means any audio recording, transcript, metadata, AI-extracted booking or message data, call timestamp, call duration, calling line identification, and related information generated when a Caller interacts with the Services.
  • Sub-Processormeans any third party engaged by Tamaki AI to process Personal Information on Tamaki AI’s behalf in connection with the Services. A categorical description of Sub-Processors is set out at Section 7.
  • IPP means an Information Privacy Principle set out in Part 3 of the Privacy Act 2020. The full text of the thirteen IPPs is published by the Office of the Privacy Commissioner.
  • Notifiable Privacy Breach has the meaning given in section 112 of the Privacy Act 2020, being a privacy breach that it is reasonable to believe has caused or is likely to cause serious harm to an affected individual.
  • Applicable Law means the laws of New Zealand and any other laws, statutes, ordinances, regulations, rules, codes, orders, or requirements of any governmental or regulatory authority applicable to the activities contemplated by this Policy.

3. Categories of Personal Information collected

Tamaki AI collects the following categories of Personal Information for the purposes set out at Section 4 and in accordance with IPP 1 (Purpose), IPP 2 (Source), and IPP 4 (Manner of collection):

3.1 Subscriber Information

  • Legal entity name, New Zealand Business Number (NZBN), trading name
  • Authorised representative name, business email, business telephone
  • Business configuration data including operating hours, services, frequently-asked questions, and call-routing destinations
  • Billing information processed by a third-party payment infrastructure provider (Tamaki AI does not retain payment card data)
  • Support correspondence and account activity logs

3.2 Call Data

  • Calling line identification transmitted by the Caller’s telecommunications carrier
  • Call audio recording, where the Subscriber has enabled recording
  • AI-generated transcript of the call
  • Information voluntarily disclosed by the Caller during the call, which may include name, contact details, scheduling information, and the substance of the enquiry
  • Call metadata including timestamp, duration, language detected, and disposition

Tamaki AI collects and processes Call Data in the capacity of an agent acting on behalf of the relevant Subscriber. The Subscriber is the agency responsible for the underlying collection and is the appropriate point of contact for IPP 6 (Access) and IPP 7 (Correction) requests in respect of Call Data.

3.3 Website Information

  • Page-level analytics including device type, browser, approximate geographic location, and referrer
  • Internet protocol address, which is anonymised after thirty (30) days
  • Information submitted through the contact, demonstration, or enquiry forms
  • Cookie identifiers, as further described at Section 11

4. Purposes for processing Personal Information

Tamaki AI processes Personal Information for the following purposes (and for no incompatible secondary purpose, save as expressly permitted under IPP 10):

  • To establish, deliver, and improve the Services, including configuration, voice synthesis, conversational AI processing, and integration with Subscriber systems
  • To process inbound calls, generate transcripts, and extract structured data such as bookings, messages, and enquiries
  • To notify Subscribers of call activity through email, SMS, or messaging channels
  • To process payments, issue tax invoices, and maintain financial records as required under the Tax Administration Act 1994 and related fiscal legislation
  • To respond to support enquiries and to manage the commercial relationship with Subscribers
  • To perform aggregated, de-identified analysis for the purpose of improving the operational performance, reliability, and accuracy of the Services
  • To comply with Applicable Law, including responses to lawful requests from regulators, courts of competent jurisdiction, and law-enforcement agencies

For the avoidance of doubt, Tamaki AI does not, and will not, sell Personal Information to any third party in any form, whether identified, anonymised, or aggregated, and does not use Personal Information for advertising or marketing attribution purposes.

5. Lawful basis for collection and processing

The Privacy Act 2020 does not require an enumerated lawful basis in the manner of comparable European legislation; however, Tamaki AI relies on the following IPPs as the framework governing its activities:

  • Subscriber Information: collected with consent and for the purpose of administering the Agreement, in accordance with IPP 1 and IPP 3
  • Call Data: processed on behalf of the Subscriber for the purpose of delivering the receptionist service to which the Caller has elected to connect, in accordance with IPP 1, IPP 3, and IPP 10
  • Website Information: processed for the legitimate operational interests of Tamaki AI, including site analytics, security, and the response to user enquiries

Detailed guidance on the IPPs is published by the Office of the Privacy Commissioner and is available at privacy.org.nz/responsibilities/privacy-act-2020/privacy-principles.

6. Call recording, AI disclosure, and Caller obligations

Tamaki AI’s Services rely on automated call answering and recording. The following provisions apply to all Callers by virtue of their election to remain connected after the opening disclosure of the Services.

