Privacy Policy (for clients of law firms)

Effective: 20th December 2024

Lighthouse Platform Limited (referred to in this privacy policy as “Lighthouse”, “we”, “our” or “us”) helps lawyers and conveyancers complete conveyancing transactions (Services). We provide our services to law firms.

When we provide the Services to a law firm who completes conveyancing services for you, we may receive information about you from that law firm that identifies you. This is “personal information” under the Privacy Act 2020. Please tell your lawyer or conveyancer if you choose not to provide us your personal information, but we will not be able to provide our Services to your law firm to assist with your conveyancing transaction.

This policy explains how we collect, hold, use, disclose and protect your personal information in line with our obligations under the Privacy Act. If you have any questions about this policy, please contact us using the contact information below.

How do we collect your personal information?

We may collect information from any person you have authorised to provide information to us, e.g. your law firm or conveyancer. The information we collect and hold may include any of the following:

  • Your name and date of birth
  • Your contact information (phone number, email address or physical address)
  • Your IRD number
  • Details about any home loan you enter into
  • Any other personal information provided to us in relation to the Services.

How do we use your personal information?

We may use your personal information to:

  • provide, administer, maintain and/or analyze the Services;
  • undertake our business processes (such as invoicing);
  • comply with legal obligations and legal process and to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or other third parties.
  • improve our Services and conduct research; and
  • develop new programs and services.

We may aggregate or de-identify personal information so that it may no longer be used to identify you and use such information to analyze the effectiveness of our Services, to improve and add features to our Services, to conduct research and for other similar purposes. We will maintain and use de-identified information in an anonymous or de-identified format, and we will not attempt to reidentify the information, unless required by law.

Who do we disclose your personal information to?

To provide the Services and carry out the activities detailed above, we may disclose your personal information to the following third parties:

  • The law firm or conveyancer you have engaged that is using our Services.
  • Third party service providers that provide services to us. These providers have limited access to your personal information to perform tasks on our behalf, and include providers of hosting services, cloud-storage, email communication software, web analytics services, and other information technology providers. These parties will access, process, or store personal information only while performing their services to us, and not for any other purpose (except as specifically set out below). Some of these service providers may be located in countries other than New Zealand.
  • Government or regulatory agencies (or any relevant third parties) only if required by law, to protect and defend our rights, or to enforce our terms and policies. Unless prevented by law, we will notify you of any such disclosure.
  • Our affiliates, meaning any entity that controls, is controlled by, or is under common ownership with us. Our affiliates may only use the personal information we share in a manner consistent with this Privacy Policy.
  • Any company or entity that we sell to, or merge some or all of our business or assets with.

How do third party providers access and use your personal information?

We use third party service providers to help us run our business and provide services to us, in order for us to provide the Services. We will only share your personal information with third party providers in accordance with the terms below.

We use the Azure OpenAI Service operated by Microsoft to provide parts of our Services. Microsoft hosts the OpenAI models in Microsoft's Azure environment and the Service does not interact with any services operated by OpenAI (including ChatGPT, or the OpenAI API).

We rely on the documentation provided by Microsoft on how they (and their subprocessors) handle your personal information.

Microsoft will only access and use your personal information to provide us the Azure OpenAI Service and ancillary services. These services include:

  • delivering functional capabilities as licensed, configured, and used by us, including providing personalised user experiences;
  • troubleshooting (preventing, detecting, and repairing problems); and
  • keeping products up to date and performant, and enhancing user productivity, reliability, efficacy, quality, and security.

Microsoft may pseudonymize and aggregate your personal information to undertake certain business operations incident to providing us the Azure OpenAI Service. This may include calculating statistics based on the data. These business operations include:

  • billing and account management;
  • compensation such as calculating employee commissions and partner incentives;
  • internal reporting and business modeling, such as forecasting, revenue, capacity planning, and product strategy; and
  • financial reporting.

However, Microsoft does not access or analyse the content of your personal information to undertake the above operations.

Microsoft will temporarily store input and output information (which may contain your personal information) solely to monitor for and prevent abusive or harmful uses or outputs of the service.  Authorised Microsoft employees may review such data to investigate and verify potential abuse.

