FlexiTime Privacy Policy

This Privacy Policy sets out our commitment to protecting the privacy of personal data provided to us, or otherwise collected by us, including through this website and our software. 

When we collect, store and use your personal data, we do so in accordance with the rules set down in the New Zealand Privacy Act 2020 (New Zealand Privacy Act) and, to the extent applicable:

  • the Australian Privacy Act 1988 (Cth) (the Australian Privacy Act);

  • the European Union General Data Protection Regulation (EU) 2016/279 (the EU GDPR); and 

  • the UK Data Protection Act 2018 (and the legislation falling within the definition of ‘applicable data protection legislation’ under the UK Data Protection Act 2018 (together, the UK GDPR)); and/or

  • the California Consumer Privacy Act of 2018.

In this Privacy Policy, when we refer to:

  • ‘applicable data protection law’, we mean the data protection and privacy law applicable to our processing of your personal data;

  • ‘personal data’, we mean data about, or relating to, an identified or identifiable individual, and otherwise the meaning given to the term ‘personal data’ or to the term ‘personal information’ by applicable data protection law;

  • ‘processing’, we mean any operation or set of operations that is used on personal data, whether or not by automated means; and

  • ‘Flexitime’, ‘we’, ‘us’, and ‘our’, we mean Flexitime Limited (New Zealand company number 2333570) and its subsidiaries. 

Where we collect, hold, use and disclose your personal data to provide the Flexitime service to your employer, we do so as agent for your employer (in other words, as a ‘processor’ on behalf of your employer, who is the ‘controller’ of the personal data as those terms are recognised under the UK GDPR and the EU GDPR). You should refer to the privacy policy of, and other privacy disclosures made by, your employer to understand how your personal data will be processed by your employer and your rights of access and other rights in respect of such personal data.

Where we collect, hold, use and disclose your personal data to provide any services directly to you, we are the ‘controller’ of your personal data in respect of the circumstances contemplated by this Privacy Policy.


What data do we collect?

We collect personal data when you or your employer provides us with data directly or when you or your employer use our software or website.

The types of personal data that we may collect about you include:

  • your name; 

  • your contact details, including email address, mailing address, street address and/or telephone number;

  • your bank account details and payment data;

  • data about your access and use of our services, including personal data contained in any support queries that you submit to us;

  • your browser session and geo-location data, device, and network data, statistics on page views and sessions, acquisition sources, search queries, and/or browsing behaviour;

  • data about your access and use of our software and website, including through the use of Internet cookies, your communications with our software and website, and the type of browser you are using;

  • your demographic information, such as your postcode, age, and date of birth;

  • your tax details;

  • information you provide us, including electronic copies of your passport and documents confirming your right to work (such as a work visa);

  • information about your wages and earnings relating to work you perform; 

  • notes attached to records provided by your employer (including notes that are personal in nature); and

  • any other information that you provide us, directly or indirectly, through your use of our website, software, or our other services (including through your interactions with us on social media and through other third party applications).

Collecting your personal data is necessary so that you are able to access and use our services. If we do not collect your personal data then we may be unable to provide some or all of our services to you or your employer.


Why do we collect your personal data?

For our UK-based and EU-based users, we have to tell you about the reason that we use your personal data – this is called the ‘lawful basis for processing’. Sometimes, we will ask for your permission to process your personal data in a certain way (for example, to send you marketing emails). Other times, we process your personal data on the basis that we have a legitimate interest in doing so: to provide our services, software, and website to you and to your employer for the purposes described below. 

We may collect, hold, use, and disclose your personal data for the following purposes:

  • to enable you to access and use our website, software, and services or the services of our customers;

  • to enable you or your employer to comply with legal obligations, such as requirements under applicable tax law, employment law, and other laws applicable to time recording, employee leave, and payroll;

  • to contact and communicate with you, including to provide you with important notices and information about our website, software, and services, and respond to your queries;

  • for internal record keeping and administrative purposes;

  • for analytics, market research, and business development, including to operate and improve our website, software, services and associated applications and social media pages; 

  • to verify your identity and to assist you if you forget your username or password; 

  • to assist the website and software to function and to help us debug or fix problems with the website or software;

  • to personalise our website in accordance with your preferences or enhance your user experience of our website or software;

  • to provide you with support in using our software or services; and

  • to comply with our legal obligations and resolve any disputes that we may have.

As previously mentioned, with your consent, we may also use your personal data to provide you with other information (including promotional material and news about our services and third party services). To unsubscribe from our email database or opt-out of communications (including marketing communications), please contact us using the details below or by using the unsubscribe facilities provided in the communication.

We will not use or disclose your personal data except as described in this privacy policy or otherwise in accordance with applicable data protection law.


Data others give us about you

We might receive your personal data from third parties (including your employer) who you have authorised to disclose your personal data to us. 

The collection and disclosure of that personal data by those third parties will be governed by the terms you have agreed with them, and by applicable data protection law.

FlexiTime's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.


Data you give us about other people

We may collect data about someone else from you, if you provide that data to us. 

