NZDEN LMS Privacy Policy (Thinkific)
Last updated: 1st September 2025
Covers: learn.nzden.org.nz (the “LMS”) operated by New Zealand Disability Employers’ Network (“NZDEN”).
Contact: Phil Turner, 09 242 0511
This Privacy Policy applies to our LMS hosted on Thinkific. It complements (and should be read alongside) the Privacy Policy on nzden.org.nz. If there’s any inconsistency, this LMS Privacy Policy governs use of the LMS
1) Who we are and what this policy covers
We’re the New Zealand Disability Employers’ Network (NZDEN). We use Thinkific to deliver online learning. This policy explains what personal information we collect on the LMS, why we collect it, how we use and share it, how long we keep it, where it may be stored, and your rights.
Our practices are designed to meet the Privacy Act 2020 and its 13 Information Privacy Principles (IPPs) in New Zealand, and to address key rights for people in the EU/EEA (GDPR), UK (UK GDPR), Australia (APPs), Canada (PIPEDA), and California (CCPA/CPRA).
2) What we collect on the LMS
Depending on how you use the LMS, we may collect:
- Identity & contact information (e.g., name, email) when you create an account, enrol in a course, or contact us.
- Course activity (e.g., enrolments, progress, quiz scores, forum posts) to run the course and support you.
- Transaction information if you pay for a course (e.g., amount, method; note: card details are handled by payment processors, not by NZDEN).
- Technical data (e.g., IP address, device/browser) to keep the LMS secure and improve performance.
3) How we use your information
We use your information to:
- Provide and support the LMS (create accounts, enrol you, deliver content, track learning progress).
- Communicate with you (service messages about your account or courses; optional updates you choose to receive).
- Process payments for paid courses via integrated payment providers.
- Improve our services (usage analytics, troubleshooting, service improvement).
Our lawful bases (international overview):
- NZ: purposes consistent with IPPs (e.g., purpose of collection, use, disclosure) under the Privacy Act 2020.
- EU/EEA & UK: contract, legitimate interests, legal obligation and, where required, consent — as outlined in GDPR/UK GDPR guidance.
- Australia: consistent with APPs (e.g., collection, use/disclosure, security, access/correction).
- Canada: aligned with PIPEDA principles, including consent and appropriate safeguards.
- California: rights and notices required by the CCPA (as amended by the CPRA).
4) Cookies and similar technologies
The LMS uses cookies and similar technologies for necessary site functions, authentication, and analytics. Thinkific provides a cookies policy that explains cookie categories and controls. We also follow good‑practice guidance from New Zealand’s Office of the Privacy Commissioner about being open and transparent.
You can manage cookies through your browser settings. Disabling some cookies may affect LMS functionality.
5) Payments
If you purchase a course, payments are processed by integrated payment providers (e.g., Thinkific Payments/Stripe or other gateways enabled in the LMS). Those providers receive your card data directly and handle it in line with their own privacy and PCI‑DSS obligations; NZDEN does not store your full card details. (See Thinkific’s privacy policy for how the platform handles financial and transaction data.)
6) When we share information
We share personal information only as needed to operate the LMS, including with:
- Thinkific (our hosting platform and service provider) under its Data Processing Addendum, and privacy/security commitments.
- Payment processors to complete transactions (see above).
- Other service providers we use for support (e.g., email delivery, analytics) — bound by confidentiality and privacy obligations.
- Where required by law (e.g., to comply with legal obligations or lawful requests). (See IPP 11 for disclosure and IPP 12 for cross‑border rules.)
7) International transfers (including hosting outside NZ)
Because we host our LMS on Thinkific (a company based in British Columbia, Canada) and use cloud services, your information may be stored or processed outside New Zealand. To meet IPP 12 (Disclosure outside New Zealand), we rely on contractual safeguards (including Thinkific’s DPA) and comparable protection assessments before making cross‑border disclosures. If comparable safeguards aren’t available, we’ll seek your express authorisation.
We also acknowledge international transfer requirements under EU GDPR/UK GDPR where relevant to learners in those regions.
8) How long we keep information
We keep your LMS information only for as long as it’s needed for the purposes above, then securely delete or anonymise it. In New Zealand, financial records related to paid courses are typically retained for at least 7 years to meet tax/record‑keeping obligations. Course content/learning records are retained while you have an active LMS account and for a reasonable period afterwards to manage course completion, support requests, and reporting, unless you request deletion where applicable.
9) Your privacy rights
New Zealand (Privacy Act 2020) — You can request access to and correction of your personal information. If you’re unhappy with our response, you can complain to the Office of the Privacy Commissioner.
EU/EEA (GDPR) — You have rights including access, rectification, erasure, restriction, portability, and objection, plus rights relating to automated decision‑making. We will respond within GDPR timelines and requirements.
UK (UK GDPR) — Similar rights to the GDPR; note the UK has enacted updates via the Data (Use and Access) Act 2025. We follow ICO guidance when responding.
Australia (APPs) — You can request access and correction; we will handle complaints in line with OAIC guidance.
Canada (PIPEDA) — You have rights to access and challenge the accuracy of your personal information; we follow OPC guidance.
California (CCPA/CPRA) — California residents have rights to know, delete, correct, opt‑out of sale/sharing, limit use of sensitive personal information, and non‑discrimination for exercising rights.
How to exercise your rights: Email us at [email protected] We may need to verify your identity before actioning a request. If we can’t meet your request (e.g., due to legal retention), we’ll explain why.
10) Children and young people
Our LMS is designed for adult professionals. If you are under 16, please use the LMS only with the permission and active involvement of a parent or legal guardian. We do not knowingly collect personal information from children under 13. These standards reflect Thinkific’s platform rules for minors.
11) Security
We use technical and organisational measures appropriate to the nature of the information we hold and consistent with the Privacy Act’s security requirements and platform safeguards provided by Thinkific (including commitments under its DPA). No system can be guaranteed 100% secure, but we work to prevent, detect and respond to incidents.
12) Changes to this policy
We may update this policy from time to time (for example, if we add new courses, turn on new integrations, or laws change). We’ll post the updated version here with the “Last updated” date and, where appropriate, notify users by email or LMS banner.
Plain‑English summary (At a glance)
- We collect only what we need to run your courses, support you, and take payment if applicable.
- Your data may be processed outside NZ because our LMS is hosted on Thinkific (Canada); we use contracts and safeguards to protect it (IPP 12).
- You can see and correct your information. If you’re in the EU/UK/AU/CA/California, you may have additional rights.
- We keep financial records for at least 7 years to meet NZ tax rules.
- Cookies help the LMS work properly; you can manage them in your browser.