Privacy Policy

When clients use MB Private Limited (“MBP”) services, they trust us with their personal and financial information. We understand this is a significant responsibility and work hard to protect their information. Our obligations are set out in the Privacy Act 2020 (“the Act”).

Personal information is defined in the Act and means information about an identifiable individual.

This Privacy Statement explains how MBP collects, uses, shares, and protects your personal information. We only collect information we need for our services, keep it secure, and give you rights to access and correct it. If we share information overseas, we ensure it’s protected. If there’s a serious privacy breach, we will let you and the Office of the Privacy Commissioner know.

MBP follows the thirteen principles of the Privacy Act 2020 when collecting, using, and storing personal information: https://www.privacy.org.nz/privacy-principles/

We collect personal information from clients, employees, contractors, outsource providers, and prospective clients. This information includes names, contact details, financial information, and any other data necessary for our business relationship. The primary source of information will be from the client directly.

In certain situations we may collect information from other sources, such as credit reporting agencies, publicly available registers, regulatory authorities, or referees. In these cases, MBP will take reasonable steps to inform the client of the source of the information and the purpose of the collection, unless doing so would undermine the purpose of the collection (e.g., fraud detection).

Personal information collected by MBP is used to verify identities, process applications, deliver services, and comply with legal requirements. For example, financial information is used to assess creditworthiness, while contact details are used for communication and service updates.

MBP may share personal information with service providers, regulatory authorities, and business partners to fulfil service obligations and comply with legal requirements. When using overseas service providers, we ensure they meet New Zealand privacy laws. When we disclose information about you to someone else for any reason, we require them to adhere to our standards of privacy, security and confidentiality.

MBP retains personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Retention periods are determined based on legal obligations, business needs, and the type of information. For example, residential mortgage application records are retained for a minimum of seven (7) years after the end of the client relationship in accordance with financial services legislation.

MBP implements technical and organisational measures to protect personal information, including encryption, access controls, and regular security audits. We also ensure data security when working remotely and when using third-party service providers. Only authorized staff have access to personal information.

Clients have the right to access, correct, and request deletion of their personal information held by MBP. Requests can be made via mail, phone, or email to our Privacy Officer. We will respond to requests within 20 working days.

Attn: Privacy OfficerPO Box 317, Christchurch 8140

Phone: +64 3 928 1440

Email: admin@mbprivate.nz

Deletion requests will be considered in accordance with applicable legal and regulatory obligations. Where we are required to retain information for statutory, contractual, or operational reasons (e.g., under financial services or anti-money laundering legislation), deletion may not be possible. In such cases, MBP will explain the reasons for refusal and inform the client of their right to complain to the Privacy Commissioner.

MBP has appointed the Head of Compliance and Assurance as the MBP Privacy Officer. The Privacy Officer has a general understanding of the Privacy Act 2020 and the ability to deal with privacy issues when they arise.

Staff must report any privacy breaches or ‘near misses’ to the Privacy Officer within 24 hours of becoming aware of them. If the Privacy Officer is unavailable, breaches must be escalated to the Chief Operating Officer to ensure continuity of response. MB Private maintains an internal Privacy Breach Register, and the Privacy Officer is responsible for overseeing investigation, notification (where required), and remediation.

Privacy breaches can occur in any business that holds personal information. Our breach notification process works as follows:

1. Contain: Immediately contain the breach and investigate its cause.

2. Assess: Evaluate the risks associated with the breach.

3. Notify: Inform affected individuals and the Office of the Privacy Commissioner if necessary.

4. Prevent: Implement measures to prevent future breaches.

MBP must report any serious privacy breaches to the Office of the Privacy Commissioner. A serious breach is one that poses a risk of harm (e.g., leaked personal information is published online or used to facilitate identity theft). Where a serious breach occurs, MBP must also notify the people whose personal information was affected.

We will always follow the guidance published by the Office of the Privacy Commissioner when it comes to potential breaches: https://www.privacy.org.nz/responsibilities/poupou-matatapu-doing-privacy-well/breach-management/

If you have a complaint or concerns about the privacy of your personal information, please let us know, by calling us on +64 3 928 1440 or contacting our Privacy Officer (using the contact details above). We endeavour to resolve all disputes promptly and fairly.

If you are not satisfied with the outcome, you may refer your privacy related complaint to the Privacy Commissioner: https://www.privacy.org.nz/your-rights/making-a-complaint-to-the-privacy-commissioner/

We reserve the right to change, amend or modify this Privacy Statement at any time. If there are material changes to our information use and collection practices, we will apply this to information collected on a going forward basis, and we will update this Privacy Statement. The updated version will be posted on our website and will be effective from the day it is posted.

This statement is current as at 10 October 2025.