St James Financial Limited ("we", "us", "our") provides credit-writing services to New Zealand mortgage advisers. This policy explains how we handle personal information in the course of delivering that service, in accordance with the Privacy Act 2020 (Privacy Act) and its Information Privacy Principles (IPPs).
This policy applies to mortgage advisers, financial advisers, and financial advice providers (FAPs) who engage us to perform credit-writing work (each, a "Client"), and to anyone whose personal information is contained in documents the Client provides to us in the course of an engagement.
This Privacy Policy is incorporated by reference into our Terms of Service. Capitalised terms not defined here have the meanings given in the Terms of Service.
i.What information we handle.
1.1 Client contact information
We collect and hold the following personal information about Clients who engage us:
- name and contact details (email address, phone number, business address);
- company name and Companies Office registration details;
- Financial Markets Authority licence or authorisation details;
- billing information necessary to issue invoices (we do not store payment-card numbers);
- correspondence between the Client and us in connection with engagements.
We collect this information directly from the Client at the point of engagement.
1.2 End-client data within submitted documents
When a Client provides us with materials to perform a credit-writing engagement (such as statements of financial position, bank statements, payslips, IDs, or other supporting documents), those materials typically contain personal information and financial information relating to the Client's own clients ("End-Client Data").
We do not retain End-Client Data beyond the engagement. Submitted documents are processed through our AI processing infrastructure (see section 4) solely for the purpose of producing the engagement output, and are deleted from our systems on completion of the engagement.
1.3 Client as data controller for End-Client Data
As between the Client and us, the Client is the data controller in respect of End-Client Data. The Client is responsible for ensuring they hold appropriate authority and consent to share End-Client Data with us, in accordance with their obligations under the Privacy Act, the Financial Markets Conduct Act 2013 (FMC Act), and their professional standards. If an end-client makes a request relating to their personal information (including access, correction, or deletion), the Client is responsible for responding to that request, and should notify us if our assistance is required.
ii.How we use personal information.
We use Client personal information for the following purposes:
- scoping, performing, and delivering credit-writing engagements;
- billing for engagements and issuing GST invoices;
- communicating with the Client about their engagement, including queries, clarifications, and turnaround status;
- complying with our legal, regulatory, and record-keeping obligations;
- defending or asserting legal claims where reasonably necessary.
We do not use personal information for direct marketing without consent. We do not sell, rent, or trade personal information to third parties.
2.1 No use of data for AI training
We do not use End-Client Data, submitted documents, or engagement output to train, fine-tune, or improve any AI model. The AI processing service we use (see section 4) does not retain submitted content for model training purposes under its terms with us.
iii.Disclosure of personal information.
3.1 Third-party service providers
We disclose personal information to third-party service providers who assist us in operating the service, including cloud-hosting providers and the AI processing service described in section 4. We take reasonable steps to ensure these providers handle personal information consistently with the Privacy Act and our contractual obligations to Clients.
3.2 Legal requirements
We may disclose personal information if required to do so by law, court order, or regulatory authority, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of ourselves, our Clients, or others. Where lawful and practicable, we will notify the affected Client before making such a disclosure.
3.3 Business transfers
If we sell or transfer all or part of our business, personal information may be disclosed to the purchaser as part of that transaction. We will take reasonable steps to ensure any such purchaser is bound by equivalent privacy obligations, and will notify Clients of any such transfer in advance where practicable.
iv.Overseas disclosure — AI processing (IPP 12).
This section is our disclosure under Information Privacy Principle 12 of the Privacy Act 2020 regarding the disclosure of personal information to an overseas person.
4.1 The processing chain
To perform credit-writing engagements, we use the following overseas service providers:
- Amazon Web Services, Inc. (AWS) — we run our processing infrastructure on AWS in the Asia Pacific (Sydney) region (ap-southeast-2), located in Australia. Submitted documents are processed in this region.
- Anthropic Claude — the underlying AI model that generates the credit-writing output is Anthropic's Claude, accessed exclusively via AWS Bedrock within the Sydney region. We do not call Anthropic's API directly; all model invocations occur within AWS infrastructure.
- Vercel Inc. — our application front-end (used internally by our team to drive the credit-writing pipeline) is hosted on Vercel, a United States-based hosting platform with global edge infrastructure.
4.2 Steps taken to protect information
Under IPP 12 of the Privacy Act 2020, before disclosing personal information to an overseas person we are required to take reasonable steps to ensure that the overseas person will not hold the information in a way that, in New Zealand, would contravene the Privacy Principles.
We have taken the following steps:
- AI processing occurs in Australia (AWS ap-southeast-2 / Sydney), which is recognised as having a comprehensive data protection regime substantially similar to New Zealand's Privacy Act.
- Per AWS Bedrock's terms of service, AWS does not use, store, or log API content for any purpose other than the immediate processing of the API request. Inputs and outputs are not retained beyond the request lifecycle and are not used to train or improve any model.
