Privacy Policy

Save over 40% on access to 6 great Auckland attractions with Discover Auckland Pass. Book now and see Auckland Museum, Auckland Zoo, Auckland Art Gallery, MOTAT, New Zealand Maritime Museum and Stardome, at one easy price - $75 for adults and $40 for children.

The easy to reach locations are all marked on the map below.

OVERVIEW of this Policy and Commitments to Privacy at Auckland Multi Pass Limited

At Auckland Multi Pass Limited (operating as Discover Auckland Pass) (“we“, “us“, “our“), we collect and use personal data about consumers who buy the Discover Auckland Pass. Personal data is any information that can be used to identify you as an individual. The protection of your personal data is very important to us, and we understand our responsibilities to handle your personal data with care, to keep it secure and to comply with legal requirements.

The purpose of this privacy policy (“Policy“) is to provide a clear explanation of when, why and how we collect and use personal data. We have designed it to be as user friendly as possible, and have labelled sections to make it easy for you to find the information that is most relevant to you. 

Please read this Policy carefully. It provides important information about how we use personal data and explains your legal rights. This Policy is not intended to override any rights you might have available under applicable data protection laws.

We will make changes to this Policy from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will make sure that you are aware of any significant changes by sending an email message to the email address you most recently provided to us or by posting a notice on each relevant website so that you are aware of the impact to the data processing activities before you continue to engage. We encourage you to regularly check back and review this policy so that you will always know what information we collect, how we use it, and who we share it with.

Contents

    1. WHO is responsible for looking after your personal data?
    2. WHAT personal data do we collect?
    3. WHEN do we collect your personal data?
    4. What PURPOSES do we USE your personal data for and what is the LEGAL BASIS?
    5. Who do we SHARE your personal data with?
    6. Direct Marketing.
    7. Profiling.
    8. How long do we keep your personal data?
    9. What are your rights?
    10. Contact and complaints

 

  • APPENDIX 1 – GLOSSARY

 

  1. WHO is responsible for looking after your personal data?

Auckland Multi Pass Ltd (“AKMP“) is a New Zealand based company, with a registered office at 48 Broadway, Newmarket, Auckland 1023, which operates multi pass products, and is retailing the Discover Auckland Pass. The entity at AKMP which collects the data is our Data Manager, who can be contacted using the details set in section 10 below.

  1. WHAT personal data do we collect?

In relation to potential customers, historic customers and current customers and attraction visitors (“consumers“), we collect the following data:

  • Information that you provide by filling in forms on our site in order to purchase a Discover Auckland Pass (“DAP”), and any information you subsequently update on our site.
  • Details of any concerns if you contact us with a query or issue.
  • When you complete a survey to tell us how your experience of DAP attractions was and how we can improve, although you do not have to respond to them.
  • Details of transactions you carry out through our site and of the fulfilment of your purchases including your credit/debit card details.
  • Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access.
  • Your name and email address in order to contact you with details of your booking or in the unlikely event that we need to contact you urgently about your booking.
  • Your marketing preferences, record of permissions or marketing objections, website data, device data including IP addresses and details about your browsing history, browser type, and session frequency and cookies.
  1. WHEN do we collect your personal data?
  • We will collect information from you directly when you purchase a DAP ticket or where you complete a survey, or where you contact us with questions or suggestions. We may indirectly collect data when you use the DAP website.
  1. What PURPOSES do we USE your personal data for and what is the LEGAL BASIS?

We will use your personal data to:

  • ensure that content from our site is presented in the most effective manner for you and for your computer.
  • provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
  • carry out our obligations arising from any contracts entered into between you and us.
  • notify you about changes to our service.

We may also send you marketing materials (where we have appropriate permissions as explained in more detail below under Section 6)This process is likely to include profiling, and more information is provided at Section 7 of this Policy about this. We will also need to use your personal data for purposes associated with our legal and regulatory obligations.

We have to establish a legal ground to use your personal data, so we will make sure that we only use your personal data for the purposes set out in this Section 4 where we are satisfied that:

  • our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (e.g. to manage your booking for entry tickets to an attraction), or
  • our use of your personal data is necessary to support ‘Legitimate Interests’ that we have as a business (for example, to improve our products, or to carry out analytics across our datasets), provided it is always carried out in a way that is proportionate, and that respects your privacy rights.

Before collecting and/or using any special categories of data we will establish an additional lawful ground to those set out above which will allow us to use that information. This additional exemption will typically be:

  • your explicit consent
  • the establishment, exercise or defence by us or third parties of legal claims; or
  • a specific exemption provided under New Zealand law.

 

PLEASE NOTE. If you provide your consent or explicit consent to allow us to process your personal data or your special categories of data, you can withdraw your consent to such processing at any time. However, you should be aware that if you choose to withdraw your consent we will tell you more about the possible consequences.

  1. Who do we SHARE your personal data with?

We share data with the DAP partners – Auckland Museum, Auckland Zoo, Auckland Art Gallery, New Zealand National Maritime Museum, MOTAT and Auckland Stardome & Planetarium.

