1. About this policy
This Privacy Policy describes how Wana Stay 2025 Limited (NZBN 9429053225986), trading as APEX AI ("APEX AI", "we", "us" or "our"), collects, uses, stores and discloses personal information. We are bound by the New Zealand Privacy Act 2020 and the thirteen Information Privacy Principles (IPPs) set out in that Act.
APEX AI is an automation agency. Our core service is to take databases of leads and customers provided by our business clients and re-engage them through SMS-based automation, with the goal of converting dormant leads into sales for those clients.
This policy applies to three groups of people:
• Our clients — businesses that engage APEX AI and the individuals who deal with us on their behalf;
• End recipients — individuals whose personal information is contained within databases supplied by our clients, and who may receive SMS communications as part of an APEX AI campaign; and
• Website visitors — anyone who visits apexai.co.nz or otherwise interacts with our online presence.
2. Our role under the Privacy Act
In the language of the Privacy Act, APEX AI acts as an agency that holds personal information. We act in two distinct capacities:
• As an independent agency, for personal information about our own clients, prospects, suppliers and website visitors that we collect for our own business purposes (e.g. account management, billing, marketing of APEX AI services).
• On behalf of our clients, for personal information contained in databases that our clients provide to us, so we can run SMS automation campaigns on their behalf. In this capacity, our client is the agency that originally collected the information from the individual, and we handle that information strictly in accordance with our written services agreement and this policy. Our client remains responsible for ensuring the information was collected lawfully and for honouring opt-outs and access requests received directly by them.
3. Information that we collect
3.1 From our clients
When you engage APEX AI as a client, or enquire about our services, we may collect:
• Identification and contact details (name, business name, role, email, phone, postal address);
• Account and billing information (payment details, GST number, invoicing contact);
• Records of our communications with you (emails, calls, meeting notes, support requests);
• Information you provide during onboarding about your business, target customers, offers and campaign goals.
3.2 From end recipients (your customers and leads)
When a client uploads or grants us access to a database, that database typically contains personal information about end recipients, which may include:
• Name and contact details (mobile phone number, email, postal address);
• Engagement history with the client (e.g. previous enquiries, quotes, purchases, appointment history, status as an active or dormant lead);
• Demographic or segmentation information the client has captured (e.g. location, product interest);
• Records of SMS messages sent and received as part of an APEX AI campaign, including replies, opt-outs, click-throughs on links contained in messages, and conversational AI responses generated on the client’s behalf.
We do not knowingly seek sensitive information (such as health, racial or ethnic origin, religious beliefs, sexual orientation, or biometric data) from end recipients, and we ask our clients not to upload such information to our systems.
3.3 From website visitors
When you visit apexai.co.nz, we may collect:
• Information you actively provide via contact, booking or demo-request forms (name, email, phone, business and message);
• Technical information automatically collected by your browser, such as IP address, device type, browser type, referring URL, pages viewed, and the date and time of your visit;
• Cookie and analytics data — see section 10 (Cookies and analytics) below.
4. How we collect personal information
We collect personal information:
• Directly from you when you contact us, sign up, request a demo, sign a services agreement, or correspond with our team;
• From our clients, when they share customer or lead data with us so we can perform the services they have engaged us for;
• Automatically, when you interact with our website, our SMS platforms, or links contained in messages we send on a client’s behalf;
• From third-party tools and sub-processors we use to deliver our services (for example, SMS gateways, CRM platforms, analytics tools, and AI providers — see section 7 below).
5. Why we collect personal information and how we use it
We collect and use personal information for the following purposes:
• Providing our services — designing, configuring, running and optimising SMS automation campaigns on behalf of our clients, including triggering message sequences, handling replies, and reporting on results.
• Account administration — managing client accounts, billing, contracts and support.
• Communicating with you — responding to enquiries, sending service-related notifications and, where you have opted in or where we are otherwise permitted, sending marketing communications about APEX AI.
• Product improvement — analysing aggregated and de-identified campaign performance data to improve our service, copywriting, and automation logic.
• Security and fraud prevention — monitoring for misuse of our systems, preventing spam and abuse, and protecting our clients and end recipients.
• Legal and regulatory obligations — complying with NZ law, including tax and record-keeping obligations and responding to lawful requests from authorities.
We will not use personal information for a purpose other than the one for which it was collected unless we have your authorisation, the new use is directly related to the original purpose, or another exception under the Privacy Act applies.
6. SMS, voice marketing and electronic messages
SMS messages sent by APEX AI on behalf of a client are commercial electronic messages and are subject to the Unsolicited Electronic Messages Act 2007 (UEMA), administered by the Department of Internal Affairs.
Our practice is that:
• We require our clients to confirm in writing that every individual in a database they supply has given consent (express or inferred) to receive commercial electronic messages from that client, in line with UEMA;
• Every commercial SMS we send on a client’s behalf clearly identifies the client as the sender and includes a functional unsubscribe mechanism (such as replying STOP) at no cost to the recipient beyond the recipient’s standard message rate;
• Unsubscribe requests are processed promptly and, in any event, within five (5) working days, and the relevant phone number is suppressed from all future campaigns we run for that client;
• We do not use harvested address lists or address-harvesting software.
