Octavius AI Privacy Policy
Last updated: 20 May 2026
Effective date: 1 May 2026
1. About this Privacy Policy
This Privacy Policy explains how Smile Tactics Limited (NZBN 9429048280945, NZ Company No. 8018818, GST No. 132019169), trading as Octavius AI (“Octavius”, “we”, “us”, or “our”), collects, uses, stores, shares, and protects Personal Information.
It applies to:
- visitors to octavius.ai and any other website, landing page, or web property we operate;
- prospects who interact with us through cold email, networking, web forms, calendar bookings, or AI-driven outreach (including Aria, our voice AI, and the Rapid Lead Follow-Up service);
- Clients who engage us under our Terms of Service for consulting, AI implementation, marketing services, or the Nexus platform;
- End Users of Client systems we build or operate (for example, your customers who interact with a voice AI agent we built for you);
- recipients of marketing or service communications we send;
- candidates for roles at Octavius.
It does not apply to third-party websites, platforms, or services we link to or integrate with. Those have their own privacy policies.
By using our website or Services, you agree to this Privacy Policy. Capitalised terms not defined here have the meaning given in our Terms of Service.
2. Our role: agency, agent, or sub-processor
How we handle Personal Information depends on the context:
2.1 When we are an “agency” (collecting agency / controller)
We act as a collecting agency for the purposes of the Privacy Act 2020, and a controller for the purposes of the GDPR or UK GDPR, when we determine the purposes and means of collecting Personal Information. Examples:
- prospects and visitors interacting with our own marketing (octavius.ai, our cold email, our paid ads, AI Strategy Intensives, scheduled calls with Titus);
- the Aria voice AI service that calls our own prospects;
- the Rapid Lead Follow-Up demo that processes business cards collected at our networking events;
- our own Clients, in respect of the Personal Information we hold about you (billing contacts, account managers, signatories);
- candidates applying for roles at Octavius;
- our employees, contractors, and suppliers.
For these categories, the rest of this Privacy Policy describes our practices.
2.2 When we are an “agent” (service provider / processor)
For most of our Client engagements (AIOS Foundation builds, AI agent and automation builds, marketing services we deliver inside the Client’s platforms, Nexus configurations operating on Client data), we act as the Client’s agent under sections 11 and 120 of the Privacy Act 2020, and as a processor under the GDPR or UK GDPR. In those cases:
- the Client is the agency / controller and bears the primary obligations under the relevant privacy law;
- we hold and process Personal Information only on the Client’s instructions and for the purposes set out in the engagement;
- the Client’s own privacy notices, not this Privacy Policy, are the primary source of information for the data subjects.
We support our Clients in meeting their obligations as agency / controller. Where the law requires a written agreement between controller and processor (for example, GDPR Article 28), we will enter into a Data Processing Agreement on request.
2.3 Mixed role
For some services, our role shifts between agency and agent depending on the activity. For example, a Voice AI agent we operate on a Client’s behalf may collect End User Personal Information as the Client’s agent (Client decides the purpose), but the call recording and transcript may be processed by us as agency for the purpose of model quality assurance and dispute records.
3. What Personal Information we collect
The categories of Personal Information we collect depend on how you interact with us.
3.1 Identifying and contact information
- name, business name, job title;
- email address, postal address, phone number;
- contact preferences;
- signatures (including electronic signatures) on proposals, statements of work, and other agreements.
3.2 Account information
- login credentials (hashed) for Nexus and any other Octavius service requiring authentication;
- multi-factor authentication contact details;
- user roles, permissions, and sub-account assignments.
3.2A Unique identifiers (IPP 13)
Where we need to assign a unique identifier to you (for example, a Nexus account ID, sub-account user ID, billing or customer ID, or an internal CRM ID), we follow the rules in Information Privacy Principle 13 of the Privacy Act 2020:
- we assign a unique identifier only where it is necessary to enable us to carry out one or more of our functions efficiently (IPP 13(1));
- we do not assign you a unique identifier that, to our knowledge, is the same as one already assigned to you by another agency, unless one of the exceptions in IPP 13(2) applies, namely (a) we and the other agency are associated persons within the meaning of subpart YB of the Income Tax Act 2007, or (b) the unique identifier is to be used by us for statistical or research purposes and no other purpose;
- under IPP 13(3), simply recording a unique identifier that another agency (for example, a Client) has assigned to an individual, for the sole purpose of communicating with that other agency about the individual, is not “assigning” a unique identifier and is not restricted by IPP 13(2);
- we take reasonable steps to confirm your identity before we assign you a unique identifier (IPP 13(4)(a));
- we take reasonable steps to minimise the risk of misuse of any unique identifier (for example, by truncating identifiers in receipts, invoices, and external correspondence where the full identifier is not required) (IPP 13(4)(b));
- we do not require you to disclose a unique identifier assigned to you unless the disclosure is for, or directly related to, one of the purposes in connection with which that unique identifier was assigned (IPP 13(5)).
