Privacy Policy
This Privacy Policy explains how Kneerefine collects, uses, stores, and protects personal data when you visit our website or use our services. We are committed to transparency and compliance with applicable data protection legislation, including the General Data Protection Regulation (GDPR) where it applies and the New Zealand Privacy Act 2020.
1. Data Controller Information
The data controller responsible for your personal information is:
Kneerefine
7 Queen Street, Auckland CBD, Auckland 1010, New Zealand
Email: admin@kneerefine.world
Phone: +64 9 300 7446
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us using the details above. We will respond to legitimate requests within the timeframes required by applicable law, typically within 30 days for GDPR-related requests.
2. Scope of This Policy
This Privacy Policy applies to all personal data collected through the website kneerefine.world, including when you browse our pages, submit contact forms, purchase educational products, enroll in programs, or interact with our cookie consent tools. It does not apply to third-party websites linked from our pages, which maintain their own privacy practices.
By using our website, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as a legal basis for processing, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
3. Categories of Personal Data We Collect
3.1 Information You Provide Directly
When you contact us, purchase products, or enroll in programs, we may collect:
- Full name
- Email address
- Phone number (if provided)
- Message content and inquiry details
- Billing and payment information (processed through secure third-party payment providers)
- Program preferences and dietary notes you voluntarily share during guidance sessions
3.2 Information Collected Automatically
When you visit our website, we may automatically collect certain technical data, including:
- IP address (which may be anonymised depending on your cookie preferences)
- Browser type and version
- Operating system
- Referring URL and pages visited on our site
- Date and time of access
- Device identifiers and screen resolution
Automatic collection occurs primarily through cookies and similar technologies. See our Cookie Policy for detailed information about the cookies we use and how to manage your preferences.
3.3 Special Categories of Data
We do not intentionally collect special categories of personal data as defined under GDPR Article 9 (such as data concerning health, racial or ethnic origin, or religious beliefs). If you voluntarily share health-related dietary information during a guidance session, we treat it with heightened care and process it only with your explicit consent and solely for the purpose of delivering the requested educational service.
4. Purposes and Legal Bases for Processing
We process personal data only where a valid legal basis exists. The subsections below summarise our primary processing activities:
4.1 Responding to Inquiries
Purpose: To read, respond to, and follow up on messages submitted through our contact form or email.
Legal basis: Legitimate interest in communicating with prospective and existing clients, or consent where you tick the GDPR checkbox on our contact form.
Data used: Name, email, message content.
4.2 Delivering Services and Products
Purpose: To provide guidance sessions, custom meal frameworks, educational products, and program enrollment.
Legal basis: Performance of a contract or steps taken at your request prior to entering a contract.
Data used: Contact details, payment information, session notes, program participation data.
4.3 Website Analytics and Improvement
Purpose: To understand how visitors use our website, identify popular content, and improve user experience.
Legal basis: Consent (analytics cookies are only activated after you accept them via our cookie banner).
Data used: Anonymised or pseudonymised usage data, page views, session duration.
4.4 Marketing Communications
Purpose: To send information about new guides, programs, or educational content that may interest you.
Legal basis: Consent. We do not send marketing emails without your explicit opt-in.
Data used: Email address, communication preferences.
4.5 Legal Compliance and Security
Purpose: To comply with legal obligations, prevent fraud, protect our rights, and maintain website security.
Legal basis: Legal obligation and legitimate interest in protecting our business and users.
Data used: IP addresses, access logs, transaction records.
5. Data Retention Periods
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required by law. Our standard retention periods are:
- Contact form submissions: 24 months from the date of submission, unless an ongoing business relationship exists.
- Customer and transaction records: 7 years from the date of the last transaction, in accordance with New Zealand tax and accounting requirements.
- Guidance session notes: 3 years from the date of the last session, unless you request earlier deletion.
- Marketing consent records: Duration of consent plus 3 years for audit purposes.
- Analytics data: 26 months from collection, aligned with common analytics platform defaults.
- Server access logs: 90 days, unless required for security investigations.
- Cookie consent preferences: 12 months, after which we will ask for your preferences again.
When retention periods expire, data is securely deleted or anonymised so it can no longer be associated with you.
6. Data Sharing and Third-Party Processors
We do not sell your personal data. We share data with third parties only in the following circumstances:
- Service providers: Hosting providers, email delivery services, payment processors, and analytics platforms that process data on our behalf under strict data processing agreements.
- Legal requirements: When required by law, court order, or governmental authority.
- Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity with prior notice to affected users.
All third-party processors are required to implement appropriate technical and organisational measures to protect your data and process it only according to our instructions. Where data is transferred outside the European Economic Area or to countries without an adequacy decision, we implement appropriate safeguards such as Standard Contractual Clauses.
7. Security Measures
We implement technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- HTTPS encryption for all data transmitted between your browser and our servers
- Secure hosting infrastructure with regular security updates and monitoring
- Access controls limiting personal data access to authorised personnel only
- Encrypted storage for sensitive records where applicable
- Regular review of security practices and incident response procedures
- Staff training on data protection principles and confidentiality obligations
While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is completely secure. We encourage you to use strong passwords for any accounts and to contact us immediately if you suspect unauthorised access to your data.
8. Your Rights Under GDPR and Applicable Law
Depending on your location and applicable law, you may have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your data where there is no compelling reason for continued processing.
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: Withdraw consent at any time where processing is consent-based.
- Right to lodge a complaint: File a complaint with a supervisory authority. In New Zealand, contact the Office of the Privacy Commissioner. In the EU, contact your local data protection authority.
To exercise any of these rights, email admin@kneerefine.world with the subject line "Data Protection Request" and sufficient information to verify your identity. We may request additional verification to prevent unauthorised disclosure. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
9. Children's Privacy
Our website and services are intended for individuals aged 16 and older. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete that information promptly. Parents or guardians who believe their child has provided us with personal data should contact us immediately.
10. International Data Transfers
Kneerefine is based in New Zealand. If you access our website from the European Union, United Kingdom, or other jurisdictions, your data may be transferred to and processed in New Zealand or other countries where our service providers operate. We ensure appropriate safeguards are in place for such transfers, including adequacy decisions, Standard Contractual Clauses, or other mechanisms recognised under applicable data protection law.
11. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals. Any personalisation of content recommendations is based on general browsing patterns and does not constitute automated decision-making under GDPR Article 22.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the date at the top of this page and, where appropriate, notify you via email or a prominent notice on our website. We encourage you to review this page regularly to stay informed about how we protect your data.
13. Contact and Data Protection Inquiries
For any questions, concerns, or requests related to this Privacy Policy or our data handling practices, contact us at:
Kneerefine
7 Queen Street, Auckland CBD, Auckland 1010, New Zealand
Email: admin@kneerefine.world
Phone: +64 9 300 7446
We aim to resolve all privacy-related inquiries fairly and promptly.