Effective Date: November 1, 2025
Last Updated: November 27, 2025
1. Introduction
Welcome to The Taprobane (“we,” “us,” “our”). We are committed to protecting your privacy and handling your personal information responsibly and in accordance with the Privacy Act 2020 (New Zealand).
Business Details:
Legal Entity: Ceylon Food & Beverage Suppliers Limited
Company Number: 9383679
NZBN: 9429053239570
Trading Name: The Taprobane
GST Number: 147-156-952
This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information when you:
- Visit our website
- Place orders for food delivery
- Communicate with us
- Participate in our loyalty program
By using our services, you acknowledge that you have read and understood this Privacy Policy.
Privacy Officer Contact:
Email: contact@thetaprobane.co.nz
Phone: +64 0508 799 899
WhatsApp: +64 204 799 899
Address: Unit 7, 8 MacMurray Road, Remuera, Auckland 1050, New Zealand
2. Information We Collect
2.1 Personal Information Collected Directly From You
When you use our services, we may collect the following personal information directly from you:
Order Information:
- Full name
- Delivery address
- Phone number
- Email address
- Order details (food items, quantities, preferences, spice levels)
- Special dietary requirements or allergies
Payment Information:
- Payment method preference
- Transaction details (processed securely through our payment providers)
- Note: We do not store complete credit card details on our systems
Account Information (if applicable):
- Username and password
- Order history
- Saved delivery addresses
- Communication preferences
Loyalty Program Information:
- Points balance
- Redemption history
- Membership details
Communications:
- Information you provide when contacting us via WhatsApp, phone, email, or our website
- Feedback, reviews, and complaints
2.2 Information Collected Automatically
When you visit our website, we may automatically collect:
- IP address
- Browser type and version
- Device information
- Pages visited and time spent on our website
- Referring website addresses
- Cookies and similar tracking technologies (see Section 10)
2.3 Information Collected from Third Parties (Indirect Collection)
In accordance with Information Privacy Principle 3A (IPP 3A), we inform you that we may collect personal information about you from third-party sources in limited circumstances:
Sources of Indirect Collection:
- Payment processors (transaction verification and fraud prevention)
- Delivery service providers (delivery confirmation and logistics data)
- Social media platforms (if you interact with us on social media)
- Marketing and analytics service providers (website usage and marketing campaign data)
- Publicly available sources (business directories, if applicable)
When We Collect Indirectly: We only collect personal information from third parties when:
- It is necessary to process your order or provide our services
- It is required for fraud prevention and security purposes
- You have consented to such collection
- It is authorized or required by law
Notification of Indirect Collection: If we collect your personal information from a source other than you, we will take reasonable steps to notify you:
- At the time of collection, or as soon as practicable after
- Through direct communication (email, phone, or during order confirmation)
- Via this Privacy Policy
Your Rights Regarding Indirect Collection: You have the right to:
- Know what information was collected and from which source
- Request access to information collected about you from third parties
- Request correction or deletion of inaccurate information
- Withdraw consent for future indirect collection (where applicable)
Note: Currently, The Taprobane primarily collects information directly from you when you place orders. Indirect collection is limited to essential service providers (payment processors, delivery partners) and is used solely to fulfill your orders and improve our services.
3. Purpose of Collection
We collect and use your personal information for the following lawful purposes:
Order Processing and Delivery:
- Process and fulfill your food orders
- Arrange delivery to your specified address
- Calculate delivery fees based on distance
- Contact you regarding your order status or any issues
Payment Processing:
- Process payments securely
- Issue receipts and invoices
- Manage refunds or disputes
Customer Service:
- Respond to your inquiries and requests
- Handle complaints and feedback
- Provide customer support via phone, WhatsApp, or email
Loyalty Program Management:
- Track and manage your loyalty points
- Process point redemptions
- Send program updates and notifications
Business Operations:
- Improve our services and menu offerings
- Analyze customer preferences and ordering patterns
- Maintain business records
- Comply with legal and regulatory requirements
Marketing Communications (with your consent):
- Send promotional offers, newsletters, and updates
- Inform you about new menu items or special events
- Provide personalized recommendations
4. Legal Basis for Processing
Under the Privacy Act 2020, we process your personal information because:
- It is necessary to fulfill our contract with you (processing and delivering your orders)
- We have a legitimate business interest (improving our services, preventing fraud)
- We have your consent (marketing communications, loyalty program participation)
- We are required to comply with legal obligations (taxation, food safety regulations)
5. How We Use Your Information
Your personal information will only be used for the purposes for which it was collected, unless:
- You consent to a new purpose
- The new purpose is directly related to the original purpose
- It is required or authorized by law
- We will not use your personal information for purposes unrelated to your orders or our services without your explicit consent.
