Privacy Policy

SMX Privacy Policy

SMX Limited and its related bodies corporate (collectively referred to in this privacy policy as "SMX", "we", "us" or "our") are committed to privacy. This policy explains how we collect and use your personal information, the legal basis for processing it, what we use it for, and who we share it with. It also explains how you may seek to access or correct your personal information, exercise any other statutory right, or make a privacy complaint. 

By using our website and/or services or otherwise providing SMX with personal information, you acknowledge that you have been informed of the processing of your personal information in accordance with this privacy policy. If you do not accept the terms of this privacy policy, you should not use our website or services. 

General Website and Service Usage 

When you access the SMX website, Portal, Webmail, or other services, we may collect and store information about that use. This information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system, message headers, and other usage information, including a history of the pages you view. We use this information to operate, maintain, secure, and improve our website and services, to understand how many people have accessed the site, what they completed whilst on the site, and what errors occurred. 

Cookies Policy 

The SMX website, portal, and webmail use cookies to distinguish you from other users of our services. Cookies are pieces of information that a website transfers to your device to store and sometimes track information about your use of that website. 

SMX may use third parties to analyse traffic at our website and may use cookies to do this. The information collected for such analysis is anonymous. SMX does not track users when they cross to third-party websites. 

For more information on the use of cookies, please refer to our Cookie Policy. 

External Websites 

The SMX website may contain links to websites owned and operated by other organisations. When you click on one of these links, you are moving to another website. While we reviewed linked sites at the time of posting the link and only provide a link if we believe the content might be of interest to our users, the content of those linked sites is the responsibility of the organisation owning and/or operating the site. SMX is not responsible for the content of any linked site. We encourage you to read the privacy policies of any linked site as its privacy practices may differ from ours. 

Collection of Personal Information from You 

The ways in which SMX may collect personal information directly from you include: 

• Information that you provide to us at the time of signup, including name, address, email address, phone number, and employer; 

• Messages or comments you submit to SMX via our website through the Contact page, Case Study page, News page, Product page, or Support Enquiry Form, or via sales@smxemail.com, info@smxemail.com, or privacy@smxemail.com; 

• Application forms, identification documentation, or other documents that you may complete or provide to SMX; and 

• Face-to-face meetings, interviews, and telephone conversations. 

If you do not provide us with the information we request, SMX may not be able to respond to your requests, verify your identity, protect against fraud, process your application, or provide services to you. 

Collection of Personal Information from Other Sources 

Sometimes we collect information about you from other sources. We may collect information that is publicly available (for example, from public registers or social media) or made available by third parties. We do this where: 

• Messages pass through the SMX filtering services — in this case, we collect the metadata contained in those messages, including sender, recipient, time, and subject, and store it in log files on our systems; 

• We distribute or arrange products on behalf of others, including our business partners; 

• We need information from third parties about an application you make through us; 

• We need information for fraud prevention purposes; or 

• We cannot get hold of you and need to update your contact details. 

Your right to be notified of indirect collection — NZ IPP 3A 

Where SMX collects personal information about you from a source other than yourself, and the Privacy Amendment Act 2025 applies, we will take reasonable steps to notify you of that collection as soon as reasonably practicable after collecting the information, unless a statutory exception applies. This obligation applies to personal information collected indirectly on or after 1 May 2026. 

That notification will, where applicable, include: 

• the fact that the information has been collected; 

• the purpose of the collection; 

• the identity and contact details of SMX; 

• the intended recipients of the information; 

• any law that requires or authorises the collection; 

• the consequences of the information not being collected, where relevant; and 

• your right to request access to and correction of that information. 

Exceptions may apply where, for example, you have already been informed of all relevant matters, notification would prejudice the purpose of collection, or another agency has already given the required notice on SMX's behalf. Where we rely on another party to deliver this notice, SMX remains responsible for ensuring the notice was actually provided. 

How We Use and Process the Personal Information We Collect About You and on What Legal Basis 

We use and process your information in a lawful manner for the following purposes: 

• to verify your identity and enable communication with you, whenever necessary in the context of our services and products; 

• for the performance of a contract with you — namely to deliver our services and products, meet our obligations, and pursue our rights (including billing and support services) — or to take steps at your request before entering into a contract; 

• in connection with our legitimate interests (except where they are overridden by your interests or fundamental rights and freedoms), including: 

• performing or entering into a contract with a legal entity you represent; 

• identifying opportunities to improve our services, detecting and correcting errors, and developing new services and products; 

• running our business and performing administrative and operational tasks, including engaging subcontractors and third-party service providers such as website developers, cloud storage providers, and payment processors; 

• promoting our business, services, and products through marketing, newsletters, and corporate events; and 

• defending our positions and pursuing legal claims before courts or other bodies where SMX is a party; 

• for any other purpose to which you have given your explicit consent, such as to process your requests or answer your enquiries; and 

• where we are required to do so by applicable laws, regulations, or binding codes. 

It is not unusual for the processing of your personal information to be based on multiple legal grounds simultaneously. For example, when we inform you about security updates, we may do so both under an existing contract and in pursuit of our legitimate interests in securing our systems. 