3.3 Billing and financial information
- billing contact name, address, and email;
- payment method tokens (we use Stripe; we do not store full card numbers);
- invoice and payment history;
- GST / NZBN / ABN or equivalent business tax identifiers;
- bank details only where direct deposit is the chosen payment method.
3.4 Communications and engagement records
- emails to and from us, including content;
- SMS messages to and from numbers we operate;
- voice call recordings and transcripts where we have notified you that the call may be recorded;
- chat / messaging interactions with our agents (human or AI);
- meeting transcripts (via Fathom, Otter, Google Meet, or similar);
- ambient meeting recordings captured via Omi where the participants have been notified;
- support tickets, internal notes, and CRM records about our relationship with you.
3.5 Marketing and intent data
- which web pages you visit, which content you download, which emails you open or click;
- responses to web forms, surveys, and audits (for example, the Octavius Knowledge Audit and Revenue Rescue Calculator);
- registration and attendance data for events we run or sponsor.
3.6 Technical and device information
- IP address, browser type, device type, operating system;
- referring URL, exit URL, click-stream within our site;
- cookie identifiers and similar tracking identifiers (see section 12);
- log data from authentication and Nexus platform usage.
3.7 Business context information about your organisation
Where you are a prospect or Client, we may collect Personal Information about your business and your team to inform proposals and delivery, including team structure, current tools, key metrics, customer profiles, and operational workflows. We may augment what you tell us with public sources (your website, LinkedIn, Companies Office records, public review sites) and lawfully licensed enrichment tools.
3.8 End User information (Client-instructed processing)
Where we operate Services for our Clients, we process Personal Information about the Client’s End Users (your customers, leads, prospects, employees) on the Client’s behalf. Categories include contact details, conversation and call records, transaction history, lead scores, and any other data the Client routes through Nexus or the Client’s AI agents. The Client controls what is collected.
3.9 Sensitive information
We do not collect what is commonly understood as sensitive information (for example, health, biometric, political opinion, or sexual orientation data, being categories treated as sensitive under the Australian Privacy Principles and the GDPR / UK GDPR). The Privacy Act 2020 does not contain a separate definition of “sensitive information”; we nonetheless apply equivalent care when handling these categories in New Zealand, particularly under IPP 4(b) (fair means of collection) and IPP 5 (security of personal information). We do not collect these categories unless you provide them to us voluntarily, or unless we have agreed in writing with a Client to process them under specific safeguards. We strongly recommend that Clients do not route sensitive information through general-purpose AI components without a separate written agreement.
3.10 Children
Our Services are designed for businesses. We do not knowingly collect Personal Information from children under the age of 16. If you believe we have collected Personal Information from a child, please contact us using the details in section 19 and we will delete it.
4. How we collect Personal Information
We collect Personal Information in the following ways.
4.0 Our commitment under IPP 4
We collect Personal Information only by lawful means, and by means that, in the circumstances of the collection, are fair and that do not intrude to an unreasonable extent on the personal affairs of the individual concerned. This commitment tracks Information Privacy Principle 4 of the Privacy Act 2020.
We take particular care where Personal Information is, or may be, collected from a child or young person under the age of 16, including a higher threshold of intrusion-reasonableness and additional safeguards on how the information is then used.
4.1 Directly from you
When you fill in a form, book a call, email us, sign a proposal, complete an audit, pay an invoice, register for an event, attend a meeting, or interact with one of our AI agents.
4.2 Through our technology
When you use our website, web tools, or Nexus, our systems log technical and engagement data automatically.
4.3 From third parties
We may receive Personal Information from:
- referrers who introduce you to us;
- public sources (your business website, LinkedIn, the Companies Office, public review sites);
- lawfully licensed data enrichment services;
- our Clients, where you are their End User and they have directed us to process your data on their behalf;
- service providers that route communications to us (for example, calendar booking platforms, payment platforms, support ticket platforms).
Where we receive Personal Information from a third party about you, we ensure we have a lawful basis to use it and, where required, we will provide you with notice consistent with IPP 3 of the Privacy Act 2020 and equivalent overseas rules. The specific commitments under IPP 3A for collection from a person other than the individual are set out in section 4.5.
4.4 From observing AI agent interactions
Our AI agents (Aria, voice assistants, chatbots, automation agents) record what is said or written during the interaction. When you interact with an AI agent we operate, we will, by default, disclose at the start of the interaction that it is an AI and that the conversation may be recorded.
