1. Data Controller and Contact Details
The data controller responsible for processing personal data described in this Privacy Policy is:
Expelliving
12 Pahau Avenue, Tikipunga, Whangārei 0112, New Zealand
Phone: +64 9 434 4659
Email: admin@expelliving.world
Website: expelliving.world
For privacy-related requests, including access, correction, deletion, or restriction of processing, contact us using the details above. We will respond within the timeframes required by applicable law, typically within 30 days for GDPR requests and within a reasonable period under the New Zealand Privacy Act 2020.
2. Scope and Purpose of This Policy
This Privacy Policy applies to personal data collected through our website, contact forms, telephone communications, in-person visits at our studio, purchase of educational materials, and participation in training sessions or programs offered by Expelliving.
Our services relate to general functional training education. We do not process special categories of personal data (such as health diagnoses) unless you voluntarily provide such information in a message. If you share sensitive information, we will limit use to responding to your enquiry and may advise you to contact qualified health professionals.
3. Categories of Personal Data We Collect
3.1 Identity and Contact Data
Name, email address, telephone number, and postal address when you submit forms, book sessions, or purchase products.
3.2 Communication Data
Content of messages, enquiries, and feedback you send to us, including metadata such as date and channel of communication.
3.3 Technical and Usage Data
When you use our website, we may collect IP address, browser type, device type, pages viewed, referring URL, and cookie identifiers as described in our Cookie Policy. Analytics cookies are placed only with your consent.
3.4 Transaction Data
Records of services booked, educational products purchased, payment status, and refund requests. Payment card details are processed by third-party payment providers; we do not store full card numbers on our servers.
3.5 Session Participation Data
Attendance records, voluntary effort notes, and coaching observations related to general fitness education. These records are not medical files and are not used for clinical decision-making.
4. Legal Bases for Processing (GDPR)
Where the General Data Protection Regulation (EU) 2016/679 applies, we rely on the following legal bases:
- Contract: Processing necessary to provide sessions, plans, or products you request.
- Consent: Marketing communications, non-essential cookies, and optional newsletters where applicable.
- Legitimate interests: Website security, fraud prevention, improving services, and responding to enquiries, balanced against your rights.
- Legal obligation: Retention of financial records for tax and accounting requirements.
You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
5. Purposes of Data Use
We use personal data for the following purposes:
- Responding to contact form submissions and telephone enquiries
- Scheduling and administering functional training sessions
- Delivering personalised plans, educational materials, and structured programs
- Processing payments and managing refund requests under our Refund Policy
- Maintaining website functionality and security
- Analysing aggregated website usage when you consent to analytics cookies
- Complying with legal and regulatory obligations in New Zealand and, where relevant, the European Economic Area
- Defending legal claims and resolving disputes
We do not use personal data for automated decision-making that produces legal or similarly significant effects.
6. Data Retention Periods
We retain personal data only as long as necessary for the purposes described:
- Contact enquiries: Up to 24 months after last interaction, unless a longer period is needed for ongoing services.
- Client session records: Up to 36 months after your last attended session, unless you request earlier deletion and no legal hold applies.
- Transaction and invoice data: Minimum 7 years where required by New Zealand tax law.
- Marketing consents: Until withdrawal of consent plus a short suppression record to honour opt-out requests.
- Server logs: Typically 90 days for security monitoring.
- Cookie data: As specified in the Cookie Policy, generally between session end and 13 months depending on cookie type.
When retention periods expire, data is securely deleted or anonymised.
7. Data Sharing and International Transfers
We do not sell personal data. We may share data with:
- Hosting and email service providers bound by confidentiality agreements
- Payment processors for secure transaction handling
- Professional advisers (lawyers, accountants) when necessary
- Authorities when required by law or court order
Some providers may process data outside New Zealand or the EEA. Where required, we implement appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms approved under GDPR.
8. Security Measures
We implement technical and organisational measures appropriate to the risk, including:
- HTTPS encryption for website traffic
- Access controls limiting staff access to personal data on a need-to-know basis
- Secure storage for digital records with regular backups
- Staff training on confidentiality and data handling
- Procedures for reporting and responding to suspected data breaches
No method of transmission over the internet is completely secure. We encourage you to use strong passwords for any accounts we provide and to avoid sending unnecessary sensitive information by email.
9. Your Rights
Depending on your location, you may have the following rights:
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten") in certain circumstances
- Right to restrict processing
- Right to data portability for data processed by automated means based on consent or contract
- Right to object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority (for EU/EEA residents, your local data protection authority; for New Zealand residents, the Office of the Privacy Commissioner)
To exercise your rights, contact us using the details in Section 1. We may need to verify your identity before fulfilling requests.
10. Children
Our website and services are directed at adults. We do not knowingly collect personal data from individuals under 16 without parental consent. If you believe we have collected such data, contact us for prompt deletion.
11. Third-Party Links
Our website may link to external resources. We are not responsible for the privacy practices of third-party sites. Review their policies before providing personal data.
12. Changes to This Policy
We may update this Privacy Policy to reflect legal or operational changes. Material updates will be indicated by revising the effective date at the top of this page. Continued use of our services after updates constitutes acknowledgment where permitted by law.