
Data protection
Privacy policy
How we collect, use, and protect your personal information in accordance with New Zealand privacy laws.
Last Updated: 21 February 2026
1. Introduction and Scope
Thinkspace Limited (Company Number: 2298832) ("we", "us", "our", "Thinkspace", "Data Controller") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information when you use our coworking facilities, services, and related technologies.
This Privacy Policy applies to all personal information we collect through our websites, facilities at Downtown Auckland, Parnell, Ponsonby, Mount Eden (Dominion Road), Onehunga, and Botany, online platforms, mobile applications, and any related communications. We comply with the New Zealand Privacy Act 2020, the Privacy Regulations 2020, and applicable international privacy standards including GDPR principles where relevant.
Contractual Necessity: The provision of certain personal information is necessary for the performance of your membership agreement. Failure to provide such information may result in our inability to provide services. By executing a membership agreement, accessing our facilities, or using our services, you acknowledge and consent to the collection, use, and processing of your personal information as described in this Privacy Policy.
Data Controller Details: Thinkspace Limited is the data controller responsible for your personal information. Our privacy team can be contacted at [email protected].
2. Categories of Information We Collect
2.1 Identity and Contact Information
- Full legal name, business name, and trading names
- Date of birth, nationality, and government-issued identification (passport, driver's license)
- Residential and business addresses
- Email addresses, phone numbers, and emergency contact details
- Professional titles, LinkedIn profiles, and business credentials
- Photographs for access cards and member directories
- Director and shareholder information for corporate members
- Guarantor information where applicable
2.2 Financial and Transactional Data
- Bank account details and payment card information
- Direct debit authorizations and payment history
- Credit checks and financial references
- Billing addresses and tax identification numbers
- Transaction records, invoices, and receipts
- Security deposits and bond information
- Outstanding balances and payment disputes
2.3 Facility Access and Security Data
- Biometric data (fingerprints or facial recognition where implemented)
- Access card numbers and PIN codes
- Entry/exit logs with timestamps and locations
- CCTV recordings from all common areas and entry points
- Visitor logs and guest registration details
- Vehicle registration for parking access
- Incident reports and security breach records
- After-hours access requests and authorizations
2.4 Technology and Network Usage
- IP addresses, MAC addresses, and device identifiers
- Internet browsing logs and bandwidth usage
- Email metadata (as required by law)
- Network authentication credentials
- Printing and scanning activity logs
- VoIP call records and telephony usage
- Software and application usage on shared devices
- Cloud storage and file sharing activity
2.5 Operational and Service Data
- Meeting room bookings and resource utilisation
- Service requests and maintenance logs
- Mail and package handling records
- Event attendance and networking preferences
- Dietary restrictions and accessibility requirements
- Feedback, complaints, and satisfaction surveys
- Communication preferences and opt-in/opt-out records
- Member directory participation choices
2.6 Health, Safety, and Compliance Information
- Health and safety incident reports
- COVID-19 vaccination status and health declarations (where required)
- Contact tracing information for health emergencies
- Insurance claims and liability information
- Workplace accident and injury records
- Emergency evacuation participation records
- First aid and medical emergency information
2.7 Third-Party and Public Source Information
- Credit bureau reports and financial standing checks
- Companies Office and business registry information
- Professional licensing and certification verification
- Social media profiles and public online presence
- News articles and media mentions
- Court records and litigation history (where relevant)
- Anti-money laundering and sanctions screening results
3. Purposes and Legal Basis for Processing
3.1 Membership and Service Delivery (Contractual Necessity)
- Evaluating membership applications and conducting due diligence
- Provisioning workspace, access credentials, and agreed services
- Managing bookings, resource allocation, and capacity planning
- Processing payments, deposits, and financial reconciliation
- Providing IT infrastructure, internet access, and technical support
- Facilitating mail handling, package receipt, and courier services
- Administering member benefits and loyalty programs
- Managing terminations, make-good obligations, and deposit returns
3.2 Security and Safety (Legitimate Interests & Legal Obligations)
- Maintaining 24/7 CCTV surveillance for crime prevention
- Controlling and monitoring facility access
- Investigating security incidents, theft, and property damage
- Ensuring compliance with health and safety regulations
- Managing emergency evacuations and crisis situations
- Protecting intellectual property and confidential information
- Preventing unauthorized access and cyber security threats
- Conducting background checks for high-security areas
3.3 Legal and Regulatory Compliance (Legal Obligations)
- Complying with tax reporting and GST requirements
- Meeting anti-money laundering (AML) obligations
- Responding to law enforcement and regulatory requests
- Maintaining records for statutory retention periods
- Complying with court orders and legal proceedings