6. Disclosure of Personal Information
We may share your personal information with the following third parties:
Service Providers:
- Payment processors (for secure payment handling)
- Delivery personnel (only name, phone number, and delivery address)
- Cloud hosting providers (for data storage)
- IT support and website maintenance providers
Legal Requirements:
- Law enforcement agencies, courts, or government authorities when required by law
- To protect our legal rights or prevent fraud
Business Partners (with your consent):
- Marketing service providers for promotional communications
We ensure all third parties who handle your personal information:
- Are contractually obligated to protect your data
- Use your information only for the specified purposes
- Comply with New Zealand privacy laws
We will never sell, rent, or trade your personal information to third parties for their marketing purposes.
7. International Data Transfers
Some of our service providers may process or store data outside of New Zealand. When transferring personal information overseas, we ensure:
- The receiving country has privacy laws comparable to New Zealand’s Privacy Act 2020
- The overseas recipient is bound by privacy rules that provide substantially similar protection
- You have been informed and consented to the transfer where required
Currently, all data is processed and stored within New Zealand. We do not transfer your personal information outside of New Zealand.
8. Data Security
We take reasonable steps to protect your personal information from:
- Unauthorized access or disclosure
- Loss, misuse, or alteration
- Damage or destruction
Our security measures include:
- SSL encryption for data transmission on our website
- Secure payment gateways that are PCI DSS compliant
- Password protection for customer accounts
- Access controls limiting who can view personal information
- Regular security assessments and updates
- Staff training on privacy and data protection
However, no method of transmission over the internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
9. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
Retention Periods:
- Order information: 7 years (for accounting and tax purposes)
- Customer account data: Until you request deletion or account closure
- Loyalty program data: 6 months after points expiry or account inactivity
- Marketing communications: Until you withdraw consent
- Website analytics: 12-24 months
After the retention period expires, we will securely delete or anonymize your personal information.
10. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to:
- Remember your preferences
- Analyze website traffic and usage patterns
- Improve website functionality and user experience
- Serve relevant content
Types of Cookies We Use:
- Essential cookies: Required for website operation
- Performance cookies: Help us understand how visitors use our site
- Functional cookies: Remember your preferences and settings
You can control cookies through your browser settings. However, disabling cookies may affect your ability to use certain features of our website.
For more information, see our Cookie Policy.
11. Your Privacy Rights
Under the Privacy Act 2020, you have the following rights:
11.1 Right to Access
You can request access to the personal information we hold about you. We will provide this information within 20 working days, unless an extension is required.
11.2 Right to Correction
If you believe your personal information is inaccurate, incomplete, or out-of-date, you can request that we correct it.
11.3 Right to Object
You can object to:
- Marketing communications (opt-out at any time)
- Processing of your information for certain purposes
11.4 Right to Deletion
You can request deletion of your personal information in certain circumstances, subject to our legal retention obligations.
11.5 Right to Withdraw Consent
Where we rely on your consent to process personal information, you can withdraw that consent at any time.
To Exercise Your Rights: Contact our Privacy Officer at contact@thetaprobane.co.nz or +64 0508 799 899. We may need to verify your identity before processing your request.
12. Marketing and Communications
12.1 Marketing Consent
We will only send you marketing communications if you have:
- Opted in to receive them
- Provided consent during the ordering process
- Participated in our loyalty program
12.2 Opt-Out
You can opt-out of marketing communications at any time by:
- Clicking the “unsubscribe” link in our emails
- Contacting us directly via phone or email
- Updating your communication preferences in your account settings
You will continue to receive transactional communications (order confirmations, delivery updates) even if you opt-out of marketing.
