Our privacy policy
Cavell Leitch is committed to respecting your privacy.
This Privacy Policy (“Policy”) describes how Cavell Leitch (“We”, “Us” or “Our”) may collect, store, use and disclose Personal Information provided to us.
Last updated: 19 June 2026
Our commitment to your privacy
Cavell Leitch is committed to protecting your privacy and handling your personal information with care. This Privacy Policy explains how we collect, store, use and disclose personal information in accordance with the Privacy Act 2020 (New Zealand) and the Information Privacy Principles contained in that Act.
What is personal information?
Personal information is any information that relates to an identifiable individual. We collect personal information only for lawful purposes directly connected to our legal services.
Without limitation, we may collect the following personal information:
Name, address, email address and phone number;
Date of birth
Work information (such as job title, employer and work location);
Billing information (such as address for service and bank account details);
Identity documents (such as passport and driver license, collected for anti-money laundering and identity verification purposes); and
- Sensitive information, including health information, relationship and family information, and financial information, where relevant to the legal services you have engaged us to provide.
If you do not provide us with the personal information we request, we may be unable to provide you with our services.
How and when we collect personal information
We collect personal information whenever you engage with us, including when you:
Instruct us to provide legal services;
Contact us by phone, email, or through our website;
Attend our offices or meet with our staff; and
- Complete any form, agreement or questionnaire we provide.
We collect personal information directly from you wherever possible. In some circumstances, we may collect information from a third party — for example, from another party to a transaction, a court or government agency, a financial institution, or a referring professional. Where we collect information about you from a third-party source, we will take reasonable steps to notify you of this, including the source of the information and the purpose for which it was collected, consistent with Information Privacy Principle 3A (in force from 1 May 2026).
Cookies and online tools
Our website uses cookies and online analytics tools (including Google Analytics, Google Tag Manager and LinkedIn Insights Tag) to help us understand how visitors use our website. These tools collect aggregate, non-identifiable information such as page views and session duration. They do not collect information that identifies you personally.
You can manage your cookie preferences through your browser settings. If you disable certain cookies, some features of our website may not function as intended.
Our website is managed by Digital Refinery. They may collect technical information for the purposes of website administration, including diagnosing issues, improving performance and facilitating internal business operations. Any such collection is governed by their own privacy policy and is separate from the confidential client information you share with us in the course of obtaining legal services.
How we store personal information
We take all reasonable steps to protect personal information from loss, misuse, unauthorised access, modification, or disclosure.
Personal information may be stored:
In secure cloud-based electronic systems, including Microsoft OneDrive and Vbridge (Christchurch Airport data centre); or
- In hard copy at our Christchurch office premises or at the TIMG secure storage facility.
We also use a secure online payment gateway when taking payments.
No method of data storage or transmission over the internet is entirely secure. While we take all reasonable precautions, we cannot guarantee security.
Retention of information
We retain personal information only for as long as it is necessary for the purpose for which it was collected, or as required by law — including our obligations under the Lawyers and Conveyancers Act 2006, the Anti-Money Laundering and Countering Financing of Terrorism Act 2009, and applicable professional rules. Once information is no longer required, we will take reasonable steps to destroy or de-identify it.
Overseas disclosure
Some of the third-party service providers we use store or process personal information outside New Zealand – for example, Microsoft (whose servers may be located in Australia and elsewhere). Where we disclose personal information to overseas recipients, we take reasonable steps to ensure that those recipients protect the information in a manner consistent with the Privacy Act 2020 and Information Privacy Principle 12. This includes relying on countries or providers that have been recognised as offering comparable protections, or contractual arrangements requiring equivalent protection.
How we use and disclose personal information
We will only use or disclose personal information for the following reasons:
The purpose for which it was collected;
A purpose authorised by you; or
A purpose required by law.
Where we engage third-party service providers (such as IT providers, document management services, or outsourced functions), we may share personal information with those providers. We require third parties to either comply with this Policy or maintain their own privacy policies that afford equivalent protection.
We collect, store, use and disclose personal information in accordance with the Privacy Act 2020 and the Policy.
Privacy breaches
A privacy breach occurs when personal information is lost, accessed, used, modified or disclosed in a way that is not authorised, or when access to personal information is lost in a way that prevents us from complying with our obligations under the Privacy Act 2020.
If a privacy breach occurs that we believe is likely to cause serious harm to any affected individual, we will notify both the affected individual(s) and the Office of the Privacy Commissioner as soon as reasonably practicable, in accordance with sections 113 to 120 of the Privacy Act 2020.
Your rights
Under the Privacy Act 2020, you have the right to:
Request access to any personal information we hold about you (Information Privacy Principle 6);
Request correction of personal information that is inaccurate, out of date, incomplete, misleading or irrelevant (Information Privacy Principle 7); and
Be notified of any privacy breach that is likely to cause you serious harm.
To exercise any of these rights, please contact our Privacy Officer at privacy@cavell.co.nz
We will respond to access or correction requests as soon as reasonably practicable, and in any event within 20 working days of receiving your request, as required by the Privacy Act 2020.
Privacy Officer
Cavell Leitch has a designated Privacy Officer responsible for overseeing compliance with the Privacy Act 2020 and this Policy. The Privacy Officer can be contacted at:
Email: privacy@cavell.co.nz
Post: The Privacy Officer, Cavell Leitch, PO Box 799 Christchurch 8140.
Complaints
If you have a concern or complaint about how we have collected, stored, used or disclosed your personal information, please contact us in the first instance at privacy@cavell.co.nz. We will investigate your complaint and aim to respond within 20 working days.
If you are not satisfied with our response, you may refer your complaint to the Office of the Privacy Commissioner:
Office of the Privacy Commissioner (Te Mana Matapono Matatapu)
Website: www.privacy.org.nz
Online complaint form: www.privacy.org.nz/your-rights/making-a-complaint-to-the-privacy-commissioner/
Phone: 0800 803 909
Post: PO Box 10094, The Terrace, Wellington 6143
Changes to this policy
We may update this policy from time to time to reflect changes in the law or our practices. The current version will always be available on this page. The ‘Last updated’ date at the top of this page indicates when the Policy was most recently revised.
Questions about this Policy should be directed to privacy@cavell.co.nz