1. Introduction

Wayne Bishop Group (referred to in this statement as “we”, “us”, or “our”) is committed to protecting the privacy of our customers, clients, employees, suppliers, and other individuals we interact with. This Privacy Statement explains how we collect, use, store, disclose, and protect personal information in accordance with the Privacy Act 2020 and the 13 Information Privacy Principles (IPPs) it contains.

Wayne Bishop Group operates a number of businesses across New Zealand, including:

• Construction Services

• Retirement Village Management

• Commercial & Residential Property Lease Agreements

• Finance and Lending Company

• Mortgage Brokerage

• Real Estate Sales

• Food Services (Café, Restaurant & Events Centre)

• Accommodation Services

• Heavy & Light Automotive and Equipment Mechanical Services

Each of these businesses may collect and use personal information in different ways depending on the nature of the services they provide. This statement applies across all Wayne Bishop Group entities and businesses.

2. What is Personal Information?

Personal information is any information about an identifiable individual. This includes information that could reasonably be used to identify someone, even if their name is not included. Examples include names, contact details, financial information, health information, and transaction history.

3. What Personal Information We Collect

The type of personal information we collect depends on the business you are engaging with and the nature of your relationship with us. This may include:

General (across all businesses)

• Full name, date of birth, and contact details (address, phone number, email)

• Identity verification documents (e.g. passport, driver’s licence)

• Communication records and correspondence

• Information you provide when making enquiries, bookings, or purchases

Construction Services

• Details required to manage contracts and project delivery

• Subcontractor and supplier contact and business information

• Health and safety records, site inductions, and incident reports

• Employment and contractor information

Retirement Village Management

• Health, medical, and care needs information

• Occupation right agreement and financial details

• Next of kin and emergency contact details

• Information about daily wellbeing and care requirements

Commercial & Residential Property Lease Agreements

• Tenant and landlord identification and contact details

• Financial information required for tenancy applications and credit checks

• Tenancy history and references

• Payment records and bond details

• Property inspection and condition report information

Finance and Lending Company

• Financial information including income, assets, liabilities, and credit history

• Bank account details and transaction records

• Employment details and income verification

• Credit bureau and third-party verification information

• Information required for Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) compliance, including proof of identity and source of funds

Mortgage Brokerage

• Financial information including income, assets, liabilities, and credit history

• Employment details and income verification

• Credit bureau and third-party verification information

• Lender application and approval documentation

• Information required for AML/CFT compliance, including proof of identity and source of funds

Real Estate Sales

• Property ownership and transaction history

• Financial pre-approval and purchasing capacity information

• Vendor and purchaser identification and contact details

• Settlement instructions and legal correspondence

Food Services (Café, Restaurant & Events Centre)

• Booking and reservation details

• Dietary requirements and allergy information

• Event planning and catering preferences

• Payment and billing information

Accommodation Services

• Guest identification and contact details

• Booking, check-in, and check-out information

• Payment and billing details

• Special requirements or preferences relevant to your stay

• Identification documents where required for registration purposes

Light Automotive and Equipment Mechanical Services

• Vehicle and equipment registration, make, model, and service history

• Contact details for booking and notification purposes

• Payment information

• Warrant of Fitness and Certificate of Fitness records where applicable

4. How We Collect Personal Information

We collect personal information in a number of ways, including:

• Directly from you when you engage with us, make an enquiry, apply for services, or enter into an agreement

• From third parties such as credit reporting agencies, other lenders, government agencies, or referral partners (where authorised)

• From publicly available sources

• Through our websites, online booking systems, and digital forms

• Through CCTV systems at certain premises for security and safety purposes

We will always endeavour to collect personal information directly from you wherever practicable.

Third-Party Collection of Information

Where we collect your personal information from someone other than you, we will take reasonable steps to notify you that we have collected your personal information, including:

• The purpose of the collection

• The intended recipients of the information

• The name and address of the agency collecting and holding the information

• Whether the collection is authorised or required by law and, if so, the law that authorises or requires the collection

• Your right to access and request correction of that information

This notification obligation applies unless an exception is available under the Privacy Act 2020.

5. Why We Collect Personal Information

We collect and use personal information only for lawful purposes that are directly related to the services we provide or functions we carry out. These purposes include:

• Providing and administering our products and services

• Assessing applications for finance, mortgages, or lending products

• Completing property transactions and managing real estate agency obligations

• Delivering care and support services to retirement village residents

• Managing construction contracts, health and safety obligations, and project delivery

• Taking bookings, managing events, and providing food and hospitality services

• Diagnosing, servicing, and maintaining vehicles

• Complying with legal and regulatory obligations, including the AML/CFT Act 2009, Credit Contracts and Consumer Finance Act 2003, Real Estate Agents Act 2008, and other applicable legislation

• Communicating with you about our services, updates, or changes relevant to you

• Managing our relationship with employees, contractors, and suppliers

• Protecting the safety and security of our people, customers, and premises

6. Disclosure of Personal Information

We may share your personal information with third parties where it is necessary to deliver our services or where we are legally required to do so. This may include:

• Other businesses within the Wayne Bishop Group, where relevant to the service being provided

• Credit reporting agencies and bureaus

• Legal advisors, accountants, and professional service providers

• Government agencies and regulators (e.g. the Financial Markets Authority, Real Estate Authority, Ministry of Health, IRD)

• Insurers and settlement agents

• IT service providers and cloud-based system operators who process data on our behalf

We do not sell personal information to third parties. Any third parties we share information with are required to handle it in accordance with applicable privacy laws.

