Privacy policy

Last updated on 13 July 2021.

This Policy applies to all Personal Information processed by Impact Lab.

It describes the categories of Personal Information we gather, how we use it, how we share it with others, how we protect it and how you can access and control it.



If you have any queries about this Policy or our data protection processes, please get in touch with us using the contact form on our website.



In this Policy, unless the context otherwise requires:

Administrator means any individual acting on behalf of a Client that has certain elevated permissions or decision making in respect of the Services provided to the Client.

Authorised User means any individual who is invited by an Administrator to:

  • contribute to the development of the Services provided to the Client; and/or
  • access the Services provided to the Client.

Client means any organisation that engages us for our Services. Clients are typically either:

  • organisations that deliver programs with the aim of improving outcomes for people and communities (Service Providers); or
  • organisations that provide funding to Service Providers.

Data Protection Laws means the data protection and privacy laws applicable to the processing of Personal Information that we are legally obliged to comply with, including the Privacy Act.

Impact Lab, we, us, our means Impact Lab Limited (New Zealand company number 7233576).

Personal Information has the meaning given to that term in the Privacy Act.

Policy means this Privacy Policy.

Privacy Act means the New Zealand Privacy Act 2020.

Services means the products and services provided by Impact Lab to its Clients, including the “GoodMeasure” information and dashboard accessible via our Website and any “GoodMeasure” report.

Websites means any website operated by Impact Lab, including


Personal information we collect

When a Client engages us we collect Personal Information about the Administrators and Authorised Users, including:

Identity Information (first and last name);

Contact Information (email address and phone number); and

Profile Information (business name and address, job title, level of permissions in respect of the Services, a record of our correspondence, preferences and feedback in respect of the Services).

We may also collect Identity, Contact and Profile Information about individuals connected with prospective Clients, including from individuals contacting us using the form on our Website.

Information we observe

When Administrators and Authorised Users access and use the Services provided via our Websites, we collect Personal Information through cookies (or similar technologies) and other tracking technologies including:

Technical Information (IP address, device information, the date and time, location information); and

Usage Information (logins, page views, usage of specific features and errors).

We may also collect Technical and Usage Information about individuals that visit the publically available sections of our Websites.

Analytical information

We may combine and analyse the information that we have collected (including via Google Analytics). This analytical information is collated in such a way so that it no longer reflects any individual Administrator, Authorised User or Website visitor, and is therefore not considered Personal Information. For example, we may aggregate Usage Information to calculate the percentage of users accessing a specific Service feature.

Programme participants

Except in exceptional circumstances, we will not ask Clients to provide us with the Personal Information of individuals who participant in the programmes run by Service Providers (Participants).

The information Clients provide to us (Service Provider Data) will be derived from the Personal Information of Participants. However, prior to sharing the Service Provider Data with us, Clients must collate or aggregate information in such a way that no Participant can be identified within the data. Therefore, the Service Provider Data is not considered Personal Information.

The non-personal Service Provider Data, together with other non-personal information available to us from third-party sources, forms the basis of the Services we provide to our Clients.
We may ask Clients to provide photographs that can be used to make our Service reports more compelling and memorable. To the extent that an individual is identifiable within the image (which may include Participants), the photograph and any inferences that can be drawn from the photograph’s context within the report shall be considered that individual’s Personal Information and subject to this Policy.

Client obligations

Impact Lab has no direct relationship with any person other than Administrators and Authorised Users. For that reason, to the extent Impact Lab is provided with any person’s Personal Information, the Client is solely responsible for:

  • obtaining all necessary consents under Data Protection Laws for Impact Lab to process the Personal Information provided to us, and ensuring that such consent is obtained from the correct person. For example, from the relevant legal guardian of a child (where the Personal Information relates to a child) or the express consent of a person (where Personal Information relating to that person’s heath is provided to us);
  • notifying us without undue delay if any person withdraws their consent, or any part of their consent, or otherwise wishes to exercise their privacy rights in respect of any of their Personal Information within the Services; and
  • making sure that any Personal Information provided to us is accurate and up-to-date.