Direct Marketing 

SMX does not sell or give out your email address, send spam, or send unsolicited direct marketing material or other unsolicited electronic messages. SMX may occasionally send important announcements regarding SMX or its services and products to our existing clients. 

If you have provided your consent to receiving direct marketing or newsletters, you can withdraw it without detriment at any time by contacting us at privacy@smxemail.com or by clicking on the unsubscribe link in our electronic communications. 

Sharing Your Information 

SMX applies a strict need-to-know approach to personal information. Within our organisation, personal information is only accessed by those departments and personnel responsible for the relevant data processing operations. 

We may share your information with other organisations or persons outside SMX consistent with the purposes described in this policy. This may include: 

• regulatory or enforcement authorities, where a legal obligation requires disclosure; 

• our professional advisers, where required to provide advice in service of our legitimate interests; and/or 

• third-party service providers to whom we may outsource certain processing operations in the course of our business, such as IT platforms, storage providers, software developers, and payment processors. 

Where we engage third parties to process personal information on our behalf, we require appropriate contractual, technical, and organisational safeguards to be in place. 

Data Analytics 

In some cases, the information we hold may be processed by our data analytics systems. This information is not used to identify you as an individual. It is collated into aggregate results or classifications to assist us in improving our services and to operate, maintain, develop, test, and upgrade our systems and infrastructure. The aggregated data contains no unique identifying information and is only used as a whole. 

Transfer of Your Information to Other Countries and Third-Party Service Providers 

As SMX operates on a global scale, personal information you provide to us may be transferred, processed, used, or stored by SMX or our third-party service providers in countries other than New Zealand. 

Where SMX engages third-party service providers to carry out processing activities on its behalf, SMX will ensure that appropriate technical and organisational measures are in place and that those third parties are bound by obligations consistent with this privacy policy and meet the necessary legal requirements. 

If you have any concerns regarding the overseas transfer of your personal information, please contact us at privacy@smxemail.com. Please note that if you object to overseas transfer, we may not be able to provide the services you have requested in whole or in part. 

Security and Retention Policy 

SMX regards the security of your personal information as paramount and takes reasonable and appropriate steps to protect it from misuse, loss, and unauthorised access, modification, or unlawful disclosure, in accordance with applicable privacy laws — including the New Zealand Privacy Act 2020, the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and the GDPR where applicable. 

We will keep personal information, including personal information stored in log files, for as long as we maintain our relationship with you or as otherwise required for our business operations or any applicable laws, including to enforce our rights, for fraud prevention, to identify or resolve legal claims, and for proper record-keeping purposes. We store log files, which may contain your personal information, for at least two years to satisfy these purposes. When personal information is no longer required, SMX will take reasonable steps to destroy or de-identify it in accordance with APP 11.2 and applicable NZ and GDPR requirements. 

Although SMX endeavours to provide a secure environment and restricts SMX personnel access to personal information, the internet is not a secure environment by nature. Information transmitted to SMX over the internet cannot be guaranteed to be completely secure or error-free, and SMX is not responsible for the security of transmission. If you send an email to SMX over the internet, you are accepting the associated risks. 

In the event of a security breach leading to accidental loss, disclosure, or access to your personal information, SMX will comply with all applicable notification obligations, including mandatory reporting under the New Zealand Privacy Act 2020, the Australian Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), and the GDPR where applicable. 

Your Rights 

You agree that, subject to any applicable privacy laws, any personal information you give to SMX will be accurate, correct, and up to date, and that when acting on behalf of a business or other person, you are authorised to provide such information. You must inform us if any of your personal information changes. 

You have a right to request access to and/or correction of your personal information and, where provided by applicable law, to receive a copy of it or have it transferred to another party. If we cannot make a correction, you have the right to provide us with a statement of the correction sought and request that we attach it to your personal information. 

To request access, correction, or a copy of your personal information, or for questions about this policy, please contact us at privacy@smxemail.com. 

We may need to verify your identity to respond to your request. We will respond within the period permitted under applicable privacy laws and will generally give access and/or make a correction unless an exemption applies. If we cannot give access or make a correction, we will tell you why in writing and advise how you can make a complaint. 

The collection and processing of personal information is subject to the General Data Protection Regulation (EU) 2016/679 (GDPR) for all EU member states plus Iceland, Liechtenstein, and Norway. For the purpose of GDPR, SMX acts as a data controller, and this policy includes the information required to be provided to individual in these countries under Articles 13 and 14 of the GDPR. 

International Transfers from the EEA 

Where SMX or our service providers transfer your personal information outside the EEA, we will do so only where appropriate protections are in place under GDPR. The transfer mechanisms we rely on are as follows: 

• New Zealand, Belgium, France, and Germany: We rely on adequacy decisions adopted by the European Commission. 

• Australia: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission with controllers and/or processors located in Australia. 