4.5 IPP 3A, collection of information from someone other than you
From 1 May 2026 (and now), Information Privacy Principle 3A of the Privacy Act 2020 applies whenever we collect Personal Information about you from someone other than you. This includes the categories of third-party collection set out in section 3.7 (information about your business and team) and section 4.3 (referrers, public sources such as LinkedIn and the Companies Office, licensed data enrichment providers, our Clients passing us their End User data, and service providers that route communications to us).
Where IPP 3A applies, we take reasonable steps to make you aware of:
(a) the fact that we have collected the Personal Information;
(b) the purposes for which we have collected the Personal Information;
(c) the intended recipients of the Personal Information;
(d) the name and address of (i) the agency that has collected the Personal Information and (ii) the agency that is holding the Personal Information (in most cases both are Smile Tactics Limited trading as Octavius AI, with contact details in section 19);
(e) the legal authority under which the Personal Information is collected, where collection is authorised or required by law;
(f) your right of access to, and correction of, the Personal Information (see section 14).
We rely on the exceptions in IPP 3A(4) to (6) only where they actually apply, and we keep an internal record of which exception is relied on. Examples include:
- where you are already aware of the matters listed above (for example, because the third party has notified you);
- where making you aware would be likely to prejudice the purposes of the collection (rarely applicable in our context);
- where compliance is not reasonably practicable in the circumstances of the case;
- where the Personal Information will not be used in a form in which you are identified;
- where the Personal Information is publicly available.
Our primary route for IPP 3A compliance in B2B prospecting is to rely on the third party (typically the publisher of the Companies Office, LinkedIn, or your own business website) having made you aware of the collection at the point of original collection from you, and on our own outreach being the first direct contact at which we identify ourselves. Where we believe IPP 3A notification has not been satisfied, we will provide the matters above in our first communication with you.
5. Why we use Personal Information, and the lawful basis
We use Personal Information for the following purposes. Where the GDPR or UK GDPR applies, we have listed the legal basis for each purpose.
5.1 Providing and operating our Services
To deliver the Services agreed in your proposal, statement of work, or order form, including consulting, AI implementation, marketing, and Nexus platform access. Legal basis: performance of a contract.
5.2 Communicating with you
To respond to enquiries, send confirmations, deliver invoices and statements, send service-related notices, and provide support. Legal basis: performance of a contract or our legitimate interests in running our business.
5.3 Direct marketing
To send marketing communications about our Services, content (such as newsletters, content drops, AI Strategy Intensive promotions, Phoenix DB Reactivation case studies), and events. Legal basis: our legitimate interests, or consent where required by law (for example, under the Unsolicited Electronic Messages Act 2007 and the AU SPAM Act 2003). Every marketing communication includes a clear and free-of-charge unsubscribe mechanism.
5.4 Onboarding and account management
To verify identity, set up Nexus sub-accounts, provision named users, and maintain the customer relationship. Legal basis: performance of a contract.
5.5 Improving our Services and developing new ones
To analyse aggregate use patterns, improve our prompts and agent designs, train internal patterns, and develop new Services. We do not use Client Confidential Information or End User Personal Information to train public AI models (see section 8). Legal basis: our legitimate interests, or consent where required.
5.6 Compliance, risk management, and dispute records
To meet our legal, tax, accounting, and regulatory obligations, to keep records of advice and consent, and to assert or defend legal claims. Legal basis: legal obligation, and our legitimate interests in protecting the business.
5.7 Security and fraud prevention
To detect, investigate, and respond to fraud, unauthorised access, abuse of the Services, and threats to our systems. Legal basis: our legitimate interests, and legal obligation.
5.8 Recruitment
To assess candidates for roles, conduct reference checks (with your consent), and manage offers. Legal basis: pre-contractual steps at your request, our legitimate interests, and consent where required.
5.9 Case studies and marketing collateral
With your prior written consent, to reference our work with you in case studies, proposals, sales conversations, and marketing material. You may withdraw consent on written notice. Legal basis: consent.
5.10 Anonymised analytics and research
To produce anonymised, aggregated insights for internal benchmarking and the betterment of our Services. Once data has been irreversibly anonymised, it is no longer Personal Information.
6. AI services, Personal Information, and your data
AI is central to what we do, so we apply specific rules to Personal Information that flows through AI components.
6.1 No training of public AI models on your data
We do not feed Client Confidential Information or End User Personal Information into AI systems for the purpose of training a public or third-party model. Our agreements with material AI sub-processors (such as Anthropic and OpenAI) provide that inputs and outputs from our API usage are not used by the provider to train its models, consistent with those providers’ enterprise API terms.
6.2 Using your data to improve our own work
We may use anonymised, aggregated, or de-identified data and patterns from how Clients use the Services to improve our own prompts, agent designs, dashboards, and recommendations. Where data is irreversibly anonymised, it is no longer Personal Information.
