— Legal

Privacy Policy.

Version 3.0 · Effective 28 May 2026

Back to home

St James Financial Limited ("we", "us", "our") provides credit-writing services to New Zealand mortgage advisers. This policy explains how we handle personal information in the course of delivering that service, in accordance with the Privacy Act 2020 (Privacy Act) and its Information Privacy Principles (IPPs).

This policy applies to mortgage advisers, financial advisers, and financial advice providers (FAPs) who engage us to perform credit-writing work (each, a "Client"), and to anyone whose personal information is contained in documents the Client provides to us in the course of an engagement.

This Privacy Policy is incorporated by reference into our Terms of Service. Capitalised terms not defined here have the meanings given in the Terms of Service.

i.What information we handle.

1.1 Client contact information

We collect and hold the following personal information about Clients who engage us:

We collect this information directly from the Client at the point of engagement.

1.2 End-client data within submitted documents

When a Client provides us with materials to perform a credit-writing engagement (such as statements of financial position, bank statements, payslips, IDs, or other supporting documents), those materials typically contain personal information and financial information relating to the Client's own clients ("End-Client Data").

We do not retain End-Client Data beyond the engagement. Submitted documents are processed through our AI processing infrastructure (see section 4) solely for the purpose of producing the engagement output, and are deleted from our systems on completion of the engagement.

1.3 Client as data controller for End-Client Data

As between the Client and us, the Client is the data controller in respect of End-Client Data. The Client is responsible for ensuring they hold appropriate authority and consent to share End-Client Data with us, in accordance with their obligations under the Privacy Act, the Financial Markets Conduct Act 2013 (FMC Act), and their professional standards. If an end-client makes a request relating to their personal information (including access, correction, or deletion), the Client is responsible for responding to that request, and should notify us if our assistance is required.

ii.How we use personal information.

We use Client personal information for the following purposes:

We do not use personal information for direct marketing without consent. We do not sell, rent, or trade personal information to third parties.

2.1 No use of data for AI training

We do not use End-Client Data, submitted documents, or engagement output to train, fine-tune, or improve any AI model. The AI processing service we use (see section 4) does not retain submitted content for model training purposes under its terms with us.

iii.Disclosure of personal information.

3.1 Third-party service providers

We disclose personal information to third-party service providers who assist us in operating the service, including cloud-hosting providers and the AI processing service described in section 4. We take reasonable steps to ensure these providers handle personal information consistently with the Privacy Act and our contractual obligations to Clients.

3.2 Legal requirements

We may disclose personal information if required to do so by law, court order, or regulatory authority, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of ourselves, our Clients, or others. Where lawful and practicable, we will notify the affected Client before making such a disclosure.

3.3 Business transfers

If we sell or transfer all or part of our business, personal information may be disclosed to the purchaser as part of that transaction. We will take reasonable steps to ensure any such purchaser is bound by equivalent privacy obligations, and will notify Clients of any such transfer in advance where practicable.

iv.Overseas disclosure — AI processing (IPP 12).

This section is our disclosure under Information Privacy Principle 12 of the Privacy Act 2020 regarding the disclosure of personal information to an overseas person.

4.1 The processing chain

To perform credit-writing engagements, we use the following overseas service providers:

4.2 Steps taken to protect information

Under IPP 12 of the Privacy Act 2020, before disclosing personal information to an overseas person we are required to take reasonable steps to ensure that the overseas person will not hold the information in a way that, in New Zealand, would contravene the Privacy Principles.

We have taken the following steps:

We are satisfied that the data handling practices of AWS, Anthropic (within AWS), and Vercel in respect of the processing we use are, in their effect, broadly consistent with the Privacy Principles — particularly regarding purpose limitation, security, and data retention.

4.3 Client acknowledgement

By engaging us, the Client acknowledges and agrees that documents submitted in the course of the engagement will be processed in Australia (AWS Sydney) using infrastructure operated by United States-headquartered companies (AWS, Anthropic, Vercel), and that it is the Client's responsibility to ensure their end-clients are appropriately informed that personal and financial information may be processed overseas by an AI service, where required by the Client's own obligations under the Privacy Act or their professional standards.

v.Storage and security.

5.1 No retention of engagement materials

Documents and End-Client Data submitted in the course of an engagement are not stored by us after the engagement is complete. We do not maintain content logs, archives, or backups containing End-Client Data. This is a deliberate design feature intended to minimise data-handling risks.

For the avoidance of doubt, we may retain limited operational records that do not contain submitted document content — for example, anonymised processing metadata (job identifiers, timestamps, aggregate token counts) used for billing, capacity planning, and security monitoring.

5.2 Client contact and billing data

Client contact and billing information is hosted on infrastructure located in Australia (AWS Sydney) and the United States (Vercel). We implement reasonable technical and organisational security measures including encryption in transit (TLS), access controls, password-gated administrative access, and regular review of access logs.

5.3 Retention periods

5.4 Privacy breaches

If a privacy breach occurs that is reasonably likely to cause serious harm, we will notify the Office of the Privacy Commissioner and affected individuals as required by Part 6 of the Privacy Act 2020. We will also notify affected Clients as soon as reasonably practicable so they can comply with any notification obligations they may have to their own end-clients.

vi.Your rights.

6.1 Access and correction

Under IPPs 6 and 7 of the Privacy Act 2020, individuals have the right to request access to personal information we hold about them and to request correction of inaccurate, incomplete, or misleading information.

To make an access or correction request, please contact our Privacy Officer at the details in section 9. We will respond within 20 working days as required by the Privacy Act. We may decline an access request in circumstances permitted by the Privacy Act. Where we decline, we will advise the reason and your right to complain to the Privacy Commissioner.

6.2 Deletion requests

You may formally request deletion of personal information we hold about you (a Data Deletion Request) at any time. Email hello@stjamesfinancial.co.nz with the subject line "Data Deletion Request" and include:

Because submitted documents and End-Client Data are not retained after the engagement is complete (see 5.1), there will generally be no document content to delete. We may need to retain certain limited information where a lawful reason applies (tax records, security logs, defence of legal claims).

6.3 Complaints

If you are not satisfied with our response to a privacy concern, you have the right to complain to the New Zealand Privacy Commissioner. Contact details are in section 9.

vii.Cookies & the adviser-login application.

Our internal credit-writing application at app.stjamesfinancial.co.nz is password-gated and used only by authorised personnel of St James Financial Limited. The application sets a single HTTP-only authentication cookie ("st-james-auth") that maintains the authenticated session. No third-party tracking cookies are used. No advertising or analytics cookies are set.

This public website (stjamesfinancial.co.nz) does not set tracking cookies.

viii.Changes to this policy.

We may update this Privacy Policy from time to time. If we make material changes, we will notify active Clients by email at least 14 days before the changes take effect. The version number and effective date appear at the top of this Policy.

ix.Contact & complaints.

9.1 Privacy Officer

For questions or concerns about how we handle personal information, or to make an access, correction, or deletion request, please contact:

Privacy Officer · St James Financial Limited Email: hello@stjamesfinancial.co.nz
Phone: +64 — by request
Registered address: 7 Waituna Street, Pegasus 7612, New Zealand
Companies Office number: 9330894
NZBN: 9429052742569

9.2 Complaints to the Privacy Commissioner

If you are not satisfied with our response to a privacy concern, you have the right to complain to the New Zealand Privacy Commissioner:

Office of the Privacy Commissioner PO Box 10094, The Terrace, Wellington 6143
Phone: 0800 803 909
Website: privacy.org.nz

© 2026 St James Financial Limited · Aotearoa New Zealand