Privacy Policy

Privacy Policy

Last updated: 23 April 2025

1. About Nodi and this policy: Nodi Handmade Rugs Limited ("Nodi", "we", "us", "our") is an agency under the New Zealand Privacy Act 2020 and a data controller for certain overseas laws such as the EU General Data Protection Regulation (GDPR). This Privacy Policy explains how we collect, use, disclose and protect your personal information when you visit or shop at nodi.co.nz (the "Site") or otherwise interact with any of our online or offline services (together, the "Services").

By using the Services, you accept the practices described in this Privacy Policy. If you do not agree, please do not use the Services.

2. Changes to this Privacy Policy: We may update this Privacy Policy from time to time to reflect changes in legislation, best practice or our business operations. When we do, we will post the revised policy on the Site, update the "Last updated" date and, where the changes are material, give you reasonable advance notice (for example, by email or an on‑site banner).

3. How we collect and use personal information: We collect personal information so that we can provide the Services, run our business and meet our legal obligations. The information we collect and how we use it depend on how you interact with us. In general, we use personal information to:

  • process payments and fulfil online and in‑store orders;

  • deliver customer care and support;

  • provide and improve our websites, products and Services;

  • conduct marketing and remarketing (with your consent where required);

  • detect and prevent fraud or other malicious activity; and

  • comply with applicable law and enforce our terms.

4. Legal bases for processing 

Because we sell to customers worldwide, we rely on different legal grounds for different activities:

  • Contract – processing your order and delivering the Services;

  • Consent – sending marketing emails/SMS and setting non‑essential cookies;

  • Legitimate interests – analysing and improving the Site, preventing fraud and protecting our rights; and

  • Legal obligation – keeping tax records and complying with the Privacy Act 2020.

5. What personal information we collect

  • Information you provide directly

  • Contact details such as name, billing and delivery address, telephone number and email address.

  • Order details such as products purchased and payment confirmation.

  • Account credentials such as username, password and security questions.

  • Shopping information such as items viewed, added to cart or wish‑list.

  • Customer‑support information you include in your communications with us.

You may decline to give us certain information, but some features of the Services will not work without it.

Information we collect automatically

When you visit the Site we automatically collect technical information such as your IP address, device and browser details, pages visited, time spent and links clicked. We use cookies, pixels and similar technologies to collect this data.

Information we obtain from third parties

We receive personal information from service providers that support our business, including:

  • Shopify (website platform and hosting);

  • payment processors (to confirm and settle transactions); and

  • marketing and analytics partners (to measure performance and display advertising).

6. Cookies and similar technologies

Cookies help us understand how visitors use our Site and improve their experience. On your first visit we display a banner that lets you Accept all, Reject non‑essential or Customise cookies. You can change your preferences at any time via Cookie Settings in the footer.

Most browsers accept cookies by default. You can disable or delete cookies in your browser settings, but some parts of the Services may not function properly.

7. Cross‑border disclosures (IPP 12)

Some suppliers who process personal information for us are located outside Aotearoa New Zealand (for example, in Australia, Canada, the United States and the European Economic Area). Before transferring data overseas we either:

  • ensure the supplier carries on business in New Zealand and is therefore subject to the Privacy Act 2020; 

  • enter into contract terms requiring safeguards comparable to those in New Zealand; or

  • obtain your express authorisation.

8. Sharing personal information: We do not sell or lease your personal information. We disclose it only:

  • to service providers who perform business functions for us under contract (e.g. payment processing, warehousing, IT support, marketing);

  • to any person you authorise us to disclose it to;

  • within our corporate group for legitimate business purposes;

  • to regulators, law‑enforcement or courts when required or permitted by law; and

  • in connection with a business transaction such as a merger or asset sale.

9. Security and retention

We use technical and organisational measures designed to protect personal information, but no system is completely secure. If you believe your interaction with us is no longer secure, please contact us immediately.

We keep order information for seven years to meet tax and accounting obligations, support warranty claims and maintain accurate business records. Browsing analytics are aggregated or deleted after 26 months.

10. Notifiable privacy breaches

If we believe a privacy breach has caused, or is likely to cause, serious harm, we will:

  • notify the New Zealand Privacy Commissioner via the NotifyUs tool as soon as practicable; and

  • inform affected individuals directly, explaining what happened and what steps they can take.

11. Your rights and choices

You have the following rights in relation to your personal information:

Right

Scope

Access & Correction

Rights guaranteed under the Privacy Act 2020.

Deletion (erasure)

We will delete personal information we hold about you, subject to legal retention requirements

Portability

You may request a copy of your personal information in a portable format.

Restriction

You may ask us to stop or restrict certain processing.

Withdraw consent

You may withdraw your consent at any time (for example, to marketing).


To exercise any right, email hello@nodi.co.nz. We will respond within 7-10 working days.

Marketing emails include an unsubscribe link. Opting out of marketing does not affect transactional communications (e.g. order confirmations).

12. Complaints

If you have a privacy concern, please contact us first. If we do not resolve your complaint, you may raise it with the Office of the Privacy Commissioner (www.privacy.org.nz).

13. International users

We operate primarily from New Zealand. By providing personal information to us, you understand that it may be transferred, stored and processed outside your country. Where required, we use appropriate safeguards such as standard contractual clauses.

14. Contact us

28 Mackelvie Street, Ponsonby, Auckland, 1011 New Zealand Phone: +64 9 390 0370 Email: hello@nodi.co.nz