Privacy Policy

Current Version: v3.10
Last Updated: 8 June 2026

 

Thankyou Payroll is a payroll intermediary service provided by Thankyou Payroll Limited.

This Policy outlines the way in which we manage the personal information we hold about our users, customers, clients, contractors, and individual data subjects. Thankyou Payroll is bound by the New Zealand Privacy Act 2020 and all subsequent active statutory amendments.

 
 

1. Who Does “You” Refer To? (Scope & Terminology)

Because Thankyou Payroll provides cloud-based payroll infrastructure, we handle data from different types of individuals. To ensure absolute clarity under the Privacy Act, the term “you” or “your” is split into two distinct categories within this policy:

  • “Employer Client”: Refers to the business owner, company representative, or designated account administrator who registers for our services, manages the payroll dashboard, inputs data, and triggers payments.
  • “Employee / Contractor”: Refers to the individual data subject whose payroll, leave, tax, salary, and contact information is processed by our software to fulfill employment distribution and PAYE requirements.

Where provisions apply to anyone interacting with our platform, the terms “individual” or “user” are used.

2. What is Personal Information?

“Personal information” is information about an identifiable living individual. It is not information about a business entity, corporate structure, or company tax number.

3. Why Does Thankyou Payroll Collect Personal Information?

We collect personal information to:

  • Support, operate, secure, and deliver our cloud-based payroll application;
  • Authenticate authorised access and protect payroll accounts from financial fraud;
  • Execute our strict compliance mandates as an IRD-accredited PAYE Intermediary; and
  • Provide customer care, technical troubleshooting, and critical platform notifications.

4. How Personal Information is Collected (Direct vs. Indirect)

The path through which we obtain data determines our compliance obligations under the law:

A. Direct Collection (From the Employer Client)

We collect personal information directly from Employer Clients when they manually fill out our onboarding forms, verify their corporate identity, provide banking credentials for direct debits, or communicate directly with our customer support teams.

B. Indirect Collection (About the Employee / Contractor) 

We collect personal information about Employees and Contractors indirectly from another source, specifically, from their respective Employer Client who uploads, enters, or syncs their workplace details into our systems. In compliance with Information Privacy Principle (IPP) 3A, when collecting personal information from a source other than the individual concerned, we take the following reasonable steps to maintain compliance:

  1. Contractual Safeguards: We strictly mandate within our Standard Terms of Engagement that Employer Clients must possess all necessary authorisations and have given clear, explicit notice to their Employees/Contractors that their personal information will be passed to a downstream intermediary (Thankyou Payroll) for automated processing.
  2. Transparency of Use: We explicitly outline the exact destinations, retention boundaries, and individual correction pathways of that indirect data within this Policy.

5. What Types of Personal Information Do We Process?

  • For Employer Clients: Examples include, but are not limited to, name, business address, phone number, email address, corporate IRD registration status, banking authorisation data, and system access logs.
  • For Employees / Contractors (Collected Indirectly): Examples include, but are not limited to, full name, date of birth, home address, tax code, IRD number, bank account numbers for salary disbursement, hourly rate/salary metrics, KiwiSaver enrollment codes, child support/court deductions, and leave/time-attendance balances.

6. Management and Security of Personal Information

We implement stringent technical controls within our application, which is hosted securely in cloud environments, to safeguard all personal information from misuse, loss, and unauthorised access, modification, or disclosure. Data is protected using encryption at rest and in transit. We ensure that access to our environments is restricted to authorised staff, is securely obtained via single sign-on, and is governed by least-privilege access controls.

Where we no longer require your personal information, we will safely destroy or permanently de-identify it, subject to our overriding statutory record-keeping mandates. In the case of tax, wage, and financial reporting data, we are legally required under New Zealand tax law to securely hold this information for a minimum of seven (7) years.

7. Data Retention and Anonymisation Boundaries

We collect, hold, use, and disclose personal information for distinct purposes based on your relationship with the platform:

A. Purposes of Processing

  • For Employer Clients: We use your personal information to conduct our business; to provide, manage, and market our services to you; to communicate with you; to verify your identity if you need help with a forgotten password or are experiencing access issues; and to facilitate billing and account management.
  • For Employees / Contractors (Collected Indirectly): We process your personal information strictly on behalf of your employer to deliver core payroll functionality, calculate wages and entitlements, process distributions, and fulfill mandatory statutory tax obligations.

B. Internal Operations & Secondary Use

We may also utilise processed data for our internal business purposes, subject to the following strict transparency controls:

  • Statutory Minimums: Because payroll data directly impacts New Zealand tax reporting, we are legally required under New Zealand tax law to retain all wage, tax, and employment filing records for a minimum of seven (7) years.
  • Data Aggregation: We may use processed data in an aggregated, fully de-identified format for internal system benchmarking, statistical analysis, and platform analytics. Once data is aggregated, it is technically impossible to identify any single Employee or Employer Client; it ceases to be personal information and falls outside the scope of the Privacy Act.
  • Internal Training and Quality Assurance: We may use generalised data patterns for internal staff training, procedural risk management, and system quality assurance. However, when active training or troubleshooting sessions occur for staff development, anonymised profiles or dummy environments are prioritised to completely shield live identities.
  • Compliance with Law: We will retain, use, and disclose personal information where we are strictly required to do so by an overriding statutory obligation or law enforcement directive, or to comply with our legal duties as an accredited PAYE Intermediary.

8. Who Do We Share Personal Information With?

We only share personal information under strict operational guidelines, specifically with:

  • The Employer Client: Providing the authorised account owner full visibility over their own staff entries;
  • Inland Revenue (IRD): Transmitting mandatory payday reporting data to satisfy PAYE intermediary laws;
  • Authorised Third-Party Apps: Syncing data exclusively with platforms (like Xero) that the Employer Client has manually authenticated and connected to share their payroll data (department and cost codes), and with internal core infrastructure applications that Thankyou Payroll uses to run its business and provide customer support;
  • Law Enforcement or Regulators: Only when required to do so by an overriding statutory mandate or court order.

9. Your Rights: Access and Correction

Regardless of whether your personal information was provided to us directly or indirectly, you retain clear statutory rights under New Zealand law:

  • If you are an Employer Client: You can access, review, and modify your direct profile data at any time by logging into your secure account dashboard.
  • If you are an Employee / Contractor: Because your data was collected indirectly through your workplace, any changes to bank accounts, tax codes, or hourly wages should be requested directly through your employer’s payroll administrator. This prevents technical sync errors. However, you maintain the legal right to request access to or correction of your information directly from us.
  • Submitting Requests: You may submit an official access or correction inquiry directly to our Privacy Officer at help@thankyoupayroll.co.nz. We will process and respond to your request within 20 working days, subject to standard identity verification protocols.

10. Contacting Our Privacy Officer

This Policy will be reviewed from time to time to take account of new laws and technology, changes to our operations and practices and the changing business environment. The most current version of this Policy is located at thankyoupayroll.co.nz and can be obtained by contacting kiaora@thankyoupayroll.nz.

For any questions regarding this policy, or to report a suspected privacy concern, please contact our internal compliance lead:

Attention: The Privacy Officer

Email: kiaora@thankyoupayroll.co.nz