Legal

Privacy Policy

Effective date: 20 March 2026

Introduction

WorkX Limited (we, us, our) complies with the New Zealand Privacy Act 2020 (the Act) when dealing with personal information. Personal information is information about an identifiable individual (a natural person), school, group, organisation or business.

This policy sets out how we collect, use, disclose and protect your personal information. It does not limit or exclude any of your rights under the Act. For further information on the Act, see www.privacy.org.nz.

Changes to This Policy

We may change this policy by uploading a revised version to our website at workx.co.nz/privacy. Changes apply from the date the revised policy is uploaded. We will notify users of any significant changes via the platform.

Who We Collect Personal Information From

We collect personal information about you from:

  • You, when you provide it directly — including via the WorkX platform, through any registration or account setup process, through contact with us by email or phone, or when you use our services
  • Your school, where your school administrator creates or manages your account on your behalf
  • KAMAR (for schools using our optional KAMAR sync) — student data is transferred automatically from your school's student management system nightly, as authorised by the school
  • Third parties where you have authorised this, or where the information is publicly available

Where possible, we collect personal information directly from you.

How We Use Your Personal Information

We use your personal information to:

  • Verify your identity and manage your account
  • Provide work-based learning management services to you and your school
  • Manage student placements, employer relationships and programme records
  • Generate government-required reporting for the Ministry of Education
  • Communicate with you regarding your account, placements or enquiries
  • Improve the WorkX platform based on usage patterns and feedback
  • Bill schools and collect payments owed
  • Conduct anonymised research and statistical analysis
  • Protect and enforce our legal rights and interests
  • Comply with legal and regulatory obligations

What Personal Information We Collect

Depending on your role, we may collect the following:

Students

  • Name, National Student Number (NSN), year level, form class
  • Date of birth, gender, ethnicity, iwi
  • School email address and mobile number
  • Assessment results and attendance
  • Placement and programme records, diary entries, milestones
  • Documents related to work-based learning (permission forms, workplace agreements)

Teachers and administrators

  • Name, email address, school affiliation, role

Employers

  • Name, business name, contact details, placement records

We do not collect student passwords, medical records, financial data, or pastoral notes through the KAMAR sync or otherwise unless explicitly required for the service.

Camera and Media Access

The WorkX platform and mobile app may request access to a device's camera or media storage to enable user-initiated features such as uploading profile photos or documents.

  • Camera access is only used when explicitly initiated by the user
  • WorkX does not capture images, video or audio without the user's knowledge or action
  • Any images or files uploaded are securely stored and accessible only to authorised users in accordance with role-based access controls
  • Media content is used solely for the educational and administrative purposes intended by the user

Disclosing Your Personal Information

We may disclose your personal information to:

  • Trusted third-party service providers who assist in delivering our services, including cloud hosting and infrastructure providers, under strict confidentiality obligations
  • Government or law enforcement agencies where required by law or to protect our legal rights
  • Any person authorised by you

We do not sell or rent personal information to third parties. We do not share personal information with advertisers.

Our platform is hosted on servers located in New Zealand. Some third-party service providers (such as cloud infrastructure services) may process data outside New Zealand. Where this occurs, we ensure comparable privacy protections are in place in accordance with the Act.

KAMAR Student Data Sync

Schools using KAMAR as their student management system may enable an optional nightly data sync with WorkX. When this is enabled:

  • Student data is transferred automatically from KAMAR to WorkX each night between 2am and 5am
  • Only the fields listed in the school's KAMAR Data Processing MoU are transferred
  • The school is responsible for ensuring appropriate consent has been obtained from students and caregivers before enabling the sync
  • Data transferred via KAMAR is subject to all provisions of this Privacy Policy
  • Schools may disable the sync at any time by contacting support@workx.co.nz

Protecting Your Personal Information

We take the security of personal information seriously. Our security measures include:

  • Encryption of all personal information in transit (HTTPS/TLS) and at rest
  • Strict role-based access controls limiting access to authorised personnel only
  • Regular security assessments to identify and address vulnerabilities
  • An incident response plan to address any data breach promptly

In the event of a data breach affecting your personal information, we will notify you within 72 hours and take immediate remedial action.