We also, with your express permission, may share the data with third parties to provide you with ideas and opportunities to do more during your time in Auckland and New Zealand.

We also may share the data with third parties, to help manage our business and deliver services. These third parties may from time to time need to have access to your personal data, and include:

  • service providers, who help manage our IT and back office systems
  • solicitors and other professional services firms (including our auditors).

Also, if we were to sell part of our businesses we would need to transfer your personal data to the purchaser.

  1. Direct Marketing

We may use your personal data to send you direct marketing communications about DAP, and with your express permission, related services.  This will be in the form of email.

Where we require explicit opt-in consent for direct marketing in accordance with the New Zealand Unsolicited Electronic Messages Act 2007 we will ask for your consent. You have a right to stop receiving direct marketing at any time – you can do this by following the opt-out links in electronic communications (such as emails), or by contacting us using the details in Section 10. 

  1. Profiling

Where we have permissions to send consumer marketing updates, we may use profiling to ensure that marketing materials are tailored to your preferences and to what we think you will be interested in.  In certain circumstances it will be possible to infer certain information about you from the result of profiling, which could include special categories of personal data, but we will not do this unless we have obtained your explicit consent to do so.

  1. How long do we keep your personal data?

We will retain your personal data for as long as is reasonably necessary to supply you with the functionality of DAP.  We will archive your data 12 months after your DAP product expires, and delete it after 3 years. Where we are required to do so to meet legal, regulatory, tax or accounting requirements, we will retain your personal data for longer periods of time, but only where permitted to do so, including so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a possibility of legal action relating to your personal data or dealings.

We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required and we do not have a legal requirement to retain it, we will ensure it is either securely deleted or stored in a way such that it is anonymised and the Personal Data is no longer used by the business.

  1. What are your rights?

You have a number of rights in relation to your personal data. In summary, you have the right to request: access to your data; rectification of any mistakes in our files; erasure of records where no longer required; restriction on the processing of your data; objection to the processing of your data; data portability; and various information in relation to any automated decision making and profiling or the basis for international transfers.  You also have the right to complain to your supervisory authority (further details of which are set out in Section 10 below).   These are defined in more detail as follows:

RIGHT WHAT THIS MEANS
Access You can ask us to:

  • confirm whether we are processing your personal data;
  • give you a copy of that data;
  • provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out automated decision making or profiling, to the extent that information has not already been provided to you in this Policy.
Rectification You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
Erasure / Right to be Forgotten You can ask us to erase your personal data, but only where:

  • it is no longer needed for the purposes for which it was collected; or
  • you have withdrawn your consent (where the data processing was based on consent); or
  • it follows a successful right to object (see ‘Objection’ below); or
  • it has been processed unlawfully; or
  • it is necessary to comply with a legal obligation which DAP or AKMP is subject to.

We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary: for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims, in relation to the freedom of expression or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In the context of marketing, please note that we will maintain a suppression list if you have opted out from receiving marketing content to ensure that you do not receive any further communications.

Restriction You can ask us to restrict (i.e. keep but not use) your personal data, but only where:

  • its accuracy is contested (see ‘Rectification’ below), to allow us to verify its accuracy; or
  • the processing is unlawful, but you do not want it erased; or
  • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
  • you have exercised the right to object, and verification of overriding grounds is pending.
  • We can continue to use your personal data following a request for restriction, where:
  • we have your consent; or
  • to establish, exercise or defend legal claims; or
  • to protect the rights of another natural or legal person.
Portability You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another Data Controller, but in each case only where: the processing is based on your consent or the performance of a contract with you; and the processing is carried out by automated means.
Objection You can object to any processing of your personal data which has our ‘Legitimate Interests’ as its legal basis (see Appendix 1 for further details), if you believe your fundamental rights and freedoms outweigh our Legitimate Interests. Once you have objected, we have an opportunity to demonstrate that we have compelling Legitimate Interests which override your rights, however this does not apply as far as the objections refers to the use of personal data for direct marketing purposes.

 To exercise your rights you can contact us as set out in Section 10. Please note the following if you do wish to exercise these rights:

  • Identity. We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request.
  • Fees. We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances.
  • Timescales. We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
  1. Contact and complaints

The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following way: [email protected]   If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time.  We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time. 

 

 APPENDIX 1 – GLOSSARY

Consumer: means an individual who will, who has, or who is purchasing Discover Auckland Pass.

Data Controller: means a natural or legal person which determines the means and purposes of processing of personal data.

Data Subject: means an individual whom the personal data is about.  

Legitimate Interests: this is a ground which can be used by organisations as a lawful basis of processing, for example where personal data is used in ways that could reasonably be expected, or there is a compelling reason for the processing.
Profiling: means to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an entertainment context, such as how likely you are to attend a certain event that we host.

Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who provide / support ‘cloud based’ IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.