13. Privacy Breach Notification
In the event of a privacy breach that is likely to cause serious harm to you, we will:
- Notify the Office of the Privacy Commissioner within 72 hours of becoming aware
- Notify you directly without undue delay
- Take immediate steps to contain and remedy the breach
A privacy breach occurs when your personal information is:
- Accessed or disclosed without authorization
- Lost or stolen
- Modified without authorization
14. Children’s Privacy
Our services are not directed at children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately so we can delete it.
15. Biometric Information
15.1 Biometric Processing Privacy Code 2025
In accordance with the Biometric Processing Privacy Code 2025 (effective November 3, 2025), we provide the following disclosure regarding biometric information:
Current Use of Biometric Data: The Taprobane does not currently collect, use, or store biometric information such as:
- Facial recognition data
- Fingerprints
- Iris or retina scans
- Voice recognition data
- Other unique biological identifiers
Future Use Notification: If we decide to implement biometric technology in the future (such as facial recognition for customer verification, delivery confirmation, or security purposes), we will:
- Update this Privacy Policy with detailed biometric processing information
- Obtain your explicit informed consent before collecting any biometric data
- Provide clear notice of the purpose, retention period, and security measures
- Comply fully with the Biometric Processing Privacy Code 2025
Your Biometric Rights (if applicable in future): If we collect biometric information, you will have the right to:
- Be informed about what biometric data is collected and why
- Consent to or refuse biometric data collection
- Access your biometric information
- Request deletion of your biometric data
- Opt for alternative non-biometric verification methods
Third-Party Biometric Processing: We do not share any information with third parties who use biometric processing technology. If this changes, we will notify you and obtain consent as required by law.
16. Third-Party Links
Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal information.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our practices
- Legal or regulatory requirements (including amendments to the Privacy Act 2020)
- New services or features
- Implementation of new technologies (including biometric systems)
When we make significant changes, we will:
- Update the “Last Updated” date
- Notify you via email or website announcement
- Obtain your consent where required by law (particularly for biometric data collection or material changes to data processing)
We encourage you to review this Privacy Policy periodically.
Recent Legislative Updates: This Privacy Policy has been updated to reflect:
- Privacy Amendment Act 2025 (IPP 3A – indirect collection notification, effective May 1, 2026)
- Biometric Processing Privacy Code 2025 (effective November 3, 2025, transition period until August 3, 2026)
- Technical amendments to Privacy Act 2020 (effective September 24, 2025)
18. Complaints and Disputes
If you have concerns about how we handle your personal information:
Step 1: Contact our Privacy Officer
Email: contact@thetaprobane.co.nz
Phone: +64 0508 799 899
WhatsApp: +64 204 799 899
We will investigate your complaint and respond within 20 working days.
Step 2: If you are not satisfied with our response, you can complain to:
Office of the Privacy Commissioner
Website: www.privacy.org.nz
Email: enquiries@privacy.org.nz
Phone: 0800 803 909
Address: PO Box 10094, Wellington 6143, New Zealand
19. Consent and Acceptance
By using our services, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy.
If you do not agree with this Privacy Policy, please do not use our services or provide us with your personal information.
20. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:
The Taprobane
Trading name of Ceylon Food & Beverage Suppliers Limited
Privacy Officer
Legal Entity: Ceylon Food & Beverage Suppliers Limited
Company Number: 9383679
Company Number: 9383679
NZBN: 9429053239570
GST Number: 147-156-952
Email: contact@thetaprobane.co.nz
Phone: +64 0508 799 899
WhatsApp: +64 204 799 899
Postal Address: Unit 7, 8 MacMurray Road, Remuera, Auckland 1050, New Zealand
Kitchen Location: Mount Wellington, Harris Road, Auckland, New Zealand
Acknowledgment:
This Privacy Policy has been prepared in accordance with the Privacy Act 2020 (New Zealand), including all amendments current as of November 2025, the 13 Information Privacy Principles (including IPP 3A on indirect collection effective May 1, 2026), and the Biometric Processing Privacy Code 2025 (effective November 3, 2025). We are committed to protecting your privacy and handling your personal information with care and respect.
This Privacy Policy is governed by New Zealand law. The Taprobane reserves the right to update this policy to maintain compliance with applicable laws and regulations, including future amendments to privacy legislation.