Some of our systems and service providers may be based overseas. Where personal information is transferred or accessible outside New Zealand, we take reasonable steps to ensure it receives comparable protections to those required under the Privacy Act 2020.

7. Storage and Security of Personal Information

We may electronically record and store personal information which we collect from you. We take all reasonable steps to keep it secure and prevent unauthorised disclosure, safe from loss, unauthorised activity, or other misuse. Our software is subject to audits to ensure it continues to meet security requirements. All data handled in our software is encrypted in transit and during storage and can only be accessed over secure network connections.

Some information may be held in paper files on-premises at our offices, and is always kept secure. Most information is stored electronically, either in our systems or via cloud-based service providers (see below).

However, we cannot guarantee that your personal information will not be accessed by an unauthorised person (e.g. a hacker) or that unauthorised disclosures will not occur. If we provide you with passwords or other security devices, it is important that you keep these confidential and do not allow them to be used by any other person. You should notify us immediately if the security of your password or security device is breached, to help prevent the unauthorised disclosure of your personal information.

We use a range of physical and electronic security measures to protect the personal information we hold, including:

• Access to information systems is controlled through identity and access management

• Our buildings are secured with a combination of locks, monitored alarms, and cameras to prevent unauthorised access

• Employees are bound by internal information security policies and are required to keep information secure

• Employees are required to complete training about information security and privacy

• When we send information overseas or use service providers to process or store information, we put arrangements in place to protect your information

• We regularly monitor and review our compliance (and our service providers’ compliance) with internal policies and industry best practice

• We only keep information for as long as we need it, or as long as the law requires.

We have a records management policy governing how we manage and destroy information that is outdated, irrelevant, or unnecessary

Cloud-Based Service Providers

We use third-party service providers to store and process most of the information we collect.

All data stored online is backed up and can be retrieved in the event of data loss or corruption. We use Microsoft Azure cloud servers located in New Zealand and Australia. We ensure that our cloud-based service providers are subject to appropriate security and information handling arrangements, and that the information stored or processed by them remains subject to confidentiality obligations.

8. Your Privacy Rights

Under the Privacy Act 2020, you have the right to:

• Request access to the personal information we hold about you

• Request correction of personal information that is inaccurate, incomplete, or out of date

• Ask us to delete or restrict the use of your information in certain circumstances

• Raise a concern or complaint about how we have handled your personal information

To exercise any of these rights, please contact our Privacy Officer using the details set out in

Section 10 of this statement. We will respond to access and correction requests within 20

working days as required by the Act.

In some circumstances, we may be unable to provide access to certain information (for

example, where doing so would prejudice the privacy of another individual or where a legal

exemption applies). If this occurs, we will explain the reasons for declining your request.

9. Our Website, Cookies & Online Interactions

If you visit us through our website or social media pages, we collect information about your use and experience using cookies. Cookies are small pieces of information stored on your hard drive or mobile browser. They record information about your visit to the site, allowing it to remember you the next time you visit and provide a more meaningful experience.

The cookies we send to your device cannot read your hard drive, obtain information from your browser, or command your device to perform any action. They are designed so that they cannot be retrieved by any non-Wayne Bishop Group website or application. You may disable cookies by changing the settings on your browser, although this may mean you cannot use all features of the website.

When you interact with us through our website or social media pages, information collected through cookies may include:

• The date and time of visits

• Website page or pages viewed

• The website from which you accessed our website or other digital platform

• How you navigate through the website and interact with pages, including any fields completed in forms or applications

• Information about your location

• Information about the device used to visit our digital platform

• IP address and the type of web browser used

We may use information about your use of our websites and other IT systems to prevent unauthorised access or attacks on our software. We may utilise services from one or more third-party suppliers to monitor the use of our systems. These third-party suppliers will have access to monitoring and logging information as well as information processed on our websites and other IT systems.

Social Media

We will not ask you to supply personal information publicly on Facebook, Twitter, or any other social media platform we use. We may occasionally invite you to send your details via a private message, for example to answer a question. You may also be invited to share personal information through secure channels to participate in activities such as competitions, but we would require your express consent before including you in such activities.

While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk. If you follow a link on our website to another site, the owner of that site will have its own privacy policy. We suggest you review that site’s privacy policy before providing personal information.

Bots

A bot is a piece of software programmed to perform certain tasks, such as responding to phrases with pre-set responses. When you interact with a bot through a third-party platform such as Facebook Messenger, our third-party service provider will temporarily store and analyse your conversation so that the bot can respond to you. The third-party platform provider may also store your bot conversation. We recommend that you do not share sensitive personal information, such as bank account details, with a bot.

10. Contact Us – Privacy Officer

If you have any questions about this Privacy Statement, wish to request access to or correction of your personal information, or want to make a privacy complaint, please contact our Privacy Officer:

Wayne Bishop Group – Privacy Officer

Unit 1D, 5 Bush Street, Levin 5510

Email: shaun.t@wbg.co.nz

Phone: 027 3388035

If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Privacy Commissioner:

Office of the Privacy Commissioner

Website: www.privacy.org.nz

Phone: 0800 803 909

11. Changes to This Privacy Statement

We may update this Privacy Statement from time to time to reflect changes in our practices, legal obligations, or the services we offer. The current version will always be available on our website. We encourage you to review this statement periodically. Continued use of our services after any changes are posted constitutes your acceptance of the updated statement.

This Privacy Statement is effective as of the date shown above.