If you receive an SMS that you believe was sent in breach of UEMA, please contact us at https://apexai.co.nz/contact and we will investigate.
7. Who we share personal information with
We share personal information only where necessary, and only with parties bound by appropriate confidentiality and security obligations. Categories of recipients include:
• Our clients — for personal information collected in the course of providing services, the relevant client receives campaign data, replies, opt-outs and conversion information for their own records.
• Sub-processors and service providers — we rely on a limited set of third parties to deliver our service, which may include: SMS gateway providers Twilio, ClickSend, CRM and automation platforms (e.g. [CRM PLATFORM, e.g. GoHighLevel, HubSpot]), AI / large language model providers (e.g. Anthropic, OpenAI, Google Gemini), cloud hosting and storage providers (e.g. AWS, Google Cloud]), analytics providers, and accounting and payment processors. We require all sub-processors to keep personal information secure and to use it only for the purposes for which we engaged them.
• Professional advisors — our lawyers, accountants and auditors, where reasonably required.
• Authorities and others — where we are required by law, where disclosure is necessary to prevent or investigate a serious threat, or where you have authorised disclosure.
• Successors — in connection with a sale, merger, restructure or insolvency of APEX AI, in which case we will take reasonable steps to ensure the recipient is bound by privacy obligations no less protective than this policy.
We do not sell personal information.
8. Sending information overseas
Some of the sub-processors listed above are located outside New Zealand (commonly in the United States, Australia, or the European Union). When we disclose personal information to an overseas recipient, we comply with Information Privacy Principle 12 of the Privacy Act 2020. Specifically, we will only do so where one or more of the following applies: (a) the individual has authorised the disclosure after being expressly informed that the recipient may not be required to protect the information in a way that provides comparable safeguards to those in the Privacy Act; (b) the overseas recipient is in a country with comparable privacy laws or is bound by binding privacy rules or contractual safeguards that provide comparable protection; or (c) another exception in IPP 12 applies.
A current list of our key overseas sub-processors and the countries in which they hold data is available on request from https://apexai.co.nz/contact.
9. How we keep your information secure
We take reasonable technical and organisational steps to protect personal information from loss, misuse, unauthorised access, modification or disclosure. These include:
• Encryption of data in transit (TLS) and, for stored databases, encryption at rest where supported by our sub-processors;
• Access controls and unique user accounts for staff, with access to client databases limited to those who need it to perform their role;
• Multi-factor authentication on administrative accounts;
• Vendor due diligence on sub-processors with access to personal information;
• Logging and monitoring of access to client systems and databases.
No system is completely secure. If we become aware of a privacy breach that has caused, or is likely to cause, serious harm to an affected individual, we will notify the Office of the Privacy Commissioner and affected individuals as required by the Privacy Act 2020.
10. Cookies and website analytics
Our website uses cookies and similar technologies to make the site work, remember your preferences, and help us understand how visitors use the site. We may use analytics products such as Google Analytics 4 and conversion-tracking pixels from advertising platforms such as Meta, Google Ads.
You can configure your browser to refuse cookies or to alert you when cookies are being sent. If you disable cookies, some parts of our website may not function correctly.
11. How long we keep personal information
We keep personal information only for as long as we have a lawful purpose for holding it. As a guide:
• Client account and billing records are retained for at least seven (7) years after the end of our engagement, in line with NZ tax and record-keeping requirements;
• Databases supplied by clients for use in campaigns are retained for the duration of our engagement with that client, and are deleted or returned within 30 days of termination, except where we are required to retain certain records (e.g. evidence of opt-outs);
• Website analytics data is kept in line with the retention settings of our analytics provider.
12. Your rights
Under the Privacy Act 2020, you have the right to:
• Access — request confirmation of whether we hold personal information about you, and to obtain a copy of that information;
• Correction — request that we correct personal information about you that you believe is wrong, or attach a statement of correction if we decline;
• Withdraw consent — opt out of marketing communications at any time, including by replying STOP to any SMS;
• Complain — raise a privacy complaint with us, or with the Office of the Privacy Commissioner.
Where personal information about you is held in a database we manage on behalf of one of our clients, your primary point of contact is that client (the agency that originally collected your information). You are also welcome to contact us, and we will pass your request on to the relevant client and assist with handling it.
To exercise any of these rights, please contact us via https://apexai.co.nz/contact. We may need to verify your identity before responding. We will respond within twenty (20) working days, as required by the Privacy Act.
13. Children
Our services are directed at businesses, not at children. We do not knowingly collect personal information from anyone under the age of sixteen (16). If you believe a child has provided us with personal information, please contact us so we can delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. The current version will always be available at apexai.co.nz/privacy. Where changes are material, we will take reasonable steps to notify affected individuals — for example, by email or a notice on our website.
15. Contact us and complaints
If you have any questions, requests or concerns about this policy or about how we handle personal information, please contact us:
APEX AI (Wana Stay 2025 Limited)
Privacy Officer: Dan Ballard
Email: [email protected]
Postal address: Sidekick, Spencer House Mall, 31 Dunmore Street, Wanaka, 9305 NZ