Privacy Policy for Ayona Limited

Effective date: 8 February 2026

Ayona Limited (“Ayona”, “we”, “us”, “our”) is a New Zealand social media agency providing social media management, paid advertising, influencer campaigns, creative production, community moderation, and analytics. This Privacy Policy explains what personal information we collect, how we use and share it, where it may be stored or transferred, how long we keep it, and the rights available to individuals under the Privacy Act 2020.

 

Data Controller and Contact

Data controller: Ayona Limited
Registered address:7C Aldersgate Road, Hillsborough, Auckland 1042.
Privacy contact email: social@ayona.co.nz
Postal contact: Privacy Officer, Ayona Limited, 7C Aldersgate Road, Hillsborough, Auckland 1042. New Zealand

 

Scope

This policy applies to personal information we collect about: (1) clients and their authorised contacts; (2) audience members and customers whose data is processed as part of client campaigns; and (3) visitors to Ayona websites and campaign landing pages. It covers Ayona’s role when acting as a data controller for our own administrative and marketing activities and as a data processor when we process client data under client instruction. Specific roles and responsibilities are set out in our client contracts and Data Processing Agreements.

 

Categories of Personal Information Collected

We collect the following categories of personal information depending on the service and context:

Client and contact details: name; business email; phone number; job title; billing and invoicing information.

Social account and campaign data: social media handles; campaign settings; access tokens and credentials (securely stored); reporting exports.

Audience and customer data: names; email addresses; phone numbers; hashed identifiers or customer lists uploaded to ad platforms; demographic attributes supplied by clients.

Content and creative assets: images, video, audio, captions, and associated metadata supplied by clients or created for campaigns.

Technical and analytics data: IP addresses; device and browser information; cookies and tracking identifiers; pixel events and server logs.

Sensitive information: political opinions, health information, or other special categories only where explicitly provided by a client and necessary for a campaign; processed only with documented lawful authority and heightened safeguards.

 

How We Collect Personal Information

Directly from clients and contacts when onboarding, via forms, emails, contracts, or asset uploads.

From social platforms and ad networks via APIs, reporting exports, and platform dashboards.

From third‑party service providers such as analytics platforms, CRMs, payment processors, and cloud providers.

Automatically through cookies, pixels, and server logs when users interact with Ayona websites or campaign landing pages.

From client-supplied lists and audience data provided for targeting or lookalike modelling.

We limit collection to information reasonably necessary for the purposes described in this policy.

 

Purposes of Processing and Legal Basis

We process personal information for the following purposes:

To provide and manage services including campaign setup, content publishing, community moderation, influencer coordination, and reporting. Legal basis: performance of contract and client instruction.

To deliver advertising and audience targeting including uploading hashed customer lists and using platform targeting tools. Legal basis: client instruction and, where required, consent.

For analytics and service improvement to measure campaign performance and improve our services. Legal basis: legitimate interests and contract.

For billing, accounting, and fraud prevention. Legal basis: contract and legal obligation.

To comply with legal obligations and respond to lawful requests from authorities. Legal basis: legal obligation.

For marketing our services where we rely on consent or legitimate interests as required by law.

When processing sensitive personal information we document the lawful authority and apply additional safeguards.

 

Sharing and Disclosure

We may share personal information with:

Social platforms and ad networks (for example Meta, X, TikTok, LinkedIn) to deliver and measure campaigns.

Analytics and reporting providers and data warehouses.

Payment processors and accounting providers for billing and tax compliance.

Subcontractors, freelancers, and vendors engaged to perform services on our behalf under contract and confidentiality obligations.

Legal, regulatory, or law enforcement authorities where required by law or to protect legal rights.

When we share hashed or pseudonymised audience lists with platforms we do so under client instruction and with contractual safeguards. We require subprocessors to implement appropriate security and privacy protections.

 

International Transfers

Personal information may be transferred to, stored, or processed in countries outside New Zealand (for example where social platforms, cloud providers, or analytics services maintain servers). Where transfers occur we rely on lawful transfer mechanisms such as adequacy findings, standard contractual clauses, or other safeguards. Individuals may request details of overseas recipients and the safeguards applied by contacting privacy@ayona.co.nz.