  • AI disclosure. The Services identify themselves as an automated virtual receptionist at the commencement of each call. A Caller who enquires whether they are speaking with a natural person will receive an honest negative response.
  • Recording disclosure. Where the relevant Subscriber has enabled recording, the Services notify the Caller at the commencement of the call. By continuing the call after such notification, the Caller is deemed to have consented to the recording for the purposes of section 216B(2)(a) of the Crimes Act 1961.
  • Right to disconnect. Any Caller who does not wish to be recorded or to interact with an automated system may terminate the call or request transfer to a natural person where the Subscriber has configured such transfer.
  • Accuracy limitations. The Services may misinterpret names, contact information, dates, or other particulars. Callers and Subscribers are advised to verify any material information independently prior to relying upon it. The limitation of liability at Section 15 applies without limitation to any loss arising from such misinterpretation.
  • Sensitive information. Callers should refrain from disclosing information of a sensitive nature (including, without limitation, health information, financial account details, government identifiers, or other information attracting heightened statutory protection) unless expressly solicited by the Services.

7. Sub-Processors and the Sub-Processor framework

To deliver the Services, Tamaki AI engages a network of specialised third-party service providers, each of which has been selected on the basis of its public commitments to information security and data protection. Sub-Processors are categorised as follows for transparency purposes, without naming individual providers in this Policy in order to preserve commercial confidentiality and the integrity of Tamaki AI’s service architecture:

  • Conversational AI and large-language-model infrastructure providers (United States) — the platforms that generate the AI’s conversational behaviour and transcription output.
  • Voice synthesis providers (United States) — the platforms that render the AI’s spoken voice.
  • Telephony and short-message carriers (United States, Australia, New Zealand) — the carriers that route inbound calls and outbound notifications.
  • Payment processing providers (United States, New Zealand) — the platforms that process Subscriber payments and store payment-instrument credentials in compliance with the Payment Card Industry Data Security Standard.
  • Calendaring and scheduling providers (United States) — the platforms that handle appointment booking.
  • Productivity and messaging providers (United States, Global) — the platforms providing Subscriber-facing call logging, email, and document services.
  • Workflow-automation providers (European Union) — the integration platform connecting the components of the Services.
  • Cloud-hosting and edge-delivery providers (United States, Global) — the providers hosting the Website and supporting infrastructure.
  • Analytics providers (United States) — the providers performing aggregated Website behaviour analytics, with no use of advertising identifiers.

An itemised list of current Sub-Processors, including legal entity names, jurisdictions of incorporation, and published data-protection terms, is maintained internally by Tamaki AI and will be provided to any active Subscriber upon written request to the Privacy Officer, in either case subject to the confidentiality obligations of the Agreement. A list may also be provided to a regulator, court of competent jurisdiction, or law-enforcement agency upon receipt of a lawful request.

Tamaki AI reserves the right to add, remove, or substitute Sub-Processors in its sole discretion, provided that any material change to the categories described above shall be notified to active Subscribers by electronic mail not less than fourteen (14) days prior to the change taking effect.

8. Cross-border disclosure of Personal Information

By reason of the global distribution of the Sub-Processors described at Section 7, Personal Information collected through the Services is, or may be, transferred to and processed in jurisdictions outside of New Zealand, principally including the United States, the European Union, Australia, and other jurisdictions in which Sub-Processors operate infrastructure.

Such cross-border disclosure is undertaken in compliance with IPP 12 of the Privacy Act 2020. Tamaki AI relies on the following safeguards:

  • Selection of Sub-Processors that have published commitments to information-security and data-protection standards comparable to those required by the Privacy Act 2020
  • Reliance on Sub-Processor representations and certifications without independent audit by Tamaki AI
  • Encryption of Personal Information in transit and, where supported by the Sub-Processor, at rest
  • Configuration of Sub-Processor controls to disable model-training or analogous secondary uses of Call Data where such controls are made available
  • Disclosure to Sub-Processors limited to the minimum information reasonably required to perform the function for which the Sub-Processor has been engaged

By using the Services, the relevant Caller and Subscriber authorise the cross-border transfer of Personal Information described in this Section 8. A Caller who does not consent to such transfer should not place a call to a telephone number serviced by Tamaki AI. Further guidance on cross-border disclosure under the Privacy Act 2020 is published at privacy.org.nz/responsibilities/privacy-act-2020/cross-border-data-flows.

9. Retention of Personal Information

Personal Information is retained for the period required to fulfil the purposes for which it was collected, to comply with Applicable Law, and to give effect to the limitation periods set out in the Limitation Act 2010, subject to the following indicative retention periods:

  • Subscriber Information: for the duration of the Agreement and a reasonable period thereafter
  • Call audio recordings: ninety (90) days from the date of the call, unless the Subscriber has elected a different retention period
  • Call transcripts and AI-extracted data: twelve (12) months from the date of the call, unless the Subscriber has elected a different retention period
  • Financial records: seven (7) years, as required by section 22 of the Tax Administration Act 1994 and related fiscal legislation administered by Inland Revenue
  • Personal Information of cancelled Subscribers: deleted ninety (90) days following termination of the Agreement, subject to the financial-record exception above
  • Website analytics: aggregated indefinitely; individual session data anonymised after thirty (30) days

Tamaki AI will, on reasonable request and to the extent permitted by Applicable Law, accommodate earlier deletion of Personal Information.