- Anthropic's API terms (as applied via AWS Bedrock) likewise state that content submitted via the API is not used to train Anthropic's models.
- All data transmission is encrypted in transit (TLS 1.2 or higher).
- Vercel acts only as the application-delivery layer; submitted documents do not persist on Vercel's infrastructure beyond the duration of the request, and Vercel's terms restrict use of customer data to providing the hosting service.
We are satisfied that the data handling practices of AWS, Anthropic (within AWS), and Vercel in respect of the processing we use are, in their effect, broadly consistent with the Privacy Principles — particularly regarding purpose limitation, security, and data retention.
4.3 Client acknowledgement
By engaging us, the Client acknowledges and agrees that documents submitted in the course of the engagement will be processed in Australia (AWS Sydney) using infrastructure operated by United States-headquartered companies (AWS, Anthropic, Vercel), and that it is the Client's responsibility to ensure their end-clients are appropriately informed that personal and financial information may be processed overseas by an AI service, where required by the Client's own obligations under the Privacy Act or their professional standards.
v.Storage and security.
5.1 No retention of engagement materials
Documents and End-Client Data submitted in the course of an engagement are not stored by us after the engagement is complete. We do not maintain content logs, archives, or backups containing End-Client Data. This is a deliberate design feature intended to minimise data-handling risks.
For the avoidance of doubt, we may retain limited operational records that do not contain submitted document content — for example, anonymised processing metadata (job identifiers, timestamps, aggregate token counts) used for billing, capacity planning, and security monitoring.
5.2 Client contact and billing data
Client contact and billing information is hosted on infrastructure located in Australia (AWS Sydney) and the United States (Vercel). We implement reasonable technical and organisational security measures including encryption in transit (TLS), access controls, password-gated administrative access, and regular review of access logs.
5.3 Retention periods
- Documents and End-Client Data: not retained — deleted from our systems on completion of each engagement (see 5.1).
- Client account and billing information: retained for as long as the engagement relationship is active and for seven years following the last engagement, to comply with our tax and record-keeping obligations under New Zealand law.
- Technical logs and security records: retained for the period reasonably necessary for security monitoring and abuse prevention (typically up to 90 days), then deleted or anonymised.
- Engagement correspondence: retained for as long as reasonably necessary to provide support and resolve disputes, typically up to three years.
5.4 Privacy breaches
If a privacy breach occurs that is reasonably likely to cause serious harm, we will notify the Office of the Privacy Commissioner and affected individuals as required by Part 6 of the Privacy Act 2020. We will also notify affected Clients as soon as reasonably practicable so they can comply with any notification obligations they may have to their own end-clients.
vi.Your rights.
6.1 Access and correction
Under IPPs 6 and 7 of the Privacy Act 2020, individuals have the right to request access to personal information we hold about them and to request correction of inaccurate, incomplete, or misleading information.
To make an access or correction request, please contact our Privacy Officer at the details in section 9. We will respond within 20 working days as required by the Privacy Act. We may decline an access request in circumstances permitted by the Privacy Act. Where we decline, we will advise the reason and your right to complain to the Privacy Commissioner.
6.2 Deletion requests
You may formally request deletion of personal information we hold about you (a Data Deletion Request) at any time. Email hello@stjamesfinancial.co.nz with the subject line "Data Deletion Request" and include:
- your full name and contact email address;
- the engagement(s) or organisation you are associated with (if applicable);
- a description of the data you would like deleted.
Because submitted documents and End-Client Data are not retained after the engagement is complete (see 5.1), there will generally be no document content to delete. We may need to retain certain limited information where a lawful reason applies (tax records, security logs, defence of legal claims).
6.3 Complaints
If you are not satisfied with our response to a privacy concern, you have the right to complain to the New Zealand Privacy Commissioner. Contact details are in section 9.
vii.Cookies & the adviser-login application.
Our internal credit-writing application at app.stjamesfinancial.co.nz is password-gated and used only by authorised personnel of St James Financial Limited. The application sets a single HTTP-only authentication cookie ("st-james-auth") that maintains the authenticated session. No third-party tracking cookies are used. No advertising or analytics cookies are set.
This public website (stjamesfinancial.co.nz) does not set tracking cookies.
viii.Changes to this policy.
We may update this Privacy Policy from time to time. If we make material changes, we will notify active Clients by email at least 14 days before the changes take effect. The version number and effective date appear at the top of this Policy.
ix.Contact & complaints.
9.1 Privacy Officer
For questions or concerns about how we handle personal information, or to make an access, correction, or deletion request, please contact:
Phone: +64 — by request
Registered address: 7 Waituna Street, Pegasus 7612, New Zealand
Companies Office number: 9330894
NZBN: 9429052742569
9.2 Complaints to the Privacy Commissioner
If you are not satisfied with our response to a privacy concern, you have the right to complain to the New Zealand Privacy Commissioner:
Phone: 0800 803 909
Website: privacy.org.nz
© 2026 St James Financial Limited · Aotearoa New Zealand