Privacy Policy

1. Who We Are

FYN Limited ("FYN", "we", "us", "our") is a New Zealand-registered financial advice provider operating as a credit intermediary and mortgage broker. We are licensed under the Financial Markets Conduct Act 2013 (FMA Class 2 FAP, FSP1009679) and registered on the Financial Service Providers Register (FSPR).

We are an agency as defined under the Privacy Act 2020 and are bound by the Information Privacy Principles (IPPs) set out in that Act, including the obligations introduced by IPP3A.

2. What Personal Information We Collect

We collect personal information that is reasonably necessary for the purposes described in this policy. This may include:

• Identity information: Full name, date of birth, government-issued ID (driver licence, passport number)
• Contact details: Email address, phone number, residential and postal address
• Financial information: Income, employment details, expenses, existing debts, assets, bank statements, credit history, and credit score
• Loan application details: Loan purpose, amount requested, preferred term, security offered
• Vehicle or asset details: Where applicable, details of the asset being financed
• Business information: For commercial lending — NZBN, trading history, financial statements, GST returns
• Communications: Records of emails, phone calls, and messages between you and FYN
• Website usage data: IP address, browser type, pages visited, referral source (via cookies — see Section 10)

We only collect information that is necessary for our services. We do not collect sensitive information (such as health or ethnicity data) unless you voluntarily provide it and it is directly relevant to your application.

3. How We Collect Your Information

We collect personal information in the following ways:

• Directly from you via our website enquiry forms, phone calls, or email
• From lenders or third parties you have authorised us to communicate with
• From credit reporting agencies (e.g. Equifax, Centrix) when you authorise a credit check
• From publicly available sources such as the Companies Register or FSPR
• Through your bank statements or financial data shared directly with us
• Via cookies and analytics tools on our website (see Section 10)

We will always tell you when we are collecting your information, why we are collecting it, and what we intend to do with it — in accordance with IPP3 of the Privacy Act 2020.

4. IPP3A — Collection from Third-Party Sources

Information Privacy Principle 3A (IPP3A), introduced by the Privacy Act 2020, requires agencies to take reasonable steps to ensure that individuals are aware when their personal information is collected from a source other than the individual themselves.

What IPP3A Requires of FYN

Where we collect your personal information from a third party (such as a credit bureau, a referring lender, or a public register), we must — unless an exception applies — take reasonable steps to ensure you are aware of:

• The fact that we have collected your information
• The source from which it was collected
• The purpose for which it was collected
• Any intended recipient or class of recipients of the information
• Your rights to access and correct that information
• The name and contact details of our organisation

Third-Party Sources We May Use

• Credit reporting agencies (e.g. Equifax NZ, Centrix) — for credit assessments where you have provided consent
• Lending partners — lenders on our panel may share application outcome or pre-assessment data with us
• Companies Register / FSPR — for verifying business or professional credentials
• Your employer or accountant — only where you have specifically authorised us to contact them
• Open banking data providers — where you consent to share transaction data

How We Notify You

Where we collect information about you from a third-party source, we will notify you as soon as practicable — typically at the time of your first interaction with us, or via email if the collection occurs after initial contact. This notification will include the details required under IPP3A.

Exceptions

The notification requirement under IPP3A does not apply where:

• It would prejudice the purposes for which the information was collected
• Notification is not reasonably practicable in the circumstances
• The information will not be used in a form that identifies you
• The collection is authorised by law

5. How We Use Your Information

We use your personal information for the following purposes (in accordance with IPP10 and IPP11):

• Assessing your eligibility for finance products and matching you with suitable lenders
• Preparing and submitting loan applications on your behalf
• Communicating with you about your application, options, and outcomes
• Complying with our legal obligations under the Financial Markets Conduct Act 2013, Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT), and related legislation
• Verifying your identity as required under AML/CFT obligations
• Improving our services and website experience
• Sending you relevant communications (where you have consented)
• Resolving complaints or disputes

We will not use your personal information for any purpose that is incompatible with the purpose for which it was collected without your consent.

6. Disclosure and Sharing of Information

We may share your personal information with:

• Lending partners: Lenders on our panel to whom we submit your application or enquiry — you will be informed of which lenders are involved before any application is submitted
• Credit reporting agencies: Where you authorise a credit check as part of a loan assessment
• Our service providers: Third parties who assist us in operating our business (e.g. cloud hosting, CRM software, email services) — bound by confidentiality obligations
• Regulators and government agencies: Where required by law (e.g. Financial Markets Authority, Police, IRD)
• AML/CFT compliance bodies: Where disclosure is required under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

7. Offshore Disclosure (IPP12)

Under IPP12 of the Privacy Act 2020, we are required to take reasonable steps to ensure that personal information we disclose to overseas recipients is protected in a manner comparable to the Privacy Act 2020.

Some of our service providers (such as cloud hosting or software platforms) may store or process data in overseas jurisdictions including Australia, the United States, or the European Union. Where this occurs:

• We only use providers who meet appropriate data protection standards
• We ensure contractual protections are in place where required
• We will inform you if your information is to be disclosed to an overseas recipient who may not be subject to comparable privacy protections, and obtain your authorisation where required

8. Storage and Security

We take reasonable steps to protect your personal information from loss, unauthorised access, use, modification, or disclosure (IPP5). These measures include:

• Secure, encrypted storage of digital records
• Access controls limiting information to authorised staff only
• Use of reputable, security-certified cloud service providers
• Regular review of our security practices

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. We will securely destroy or de-identify information once it is no longer required (IPP9).

9. Your Rights

Under the Privacy Act 2020, you have the following rights:

To exercise any of these rights, please contact our Privacy Officer at info@fyn.co.nz. We will respond within 20 working days as required by the Privacy Act 2020.

Privacy Breach Notification

If a privacy breach occurs that is likely to cause serious harm, we will notify the Office of the Privacy Commissioner and affected individuals as soon as practicable, in accordance with our obligations under Part 7 of the Privacy Act 2020.

10. Cookies and Website Analytics

Our website uses cookies and similar tracking technologies to improve user experience and analyse site performance. These may include:

• Essential cookies: Required for the website to function correctly
• Analytics cookies: Used to understand how visitors interact with our website (e.g. Google Analytics). Data collected is aggregated and anonymised where possible
• Marketing cookies: Used to show relevant advertising on other platforms — only with your consent

You may disable cookies through your browser settings. Note that disabling cookies may affect the functionality of our website. By continuing to use our site, you consent to our use of essential cookies.

11. Children's Privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected information from a person under 18, we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we provide. When we make material changes, we will update the "Last reviewed" date at the top of this page. We encourage you to review this policy periodically.

Continued use of our services following any update constitutes your acceptance of the revised policy.

13. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our handling of your personal information, please contact our Privacy Officer: