NZ Privacy Policy

NZ Privacy Policy

1. Background:

At humm®group it is important to us that we manage your Personal Information securely and consistently with relevant legislation, including the Privacy Act 2020 (Privacy Act) as well as the Credit Reporting Privacy Code (the Code) (where applicable). This Policy outlines how humm group and its related entities, including Columbus Financial Services Limited (the issuer of Q Mastercard®, Flight Centre Mastercard® and Farmers Mastercard®), Consumer Finance Limited (the issuer of Q Card), Retail Financial Services Limited (the issuer of Farmers Finance Card), Flexigroup (New Zealand) Limited, flexicommercial limited, humm (NZ) Limited, Consumer Insurance Services Limited, Flexi Financial Services Limited, Flexi Finance Limited, hummpro Limited, bundll (NZ) Limited, Flexigroup NZ SPV1 Limited, Flexigroup NZ SPV2 Limited, Flexigroup NZ SPV3 Limited, collectively referred to in this policy as the humm Entities or “we”/ “us”/ “our”, collect, disclose, use, store, or otherwise handle Personal Information. “Related Companies” has the meaning set out in the Companies Act 1993. This Policy is effective as at 7 October 2025. Sometimes we will update it – you can always find a current version on our website.

This Policy explains:

  • the kinds of Personal Information (as defined in the Privacy Act) we collect, and the purposes for which we do that;
  • how we manage the Personal Information once we collect it;
  • how you can seek access to and correction or deletion of your Personal Information; and
  • if necessary, how you can make a complaint relating to our handling of your Personal Information.

This Policy applies to our customers, guarantors of customers, employees and contractors and to any other individuals who contact us with respect to any of our products, whether in relation to the provision of credit or otherwise. As such, not all of this Policy may be applicable to you.

2. What is Personal Information:
Personal Information has the meaning set out in the Privacy Act, being information about an identifiable individual (for example, your name and date of birth) (Personal Information). It also includes Credit Information as defined in the Credit Reporting Privacy Code 2004 (for example your payment history, amount of credit extended and credit scores) (Credit Information).

3. Personal Information:
We may collect Personal Information about you depending on the circumstances in which the product or service is being provided. This information can include:

  • key Personal Information such as your full name, gender, date of birth, residential, business and postal addresses, telephone numbers, email and other electronic addresses, driver’s license number, passport number;
  • financial credit and related information such as:
  • your occupation, income and expenses, assets, dependents, financial and business dealings and other relevant events;
  • bank account and bank/credit card details (including card number, account number and expiration date);
  • your transaction/repayment history with us and our associated, or relevant third parties (and the capacity in which you dealt with us or them); and
  • the amount of credit extended by other lenders, credit scores and any information obtained in order to carry out a credit check.
  • other relevant information – depending on the circumstances, this may also include health and medical information (e.g. if it is relevant to a hardship request), membership of professional bodies, tax file number information (other government identifiers such as passport or driver’s license number, e.g. if required to verify your identity);
  • transactional information – information relating to your use of our product(s), including transaction location and spend information, and about your interactions with us, including when you call or otherwise correspond with us, products you may have used, payment history;
  • behavioural biometric data which includes behavioural analytics on how you use and access our websites and mobile apps;
  • online/device information – information collected if you use our websites, apps and social media profiles which can include: your social media handles; session data that is automatically collected and transmitted by our apps, such as your device IP address and geolocation data (using GPS data of your device, the nearest Wi-Fi access points and mobile networks), the operating system and browser your device used to view the website or app, brand and model of your device, unique identifiers of your device, name and parameters of your network connection, time, duration and date of your visit and pages you viewed, device call history, and information and metadata about other applications installed on your device including application names, application identifiers and version, device identifier and checksum. If you do not wish to provide us with your Personal Information (including Credit Information), we may not be able to provide our products or services to you, respond or assist with your queries or may not be able to provide you with full access to all features of our products or services.

4. How we collect your Personal Information:
We will generally collect your Personal Information directly from you (or from someone who is acting on your behalf). This includes collecting information from your device/s when you access our websites, apps or social media profiles and contact our call centre. When you visit our websites, mobile application or social media platforms, we and other third parties may use cookies and similar tracking technologies (please see section 11) to collect information about your device and browsing behaviour. However, there are also certain instances in which we will collect information about you from third parties, particularly where it is unreasonable or impracticable to collect it directly from you. Other third parties that we may collect your information from include:

  • other agents, retailers, dealers and brokers;
  • for Flight Centre Mastercard customers, this includes other agencies directly involved in providing Flight Centre Mastercard and its benefits, in particular Flight Centre (in relation to your Flight Centre Rewards);
  • our agents, retailers, dealers and brokers;
  • your co-applicant (if any);
  • other humm Entities that may have information about you;
  • credit reporting agencies and other credit providers who may have Credit Information about you relevant to us,
  • including to check your credit and to assess your credit worthiness, on an ongoing basis;
  • relevant credit reporting agencies and other identification service providers who may have identification information about you, for the purpose of fulfilling our requirements under Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) legislation;
  • other agencies involved in (or in partnership with humm in connection with) the provision of the relevant product or service being obtained from us;
  • publicly available sources (e.g. internet sources or a search of white pages);
  • service providers, including: debt collection agencies, introducers, private investigators, professional advisers;
  • data and analytics products providers who provide us with access to credit related data;
  • public and subscriber only databases;
  • any person considered necessary in our view to execute your instructions; and
  • government authorities.

We may also use this information to provide you with details of our Services that may be relevant to you, and to ask for your opinion of our Services from time to time. We may communicate with you by email and other electronic means.

5. How we use your Personal Information:
Personal Information we collect about you will only be held, used and disclosed as is reasonably necessary for our business purposes and as permitted by law. Purposes for which we will usually hold, use and disclose your Personal Information, depending on the circumstances and the nature and products and services you are obtaining from us, include:

  • Providing products and services to you:
  • deciding whether to provide a product applied for or service requested (this might include evaluating your credit worthiness, in line with responsible lending requirements, or deciding whether to accept you as a guarantor);
  • providing other related products or services to you by us, e.g. where we provide you with credit to make a purchase or where our product is a payment service, that includes arranging for the purchase to be paid for or the payment to be made or by a third party, e.g. by Mastercard/Mastercard’s partners/service providers, and for Flight Centre Mastercard customers, this includes related arrangements provided by Flight Centre and Flight Centre’s related entities;
  • managing the products and services that we and/or relevant Mastercard Service providers provide you (for Flight Centre Mastercard customers, this includes managing the products and services that Flight Centre provides in relation to the Flight Centre Mastercard product; for Farmers Mastercard customers, this includes managing the products and services that Farmers provides in relation to the Farmers Mastercard product);
  • providing or attributing loyalty points or benefits to you under a loyalty or other program that you are a member of (whether with us or a third party);
  • identifying you and your device so that we can make our services available to you;
  • ensuring the safety of using our apps and other services;
  • the ongoing monitoring of credit worthiness;
  • detecting and preventing instances of fraud, unlawful conduct, and other risks to you or our products and services;
  • ensuring fast and accurate approval and processing of payment transactions;
  • responding to certain enquiries relating to any insurance policy offered by us or a third-party service provider in connection with our products or services;
  • dispute and complaint resolution, and assisting other credit providers to do the same; and
  • enforcing our rights, including the collection of outstanding payments and, where necessary, initiating legal proceedings.
  • Complying with our obligations:
  • ongoing participation in the credit reporting system by providing Credit Information to credit reporting agencies – (information disclosed by us to credit reporting agencies may be listed in their systems, used by them to provide their credit reporting services or other information services, and supplied to their customers on an ongoing basis in line with the Code);
  • assisting customers in meeting their credit related obligations;
  • dealing with serious credit infringements and assisting other credit providers to do the same;
  • verifying your identity as may be required from time to time by the AML/CFT;
  • providing your behavioural biometric data to a third party for the purposes of digital identity protection and fraud prevention;
  • verifying your identity using electronic sources. In order to do so, we will ask you for your details (such as your name, address and date of birth) and details of your identification documents, which will be passed to external organisations in order to electronically match your information with identification data on their databases;
  • complying with New Zealand laws and regulations that may specifically require us to collect your Personal Information, and any overseas laws where collecting your information is necessary for us to comply with our obligations; and
  • sharing with law enforcement agencies where we reasonably believe it is necessary to comply with the law or in order to assist in the prevention, detection or investigation of fraud, money laundering or other criminal offences.
  • Assisting us to manage our business:
  • undertaking review and maintenance of our systems and infrastructure;
  • ensuring the safety of using our website and apps, and of the services provided;
  • customer data analytics, which may be provided to or shared with any retailer or entity with which we have an alliance or partnership arrangement.
  • improving the products and services we provide you. This may include for example using Personal Information, including transaction data, to obtain customer insights and monitor customer trends;
  • improving the quality of the apps and services provided by us;
  • undertaking research and development regarding potential future products and services;
  • undertaking securitisation activities and other activities relating to funding and capital requirements;
  • compiling statistical data, e.g. credit scoring information;
  • for training, quality control and verification purposes; and
  • for recruitment purposes, including assessing a candidate’s suitability for a position with us.
  • Marketing products or services to you:
  • enabling our associated entities and selected other entities (for Flight Centre Mastercard customers, this includes but is not limited to Flight Centre and Flight Centre’s related entities) to promote their products and services to customers;
  • marketing products and services provided by us and our related entities including by sending notifications, requests and other information about the services provided by us;
  • providing you with information about other products and services, including those of selected third parties (for Flight Centre Mastercard customers this includes but is not limited to Flight Centre and Flight Centre’s related entities), including by mail, email and telephone (including SMS) for example, information about other services provided by, selected third parties, our related entities or any of our retailer partners (and for Flight Centre Mastercard customers, this includes Flight Centre or Flight Centre’s related entities); and
  • developing an understanding of the products and services you may be interested in receiving from us, our related entities (and for Flight Centre Mastercard customers, from Flight Centre or Flight Centre’s related entities).