Data Storage and Retention

All data is stored securely on AWS servers. We retain personal information for as long as necessary to provide our services and meet legal obligations:

  • Active student and staff records are retained for the duration of the school's WorkX subscription
  • Programme and placement records may be retained for up to seven (7) years where financial or regulatory record-keeping obligations apply
  • On termination of a school's subscription, all personal data is permanently deleted within 30 days, unless a longer retention period is required by law
  • Schools may request deletion of specific student records at any time by contacting support@workx.co.nz

Your Rights

Under the Privacy Act 2020, you have the right to:

  • Request access to your personal information that we hold
  • Request correction of your personal information if it is inaccurate or incomplete
  • Withdraw consent for data collection and processing, subject to legal obligations to retain certain information

To exercise any of these rights, contact us using the details below. We may ask you to verify your identity before processing your request. We will respond within 20 working days. We may charge a reasonable fee for providing copies of personal information.

Internet Use

If you follow a link on our platform to another website, the owner of that site will have its own privacy policy. We suggest you review that policy before providing personal information.

Security and Data Protection Assurance

WorkX is a purpose-built SaaS platform supporting New Zealand schools to manage Gateway, Work Experience, Trade Academy, STAR, and related programmes. We understand the trust schools place in us when handling student and staff data, and we take that responsibility seriously.

1. Platform Infrastructure and Hosting

  • AWS-Powered Hosting: All WorkX data is stored securely on Amazon Web Services (AWS) servers — one of the world's most trusted and widely-used cloud platforms.
  • Built on Bubble.io: WorkX is currently developed on Bubble.io, a SOC 2 Type II certified platform, independently audited by Sensiba LLP.
  • DDoS Protection via Cloudflare: Bubble.io integrates Cloudflare alongside an in-house monitoring system to proactively detect and mitigate DDoS attacks.

2. Data Encryption and Transmission Security

  • Encryption in Transit: All data transmitted between your browser/device and WorkX is encrypted via HTTPS (TLS/SSL).
  • Encryption at Rest: Data stored on our servers is protected with AES-256 encryption — the same standard used by banks and government agencies worldwide.
  • Secure File Hosting: Files uploaded to the platform are stored securely with access controls preventing unauthorised viewing.
  • API Security: All external API requests are authenticated and authorised before any data is exchanged.

3. Your Data Belongs to You

  • All personal and school data remains the property of the school and each user associated with that school
  • Your data will never be shared or used by WorkX for any purpose other than providing the WorkX platform and app to you
  • WorkX has no rights or interests in your personally identifiable information
  • Anonymous, non-identifiable usage data may be used internally to improve the service

4. Access Controls and Privacy Rules

  • User Authentication: Bubble's authentication system uses password hashing, salting, and encryption, with support for two-factor authentication (2FA).
  • Role-Based Access Control: Granular privacy rules ensure users can only access the data they are authorised to view.
  • Activity Monitoring and Logs: Server-side logs capture platform interactions, enabling security monitoring and rapid response.

5. Compliance and Legal Framework

  • WorkX operates in full compliance with the New Zealand Privacy Act 2020
  • Our underlying platform (Bubble.io) is independently audited and certified to SOC 2 Type II standards
  • Bubble conducts annual penetration tests with third-party security providers
  • Any disputes are subject to the jurisdiction of New Zealand courts

6. Incident Response and Breach Notification

In the unlikely event of a data breach, WorkX will:

  • Promptly notify your school of the nature and full scope of any breach
  • Immediately initiate remedial actions consistent with industry standards
  • Take liability for any damage caused by data processing where WorkX has not complied with its obligations
  • Work transparently with your school throughout the resolution process

7. Shared Responsibility: What Schools Should Do

  • Ensure staff and students use strong, unique passwords for their WorkX accounts
  • Enable two-factor authentication where available
  • Only access WorkX on trusted devices and networks where possible
  • Report any suspicious activity or concerns to WorkX immediately
  • Ensure your school network and devices have appropriate security software and up-to-date operating systems

Contact Us

WorkX Limited

21b Cornwall Rd, Lyttelton, Christchurch 8082

support@workx.co.nz

021 221 9565

workx.co.nz/privacy