Skip to main content

Privacy Policy

How we collect, use, and protect your personal information.
Last updated: 31 March 2026

1. Introduction

RIVER Group Ltd (t/a RIVER) (“we”, “us”, “our”) is committed to protecting the privacy of individuals whose personal information we collect. This Privacy Policy explains how we collect, use, store, and disclose personal information in accordance with the New Zealand Privacy Act 2020 and, where applicable, the Australian Privacy Principles (APPs).

This policy applies to personal information collected through our website (rivergroup.ai), our services, and our business interactions. For information about how we handle data during client engagements, please also refer to our Terms of Engagement and Security & Governance pages.

2. Information We Collect

Website visitors

When you visit our website, we may collect:

  • Usage data: pages visited, time spent, referral source, browser type, device type, and approximate location (country or region level).
  • Cookies and similar technologies: functional cookies for site preferences, and analytics cookies where you have consented (see section 8).

Contact and enquiry forms

When you contact us or submit a form, we collect:

  • Contact details: name, email address, phone number, company name.
  • Enquiry information: your message, service interest, and any other information you choose to provide.

Client engagements

During client engagements, we may process additional personal information as required to deliver the agreed services. This is governed by the terms of the specific engagement (Proposal/SOW) and our Terms of Engagement.

Business contacts

We collect professional contact details of individuals we interact with in a business context (e.g., name, job title, email, phone) for relationship management and communication purposes.

3. How We Use Your Information

We use personal information for the following purposes:

  • Responding to enquiries: to reply to your contact form submissions and questions.
  • Service delivery: to deliver the professional services agreed in client engagements.
  • Website improvement: to understand how our website is used and improve the experience.
  • Business communication: to send relevant updates about our services (you can opt out at any time).
  • Legal compliance: to comply with applicable laws and regulations.

We do not sell personal information. We do not use personal information for purposes unrelated to those described above without your consent.

4. AI-Specific Data Handling

As an enterprise AI partner, we take additional care with data that flows through AI systems:

  • No training on your data: we do not use client data or personal information to train public AI models. Where third-party AI services are used, we use configurations designed to prevent provider training on client data.
  • Purpose limitation: data processed through AI systems is used only to deliver the agreed services and for no other purpose.
  • Human oversight: AI outputs that affect individuals are subject to appropriate human review. We do not make automated decisions that have legal or significant effects on individuals without human oversight.
  • Transparency: when AI processes personal information as part of a client engagement, this is disclosed and governed by the engagement terms.

For more detail on AI governance controls, see our Security & Governance page.

5. Who We Share Information With

We may share personal information with the following parties, only to the extent necessary for the purposes described above:

  • Service providers: trusted third parties who help us operate our website and business (e.g., hosting, analytics, email services). These providers are bound by confidentiality obligations.
  • AI service providers: where third-party AI services are used to deliver client engagements, as agreed in the Proposal/SOW. We use configurations designed to prevent training on client data.
  • Professional advisors: legal, accounting, or insurance advisors as needed.
  • Legal requirements: where required by law, court order, or regulatory authority.

We do not sell, rent, or trade personal information to third parties for marketing purposes.

6. Data Security

We take reasonable steps to protect personal information from unauthorised access, modification, disclosure, or destruction. Our security measures include:

  • Encryption in transit (TLS) and at rest where supported;
  • Role-based access controls with least-privilege principles;
  • Regular review of access permissions;
  • Secure credential and secret management;
  • Incident response procedures for confirmed security incidents.

For more detail, see our Security & Governance page.

7. Your Rights Under the NZ Privacy Act 2020

Under the New Zealand Privacy Act 2020, you have the right to:

  • Access: request access to personal information we hold about you (Information Privacy Principle 6).
  • Correction: request correction of personal information that is inaccurate, incomplete, or misleading (Information Privacy Principle 7).
  • Know the purpose: be told why your personal information is being collected and how it will be used (Information Privacy Principle 3).
  • Complain: make a complaint to the Office of the Privacy Commissioner if you believe your privacy has been interfered with.

To exercise any of these rights, please contact us using the details in section 12 below. We will respond to access and correction requests within 20 working days, as required by the Privacy Act 2020.

Australian residents: if you are located in Australia, you may also have rights under the Australian Privacy Principles (APPs). Please contact us to discuss your specific requirements.

8. Cookies and Tracking

Our website uses the following types of cookies:

  • Essential cookies: required for the website to function (e.g., session management, security). These cannot be disabled.
  • Analytics cookies: help us understand how visitors use our website. We use privacy-friendly analytics that do not track individuals across websites.
  • Preference cookies: remember your settings (e.g., theme preference).

We do not use advertising or remarketing cookies. We do not build advertising profiles based on your browsing activity.

9. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes described in this policy:

  • Contact enquiries: retained for up to 24 months after your last interaction, then securely deleted.
  • Client engagement data: retained for the duration of the engagement plus any period required by law or contractual obligation.
  • Analytics data: aggregated and anonymised. Individual session data is not retained long-term.
  • Business contacts: retained while we have an active business relationship or until you ask us to remove your details.

10. International Data Transfers

Our primary operations are in New Zealand. Some of our service providers may store or process data in other jurisdictions (e.g., Australia, the United States). Where personal information is transferred internationally, we take reasonable steps to ensure it is protected to a comparable standard, including:

  • selecting providers with appropriate privacy and security practices;
  • using contractual protections where appropriate;
  • offering sovereign/local hosting options for client engagements where required.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be noted with an updated “Last updated” date at the top of this page. We encourage you to review this policy periodically.

12. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have a concern about how your personal information has been handled, please contact us:

You may also contact the Office of the Privacy Commissioner: