1. About this policy

Willis White & Co Limited, trading as Exodesk (“Exodesk”, “we”, “us”, “our”), is a managed IT services provider based in Christchurch and Dunedin. We take privacy seriously, and this policy explains in plain terms what personal information we collect, how we collect it (including when we get it from someone other than you), how we use and share it, how we keep it secure, and the rights you have under New Zealand’s Privacy Act 2020.

This policy reflects the new Information Privacy Principle 3A (IPP 3A), which took effect on 1 May 2026 and adds notification obligations when personal information is collected indirectly.

It covers all personal information we handle as part of running our business — providing IT services, operating our website, marketing, recruiting, and managing relationships with clients, suppliers, and partners.

2. Who we are and how to contact us

Willis White & Co Limited, trading as Exodesk
NZBN: 9429040299006
Christchurch office: Level 1, 85 Riccarton Road, Christchurch 8011 — 03 343 3124
Dunedin office: Level 3, Bartons Building, 2 Stafford Street, Dunedin 9016 — 03 479 2941
Website: https://exodesk.co.nz
Email (privacy and general enquiries): info@exodesk.com
Phone: 0800 396 3375

3. When we act as your service provider

Most of our work involves providing IT services to organisations. When we deliver those services we often handle personal information that belongs to our client and relates to their staff, contractors, or customers — for example, when we manage user accounts, support a helpdesk ticket, or run a Microsoft 365 environment.

In those situations we act as a service provider to our client, and the client remains responsible for how that information is collected and used. We handle the information only as agreed with the client and only to the extent necessary to deliver the service. If you are a staff member or customer of one of our clients and have questions about how your information is handled, the client is generally the right first point of contact.

4. Personal information we collect directly from you

When you deal with us directly we may collect:

Your name, job title, business name, email, phone, and postal address
Information you share in support requests, including details of the IT issue and, where relevant, technical information about your devices, networks, or accounts
Billing and account information
Information you provide when applying for a role with us (CV, references, work history, qualifications, right-to-work status)
A record of our communications — emails, support tickets, meeting notes, call logs
Information automatically collected when you visit our website (see Section 10)

5. Personal information we collect indirectly (IPP 3A)

Sometimes we collect personal information about you from someone other than you. Under IPP 3A we need to take reasonable steps to make you aware of that, and of certain matters about how we will use the information. This section, together with any direct notification we send you, is how we do that.

5.1 Where we get this information

The main indirect sources we use are:

Referrals from clients and partners — existing clients or business partners may refer you to us as a prospective customer, supplier, or candidate. We may receive your name, role, employer, contact details, and a short description of the referral.
References and background checks for recruitment — when you apply for a role we may collect information from your nominated referees, previous employers (with your consent), education providers, recruitment agencies, and (where the role and your consent permit) the Ministry of Justice for a criminal record check. We may also review publicly available professional information such as your LinkedIn profile.
Analytics and advertising platforms — our website and digital marketing use Google Analytics 4, Google Ads, Meta (Facebook and Instagram), and LinkedIn. These platforms provide us with information about visitors to our site and recipients of our ads. Most of this is aggregated and pseudonymous, but in some cases (such as LinkedIn lead-generation forms) we may receive identifiable contact details.
Other sources — including our clients (where we handle their staff or customers’ information as part of delivering a service), publicly available registers (such as the Companies Register and NZBN register), and our suppliers and subcontractors where information needs to be shared to deliver a service.

5.2 How we let you know

When we collect your personal information indirectly, we take reasonable steps to make sure you are aware of it. We do this through one or more of the following:

Publishing this policy on our website
Including a privacy notice in our first direct contact with you (for example, in the first marketing email or sales outreach you receive from us, with a link back to this policy)
Notifying you separately where the circumstances make that more appropriate (for example, during recruitment)

Specifically, where IPP 3A applies we will take reasonable steps to ensure you are aware of:

The fact that we have collected the information, and where reasonably practicable, the source
The purpose of collection (see Section 6)
The intended recipients of the information (see Section 8)
That Willis White & Co Limited (trading as Exodesk) is the agency collecting and holding the information, and our contact details (see Section 2)
Whether the collection is authorised or required by any law, and if so, the law in question, and whether providing the information is voluntary or mandatory
Any consequences for you if the information is not provided
Your right to ask for access to, and correction of, the personal information we hold about you (see Section 13)

5.3 Exceptions

There are limited situations where IPP 3A does not require notification — for example, where the information is already publicly available, where you have already been told the matters above, or where notification would prejudice the purposes of collection or another lawful purpose. We rely on these exceptions only where they genuinely apply. IPP 3A also does not apply to personal information collected before 1 May 2026.