Where you have given specific written consent (which can be given by email), we may use identifiable examples (for example, a transcript clip, a workflow diagram, a specific result) in case studies, sales material, or product improvement.
6.3 AI agents that interact with people
When you interact with one of our AI agents (voice or text), we will, by default:
- disclose at the start of the conversation that the agent is an AI, and identify the agency on whose behalf the agent is operating (us, or where the agent is being operated for a Client, that Client);
- where the conversation is recorded, disclose that the conversation may be recorded, and provide a way to opt out (for example, by hanging up or by replying “stop recording”);
- direct you to this Privacy Policy for the rest of the matters required by IPP 3(1) of the Privacy Act 2020 (purpose of collection, intended recipients, holder, legal authority, and your access and correction rights), for example by sending a follow-up SMS with a link to octavius.ai/privacy-policy, by reading a short statement that names this Privacy Policy and how to access it, or both;
- avoid impersonating a regulated professional, a government agency, or a specific human being.
This default is designed to satisfy IPP 3 (notification of collection) and IPP 4(b) (fair means of collection) of the Privacy Act 2020 and equivalent overseas rules.
A Client who has engaged us to deliver an AI agent may, in writing, vary the wording of the default disclosure for that agent or campaign, but may not remove the AI-status disclosure itself, and any variation must still clearly convey to the recipient that they are interacting with an AI. Where a Client varies the wording, the Client remains responsible for ensuring that any other disclosure required by the law applicable to the call is in place (see Terms of Service clause 10.8).
6.4 AI Output is not Personal Information advice
AI Output produced by our Services may reference, describe, or summarise people. AI Output is probabilistic and may be incorrect, incomplete, or fabricated. Decisions about identifiable individuals (for example, lead scoring, churn risk, hiring screens) made by or with the assistance of AI must include human review where the law of the relevant jurisdiction (including but not limited to GDPR Article 22) requires it. We will design human review checkpoints into AI agents that produce such Output.
6.5 Voice recordings and transcripts
Where we record calls (inbound or outbound) made or received by AI agents we operate, we:
- store the recording and transcript in our infrastructure or that of a designated sub-processor;
- retain it for the period set out in section 10;
- restrict access to staff and sub-processors who need it for service operation, QA, dispute records, or compliance;
- delete or irreversibly anonymise it at the end of the retention period.
6.6 Profile and lead enrichment
Where we use AI to enrich a prospect or lead profile from public sources, we identify the source and we do not knowingly retain enrichment data that is inaccurate or that we have been asked to delete.
7. Who we share Personal Information with
We share Personal Information only with the following categories of recipient.
7.1 Our team
Personal Information is accessible to our employees and contractors who need it to do their job. They are bound by confidentiality and security obligations.
7.2 Our sub-processors and service providers
We use third-party providers to operate parts of the Services. They process Personal Information only on our instructions and only for the purposes set out in our agreement with them. A current list of material sub-processors is in Schedule A of this Privacy Policy.
7.3 Our Clients
Where you interact with one of our Clients via Services we operate for them (for example, a Voice AI Receptionist for a dental practice), your Personal Information is shared with that Client because they are the agency / controller.
7.4 Professional advisers
Our lawyers, accountants, auditors, insurers, and other professional advisers, where access is necessary for them to advise us.
7.5 Successors
If we are involved in a sale, merger, restructure, or transfer of all or part of our business, Personal Information may be transferred to the buyer or successor as part of that transaction, subject to that party agreeing to honour this Privacy Policy.
7.6 Legal disclosures
We may disclose Personal Information where required by law, regulator, court order, or other competent authority, or where reasonably necessary to assert, defend, or exercise legal rights, prevent fraud, or protect the safety of a person.
7.7 With your consent
We will share Personal Information for any other purpose with your consent.
8. Cross-border data transfers
Octavius operates from New Zealand. Many of our sub-processors are located outside New Zealand, including in the United States, Australia, the European Union, Singapore, and the United Kingdom. When we share Personal Information with a sub-processor located in another country, that country may not have equivalent privacy protections.