If you do provide us with someone’s personal data, you must make sure you have that person’s authority to do so and you must make sure that person knows that their data may be used by us in the circumstances set out in this policy.


Who do we share your personal data with?

We may disclose your personal data to third parties such as: 

  • your employer;

  • third party service providers and partners who assist and enable us to use the personal data to, for example, support delivery of or provide functionality on our website or services, or to market or promote our goods and services to you, including IT service providers, data storage, web-hosting and server providers, debt collectors, maintenance or problem-solving providers, marketing or advertising providers, and payment system operators; 

  • regulators, law enforcement bodies, government agencies, courts or other third parties where we think it’s necessary to comply with applicable laws or regulations, or to exercise, establish or defend our legal rights (and where possible and appropriate, we will notify you of this type of disclosure);

  • an actual or potential buyer (and its agents and advisers) in connection with an actual or proposed purchase, merger or acquisition of us or of any part of our business; 

  • other people where you have directed us to share your personal data to those people (such as a third party site or platform); and

  • other people that you (or your employer, on your behalf) have given consent for us to send personal data to.

Once we share your personal data with another person in the above circumstances, the data received by the other person is controlled by that person and becomes subject to the other person’s data protection policies.


Where is your personal data held?

We access and store our data, including any personal data that we collect in respect of you, through our systems and servers located at our head office in New Zealand. New Zealand is a ‘white list’ country for the purposes of both the EU GDPR and the UK GDPR, which means that the privacy protections provided by New Zealand law have been assessed as providing ‘adequate’ protections for personal data transferred to New Zealand.

Some of the personal data that we collect in respect of you is hosted on our behalf on servers maintained by Microsoft Azure, at its data centre in Australia. 

Wherever your personal data is transferred, stored or processed by us, we will take reasonable steps to safeguard the privacy of your personal data. These steps may include implementing standard contractual clauses where recognised by law, obtaining your consent, or other lawful means of transferring personal data.


Your rights 

You have the right to:

  • request access to personal data that we hold about you; and

  • request that we correct personal data that we hold about you. 


Additional rights under the EU GDPR and UK GDPR

In addition to the other rights granted to you, if the EU GDPR or the UK GDPR applies to our collection of personal data from you, then you have the right: 

  • to obtain the rectification of inaccurate personal data concerning you and, taking into account the purposes of our processing, the completion of any incomplete personal data;

  • to receive access to your personal data that you have provided to us in a commonly-used machine-readable format;

  • to restrict processing of your personal data if a basis for doing so exists under the EU GDPR or the UK GDPR;

  • to have any personal data about you erased upon request if it is no longer relevant (the ‘right to be forgotten’);

  • to not be subject to a decision based solely on automated processing, including profiling;

  • to withdraw your consent to the processing of your personal data, where such consent forms the basis for the processing;

  • to lodge a complaint with the appropriate data protection authority. 


How do we protect your personal data?

The security and integrity of your personal data are important to us. We have implemented technical, administrative, and physical security measures that are designed to protect your personal data from unauthorised access, disclosure, use, and modification. 

To prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures such as the pseudonymisation and encryption of personal data, to safeguard and secure personal data and protect it from misuse, interference, loss and unauthorised access, modification and disclosure.


How long do we retain your personal data?

We will retain your personal data for the length of time necessary to fulfil the purposes that we have described in this Privacy Policy, unless a longer retention period is required or permitted by law. 

In the case of data that we hold to help your employer fulfil their legal record keeping obligations under employment law, tax law and other laws applicable to time recording, employee leave, and payroll, this means that we will hold your personal data in accordance with those record keeping obligations (and then for any additional length of time necessary to fulfil the purposes contemplated by this policy).


Cookies and web beacons

We may use cookies on our website occasionally. Cookies are text files placed in your computer’s browser to store your preferences. Cookies, by themselves, do not tell us your email address or other personal data. However, they do allow third parties, such as Google and Facebook, to cause our advertisements to appear on your social media and online media feeds as part of our retargeting campaigns. If and when you choose to provide our website with personal data, this data may be linked to the data stored in the cookie.

Find out more about how we use Cookies in our Cookie Notice.


Links to other websites

Our website may contain links to other websites. We have no control over those websites and we are not responsible for the protection and privacy of any personal data which you provide whilst visiting those websites. Those websites are not governed by this Privacy Policy.



We may amend this Privacy Policy from time to time, in which case this Privacy Policy as amended will supersede prior versions. We will make reasonable efforts to notify you prior to the effective date of any such amendment and your continued use of the Services following the effective date of any such amendment may be relied upon by Flexitime as your consent to any such amendment.


Contacting us

If you wish to exercise your rights under Applicable Data Protection Law, or if you have any questions, please contact our Privacy Officer at: 

Mailing address: FlexiTime Limited, 11 Chews Lane (Level 1), Willis Street, PO Box 10067, Wellington 6143, New Zealand

Email: support@flexitime.works

Version: 2.1
Last update: November 5, 2021