- Meeting workplace health and safety reporting requirements
- Adhering to telecommunications interception obligations
- Fulfilling consumer protection and fair trading requirements
3.4 Business Operations and Improvement (Legitimate Interests)
- Analysing space utilisation and occupancy patterns
- Optimizing facility layout and resource allocation
- Conducting member satisfaction and market research
- Developing new services and amenity offerings
- Managing vendor relationships and service quality
- Training staff and improving customer service
- Benchmarking against industry standards
- Protecting against fraud and financial losses
3.5 Marketing and Community Building (Consent or Legitimate Interests)
- Sending operational updates and service announcements
- Marketing additional services and membership upgrades
- Facilitating member networking and collaboration
- Publishing member directories (with explicit consent)
- Organizing events, workshops, and social activities
- Creating case studies and testimonials (with consent)
- Managing referral and rewards programs
- Conducting targeted advertising and remarketing
4. Legal Basis for Processing
We process your personal information based on the following legal grounds:
- Contract Performance: Processing necessary for membership agreements and service delivery
- Legitimate Interests: Security, facility management, and business improvement purposes
- Legal Obligations: Compliance with tax, employment, and safety regulations
- Consent: Marketing communications and optional services (where applicable)
5. Information Sharing, Disclosure, and International Transfers
5.1 Categories of Recipients
We share your information only where necessary and with appropriate safeguards:
Service Providers (Data Processors)
- Payment processors (Stripe, PayPal, bank direct debit providers)
- Cloud infrastructure (AWS, Google Cloud, Microsoft Azure)
- Access control systems (Kisi, Salto, Brivo)
- CCTV and security monitoring services
- IT support and managed service providers
- Accounting and bookkeeping services
- Email and communication platforms
- Customer relationship management (CRM) systems
Professional Advisors and Authorities
- Legal counsel and litigation support
- Auditors and tax advisors
- Insurance companies for claims processing
- Debt collection agencies (when necessary)
- Law enforcement and regulatory bodies
- Courts and tribunals
- Government agencies (IRD, MBIE, WorkSafe)
Business Partners
- Building owners and property managers
- Partner coworking spaces for reciprocal access
- Event sponsors and collaborators
- Referral partners (with consent)
5.2 Legal Disclosure Obligations
We may disclose your information without consent where required or permitted by law:
- Court orders, subpoenas, and legal proceedings
- Search warrants and law enforcement requests
- Serious fraud office and financial intelligence unit requests
- Immigration and customs investigations
- Health and safety investigations by WorkSafe
- Tax authority audits and information requests
- Telecommunications interception warrants
- Protection of vital interests (medical emergencies)
5.3 International Data Transfers
Some service providers operate internationally. We ensure appropriate safeguards through:
- EU-approved standard contractual clauses
- Adequacy decisions for countries with equivalent protections
- Binding corporate rules for multinational providers
- Privacy Shield certification (where applicable)
- Explicit consent for specific transfers
- Contractual obligations for data protection
5.4 Business Transfers and Restructuring
In the event of merger, acquisition, restructuring, or insolvency:
- Personal information may transfer to successor entities
- Due diligence may require limited disclosure to potential buyers
- Notification will be provided before any material change in data control
- Existing privacy protections will be maintained or enhanced
6. Data Security and Breach Response
6.1 Technical Security Measures
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Multi-factor authentication for system access
- Network segmentation and firewalls
- Intrusion detection and prevention systems
- Regular security patches and updates
- Automated backup and disaster recovery
- Endpoint protection and device management
6.2 Organizational Security Measures
- Role-based access control with principle of least privilege
- Background checks for staff handling sensitive data
- Confidentiality agreements and data protection training
- Clean desk policy and locked filing cabinets
- Visitor management and escort requirements
- Regular security audits and penetration testing
- Incident response team and procedures
- Secure data destruction and device disposal
6.3 Physical Security Controls
- 24/7 CCTV monitoring with 90-day retention
- Biometric or card-based access control
- Alarm systems and security patrols
- Locked server rooms with restricted access
- Environmental monitoring and fire suppression
- Secure disposal bins for confidential documents
6.4 Data Breach Response
In the event of a personal data breach, we will:
- Assess the risk and impact within 24 hours
- Notify the Privacy Commissioner within 72 hours if required
- Notify affected individuals without undue delay if high risk
- Document all breaches in our breach register
- Implement measures to prevent recurrence
- Cooperate with regulatory investigations
- Provide credit monitoring if financial data compromised
6.5 Liability and Insurance
While we implement industry-standard security measures, we cannot guarantee absolute security. Our liability for data breaches is limited as specified in our Terms of Service. We maintain cyber liability insurance to cover potential data breach incidents. Members are advised to maintain their own insurance for their data and equipment.