10. Rights of individuals under the Privacy Act 2020

Subject to the exceptions set out at sections 49 to 53 of the Privacy Act 2020 (including, without limitation, the exceptions relating to legal professional privilege, third-party privacy, and information that is evaluative material), an individual has the following rights in respect of Personal Information held by Tamaki AI:

  • The right to confirmation of whether Tamaki AI holds Personal Information about the individual and to access that information (IPP 6)
  • The right to request correction of Personal Information that the individual considers inaccurate (IPP 7)
  • The right to request deletion of Personal Information, to the extent permitted by Applicable Law and contractual obligations to third parties
  • The right to opt out of marketing communications at any time
  • The right to lodge a complaint with Tamaki AI in the first instance
  • The right to lodge a complaint with the Office of the Privacy Commissioner in the event that Tamaki AI’s response is, in the view of the complainant, unsatisfactory

Requests under this Section 10 should be directed to the Privacy Officer at tamakiaiagency@gmail.com. Tamaki AI will respond within twenty (20) working days, in accordance with section 40 of the Privacy Act 2020. Tamaki AI may, in accordance with section 66 of the Privacy Act 2020, charge a reasonable fee for repeated, voluminous, or manifestly unreasonable requests.

A Caller seeking to exercise rights in respect of Call Data is directed in the first instance to the Subscriber on whose behalf the Call Data was collected, the Subscriber being the agency responsible for the underlying collection under the Privacy Act 2020.

11. Cookies, tracking technologies, and Website analytics

The Website uses cookies and analogous tracking technologies to facilitate site operation and to perform aggregated behavioural analytics. The categories of cookies used are:

  • Strictly necessary cookies: required for the operation of the Website and not subject to consent
  • Analytics cookies: operated by third-party analytics providers (as further described at Section 7) for the purpose of measuring aggregate site usage

The Website does not deploy advertising cookies, retargeting pixels, or cross-site tracking identifiers. Users may configure cookie preferences through the cookie banner or through their browser settings.

12. Direct marketing communications

Tamaki AI may from time to time send electronic communications to Subscribers in relation to new features, service improvements, account matters, and invoicing. Marketing communications include an unsubscribe mechanism in accordance with the Unsolicited Electronic Messages Act 2007. Operational and transactional communications relating to the Services (including, without limitation, invoices, call notifications, and security notices) are integral to the provision of the Services and may not be opted out of for the duration of the Agreement.

Tamaki AI does not send marketing communications by short message service (SMS) without the prior express opt-in of the recipient.

13. Information concerning minors

The Services are intended for use by business entities and their authorised representatives. Tamaki AI does not knowingly collect Personal Information directly from individuals under the age of sixteen (16).

Where a minor places an inbound call to a Subscriber telephone number serviced by Tamaki AI, the resulting Call Data is collected on behalf of the Subscriber and is treated in accordance with the Subscriber’s own privacy obligations. Notification of the inadvertent collection of a minor’s Personal Information may be directed to the Privacy Officer at tamakiaiagency@gmail.com.

14. Subscriber privacy obligations

In the relationship between Tamaki AI and the Subscriber, Tamaki AI processes Call Data on behalf of, and at the direction of, the Subscriber. The Subscriber is, for the purposes of the Privacy Act 2020, the agency that collects the Personal Information of its Callers. Accordingly, by entering into the Agreement, the Subscriber represents, warrants, and undertakes that:

  • The Subscriber has a lawful basis under the Privacy Act 2020 to receive, hold, and use the Personal Information that Callers disclose to the Services
  • The Subscriber will, through its own public-facing channels and through the AI’s opening line, inform its Callers that calls may be answered by an automated system and may be recorded
  • The Subscriber will respond, at its own cost, to access, correction, and deletion requests made by its Callers under IPPs 6 and 7
  • The Subscriber will not use the Services for any purpose contrary to Applicable Law, including any use prohibited by the Unsolicited Electronic Messages Act 2007 or the Fair Trading Act 1986
  • The Subscriber shall indemnify Tamaki AI in respect of any claim, loss, or liability arising from the Subscriber’s own privacy practices, including any claim made by a Caller in respect of the Subscriber’s handling of Personal Information following its delivery by the Services

