Policies 

Privacy Policy

Overcyte's Privacy Policy

Last updated: 31 March 2025

Introduction

Overcyte’s mission is to enable our global customers to identify, manage and mitigate business risks to provide continuous assurance over critical infrastructure.

We understand that our customers entrust their personal information to us so we can provide services to you. We value this trust and are committed to protecting the privacy and security of your personal information.

Personal information is information about an identifiable individual (a natural person), and includes personal data, personally identifiable information and equivalent information under applicable privacy and data protection laws.

We have set out further information on how we keep your personal information safe and secure in our Trust Centre. If you have further questions about how we protect your privacy, you can contact us.

This Privacy Notice describes the way in which Overcyte Limited (“Overcyte”, “we”, “our”, or “us”) may collect, process, use, retain and disclose personal information about you through our website, our risk management platform and any precontractual activities operated by us and the choices you can make about the way your personal information is collected and processed.

When does this Privacy Notice apply

This Privacy Notice applies to personal information we collect from visitors to our website, our customers and other person with whom we deal directly.  

Users of the Overcyte SaaS service may collect personal information from individuals (e.g. their employees) and upload, store or process that information to or in that service (“User Data”).  

Our customers determine what and how they collect, use, disclose and transfer User Data.  This means that our customers’ collection and use of User Data is governed by their privacy policies and practices, not ours.  For the purposes of the General Data Protection Regulation of the European Union (GDPR) and the equivalent laws of the United Kingdom (UK GDPR), our customers are the data controller when storing or otherwise processing User Data and we are the data processor.  

We only process User Data as authorised by our customers in our Terms of Service and/or other agreements with our customers that govern the processing of User Data (as applicable).  Unless required otherwise under applicable law, if we receive any request or enquiry relating to User Data, we will forward this request to our relevant customer.    

The remainder of this notice does not apply to User Data.

Here are some important points to know:

  • Overcyte Limited is a New Zealand company that operates in accordance with the New Zealand Privacy Act 2020 and the Privacy Principles and other applicable privacy and data protection laws around the world, including those of Australia, Europe, the United Kingdom and the United States . The European Commission has determined that New Zealand has an adequate level of protection for personal data transferred from the European Union.  New Zealand has also been granted adequacy status for personal data transfers from the United Kingdom.
  • Overcyte is responsible for the personal information that we collect making us a "Data Controller" under the GDPR and UK GDPR and the equivalent under other applicable privacy and data protection laws. We also work with other trusted "Data Controllers" (or equivalent) and “Data Processors” (or equivalent) to deliver our products and services. This can include technology service providers, hosting companies and system developers that integrate with our platform. These organisations have their own privacy statements which can be reviewed from the links below.
  • We use a limited number of third parties to provide technical services and limit what elements of your personal information they can process on our behalf. Most of these organisations are based outside of New Zealand.  We require these companies to have systems and processes in place to protect your personal information, and we only transfer your personal information to these companies in accordance with applicable privacy data protection laws.
  • We sometimes use your personal information to provide a more personalised and relevant experience. This includes personalising our online advertising and marketing activity on our websites, other websites, and social media.
  • We send direct marketing to you but only when we have your permission. If you want us to stop, or want to manage your preferences, you can find information on how to do that.
  • You have rights over your personal information, including the rights of access, correction, and deletion. You can exercise these rights via our platform settings or by contacting our Data Protection Officer.
  • Our website and platform are not intended for use by children, and we do not knowingly collect any information directly from minors.  If you have reason to believe that we have collected personal information from or about a child, please contact us at info@overcyte.com.
  • This notice does not limit or exclude any of your rights under the New Zealand Privacy Act 2020 or any other applicable privacy and data protection laws, including (where applicable) the GDPR and the UK GDPR.
  • This notice was drafted with brevity and clarity in mind.  It does not provide exhaustive detail of all aspects of our collection and use of personal information.  We are happy to provide any additional information or explanation needed.  If you would like further information, you can contact us at info@overcyte.com.