8.1 Privacy Act 2020, IPP 12
Where we disclose Personal Information to a recipient who is a foreign person or entity (and the disclosure is not simply a transfer to one of our own agents or sub-processors acting on our instructions, which is not a “disclosure” under section 11(5) of the Act), we comply with Information Privacy Principle 12 of the Privacy Act 2020 by relying on one of the lawful pathways in IPP 12(1)(a) to (f):
(a) Authorised by the individual. You have authorised the disclosure to the foreign person after being expressly informed by us that the foreign person may not be required to protect the information in a way that, overall, provides comparable safeguards to those in the Act;
(b) NZ-business recipient. The foreign person carries on business in New Zealand and, in relation to the information, we believe on reasonable grounds that they are subject to the Act;
(c) Comparable foreign privacy law. We believe on reasonable grounds that the foreign person is subject to privacy laws that, overall, provide comparable safeguards to those in the Act;
(d) Prescribed binding scheme. We believe on reasonable grounds that the foreign person is a participant in a prescribed binding scheme specified in regulations made under section 213 of the Act;
(e) Prescribed country. We believe on reasonable grounds that the foreign person is subject to privacy laws of a prescribed country specified in regulations made under section 214 of the Act, and the disclosure is not precluded by any limitation or qualification prescribed in respect of that country under section 214(3);
(f) Other comparable safeguards. We otherwise believe on reasonable grounds that the foreign person is required to protect the information in a way that, overall, provides comparable safeguards to those in the Act, for example pursuant to a contract entered into between us and them.
In practice:
- For routine sub-processing (where an overseas provider processes Personal Information on our instructions and only for our purposes), we treat the transfer as not a “disclosure” under section 11(5) and IPP 12 is not engaged. Our contracts with those providers nonetheless require them to protect the information consistent with our obligations under the Act.
- The section 11(5) carve-out applies only while a sub-processor is contractually prohibited from using the information for its own purposes. Under section 11(3) of the Act, the moment a sub-processor uses Personal Information for its own purposes, that information is treated as also held by the sub-processor, the transfer to it becomes a “disclosure”, and we engage IPP 12 in respect of that disclosure by identifying the pathway in IPP 12(1)(a) to (f) that we rely on for that recipient. We do not knowingly engage sub-processors that reserve a right to use Personal Information for their own purposes.
- For disclosures to overseas AI providers in the United States (Anthropic, OpenAI, Google) and similar, we rely primarily on pathway (f) (contractual comparable safeguards) and, where applicable, on pathway (a) for any disclosure that goes beyond routine processing on our instructions.
- For disclosures to recipients in Australia, the United Kingdom, and the European Economic Area, we may also rely on pathway (c) (comparable foreign privacy laws) and, in due course, on pathway (e) for any country that is prescribed under section 214 of the Act.
A current sub-processor list with country of operation is in Schedule A.
8.2 GDPR / UK GDPR transfers
Where the GDPR or UK GDPR applies, we rely on the following safeguards for transfers from the EEA or the UK to countries that do not have an adequacy decision:
- the European Commission’s Standard Contractual Clauses (and, for UK transfers, the UK International Data Transfer Addendum);
- where applicable, an adequacy decision (for example, for transfers within the UK / EU / countries with adequacy);
- where applicable, additional contractual and technical measures consistent with current guidance from the European Data Protection Board and the UK Information Commissioner’s Office.
8.3 Australian Privacy Principle 8
Where the Australian Privacy Principles apply, we take reasonable steps to ensure that overseas recipients of Personal Information handle it in a manner consistent with the APPs, in line with APP 8.
We take reasonable technical and organisational measures to protect Personal Information against unauthorised access, alteration, disclosure, or destruction. These include:
- access controls and the principle of least privilege;
- multi-factor authentication on production systems;
- encryption in transit (TLS 1.2 or higher) for all production traffic that carries Personal Information; we do not engage sub-processors for production processing of Personal Information that do not support encryption in transit;
- segregation of customer environments within Nexus;
- regular review of staff access rights;
- backup procedures for critical Client Data held in Nexus;
- defined incident response procedures with senior accountability.
No security measure is perfect, and we cannot guarantee that our security measures will prevent every unauthorised access or attack. See section 11 (Notifiable Privacy Breaches).
9A. Accuracy of Personal Information (IPP 8)
Before we use or disclose Personal Information, we take reasonable steps in the circumstances to ensure that the information is accurate, up to date, complete, relevant, and not misleading, having regard to the purpose for which the information is being used or disclosed. This commitment tracks Information Privacy Principle 8 of the Privacy Act 2020.
In practice, this means:
- we periodically prompt Clients and prospects to confirm contact details and decision-maker information;
- we treat publicly sourced enrichment data (LinkedIn, Companies Office, public review sites) as subject to verification before we rely on it for any decision that affects an individual;
- we apply additional human checks before any AI-generated profile, lead score, classification, or recommendation about an identifiable individual is acted on externally (see section 6.4);
- if we become aware that Personal Information we hold is inaccurate, we correct or annotate it as soon as practicable and notify any party we have disclosed it to where the law requires it (Privacy Act 2020 IPP 7(5)).
You can ask us to correct Personal Information we hold about you under section 14 of this Privacy Policy.
10. Retention and deletion
10.1 General
We retain Personal Information only as long as we need it for the purpose for which it was collected, including legal, accounting, tax, and dispute-record purposes. At the end of the retention period, we will delete or irreversibly anonymise the Personal Information.
