Privacy
What we collect, why, what we don't
Last updated: 16 July 2026.
Who we are.
Trailblazer Predictive Ltd is a New Zealand company registered in Auckland. We operate trailblazerpredictive.agency and provide audit-led performance marketing services to NZ businesses.
Our Privacy Officer.
Our Privacy Officer is Inder Singh, Director. The Privacy Officer is responsible for ensuring Trailblazer Predictive Ltd's compliance with the Privacy Act 2020 and for responding to privacy requests. You can reach the Privacy Officer at hello@trailblazerai.nz with the subject line "Privacy Officer".
What we collect.
When you visit this website, our hosting provider (Netlify) automatically collects standard web server log data including your IP address, browser type, device type, referring URL, and pages requested. This data is retained by Netlify under their privacy policy and is used to operate and secure the website. Trailblazer Predictive does not access, analyse, or use these logs other than for security incident response.
This website also uses HubSpot analytics, our CRM platform's tracking code. It sets cookies that identify your browser across visits and records pages viewed, referring source, and approximate location. We use this to understand how the site is used and to connect an enquiry to the visits that led to it.
In addition, we use Google Analytics 4 to measure site usage in aggregate, and a Meta (Facebook) Pixel to measure the performance of our advertising and to build advertising audiences from site visits. This means Meta may connect your visit to your Meta account if you have one. We do not sell visitor data.
When you contact us by email or book a discovery call, we collect what you give us: name, email, and what you write in the message. When you book the Revenue Leak Audit through Stripe, Stripe collects payment details directly — we never see your card number.
During an engagement, we collect business data necessary to do the work: ad account access (read-only or read-write depending on scope), CRM access, GA4 access, and any reporting platforms relevant to the audit or retainer.
Why we collect it.
To deliver the service you've engaged us for. That's the only reason. We don't sell, share, or monetise client data.
Third-party processors.
To deliver our services, we use the following third-party service providers ("processors"). Each processor handles your information under their own contracted terms and security obligations:
- Stripe (payment processing) — processes audit payments. Stripe collects your card and billing details directly. We never see your card number. Stripe is a US-incorporated entity with data centres in the US and EU.
- Google Workspace (email, document storage) — stores engagement correspondence and operational documents. Google data centres include locations in Asia-Pacific, US, and EU.
- HubSpot (CRM, forms, and website analytics) — stores client contact records, engagement notes, and deal pipeline; hosts our enquiry forms and meeting booking; and provides the website analytics cookies described in the Cookies section. HubSpot data centres include US and EU locations.
- n8n (automation) — runs internal workflows. We use a self-hosted n8n instance hosted in New Zealand.
- Netlify (website hosting) — serves this website. Data centres include US locations.
- Google Analytics (website analytics): measures site usage in aggregate. Google data centres include US, EU, and Asia-Pacific locations.
- Meta Platforms (advertising measurement): the Meta Pixel records site visits for ad measurement and retargeting audiences. Meta is a US-incorporated entity.
Each processor is bound to use your information only to provide the service to us. We do not authorise them to use your information for their own marketing or product purposes.
Overseas data transfers.
Some of our processors store data outside New Zealand, as listed in the section above. Under Information Privacy Principle 12 (IPP 12) of the Privacy Act 2020, we may only disclose your personal information to a recipient outside New Zealand if certain conditions are met. We rely on the following bases for the offshore transfers we make:
- Comparable protection. Each of our processors operates under privacy frameworks (the EU GDPR, US state privacy laws, or comparable) that we consider provide protections comparable to the Privacy Act 2020.
- Contractual safeguards. Where applicable, we have data processing agreements in place with each processor.
- Necessity. The disclosure is necessary to provide the service you have engaged us for (IPP 12(1)(b)).
If you do not consent to overseas storage of your personal information, please notify us before engagement begins. In some cases this may mean we cannot accept the engagement.
How we protect your information.
We use the following technical and organisational measures to protect your information:
- Multi-factor authentication on all internal systems
- Role-based access controls — team members access only what their work requires
- Encrypted data transmission (TLS) for all client communications and tool integrations
- At-rest encryption provided by our cloud processors
- Annual access reviews and offboarding within 24 hours of a team member leaving
- Periodic backup verification
No security system is perfect. If a notifiable privacy breach occurs, we will act under the Privacy Act 2020 breach-notification framework (see below).
Privacy breach response.
If a privacy breach occurs that we assess as likely to cause serious harm (a "notifiable privacy breach" under the Privacy Act 2020), we will:
- Notify the affected individuals as soon as practicable after becoming aware of the breach
- Notify the Office of the Privacy Commissioner (OPC) as required by section 114 of the Privacy Act 2020
- Provide affected individuals with information on the nature of the breach, what data was affected, what we are doing in response, and steps they may wish to take to protect themselves
We maintain an internal breach response procedure and review it at least annually.
How long we keep it.
For active engagements: as long as the engagement runs, plus 7 years for tax and contract records as required by NZ law. For prospects who didn't proceed: 12 months after last contact, then deleted.
AI and model training.
We do not provide client data to third parties for the purpose of training or improving artificial-intelligence or machine-learning models, including the model-training programs operated by OpenAI, Anthropic, Google, or any similar provider.
Some of our processors (notably Google Workspace and HubSpot) offer optional AI features that may process your data in transit. We configure these features to minimise data exposure and we do not opt in to processor-side training on client data. If our position on AI feature usage changes materially, we will notify active retainer clients before any change takes effect.
Your rights under the NZ Privacy Act 2020.
You can ask us what personal information we hold about you. You can ask us to correct it. You can ask us to delete it (subject to legal retention obligations). Email hello@trailblazerai.nz with the subject line "Privacy request" and we'll respond within 20 working days.
Your right to complain.
If you are not satisfied with how we have handled your information or a privacy request, you have the right to complain to the Office of the Privacy Commissioner.
Office of the Privacy Commissioner
Phone: 0800 803 909
Web: privacy.org.nz
Email: enquiries@privacy.org.nz
Children's information.
Our services are not directed at people under 18. We do not knowingly collect personal information from anyone under 18. If you believe we may have collected such information, please contact our Privacy Officer and we will delete it.
Cookies.
This website sets cookies from three providers. HubSpot, our CRM and analytics platform, sets cookies (hubspotutk, __hstc, __hssc, and __hssrc) that identify your browser across visits so we can measure how the site is used and connect an enquiry to the visits that led to it. Google Analytics sets cookies (_ga and _ga_*) that measure site usage in aggregate. The Meta Pixel sets a cookie (_fbp) that measures ad performance and supports retargeting audiences. You can block or clear cookies in your browser settings; the site works fine without them. The theme toggle (light/dark) stores a single key in your browser's localStorage. It never leaves your device.
Updates to this notice.
If we make material changes to this notice, we will update the "Last updated" date at the top, notify active retainer clients by email, and provide a 14-day notice period before the changes take effect for ongoing engagements. For past clients within our retention window, we will make the updated notice available on this page; you can subscribe to email notifications for future updates by contacting our Privacy Officer.
Contact for privacy matters.
Email hello@trailblazerai.nz. We respond within one NZ business day.