6. How we use your personal information

We use personal information for ordinary business purposes, including:

Delivering IT services and support to our clients
Managing our relationships with clients, suppliers, partners, and prospective clients
Marketing our services to organisations and individuals who may have a legitimate interest in them (see Section 7)
Operating, securing, and improving our website and digital channels
Recruiting, assessing, and onboarding staff and contractors
Meeting our legal, regulatory, accounting, and contractual obligations
Investigating and responding to incidents, complaints, and disputes

7. Marketing communications and your choices

We send marketing emails, newsletters, and other communications about our services to people who we believe have a legitimate interest in hearing about them. Our bulk marketing emails include an unsubscribe link. For individual or tailored emails that don’t include a link, you can opt out by replying to the email asking to unsubscribe, or by emailing info@exodesk.com. Once you opt out, we will stop sending you marketing communications, although we may still contact you about services we are delivering, accounts, billing, or other matters that are not promotional.

8. Who we share your personal information with

We share personal information only where it is necessary and lawful. Recipients may include:

Our staff and contractors, on a need-to-know basis
Service providers who support our operations, such as hosting, IT and security tooling, professional services platforms, payment processors, recruitment, marketing and analytics, and accounting providers
Our clients, where the information relates to services we are providing them
Professional advisers (legal, accounting, audit, insurance)
Government and regulatory authorities where required or permitted by law
Parties involved in a corporate transaction (for example, a sale, merger, or restructuring), under appropriate confidentiality terms

We do not sell your personal information.

9. Storage, security, and overseas transfer

We hold personal information in a mix of cloud-based and on-premises systems we manage. We use reasonable technical and organisational measures to protect it from loss, unauthorised access, modification, and disclosure. These include access controls, encryption of data in transit (using TLS) and where appropriate at rest, multi-factor authentication, vendor due diligence, logging and monitoring, and staff training.

Some of the cloud services we rely on are hosted overseas, most commonly in Australia, the United States, and the European Union. Where personal information is transferred to a recipient outside New Zealand, we comply with IPP 12 of the Privacy Act 2020 — for example, by relying on the recipient operating in a country with comparable privacy laws, or by putting appropriate contractual safeguards in place.

We keep personal information only for as long as we need it for the purposes for which it was collected, or as required by law.

10. Cookies and website tracking

Our website uses cookies and similar technologies. The categories we use are:

Strictly necessary cookies, which are required for the site to function
Analytics cookies, including Google Analytics 4, to understand how visitors interact with the site
Advertising and retargeting cookies and pixels, including Google Ads, Meta, and LinkedIn, used to deliver and measure ads

You can control cookies through your browser settings or, where available, through the cookie controls on our website. Disabling some cookies may affect site functionality.

11. AI and automated tools

We use AI and automated tools in some parts of our business — for example, productivity tools, ticket triage, content drafting, and security monitoring. We do not use AI to make decisions about you that have a significant or legal effect without human involvement. If you have concerns about how an AI tool we use may have affected you, please email us at info@exodesk.com.

12. Children’s personal information

Our services are aimed at businesses and organisations, not children. We do not knowingly collect personal information directly from children under the age of 16. If you believe we have collected information from a child in this way, please email us at info@exodesk.com so we can address it.

13. Your rights: access, correction, and complaints

Under the Privacy Act 2020 you have the right to:

Ask whether we hold personal information about you
Request access to that information
Request correction of information that is inaccurate, out of date, incomplete, or misleading

To exercise any of these rights, email us at info@exodesk.com. We will respond within the timeframes required by the Privacy Act.

If you are not satisfied with our response, you can complain to the Office of the Privacy Commissioner:

Website: privacy.org.nz
Phone: 0800 803 909

14. Changes to this policy

We review this policy from time to time and may update it as our practices, services, or the law change. The current version is always available on our website, and the effective date at the top of this document tells you when it was last updated. Where changes are material, we will take reasonable steps to bring them to your attention.