 

Retention Periods

We retain personal information only as long as necessary for the purposes for which it was collected, subject to legal obligations. Our standard retention periods are:

Client records and billing information: 7 years (to meet tax and accounting obligations).

Campaign data and analytics: 2 years by default; retention can be extended or shortened by written client instruction or contract.

Audience lists and hashed identifiers uploaded to platforms: retained for the duration required by the platform and client instruction; we remove or delete copies when no longer needed.

Backups: retained for up to 90 days.

Cookies and tracking identifiers: retention varies by cookie type; analytics cookies retained up to 13 months unless otherwise specified in the cookie preference centre.

We securely delete or irreversibly anonymise personal information when no longer required.

 

Security Measures

We implement reasonable technical and organisational measures to protect personal information, including:

Role-based access controls and least-privilege access for staff.

Encryption in transit and at rest for sensitive data and credentials.

Secure storage and rotation of access tokens and credentials.

Vendor due diligence and contractual security obligations for subprocessors.

Regular security assessments, patching, and staff training.

Incident response procedures and logging to detect and respond to security events.

Subprocessors are contractually required to maintain equivalent security standards.

 

Data Breach Notification

We maintain an incident response plan. If a privacy breach occurs that poses a risk of serious harm we will notify affected individuals and the Office of the Privacy Commissioner in accordance with the Privacy Act 2020 and applicable guidance. Notifications will include the nature of the breach, likely consequences, and steps taken to mitigate harm.

 

Cookies and Tracking

We use cookies and similar technologies for essential site functionality, analytics, and marketing. Cookie categories include:

Strictly necessary cookies required for site operation.

Preferences cookies to remember user settings.

Analytics cookies to measure site and campaign performance.

Marketing cookies to support advertising and retargeting.

Users can manage cookie preferences via our cookie banner and browser settings. Detailed cookie descriptions and retention periods are available in our cookie preference centre.

 

Children

We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without appropriate authority, we will delete the information unless retention is required by law.

 

Individual Rights and How to Exercise Them

Under the Privacy Act 2020 individuals have rights including:

Access to personal information we hold about them.

Correction of inaccurate personal information.

Request deletion where lawful and appropriate.

Object to certain processing activities.

Request information about overseas disclosures.

To exercise rights, contact the Privacy Officer at social@ayona.co.nz with sufficient detail to identify the information requested. We will verify identity and respond within statutory timeframes. If we decline a request we will explain the reasons and provide information about complaint options.

 

Complaints

If you are not satisfied with our response you may lodge a complaint with the Office of the Privacy Commissioner in New Zealand. We encourage you to contact our Privacy Officer first so we can attempt to resolve your concern.

 

Data Processing Agreement and Client Responsibilities

When Ayona processes client personal data on behalf of a client we will enter a Data Processing Agreement (DPA) that:

Defines roles (controller vs processor).

Lists subprocessors and the purposes of processing.

Specifies security measures and breach notification obligations.

Documents transfer mechanisms for overseas processing.

Records client instructions for audience uploads and targeting.

Clients must ensure they have lawful authority to provide audience lists and to instruct Ayona to process personal information for targeting or profiling. Clients remain responsible for compliance with applicable laws in relation to their customers.

 

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will publish the updated policy on our website with a new effective date and notify clients directly where required by contract or law. However, to be on the safe side, we suggest that you read this document each time you use the website to ensure that it still meets your approval.

 

Additional Information

Short privacy notice for public pages
Ayona Limited collects and uses personal data to provide social media and advertising services, to measure campaign performance, and to comply with legal obligations. We share data with social platforms and service providers. For details and your rights see our full Privacy Policy or contact social@ayona.co.nz.

Record keeping
We maintain a record of processing activities and a register of overseas transfers and subprocessors. Subprocessor lists are available on request.

Contact and Requests

Email: social@ayona.co.nz
Postal: Privacy Officer, Ayona Limited, 7C Aldersgate Road, Hillsborough, Auckland 1042. New Zealand

If you have questions, wish to exercise your rights, or want details about overseas transfers or subprocessors, contact the Privacy Officer.