• United States: We rely on the EU-US Data Privacy Framework (DPF), adopted by the European Commission on 10 July 2023, where the US recipient is certified under the DPF. For US recipients not certified under the DPF, we rely on European Commission-approved Standard Contractual Clauses or other applicable transfer mechanisms. For more information on the DPF, please visit https://www.dataprivacyframework.gov. 

For any other countries not covered above, we will ensure that personal data is only transferred with appropriate protections in place, such as adequacy decisions or Standard Contractual Clauses. 

To find out whether the European Commission has deemed a particular country adequate, please visit the European Commission's data protection website (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en). 

Please note that overseas organisations may be required to disclose information we share with them under applicable foreign law. 

To obtain a copy of the appropriate safeguards in place for transfers outside the EEA, please contact us at privacy@smxemail.com. 

Your Rights Under GDPR 

If you are in the EEA, you have, under the conditions laid down in the GDPR, the right to: 

• request information about the processing of your personal data ("right to be informed"); 

• request access to your personal data ("right of access"); 

• request rectification of inaccurate personal data ("right to rectification"); 

• request erasure of your personal data ("right to erasure" or "right to be forgotten"); 

• request restriction of processing ("right to restriction"); 

• object to the processing of your personal data ("right to object"); 

• receive a copy of your personal data in a machine-readable format and have it transmitted to another controller ("right to data portability"); 

• withdraw your consent where consent is relied upon; 

• request human intervention in connection with automated decision-making where relevant; and 

• lodge a complaint with the competent supervisory authority ("right to lodge a complaint"). 

We may need to verify your identity before responding to your request. If we refuse any request, we will write to explain why and advise how you can make a complaint. 

Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal. SMX may also be entitled to continue processing on other legal grounds. 

You may submit any of the requests above or make a complaint by contacting us at privacy@smxemail.com, by phone or post using the contact details in the "Contact Us" section, or by contacting our Data Protection Representative below. 

SMX's Data Protection Representative 

SMX Limited and SMX Australia Pty Ltd, each processing the personal data of individuals in the European Union in either the role of data controller or data processor, have appointed DPR Group as their Data Protection Representative for the purposes of GDPR. 

DPR Group has locations in each EU member state. To raise a question or exercise your rights in respect of your personal data under GDPR, you may: 

• Send an email to DPR Group at datainquiry@dpr.eu.com, quoting "SMX Limited" or "SMX Australia Pty Ltd" in the subject line; 

• Contact DPR Group via their online webform at https://www.dpr.eu.com/datarequest; or 

• Mail your enquiry to DPR Group at the address listed in the "Contact Us" section below. 

Additional Information for Individuals in Australia 

If you are in Australia, the collection, use, and disclosure of your personal information is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). SMX complies with the APPs in handling your personal information. 

Where SMX is aware of a data breach that is likely to result in serious harm to individuals whose information is involved, SMX will comply with its mandatory notification obligations under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988 (Cth), including notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals where required. 

If you are in Australia and would like more information about your rights and SMX's obligations under the Privacy Act 1988 (Cth), or if you would like to make a privacy complaint, you may contact the: 

Office of the Australian Information Commissioner 

GPO Box 5218, Sydney NSW 2001 

Phone: 1300 363 992 

Email: enquiries@oaic.gov.au 

Website: https://www.oaic.gov.au/privacy 

Contact Us 

If you would like further information about this privacy policy, have concerns about the collection, use, or disclosure of your personal information, or wish to exercise any of your rights under applicable legislation, please contact our Privacy Officer: 

 — SMX Privacy Officer 

PO Box 5447, Wellesley St, Auckland 1141, New Zealand 

Phone: +64 (0)800 769 769 

Email: privacy@smxemail.com 

 

Controller's Representative for EU/EEA: 

DATA PROTECTION REPRESENTATIVE LIMITED (trading as "DPR Group") 

Office 29, Clifton House, Fitzwilliam Street Lower, Dublin, Ireland 

Email: contact@dpr.eu.com 

Website: https://www.dpr.eu.com/datarequest  

 

Controller's Representative for Switzerland: 

DataRep 

Leutschenbachstrasse 95, Zurich 8050, Switzerland 

Email: datarequest@datarep.com 

Website: https://www.datarep.com/datarequest 

 

If you are in New Zealand and would like more information about your rights and SMX's obligations under the New Zealand Privacy Act 2020, or if you would like to make a privacy complaint, you may contact the: 

Office of the Privacy Commissioner 

PO Box 10 094, The Terrace, Wellington 6143 

Phone: 0800 803 909 

Email: investigations@privacy.org.nz 

Website: https://www.privacy.org.nz/about-us/contact/ 

 

If you are in the EEA and would like to make a privacy complaint or learn more about your rights under GDPR, you may contact the supervisory authority in your EU member state. Contact details for EU data protection authorities are available on the European Commission's website.  

(https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-are-data-protection-authorities-dpas-and-how-do-i-contact-them_en) 

Policy Updates 

Any updates or amendments to this privacy policy will be posted on this page. Any amendments will take effect immediately from the date they are posted, unless those amendments are substantial, in which case we will provide you with at least 14 days' notice by email prior to the changes taking effect. 

Last update: June 2026