Mobile apps: The apps only uses location data to help prevent fraudulent activity and protect our customers. We do not use location data for advertising or marketing purposes. This feature is essential to protect users from unauthorized access and is disclosed in our privacy policy.

Opting out/unsubscribing from marketing or promotional communications: If you do not want us to send you any marketing or promotional materials, you can opt out of these services by following the unsubscribe instructions in the promotional message itself, by changing your marketing preferences in your online product portal (if this service is available) or by calling our Customer Service team. If you do not want one of our third parties or retailer partners to send you marketing or promotional materials, you will need to opt out of these services with them directly. Important note on service and operational communications: Even if you opt out of marketing and promotional communications, there is certain service, operational and other correspondence that we will need to send you about the products and services we provide (as an example, we have a legal obligation to provide you with statements and make you aware of any changes to terms and conditions).

Opting Out or Unsubscribing from Marketing or Promotional Communications
If you no longer wish to receive marketing or promotional messages from us, you can opt out through the following methods, depending on the communication channel:

Email

  • Email: Click the “Unsubscribe” link located at the bottom of any promotional email.
  • Alternatively, you can update your marketing preferences by clicking on the “manage preferences” link located at the bottom of any promotional email.

SMS/Text Messages
• Reply with “STOP” to any promotional SMS to unsubscribe.

Social Media
• If promotion is sent via a social media platform, you may also manage your preferences within that platform’s settings.

Mail / Post / Other channels:
• Contact our Customer Service team to request removal from marketing list.

Third Parties and Retailer Partners
If you are receiving promotional communications from one of our third-party providers or retailer partners, you will need to opt out directly with them using their provided instructions.
________________________________________

Important Note on Service and Operational Communications

Even if you opt out of marketing and promotional messages, we will still send you essential service, operational, and legal communications related to the products and services you use. These may include:

  • Account statements
  • Updates to terms and conditions
  • Notifications required by law or regulation

6. Sharing your Personal Information to third parties (including overseas):
Where the Privacy Act permits it, we may share your Personal Information (including Credit Information) with third parties for the purposes outlined above. These external organisations will record, use and disclose your information in accordance with their own privacy policies and legal obligations. Some of the organisations to whom we may disclose your Personal Information (including your Credit Information or credit eligibility information) will be located overseas (known as cross border disclosure). The countries in which overseas recipients are currently located in include Australia, the Philippines and Ireland. Third parties that we may share your Personal Information with include:

  • your co-applicant (if any);
  • humm Entities based in New Zealand or overseas;
  • credit reporting agencies;
  • for Flight Centre Mastercard customers, this includes other agencies directly involved in providing Flight Centre Mastercard and its benefits, in particular Flight Centre (in relation to your Flight Centre Rewards);
  • entities that provide services to us such as mailing houses or call centre operators;
  • entities providing other services to us, including legal services, financial services, market research and data providers;
  • loyalty or other benefit partners that you hold a membership with;
  • third parties you authorize to facilitate card payments, such as Google Payment Service, Apple Pay or Garmin Pay;
  • our introducers, partners or any other entity with whom we have an alliance, and who we may share aggregate customer data analytics with;
  • our assignees or potential assignees, or where we act as an agent for, or otherwise on behalf of, another person, to the principal or that other person;
  • the supplier of any goods or services financed with credit we provide;
  • retailers, where the payment or credit service provided by us involves payments to the retailer for goods or services to be provided by them;
  • other financial institutions or entities such as banks and credit providers;
  • identification service and fraud prevention providers;
  • insurers, assessors, underwriters, brokers and other distributors;
  • government regulatory bodies in New Zealand and overseas;
  • guarantee or security providers;
  • organisations involved in debt assignment or securitisation arrangements;
  • debt collectors or other enforcement bodies;
  • entities who wish to be involved in our business, or acquire an interest in our business;
  • third parties you authorise to act on your behalf or that are otherwise connected with you (such as your accountant, legal representative, referee or an access seeker acting on your behalf to obtain your credit report); and
  • law enforcement agencies. In addition, although many of the retailers we deal with are in New Zealand, some of them are overseas. Therefore, when you ask us to make a payment to or to provide credit for a product or service from such a retailer, we will provide information to that retailer and also to banks and other financial institutions, who may also be overseas, who are involved in processing that payment. These entities are not our service providers, and we do not control how they manage your information.

7. Credit Reporting:
As described above, your consumer credit information may also be disclosed, where relevant. Where the Privacy Act permits it, we may disclose your credit information to credit reporting agencies for the purposes outlined above. Credit reporting agencies may include the information we provide to them in their reports in order for them to conduct an assessment of your credit worthiness. If you fail to meet your payment obligations to us in relation to consumer credit or commit a serious credit infringement, we may be entitled to disclose that information to credit reporting agencies. Credit reporting agencies must comply with the Credit Reporting Privacy Code – further information on the Code, and your rights with respect to the credit reporting system can be found at www.privacy.org.nz.

Disclosing and Collecting information from third parties
Your consumer credit information may also be disclosed & collected, where relevant, for the purposes described above in accordance with the Privacy Act. We collect information on your credit worthiness and identity from the Credit Reporting Agencies (CRBs) to assess your credit application. We also provide your account information to the CRB’s which enables them to conduct an assessment of your credit worthiness. If you fail to meet your payment obligations to us in relation to consumer credit or commit a serious credit infringement, we may be entitled to disclose that information to CRBs. Where you have entered into a financial hardship arrangement with us in relation to consumer credit, we may report the financial hardship arrangement to CRBs along with any repayment history information and financial hardship information in relation to the financial hardship arrangement.

The CRBs to whom we may disclose and collect your information include:

Centrix
Website: www.centrix.co,nz
Phone: 0800 236 874
Address: Attention: Centrix, PO Box 62512, Greenlane, Auckland 1546

Illion (An Experian company)
Website: https://www.creditcheck.illion.co.nz/
Phone: 0800 733 707
Address: Experian New Zealand, PO Box 9589, Newmarket, Auckland 1031

8. How we hold and protect your Personal Information:
We will hold your Personal Information in electric form on our systems but may hold some paper or other physical records. Service providers may also hold Personal Information for us. Your Personal Information is protected by various physical, electronic and procedural safeguards. Where a service provider holds your information, we require those service providers to adhere to our approved standards of security and confidentiality to ensure your Personal Information is protected. Staff who handle your Personal Information are provided with training on how to do so appropriately. Our procedures ensure that your Personal Information is only made available to staff where necessary. We will also only keep your Personal Information for as long as necessary to achieve the purpose for which it was collected or as required by law. If your Personal Information is no longer required by us, we will either destroy the information or remove any identifying information so that it can no longer be linked to you.

9. Access and Correction of your Personal Information:
You have the right to request access to and correction of any Personal Information we hold about you. You can request access to the Personal Information we hold about you subject to certain exceptions under the Privacy Act. You are entitled to specify how you wish to access your Personal Information, so long as this is reasonable and practicable. We take every step that is reasonably practicable to ensure that the Personal Information we collect, use and disclose is accurate, complete and up-to-date. If you want access to your Personal Information or to make a request for correction of Personal Information, you can contact us using the details below: Phone: 0800 444 827 or 09 525 8550 Email: [email protected] Address: Privacy Officer, humm (NZ) Limited, PO Box 90935, Victoria St West, Auckland 1142. We verify the identity of anyone requesting access to Personal Information to ensure that we do not provide that information to a person or people who do not have the right to access that information. If we do not agree to your request for correction or cannot provide you with access to certain Personal Information we hold about you for legal reasons, we will give you notice of this, outlining our reasons and what next steps you can take. We may charge you our reasonable costs of providing to you copies of your Personal Information and/or attaching a statement of correction to your Personal Information.