Who else may access your personal information, and what for?

Microsoft can disclose personal information to its representatives on a strictly need-to-know basis. These representatives are subject to strict nondisclosure obligations, and include Microsoft’s employees, affiliates[1], contractors, advisors and consultants.

Microsoft can only disclose personal information to third parties such as law enforcement agencies, if required by law. However, Microsoft’s policy is to reject such a request unless required by law to comply. If required to comply, Microsoft will attempt to redirect the third party to request the information directly from us, in which case we will promptly inform you, and will work with you on responding to the request.

Microsoft also uses subprocessors based in various countries to provide services to them. Microsoft’s subprocessors can only process, store or access pseudonymized personal information to provide services to Microsoft. These services include powering technologies that are integrated with Microsoft Online Services, providing ancillary services to help support, operate and maintain those services, and providing contract staff to operate, deliver and maintain those services. See here for more information on who those subprocessors are, where they are located, and what services they deliver to Microsoft.

We may also disclose your IP address or other information about your device to Microsoft to protect the security or integrity of our Services and our related services, including to ensure the security of our IT systems, architecture and networks.

What we and third party providers (and their subprocessors) will not use your information for

Your personal information will only be used for the purposes set out above, and will not be used to:

  • improve AI training models, or to train, retrain or improve foundation models;
  • improve any Microsoft or other third party products or services;
  • conduct user profiling, advertising or similar commercial purposes; or
  • conduct market research aimed at creating new functionalities, services, or products or any other purpose.

Your personal information is not available to OpenAI.

How do we and our third party providers store and secure your personal information?

Security of information is very important to our business. We take all reasonable precautions to protect personal information from misuse, loss, unauthorized access, disclosure or modification. Some of the ways we protect your information include:

  • premises security
  • storing information in access-controlled systems; and
  • providing Privacy Act training to our staff.

We use Microsoft Azure’s cloud services to host and store electronic data, including your personal information. We may also store your personal information in hard copy form.

Users can connect to our platform from anywhere in the world, and as a result, your personal information may be transmitted outside New Zealand. To provide the Azure OpenAI Service and cloud hosting services to us, Microsoft stores and processes your personal information in datacenters located in various countries. The data within datacenters are encrypted, and no personnel within the datacenters are permitted to access it. See here for more information on the location of Microsoft’s datacentres.

There may be differences between New Zealand’s privacy laws and those of the overseas locations in which your personal information (and other data we collect) is located. Where a third-party service provider is outside New Zealand, we take reasonable steps to confirm that those providers hold your information subject to standards that comply with our privacy obligations.

Despite all of our security measures, we can’t prevent, and are not responsible for, interception or “hacking” of information by unauthorised third parties, or any data breach by our third party providers (or their subprocessors). We will comply with our obligations under the Privacy Act 2020 if we become aware of any data breach, including notifying you and the Privacy Commissioner as appropriate. If you believe a privacy breach may have occurred, please contact us as soon as possible using the contact details below.

Retention of information

As our third party provider, Microsoft will delete all information, including personal information, if our contract with them terminates or if we no longer provide the Services.

Otherwise, Microsoft may retain your personal information in a secure form for the purpose of providing services to us, unless you ask for your information to be deleted. If you want your personal information to be deleted at any point, we will try our best to ensure that this takes place (unless prevented by our contractual obligations or by law).

How can you access and change your information?

It is your responsibility to ensure that the personal information you provide is accurate, complete and up to date.

Subject to the Privacy Act 2020, you have the right to request access to any personal information we hold about you, and to ask us to correct it if you think it is wrong.

Updates to this policy

We may update this Privacy Policy from time to time. Any changes will apply from the date we post the updated policy on our website.

Contact information and Privacy Commissioner

We take your concerns seriously. If you need assistance accessing or updating your personal information or if you have any concerns about privacy, or the way we use or collect your personal information, please email support@light-house.co.nz.

If you are not satisfied with our response to any privacy related concern you may have, you can contact the Office of the Privacy Commissioner online at www.privacy.org.nz.

 

 

[1] An affiliate is any legal entity that controls, is controlled by, or is under common control with Microsoft.