10.2 Retention periods (default, unless a longer or shorter period is required by law or agreed with the Client)
| Category | Retention period |
|---|---|
| Prospect contact data (no engagement reached) | 24 months from last interaction |
| Client account and engagement records | Duration of engagement + 7 years (for tax, audit, and dispute records) |
| Invoices, payment records, GST records | 7 years (to meet NZ tax record-keeping obligations under the Tax Administration Act 1994) |
| Marketing-list contact data | Until unsubscribe + 12 months for suppression record |
| Voice AI recordings and transcripts (our own services) | 12 months, then deleted or irreversibly anonymised |
| Voice AI recordings and transcripts (Client services) | As specified by the Client, default 12 months |
| Web analytics and cookie identifiers | Per the analytics provider’s standard retention (see section 12) |
| Job applicant data (unsuccessful) | 12 months from decision, then deleted unless candidate consents to a talent pool |
| Recruitment data (successful) | Becomes part of the employment record |
| Backups | Up to 90 days from last refresh, then overwritten |
10.3 Deletion on termination of a Client engagement
When a Client engagement ends, Terms of Service clause 21.5 applies. We will provide a commercially reasonable export of Client Data on request, and then, after 60 days from termination, we will delete or irreversibly anonymise the Client Data and configurations from Nexus, unless we are required by law to retain them or we have agreed a longer retention period with the Client in writing.
10.4 Right to erasure
Where you have a right under applicable law to ask us to delete Personal Information about you (for example, under GDPR Article 17), we will action that request in accordance with section 14 below.
11. Notifiable privacy breaches
11.1 Our commitment
If we become aware of a privacy breach affecting Personal Information that we hold, we will:
(a) take immediate steps to contain and assess the breach;
(b) record the breach in our internal breach register; and
(c) where the breach is or may be a “notifiable privacy breach” under section 112 of the Privacy Act 2020, notify the Office of the Privacy Commissioner under section 114 of the Act, and notify affected individuals under section 115, or, where it is not reasonably practicable to notify an affected individual or each member of a group of affected individuals, give public notice of the breach under section 115(2) of the Act. All notifications and public notices will be given as soon as practicable after we become aware that a notifiable privacy breach has occurred.
11.2 When we are a Client’s agent
Where the breach affects Personal Information that we hold as a Client’s agent, we acknowledge that, under section 121(4) of the Privacy Act 2020, our knowledge of the breach is treated as the Client’s knowledge for the purposes of the Act.
We will notify the affected Client immediately or as soon as practicable and will provide the information required by section 117 of the Act as soon as it is available, so the Client can meet its section 114 obligation to notify the Privacy Commissioner as soon as practicable, and its section 115 obligation to notify affected individuals (or to give public notice under section 115(2)). We will not delay notification, or providing the section 117 particulars, on the basis that our own internal investigation is incomplete.
11.3 Equivalent regimes overseas
Where the breach affects data subjects in jurisdictions with their own breach notification regimes (for example, the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth), or the GDPR / UK GDPR Article 33 / 34), we will support the relevant agency / controller to comply with that regime.
12. Cookies and tracking
12.1 What we use
We use cookies and similar technologies on octavius.ai and any of our connected web properties to:
- keep you signed in to Nexus and other authenticated services;
- remember preferences (such as language and consent settings);
- measure traffic and content performance (via Google Analytics and equivalent tools);
- attribute marketing campaigns;
- support advertising on Google, Meta, LinkedIn, TikTok, Microsoft, and other platforms.
12.2 Categories
- Strictly necessary cookies, required to operate the site.
- Performance and analytics cookies, used to understand how visitors use the site.
- Functional cookies, used to remember preferences.
- Marketing cookies, used to deliver and measure advertising.
12.3 Your choices
You can refuse or delete non-essential cookies through your browser settings. Most browsers let you block cookies altogether, block third-party cookies only, or delete cookies that have already been set. Refer to your browser’s help documentation for the specific steps. Refusing strictly necessary cookies may prevent parts of the site from working.
New Zealand and Australian privacy laws do not require a separate cookie consent banner for the categories of cookies we use; browser-level controls and the disclosure in this section satisfy the relevant transparency obligations. If we later target users in jurisdictions that do require a consent banner (for example, under the EU ePrivacy Directive or UK PECR), we will implement one for those users and update this section.
12.4 Do not track
We currently do not respond to “Do Not Track” browser signals because there is no consistent industry standard.
13. Direct marketing
We send marketing communications only where we have a lawful basis under the Unsolicited Electronic Messages Act 2007 (NZ) (“UEMA”), the SPAM Act 2003 (Cth), or equivalent law in your jurisdiction.