15. Service limitations and limitation of liability

The Services are provided on an “as is” and “as available” basis. To the maximum extent permitted by Applicable Law, Tamaki AI makes no representation, warranty, or condition (whether express or implied) as to the fitness of the Services for the Subscriber’s particular purpose, the accuracy of AI-generated output, or the uninterrupted operation of the Services. Further:

  • AI accuracy. The Services may misinterpret information communicated during a call. The Subscriber and Caller bear sole responsibility for the independent verification of material information prior to acting upon it.
  • Sub-Processor dependence. The availability and accuracy of the Services is contingent upon the continued operation of the Sub-Processors described at Section 7. Outages, degradation, or termination of any Sub-Processor are events of Force Majeure within the meaning of the Terms of Service.
  • Limitation of liability. Without prejudice to the foregoing and subject to the limitation set out in the Terms of Service, the aggregate liability of Tamaki AI to any Subscriber arising out of or in connection with the Services is, to the maximum extent permitted by Applicable Law, limited to an amount equal to the fees actually paid by that Subscriber to Tamaki AI during the twelve (12) months immediately preceding the event giving rise to the claim.
  • Consumer Guarantees Act. Nothing in this Policy or the Terms of Service excludes, restricts, or modifies any right or remedy that a Subscriber, in its capacity as a consumer, may have under the Consumer Guarantees Act 1993 or the Fair Trading Act 1986. Where the Services are acquired for the purposes of a business, the parties acknowledge and agree that they have contracted out of the Consumer Guarantees Act 1993 pursuant to section 43 of that Act.
  • Governing law. This Policy is governed by, and shall be construed in accordance with, the laws of New Zealand. The parties submit to the exclusive jurisdiction of the New Zealand courts.

16. Notifiable Privacy Breach procedure

In the event of a Notifiable Privacy Breach (as defined in section 112 of the Privacy Act 2020), Tamaki AI shall undertake the following actions in accordance with Part 6 of the Privacy Act 2020 and the guidance published by the Office of the Privacy Commissioner:

  • Notification of affected individuals as soon as practicable, in a manner reasonably calculated to inform such individuals of the nature of the breach and the steps available to mitigate any resulting harm
  • Notification of the Office of the Privacy Commissioner as soon as practicable, in accordance with section 117 of the Privacy Act 2020
  • Investigation of the cause of the breach and implementation of remedial measures reasonably designed to prevent its recurrence
  • Provision of a written incident summary to affected Subscribers

The decision as to whether a privacy breach amounts to a Notifiable Privacy Breach is to be made by Tamaki AI, acting reasonably and on the basis of the criteria set out in sections 112 and 113 of the Privacy Act 2020, taking account of the guidance published by the Office of the Privacy Commissioner from time to time.

17. Privacy Officer and contact details

In accordance with section 201 of the Privacy Act 2020, Tamaki AI has designated a Privacy Officer with responsibility for the encouragement of compliance with the IPPs, the management of privacy enquiries and complaints, and the management of Tamaki AI’s response to regulatory enquiries from the Office of the Privacy Commissioner.

Privacy Officer: Tipasy Tim, Co-founder.

All privacy enquiries, access requests, correction requests, deletion requests, complaints, and Notifiable Privacy Breach notifications should be directed to:

Tamaki AI — Office of the Privacy Officer
Email: tamakiaiagency@gmail.com
Telephone: 021 0906 0600
Postal address: Auckland, Aotearoa New Zealand

In the event of dissatisfaction with Tamaki AI’s response, an individual may direct a complaint to the independent regulator:

Office of the Privacy Commissioner / Te Mana Mātāpono Matatapu
Website: privacy.org.nz
Complaints portal: privacy.org.nz/your-rights/making-a-complaint

18. Amendments to this Policy

Tamaki AI reserves the right to amend, modify, supplement, or replace this Policy from time to time in its sole discretion. Material amendments shall be notified to active Subscribers by electronic mail to the registered email address not less than fourteen (14) days prior to the effective date of such amendment. Continued use of the Services following the effective date constitutes acceptance of the amended Policy.

The “Last updated” date appearing at the head of this Policy reflects the date of the most recent amendment. Prior versions of the Policy are maintained internally by Tamaki AI and may be provided to an active Subscriber upon written request.

This Policy is to be read in conjunction with the Terms of Service. In the event of any inconsistency between this Policy and the Terms of Service, the Terms of Service shall prevail in respect of contractual matters and this Policy shall prevail in respect of privacy-related matters.

This Policy is provided in good faith and reflects Tamaki AI’s interpretation of the obligations applicable to it under the New Zealand Privacy Act 2020 and related legislation. Nothing in this Policy constitutes legal advice. Persons intending to rely on this Policy in a contractual, regulatory, or contentious matter are advised to seek independent advice from a New Zealand qualified legal practitioner.