7. Data Retention and Deletion
7.1 Retention Periods
We retain personal information according to legal requirements and business needs:
- Membership Records: Duration of membership plus 7 years
- Financial/Tax Records: 7 years from end of financial year (IRD requirement)
- Contracts and Agreements: 7 years after expiry or termination
- CCTV Footage: 90 days unless required for investigations
- Access Logs: 12 months for security audit purposes
- Internet Usage Logs: 6 months (telecommunications regulations)
- Health & Safety Records: 5 years (or longer for serious incidents)
- Marketing Lists: Until consent withdrawn or 3 years inactive
- Guest Information: 30 days after visit
- Unsuccessful Applications: 12 months
- Legal Claims: Until resolution plus limitation period
7.2 Deletion and Anonymization
After retention periods expire, we will:
- Securely delete electronic records using data wiping tools
- Shred physical documents using cross-cut shredders
- Anonymize data for statistical analysis where permitted
- Remove personal identifiers from archived records
- Destroy backup copies according to rotation schedules
7.3 Exceptions to Deletion
We may retain information beyond standard periods where:
- Required by law or court order
- Necessary for legal proceedings or disputes
- Subject to litigation hold notices
- Required for ongoing investigations
- Necessary to establish, exercise, or defend legal claims
8. Your Privacy Rights
Under New Zealand privacy law, you have the following rights regarding your personal information:
8.1 Access Rights
- Request access to personal information we hold about you
- Receive a copy of your personal information in a portable format
- Understand how your information is being used and shared
8.2 Correction and Update Rights
- Request correction of inaccurate or incomplete information
- Update your contact details and preferences
- Add context or explanations to disputed information
8.3 Deletion and Restriction Rights
- Request deletion of personal information (subject to legal requirements)
- Restrict processing of your information in certain circumstances
- Object to processing based on legitimate interests
8.4 Marketing Rights
- Opt out of marketing communications at any time
- Choose specific types of communications you wish to receive
- Withdraw consent for optional data processing
9. Cookies and Website Technologies
9.1 Cookie Usage
Our website uses cookies and similar technologies to improve your browsing experience:
- Essential Cookies: Required for website functionality and security
- Analytics Cookies: Help us understand how visitors use our website
- Marketing Cookies: Used to deliver relevant advertisements (with consent)
- Preference Cookies: Remember your settings and choices
9.2 Cookie Management
You can control cookie preferences through your browser settings or our cookie consent tool. Note that disabling certain cookies may affect website functionality.
10. International Data Transfers
Some of our service providers may be located outside New Zealand. When we transfer personal information internationally, we ensure appropriate safeguards are in place through:
- Adequacy decisions by relevant privacy authorities
- Standard contractual clauses for data protection
- Certification schemes and approved codes of conduct
- Explicit consent for specific transfers where required
11. Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete such information promptly.
12. Changes to this privacy policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. We will notify you of any material changes by:
- Posting the updated policy on our website
- Sending email notifications to members
- Providing notice at our facilities
- Other appropriate communication methods
Your continued use of our services after the effective date of the updated Privacy Policy constitutes acceptance of the changes.
13. Complaints, Disputes, and Enforcement
13.1 Internal Complaint Process
If you have concerns about our privacy practices:
- Contact our privacy team at [email protected]
- We will acknowledge receipt within 5 working days
- We will investigate and respond within 20 working days
- Complex matters may require up to 40 working days with notice
- We will provide reasons if we cannot fulfill your request
13.2 External Complaint Options
If unsatisfied with our response, you may contact:
- Privacy Commissioner: privacy.org.nz or 0800 803 909
- Commerce Commission: For fair trading issues
- Banking Ombudsman: For payment processing disputes
- Disputes Tribunal: For claims under $30,000
- District Court: For larger claims or injunctions
13.3 Liability and Remedies
Limitation of Liability: Our liability for privacy breaches is limited to the maximum extent permitted by law. We exclude liability for indirect, consequential, or punitive damages. Our total liability shall not exceed the fees paid by you in the 12 months preceding the incident.
Your Remedies: You may be entitled to compensation for humiliation, loss of dignity, or injury to feelings under the Privacy Act. The Privacy Commissioner may also require us to modify our practices or provide training.
13.4 Dispute Resolution
Privacy disputes are subject to New Zealand law and the exclusive jurisdiction of New Zealand courts. We encourage mediation before litigation where appropriate.
Privacy Contact Information
For privacy-related enquiries, requests, or concerns, please contact our Data Protection Officer:
Email: [email protected]
Post: Privacy Team, Thinkspace Limited, 30 Pollen Street, Grey Lynn, Auckland 1021, New Zealand
We will respond to privacy requests within 20 working days as required by New Zealand privacy law.
This Privacy Policy was last updated on 21 February 2026.
Your Privacy Matters to Us
We're committed to protecting your personal information and ensuring transparency in how we use your data.