Annex 1. Processing of End-User ("Customer Contact") data

Last updated: 2026-04-15

ANNEX 1 – PROCESSING OF END-USER (“CUSTOMER CONTACT”) DATA and RETENTION

(This Annex forms part of – and must be read together with – the SAAS First Privacy Policy and DPA)

────────────────────────────────────────

  1. SCOPE & ROLES

────────────────────────────────────────

  1. “End-User Data” (sometimes called “Customer Contact Data”, “Client Data” or “Subscriber Data”) means any Personal Information that an organisation using the SAAS First platform (“Customer/Controller”) uploads to, generates in, or otherwise instructs Southern Vector Limited (“SAAS First”, “we”, “our”) to process about a natural person who is **not** an employee of that organisation but interacts with the organisation (e.g., a shopper, website visitor, support requester, marketing lead, business prospect).
  2. For all End-User Data **the Customer is the *Controller*** (or joint-controller with its own affiliates); SAAS First acts solely as a **Processor** (or “service provider” / “agent” under comparable laws such as the NZ Privacy Act 2020, EU/UK GDPR, CCPA-CPRA, etc.).
  3. SAAS First processes End-User Data **only on the documented instructions** of the Customer, as set out in:
  • the executed Master Subscription Agreement / Order Form,
  • any Data-Processing Addendum (“DPA”) in place with that Customer, and
  • the configuration choices the Customer as Controller makes inside each Module of the Service.

────────────────────────────────────────

  2. CATEGORIES OF END-USER DATA WE MAY PROCESS (AS DIRECTED BY CUSTOMERS)

────────────────────────────────────────

Depending on which Modules the Customer has enabled and what data the Customer chooses to capture or upload, the following categories may be processed:

 

| Category | Typical Examples | Optional / Mandatory |
|---|---|---|
| Identity & Contact | First / last name, job title, business e-mail, phone, postal address, LinkedIn profile | Optional – determined by Customer |
| Communication Content | Chat transcripts, e-mails, attachments, Knowledge-Base search queries, AI-chatbot prompts | Optional |
| Behavioural & Technical | IP address, cookie IDs, device/browser info, pages visited, feature clicks, event timestamps, Hotjar session replay | Optional (tracking toggles per workspace) |
| Marketing Engagement | Email-open/click logs, unsubscribe status, campaign tags, UTM parameters, matched-audience IDs | Optional |
| Transaction & Usage | Subscription level, credit usage, order/payments made to the Customer, invoice references | Optional |
| Special-Category / Sensitive* | Health, union membership, ethnicity, political opinion, religion, biometric, children’s data, etc. | Prohibited unless Customer has obtained explicit consent or another lawful exemption and has notified SAAS First in writing |

 

*SAAS First does **not** monitor for, or automatically block, special-category uploads. Customers must ensure all legal pre-conditions are met before importing such data.

────────────────────────────────────────

  3. PURPOSES OF PROCESSING (ON BEHALF OF THE CUSTOMER)

────────────────────────────────────────

SAAS First processes End-User Data **exclusively** for the following purposes, and only when required to deliver the functionality the Customer has activated:

  1. Provision of Services – hosting, routing, storing, indexing and displaying data inside Inbox, Chat, Boards, Analytics, Marketing and other enabled Modules.
  2. Support & Maintenance – troubleshooting, bug-fixing, back-ups, log-file review.
  3. Security – threat-detection, access controls, anti-spam and abuse prevention, incident response.
  4. Optional AI Features – real-time inference to answer chat queries or generate analytics queries, limited to the data elements and knowledge-base articles the Customer has flagged for AI use.
  5. Aggregated Statistics – we may generate non-identifiable, aggregated metrics (e.g., average response times) for Service-improvement and benchmarking. These aggregates contain **no personal information**.

────────────────────────────────────────

  4. SUB-PROCESSORS & INTERNATIONAL TRANSFERS

────────────────────────────────────────

  1. A current list of Sub-processors (hosting, analytics, AI inference, payment facilitation, e-mail delivery, etc.) and their primary country/region of processing is kept at:

 

  2. **Cross-Border Mechanisms** – Where End-User Data is transmitted outside New Zealand (or, for EU customers, the EEA/UK), SAAS First binds each Sub-processor to:
  • NZ “comparable safeguards” clauses (IPP 12), **and**
  • EU Standard Contractual Clauses (2021/914/EU) or UK Addendum, where applicable.

────────────────────────────────────────

  5. RETENTION & DELETION

────────────────────────────────────────

  • SAAS First will retain End-User Data **only for as long as instructed by the Customer** or as required to comply with law.
  • At the end of the subscription—or upon the Customer’s written instruction—SAAS First will delete or return all End-User Data within **30 days**, save for encrypted back-ups automatically over-written within 15 days and minimal logs retained to evidence lawful processing or defend legal claims.
  • If an individual end-user contacts SAAS First directly to exercise a privacy right, we will promptly forward the request to the relevant Customer and will assist that Customer in fulfilling the request (clause 12 of the Privacy Policy).

────────────────────────────────────────

  6. SECURITY MEASURES (SUMMARY)

────────────────────────────────────────

  • ISO-aligned ISMS with annual penetration-testing
  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and audit logging
  • Multi-factor authentication (MFA) rolled out across internal systems
  • Sub-processor due-diligence and contractual security obligations
  • 24 × 7 infrastructure monitoring, Cloudflare DDoS protection

────────────────────────────────────────

  7. END-USER RIGHTS & HOW TO EXERCISE THEM

────────────────────────────────────────

Under applicable privacy laws (NZ Privacy Act 2020 IPPs 6-8, EU/UK GDPR Arts 15-22, CCPA-CPRA §§1798.100-.125, etc.) individuals have rights to access, correct, delete, port, or object to the processing of their personal information.

**Because the Customer is the Controller, end-users must first direct any privacy enquiry to the Customer that collected their data.** SAAS First will not normally modify or delete End-User Data without the Customer’s explicit, documented instruction (unless we are legally compelled to do so).

  • If you are unsure who the relevant Customer is, e-mail [email protected] with any identifying details you have; we will (i) attempt to identify the Controller, and (ii) pass your request to them.
  • If we are legally required to comply directly (e.g., under NZ Privacy Regulations 2020 breach-notice rules) we will notify the Customer where permitted.

────────────────────────────────────────

  8. CONTACT INFORMATION

────────────────────────────────────────

Southern Vector Limited – Privacy Officer

26 Applefield Road, Northwood, Christchurch, 8051

E-mail: [email protected]

────────────────────────────────────────

  9. AMENDMENTS TO THIS ANNEX

────────────────────────────────────────

We may modify this Annex to reflect changes in the Service or legal requirements. Material amendments will be announced at least **30 days** in advance and posted at the same URL as the main Privacy Policy. Continued use of the Service by Customers after the effective date constitutes acceptance; we will honour pre-existing Customer DPAs where they provide stronger protections.

────────────────────────────────────────

End of Annex 1