10. Personal Information about other persons:
If you provide us with Personal Information about any other person, for example a referee, a co-applicant, a shareholder or beneficial owner, you confirm that, prior to disclosing information about them to us, you have received their consent to do so. You also confirm that, prior to disclosing their Personal Information to us, you have made them aware of:

  • the fact you are providing this information to us;
  • the reason you are providing their information; and
  • this Privacy Policy, including in particular our reasons for collecting, using and disclosing Personal Information and our contact details.

11. Cookies, Pixels & Ad measurement:

We use cookies and other tracking technologies to improve our digital services and provide you with relevant information and advertising. These technologies help us understand how people use our websites and applications, improve functionality, personalise content, and tailor our marketing activities.

What these technologies are:

  • Cookies are small text files stored on your device that allow us or third parties to recognise your browser when you return.
  • Pixels, tags, SDKs, and similar technologies (such as the Meta Pixel or mobile app SDKs) are small snippets of code that help us measure how you interact with our platforms, whether you take certain actions, and whether you have seen our advertising on other websites or apps.
  • Analytics tools such as Google Analytics collect information about website and mobile application usage, including site visits, device and browser details, general location, and aggregated demographic and interest information.

How we use them
We use cookies and related technologies for the following purposes:

Essential purposes: Some cookies are necessary to provide secure access to online services (e.g. logging in to your account).

Analytics: To understand how visitors use our sites and apps, on an aggregated and anonymised basis, so we can improve performance and customer experience.

Marketing and advertising: To deliver advertising that is more relevant to you, measure how effective our campaigns are, and ensure that the right types of offers are shown to you. This may include:

  • Services that provide reporting on how often our advertising is viewed on other websites or apps (such as Google Display Network Impression Reporting).
  • Services that help us understand demographic and interest information on an aggregated basis (such as Google Analytics Demographics and Interest Reporting).
  • Integrations between our analytics and advertising platforms (such as DoubleClick) that allow us to tailor advertising outside our website.
  • Remarketing services (such as Google Analytics, Facebook Pixel and Meta SDKs) that allow us to reach people who may be interested in our services based on anonymised usage activity.

Ad measurement services (such as Google Ads Enhanced Conversions and Meta’s Advanced Matching), which securely hash and transmit limited customer information (for example, an email address you provide) in encrypted form to measure and improve the effectiveness of our campaigns.

Your choices

You can manage or disable cookies in your browser or device settings. If you disable certain cookies, some features of our digital services may not work properly. You can also choose to opt out of interest-based advertising or personalised measurement tools directly with the providers of those services. More information about how these providers handle data can be found in their privacy policies (for example, Google’s Privacy Policy and Meta’s Privacy Policy).

We may update the technologies we use from time to time, but we will continue to ensure that your personal information is protected and handled in accordance with this Privacy Policy and applicable privacy law.

12. Links to other websites:
Our website or other communications to you may contain links to other websites. These websites may have their own privacy policies in relation to your Personal Information and we have no responsibility for linked websites, or their communications with you and provide them solely for your information and convenience. We encourage you to be aware when you leave our website and to read the privacy policy or statement of each and every website that you visit.
14. Privacy complaints, disputes and queries:
If you have any questions about this privacy policy and/or a concern or complaint about the way we have handled your

Personal Information, please contact us using the details below:
Phone: 0800 444 827 or 09 525 8550
Email: [email protected]
Address: Privacy Officer
humm (NZ) Limited
PO Box 90935
Victoria St West
Auckland 1142

Once we receive your complaint, we will respond to you within a reasonable period of time, usually within 20 working days. Please note, that where your complaint relates to your Credit Information, we may consult with a credit reporting body or other credit provider in order to investigate and resolve your complaint. Depending on the type of complaint, it may also be necessary for us to consult with other third parties. If your complaint is not handled satisfactorily by us, you may wish to contact the Privacy Commissioner at www.privacy.org.nz.