How we use Personal information

We will only use Personal Information for:

  • the purposes for which we collected it (as described below) or such other purposes that are compatible with that original purpose; or
  • any other purpose consented to from time to time.

Provision of our Services

We use Personal Information in order to provide the Services to our Client, including account creation and authentication for Administrators and Authorised Users.

We use your contact Personal Information in order to communicate with you about our Services. For example, we send you emails for confirmations, customer support, updates to the Services, technical notices and security notifications.

Marketing and promotion of our Services

When you fill out a contact form on our Website, we use the contact Personal Information to get in touch with you to resolve your query.

We may use your Personal Information in order to send promotional information to you that may be of specific interest to you. Our goal is to make the communication as meaningful as possible for you.

Cookies and analytics

We continuously improve our Services and may use your Personal Information for this purpose. For example, we may track how you use and navigate through our Websites and Services, and how and if you use a specific feature.

Safety and security

We use your Personal Information to protect the safety and security of our Websites and Services. For example for verifying your account, detecting fraudulent activities and anything else that would make our Services more secure.


Information Sharing

We will not sell or rent your Personal Information to anyone.

Service providers and third parties

We may work with third-party service providers for various Impact Lab organisational tasks, including billing, marketing, customer relationship management and support, data analytics, accounting, data hosting and designers.

If we transfer your Personal Information to a third-party service provider, we will make sure that the service provider only processes the data based on our instructions and guarantees the same privacy safeguards as we do.

Change of ownership

We may share Personal Information in the case of any merger, sale, financing or acquisition of a part or the whole of our business. We will notify you accordingly in case this situation should arise.

Law enforcement and compliance

We will share your Personal Information with a third party (including law enforcement authorities) if we believe that sharing is necessary to comply with any applicable law or governmental request.



We are committed to protecting the security of your Personal Information and we take all reasonable precautions to protect it from unauthorised access, modification or disclosure.

Measures that may be taken include the following:

  • We limit access to Personal Information to those employees, agents, contractors and other third parties who have a business need to know.
  • Our employees, agents, contractors and other third parties will only process Personal Information on our instructions and they are subject to a duty of confidentiality.

Data security incidents

We have put in place procedures to deal with any suspected Personal Information breach and we will advise affected individuals and any applicable regulator upon discovering or being advised of a security breach where we are legally required to do so.


Data Retention and Deletion


We will only retain Personal Information for as long as reasonably necessary to fulfil the purposes we collected it for. To determine the appropriate retention period, we consider:

  • the amount, nature and sensitivity of the Personal Information;
  • the potential risk of harm from unauthorised use or disclosure of your Personal Information;
  • the purposes for which we process your Personal Information and whether we can achieve those purposes through other means; and
  • the applicable legal, regulatory, tax, accounting or other requirements.


We keep Personal Information connected to a Client’s account for the term of the Client’s engagement with us. On the date that is 12 months after the end of the engagement period, we will either delete the Personal Information connected to the Client’s account or anonymise the information (so that the data is no longer considered Personal Information).


We may retain your Personal Information for a longer period:

  • for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements; or
  • in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.


Privacy Rights

Under the Privacy Act, you have the right to:

  • check whether we hold Personal Information about you and to access such Personal Information;
  • request that we correct any Personal Information about you that is inaccurate as soon as reasonably practicable;
  • ascertain our policies and practices in relation to Personal Information and the kind of Personal Information held by us (as set out in this Policy); and
  • object to the use of your Personal Information for direct marketing purposes and we shall not use your Personal Information for direct marketing purposes after you communicate your objection to us.

If you wish to exercise your rights, please contact us using the information provided at the beginning of this Policy. We may require you to provide verification of your identity. Any such requests will be replied to within 30 days. Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.


Changes to this policy

Impact Lab reserves the right to change this Policy. We will provide notification of material changes through our website at least 14 days prior to the change taking effect. Your continued use of the Websites and Services after the update has become effective indicates that you have read, understood and agreed to the new version of this Policy.