“Because one copy is never enough. Control-C safeguards your Xero ledgers, Cin7 inventory, and XPM workflows, captured, searchable, and recoverable when the cloud isn’t.”

Legal

Control-C GDPR Statement

How we keep EU and UK personal data compliant in New Zealand data centers.

Download GDPR statement Contact DPO

Control-C Privacy & Data Protection Statement

(GDPR & New Zealand Privacy Act 2020)

Our approach

We treat personal data with care. That means collecting only what we need, storing it securely, and giving people clear control over how their information is used. Our hosting and operations follow both the EU/UK GDPR and the New Zealand Privacy Act 2020.

1. Who we are (Data Controller)

Control-C Limited
Level 2, 142 Broadway
Newmarket, Auckland 1023
New Zealand

We act as the data controller for all personal data processed through our products, website, and support channels.

Privacy Officer / Security Officer
Matthew Crosswell
[email protected]

2. EU/EEA representative

Control-C has appointed the following EU/EEA representative for data protection matters:

EU/EEA representative
Matthew Crosswell
Montpellier, Hérault, France 34000
[email protected]

3. What we collect

We collect only the information needed to operate our services safely and reliably, including:

  • Name, role, company, and contact details.
  • Account, billing, and transactional information.
  • Technical information (for example, IP address, device, browser, and logs).
  • Service usage data.
  • Optional analytics and cookie data (with consent).
  • Biometric or location data: only with explicit consent and only when strictly required.

4. Why we process personal data

We process data for the following purposes:

  • Providing and maintaining our backup and continuity services.
  • Customer support and account management.
  • Product development and service improvements.
  • Security, fraud prevention, and monitoring.
  • Compliance with legal and contractual obligations.
  • Optional marketing updates (only with consent).

We do not sell personal data.

Depending on context, we process data under:

  • Contractual necessity: to provide and support our services.
  • Consent: for marketing or optional analytics.
  • Legitimate interests: service security, debugging, and preventing abuse.
  • Legal obligations: tax, accounting, and regulatory requirements.
  • Explicit consent: for any sensitive or biometric data (rare).

You may withdraw consent at any time.

6. Hosting locations and transfers (EU → New Zealand)

All service data, including EU personal data, is stored in secure New Zealand data centers:

  • Primary: Wellington.
  • Secondary: Auckland (failover).

New Zealand holds a full adequacy decision from both the UK Government and the European Commission, meaning EU/UK personal data may be transferred to New Zealand without additional safeguards.

Where we use vendors in non-adequate jurisdictions, we apply:

  • Standard Contractual Clauses (SCCs); or
  • A legally recognized equivalent safeguard.

We do not rely on AWS or large cloud providers for hosting infrastructure.

7. Sub-processors and vendors

We work with a small number of service providers. They only receive the data necessary to perform their role.

Typical categories include:

  • Data center providers (ISO 27001–certified, New Zealand–based).
  • Email delivery services.
  • Monitoring and logging tools.
  • Customer support systems.
  • Backup and replication tooling.

A current list of sub-processors is maintained at:
https://control-c.com/subprocessors

8. Retention periods

We retain data only as long as required:

  • Account data: retained for the duration of the account; typically deleted within 90 days of closure.
  • Billing data: stored for 7 years to meet legal obligations.
  • Support logs: retained for 12–24 months depending on purpose.
  • Backups: retained according to customer configuration (typically 30–90 days).
  • Analytics and cookies: retained based on consent and expiry settings.

You can request deletion at any time, subject to our legal obligations and technical feasibility.

9. Your rights (GDPR and NZ Privacy Act)

You have the right to:

  • Access your data.
  • Correct inaccurate or incomplete data.
  • Request deletion (“right to be forgotten”).
  • Restrict or object to processing.
  • Withdraw consent.
  • Request data portability.
  • Not be subject to automated decisions without human review where required by law.
  • Lodge a complaint with a supervisory authority (see below).

To exercise your rights, contact [email protected].

10. Automated decision-making and AI

If we use AI or automated decision-making in any part of our service, we ensure:

  • Transparency about how decisions are made.
  • Clear explanations of relevant criteria.
  • A route to human review.
  • Regular checks for bias and fairness.
  • No decisions that produce significant effects without human involvement, unless permitted by law and subject to safeguards.

We do not conduct automated profiling that meaningfully affects your rights without explicit notice.

11. Cookies and analytics

Essential cookies are used to operate our website and ensure security.

Non-essential cookies (for example, analytics or marketing) are only used with consent. You may withdraw or change cookie preferences at any time via the cookie panel on our website or browser settings, where available.

12. Security measures

We use technical and organizational safeguards, including:

  • Encryption in transit and at rest (where applicable).
  • Physical and logical access controls.
  • Multi-factor authentication.
  • Network isolation and least-privilege policies.
  • Continuous monitoring.
  • Regular security reviews and third-party audits.
  • Vendor due diligence and data processing agreements (DPAs).

13. Data breach notifications

If a personal data breach occurs:

  • Under GDPR, we notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours, unless the risk to individuals is low.
  • Under the New Zealand Privacy Act 2020, we notify the Office of the Privacy Commissioner and affected individuals if the breach is likely to cause serious harm.

New Zealand notifications typically use the Office of the Privacy Commissioner’s “NotifyUs” system.

14. Supervisory authorities (your right to complain)

If you are in the EU/EEA, you may lodge a complaint with your local supervisory authority or the authority of your habitual residence.

For individuals in New Zealand, complaints may be made to the Office of the Privacy Commissioner.

15. Contact

Questions about this statement or your data rights can be sent to:

Privacy Officer / Security Officer
Matthew Crosswell
[email protected]
Control-C Limited
Level 2, 142 Broadway
Newmarket, Auckland 1023
New Zealand

Last updated: December 1, 2025