Types of personal information we hold

Personal information we collect directly from you

The types of personal information we collect directly from you will depend on what products or services you have requested from us over time. Information we may collect directly from you could include:

  • Information that you provide to us for contact purposes such as your full name, phone number and email address.
  • Information about you related to the business you are employed by or operate. This could include your business contact details, role or job title, invoicing or cost centre details, payment preferences and transaction information.
  • Your account login details for our website and/or platform including your username, chosen password and your login history and usage activity.
  • Information about whether you want to receive marketing or service communications from Overcyte or our partners.
  • What you have said or shared with us by email, phone, on social media, in online direct message or in person before or after contracting with Overcyte for services. We do record calls made to our phone numbers at this time.
  • Information that you share with us when you participate in product or market research, customer surveys, or competitions.
  • Information about the products you have purchased and the services that we provide to you.
  • Information about any device you have used to access our services (such as your device's make and model, browser, or IP address) and how you use our websites, apps or platform.
  • Information about the emails, alerts and other electronic communications you receive from us, and how you interact with them. This may include noting if a message has been opened and if you have clicked on any links within.
  • You do not have to give us personal information but if you do not, Overcyte may not be able to provide you with the products, services or information you are requesting. Where we hold personal information, you can update your preferences via our website or platform settings or by contacting our Data Protection Officer.

Automatically when you use our website

When you access and use our website or the Overcyte SaaS service we may automatically collect information about your device and usage of our website and the Overcyte SaaS service, including your IP address/operating system/browser type/time spent on certain pages of the website/pages visited/links clicked/language preferences.

Some of this data is collected through third party tools and/or the use of cookies, web beacons and similar storage technologies.  Please refer to our cookie policy at [insert] for further information, including information on how you can disable these technologies.

From third party sources

Where possible, we collect personal information from you directly.  However, sometimes we may collect:

  • personal information that is publicly available (e.g. through LinkedIn profiles or public directories).
  • personal information from third parties where you have authorised this.  This may include accessing certain personal information from third party social media or other authentication services (e.g. Facebook, Google or LinkedIn) if you login to your account with us using these services or otherwise provide us access to information from these sources. The third party provider that we use will be displayed and you can visit its privacy policy for further details on how it deals with personal information.
  • personal information about you from our trusted advertising partners which may include demographic information, browsing history, location and online behavioural or profile information. We may combine the personal information about you that we receive from third parties with the personal information we collect from you directly or with device and usage data we collect automatically when you visit our website.

Our legal basis for processing your personal information

When we process your personal information, we must have a "legal basis" for what we do. The different legal bases we rely on are one or more of the following:

  • Consent - You have told us you are happy for us to process your personal information for a specific purpose(s).
  • Performance of a contract - We must process your personal information to provide you with the products or services you have requested.
  • Legitimate interests - We may process your personal information as is necessary for us to conduct our business, but only where our interests are not overridden by your interests or rights.

How we use your personal information

We use your personal information:

  • To provide Overcyte products and services - we need to use your personal information to make our products and services available to you.
  • To contact you - we use your personal information to contact you. This could be by email, phone, or via direct message. This may be in relation to a service update or to respond to an issue you have asked for help with.
  • To maintain safety and security - we use your personal information to help provide safe and secure environments, including the prevention and detection of fraud.
  • To bill you and collect money - we use your personal information to bill you and collect money that you owe us, including authorising and processing credit card transactions.
  • To provide relevant marketing and advertising - we use your personal information to provide relevant marketing communications relating to our products and services. We may also use information about how you engage with us to measure the effectiveness of these campaigns.
  • To understand your needs through analytics and profiling - we use your personal information for statistical analysis and to help us understand more about our customers. We use this information to create profiles about you and about our customers more generally. This helps us to serve you better and to find ways to improve our products and services.
  • To conduct surveys and market research - we use surveys and other market research techniques to understand our customers and the critical infrastructure sector and to find ways to improve our services.
  • To manage competitions - we use your personal information to run competitions and get prizes to the winners. If we use your personal information for any other purpose, we will let you know when you enter that specific competition.
  • To protect and enforce legal rights and interests - we may use your personal information to protect and/or enforce our legal rights and interests, including defending any claim.
  • To respond to law enforcement agents and regulators - we may use your personal information to respond to lawful requests by public authorities, including to comply with law enforcement requirements.
  • As otherwise authorised - we may use your personal information for any other purpose authorised by you or applicable law.

Who we share your personal information with

Where necessary, we share your personal information with trusted third parties to help us run our business and provide the products and services you request from us. If these third parties are based outside of New Zealand and we need to transfer your personal information to another country, we ensure that your personal information and rights are protected.