13.1 Sender identification and content
Every commercial electronic message we send:
- identifies us as the sender, with current and accurate sender information, consistent with UEMA section 10;
- includes a clear and functional unsubscribe facility that meets the requirements of UEMA section 11, in particular that the facility:
  - is reasonably easy to use (one-click in email; reply “STOP” for SMS);
  - is provided at no cost to you;
  - presents a functional electronic address for unsubscribe requests; and
  - remains valid for at least 30 days after the message is sent.
13.2 What happens when you unsubscribe
Once you have used a valid unsubscribe facility, under UEMA section 9(2) any prior consent is treated as withdrawn from 5 working days after the unsubscribe request. We action unsubscribe requests within that 5 working day window, and we keep your contact on a suppression list so we do not send you further commercial electronic messages.
You can also opt out at any time by:
- using the unsubscribe link in a marketing email;
- replying “STOP” to a marketing SMS;
- emailing [email protected] (see section 19).
13.3 Service communications
Opting out of marketing does not stop service-related communications (such as invoices, system notices, breach notifications, or scheduled-call confirmations) that you are entitled to receive while you remain a Client. Service-related communications of this kind, where they contain no marketing or promotional content, are not “commercial electronic messages” within the meaning of section 6 of UEMA.
Where a service-related communication contains marketing or promotional content (for example, an invoice that cross-sells, or a system notice that includes upsell messaging), the marketing or promotional component of that communication is treated as a commercial electronic message, and the requirements of UEMA sections 9 (consent), 10 (sender identification), and 11 (unsubscribe facility) apply to that component.
14. Your rights
Subject to applicable law, you have rights in relation to your Personal Information. Some rights apply only in certain jurisdictions.
14.1 Rights under the Privacy Act 2020 (NZ)
You have the right to:
(a) request confirmation of whether we hold Personal Information about you, and request access to that information (IPP 6(1)(a) and IPP 6(1)(b));
(b) request correction of that information (IPP 7). If we decide not to make a requested correction, you also have the right under IPP 7(3)(b) of the Privacy Act 2020 to provide us with a statement of the correction sought and to require us to attach that statement to the information in such a way that it will always be read with the information;
(c) complain to the Office of the Privacy Commissioner (see section 18).
14.2 Rights under the Australian Privacy Principles
If the APPs apply, you also have the right to access (APP 12) and seek correction of (APP 13) Personal Information we hold about you, and to complain to the Office of the Australian Information Commissioner.
14.3 Rights under the GDPR / UK GDPR
If the GDPR or UK GDPR applies, you also have the right to:
(a) request access to a copy of your Personal Information (Art 15);
(b) request correction (Art 16);
(c) request erasure / “right to be forgotten” (Art 17);
(d) request restriction of processing (Art 18);
(e) data portability (Art 20);
(f) object to processing based on legitimate interests, including direct marketing (Art 21);
(g) not be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significantly affects you (Art 22). See section 6.4;
(h) withdraw consent at any time, where consent is the legal basis (Art 7);
(i) lodge a complaint with a supervisory authority in the EEA or the UK.
14.4 How to exercise your rights
Send a request to [email protected]. For requests under the Privacy Act 2020 we will respond as soon as reasonably practicable, and in any case no later than 20 working days after receiving your request, consistent with section 44(1) of that Act, and we may extend that period as the law permits (for example, under section 41 where the request is for a large quantity of information or requires consultation). For requests under the GDPR or UK GDPR we will respond within one month, extendable as those regulations permit.
We may need to verify your identity before we action a request. If the request relates to Personal Information held by us as a Client’s agent (see section 2.2), we may refer the request to the Client, who is the agency / controller, and we will tell you we have done so.
14.5 Refusal of a request
We may refuse a request where the law permits (for example, where a request is frivolous or vexatious, or where compliance would breach another person’s privacy). Where we refuse, we will explain why and tell you how to escalate.
15. Children
See section 3.10.
16. International clients and data subjects
Octavius is based in New Zealand. We provide Services to clients and data subjects internationally. Where the law of your country gives you additional rights or imposes additional obligations on us, those will apply to the extent the law requires.
We have specifically considered, and where applicable comply with:
- the Privacy Act 2020 (NZ);
- the Australian Privacy Principles under the Privacy Act 1988 (Cth);
- the GDPR (EU Regulation 2016/679) and the UK GDPR, to the extent we process data of EU or UK data subjects;
- the Unsolicited Electronic Messages Act 2007 (NZ);
- the SPAM Act 2003 (Cth);
- the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), to the extent they apply to California residents in our records.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The current version is published at octavius.ai/privacy-policy with the “Last updated” date.
For material adverse changes affecting an existing Client engagement, we will give the Client 30 days’ written notice consistent with Terms of Service clause 26.2.