  • Vendors and service providers - we may provide your personal information to our trusted vendors and service providers who support us in doing business. For example, this can include:
  • companies that help deliver, monitor, control or support our digital services, systems and infrastructure
  • payment service providers that enable us to take payments and give refunds
  • insights and analytics service providers
  • advertising and market research partners
  • security and fraud prevention companies to ensure the safety and security of our customers, employees, and business
  • our professional advisors, such as lawyers and consultants
  • Law enforcement and regulators - information may be shared with government agencies and authorities, law enforcement officials, or law courts on request or otherwise if disclosure is required by applicable law, regulation, or legal process.
  • Anonymised statistical information – we may share anonymised statistical information with third parties.
  • With your consent - we may share your personal information with any other person with your consent
  • Sale of business - we may transfer your personal information any other company in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition.
  • Other legal authorisation - we may share your personal information with any other person as authorised by applicable law.
  • To the extent that the California Consumer Privacy Act (CCPA) applies, we do not sell or share (as those terms are defined in the CCPA) your personal information.

If you would like to know more about the third parties, we share your personal information with, please contact us.

Marketing communications

We contact current customers and those interested in Overcyte products and service where we have your consent, or if we have a legitimate business reason to do so. You can control what Overcyte marketing communications you receive through the following options:

  • Edit your preferences - if you have an Overcyte platform account, you can log in and update your marketing preferences.
  • Clicking 'unsubscribe' - you can click on the 'unsubscribe' link at the bottom of every email we send out.
  • Contacting us - you can contact Overcyte and we will update our records on marketing preferences.

For more information on our use of advertising technologies and cookies, please see our cookie notice.  

Your privacy rights

Overcyte respects your rights to access and manage the information that we hold about you. You have the right to:

• access your personal information

• correct any inaccurate personal information

• restrict our use of your personal information

• request that we delete your personal information

• withdraw consent for any consent-based processing

• complain to your data protection regulator. As a New Zealand based company, our primary regulator is the New Zealand Office of the Privacy Commissioner.  Your local data protection regulator may also have jurisdiction.

Please contact our Data Protection Officer to exercise these rights. Please note that we will need to verify your identity before actioning your request. This might involve asking you some security questions or checking your identity documents. We do this to protect your privacy.

Please note that if you choose to limit how we use your personal information or withdraw your consent for us to process your personal information, we may not be able to offer all our services to you.

Keeping your personal information

We only keep your personal information for as long as necessary for the purposes for which it is collected, or for the duration required for compliance with applicable law, whichever is longer. We review the information we hold and delete it securely, or in some cases anonymise it, when there is no longer a legal, business or customer need for it to be retained.

Our employees receive privacy training to build a culture of care around how personal information is handled. We have implemented security and privacy measures and processes to minimise the risk of unauthorised use or disclosure of information. For more information on our cyber security practices please see our Trust Centre.

You play an important role in keeping your personal information secure by maintaining the confidentiality of any password and accounts used in relation to our products and services.  You should not disclose your password to third parties.  Please notify us immediately if there is any unauthorised use of your account or any other breach of security.

Internet use

While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.

If you follow a link on our website to another website, the owner of that website will have its own privacy policy relating to your personal information.  We suggest you review that website’s privacy policy before you provide personal information to that owner or website.

Contact us

If you have a question about this privacy notice or the way Overcyte processes your personal information in accordance with your national privacy legislation, please contact us.

You can contact our Data Protection Officer by:

Email - info@overcyte.com

Phone - by calling us at +64 27 501 3804

Post – Overcyte DPO, 49 Currie Street, New Plymouth, New Plymouth, 4310, New Zealand

If you feel that Overcyte has not adequately responded to your privacy issue, you have the right to lodge a complaint with the New Zealand Office of the Privacy Commissioner or with any other  local data protection regulator that has jurisdiction.

Changes to this statement

Overcyte may change this Privacy Notice to reflect how we collect, use, or store your personal information or to include new third parties that we work with by uploading a revised Privacy Notice onto our website.  The change will apply from the date that we upload the revised Privacy Notice.  

This Privacy Notice was last updated 31 March 2025.

Identify. Secure. Assure.

Ready to simplify cybersecurity compliance for critical infrastructure?
Book a demo
Trust CentreTerms of
ServicePrivacy Policy
© Copyright Overcyte 2025