18. Complaints
If you are not happy with how we have handled your Personal Information, please contact us first using the details in section 19. We will investigate your complaint and respond within 20 working days, or sooner if the law requires.
If you are not satisfied with our response, you can complain to:
- New Zealand: Office of the Privacy Commissioner, privacy.org.nz / 0800 803 909.
- Australia: Office of the Australian Information Commissioner, oaic.gov.au / 1300 363 992.
- United Kingdom: Information Commissioner’s Office, ico.org.uk / 0303 123 1113.
- European Union: the supervisory authority in your country of residence.
19. Privacy Officer and contact
Our nominated Privacy Officer is:
Titus Mulquiney
Privacy Officer, Octavius AI
Smile Tactics Limited
Email: [email protected]
General email: [email protected]
Phone: +64 9 888 0666
Postal address: Suite 7, 651 Whangaparaoa Road, Stanmore Bay, Whangaparaoa 0932, New Zealand
20. Definitions
Capitalised terms not defined in this Privacy Policy have the meaning given in the Octavius AI Terms of Service available at octavius.ai/terms.
In this Privacy Policy:
- “Personal Information” has the meaning given in the Privacy Act 2020, and in equivalent terms means “personal data” (GDPR / UK GDPR) or “personal information” (Australian Privacy Principles).
- “Privacy Act 2020” means the Privacy Act 2020 (New Zealand), as amended.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- “UK GDPR” means the UK General Data Protection Regulation as defined in the Data Protection Act 2018 (UK).
- “IPP” means an Information Privacy Principle set out in section 22 of the Privacy Act 2020.
- “APP” means an Australian Privacy Principle set out in Schedule 1 of the Privacy Act 1988 (Cth).
Schedule A: Material sub-processors
Octavius engages the following categories of sub-processor to provide the Services. Specific providers within each category may change from time to time; the current list is maintained here. We will update this Schedule when we add a material sub-processor.
A.1 AI model providers
| Provider | Function | Country of operation |
|---|---|---|
| Anthropic, PBC | Large language model APIs (Claude family), used for content generation, analysis, agent reasoning, support drafts | United States |
| OpenAI OpCo LLC | Large language model and audio APIs (GPT family, Whisper), used for transcription, content generation, agent reasoning | United States |
| Google LLC | Generative AI APIs (Gemini family), used for reasoning and analysis | United States |
| ElevenLabs Inc | Voice synthesis for voice AI agents | United States |
| Retell AI | Voice AI agent orchestration | United States |
A.2 Platform, communications, and infrastructure
| Provider | Function | Country of operation |
|---|---|---|
| Underlying marketing and operations platform infrastructure for Nexus | The underlying platform on which we operate the Nexus marketing and operations workspace | United States |
| Twilio Inc | Telephony for voice and SMS via Nexus and AI agents | United States |
| MyCRM (or successor) | SMS routing in New Zealand | New Zealand |
| n8n GmbH | Workflow automation engine | Germany / European Union |
| Cloudways Ltd (DigitalOcean Holdings) | Hosting for legacy websites and apps | Singapore / global |
| Cloudflare Inc | DNS, CDN, WAF | United States |
| Google LLC (Workspace, Google Cloud) | Email, calendar, drive, identity, BigQuery, hosting | United States |
| Microsoft Corporation | Limited use of Microsoft 365 services where applicable | United States |
A.3 Marketing, content, and outreach
| Provider | Function | Country of operation |
|---|---|---|
| Instantly | Cold email sending infrastructure | United States |
| Meta Platforms Inc | Ad delivery on Facebook and Instagram | United States |
| Google Ads | Ad delivery on Google properties | United States |
| LinkedIn Corporation | Ad delivery on LinkedIn | United States |
| TikTok | Ad delivery on TikTok | Singapore / United States |
| Microsoft Advertising | Ad delivery on Microsoft properties | United States |
| Gamma App Inc | Document and deck generation | United States |
A.4 Operations and team tooling
| Provider | Function | Country of operation |
|---|---|---|
| Stripe Inc | Payment processing (cards, Stripe Billing) | United States |
| Wise Payments Ltd | Multi-currency payments | United Kingdom |
| Xero Ltd | Accounting | New Zealand |
| ClickUp | Project and task management | United States |
| Fathom Video Inc | Meeting recording and transcription | United States |
| Omi (Based Hardware Inc) | Ambient meeting recording (used by team members who have opted in) | United States |
| Telegram Messenger Inc | Internal operations messaging | United Arab Emirates / global |
A.5 Data and enrichment
| Provider | Function | Country of operation |
|---|---|---|
| Public data sources (Companies Office, LinkedIn public profiles, public websites) | Lead enrichment | Various |
| Apollo.io Inc | Paid B2B contact and prospect enrichment | United States |