Privacy Statement

Last updated: 2026-05-26  ·  Version 2.0

This page explains what personal information True Delta collects, how we use it, and what rights you have over it.

1. Who we are

True Delta is currently operated by Cohen Allingham as a sole trader, based in Christchurch, New Zealand. A New Zealand company is in the process of being registered. When that registration completes, this statement will be updated promptly to reflect the new entity name and NZBN.

For the purposes of the New Zealand Privacy Act 2020, the data controller is Cohen Allingham trading as True Delta. For the purposes of the EU and UK GDPR where they apply, the same person is the data controller.

2. What personal information we collect

We collect personal information in three situations.

Contact form submissions

When you submit the form, we collect the email address you provide and the message you write. The email address is required for us to reply; the message body is whatever you choose to send.

Aggregate website analytics

We use Vercel Web Analytics to measure aggregate site traffic (pages viewed, country of origin, device category, Web Vitals timings). Vercel Web Analytics does not use cookies. Unique visitors are identified by a hash derived from the incoming request, which Vercel automatically discards after 24 hours. See Vercel’s own description at vercel.com/docs/analytics/privacy-policy.

Hosting and email delivery logs

Our hosting provider (Vercel) and our transactional email provider (Resend) retain standard request and delivery metadata, including IP address, user agent, timestamps, and email envelope details. This is normal infrastructure logging and is required to operate the site and to send and deliver email reliably.

We do not load third-party advertising trackers, marketing pixels (LinkedIn Insight, Meta Pixel, Google Ads, etc.), or session replay scripts.

3. Why we collect it, and our lawful basis

Under the New Zealand Privacy Act 2020 (Information Privacy Principle 1) we collect contact form data to respond to your inquiry, and analytics data to understand and improve the website. Both are necessary for those purposes.

Under the EU and UK GDPR (Article 6), where they apply:

  • Processing of contact form data is based on legitimate interests (Article 6(1)(f)): responding to inbound business inquiries is a legitimate business interest, balanced against the limited privacy impact of processing the information you yourself chose to send.
  • Processing of analytics data is also based on legitimate interests for operating and improving the site, in a privacy-preserving (cookieless, aggregate) form.

We do not use your information for automated decision-making or profiling that produces legal or similarly significant effects.

4. Who we share it with

The following parties act as processors on our behalf, under contractual safeguards in their respective Data Processing Agreements:

  • Resend (resend.com) processes the email send. Resend retains metadata, email address and message content, IP address, location, operating system, browser, device, email client, and spam complaints, in accordance with their published retention practices.
  • Vercel (vercel.com) provides hosting and analytics. Vercel retains standard request logs.

Both Resend and Vercel are certified under the EU-US Data Privacy Framework. Vercel is additionally certified under the Swiss-US Data Privacy Framework.

We do not currently use a CRM or any other system to store contact form submissions beyond the cohen@truedelta.co.nz inbox. If we add one, this statement will be updated to reflect the addition.

We do not sell, rent, or share your personal information for marketing purposes.

5. International transfers

Resend and Vercel store and process data in the United States. Under New Zealand IPP 12, these transfers are permitted because Resend and Vercel act as service providers processing data on our behalf, and are bound by their Data Processing Agreements. Under GDPR Article 44 and following, the transfers rely on each provider’s EU-US Data Privacy Framework certification.

6. How long we keep it

  • Contact form messages are kept for 24 months from the date of last contact with you, then deleted, unless an engagement has resulted, in which case engagement records are kept for as long as required by NZ tax and business records law (typically seven years).
  • Aggregate analytics data is retained by Vercel in aggregated form per Vercel’s retention practices.

You can ask us to delete your contact information earlier than this, subject to any legal records-retention requirement.

7. Your rights

Under the New Zealand Privacy Act 2020, you have the right to:

  • Ask what personal information we hold about you (access, IPP 6)
  • Ask us to correct it (IPP 7)
  • Ask us to delete it (where legally appropriate)
  • Complain to the Office of the Privacy Commissioner (privacy.org.nz)

We will respond within 20 working days of receiving a verified request, as required by the Privacy Act 2020 (currently section 44 for access requests).

Under the EU and UK GDPR, where they apply, you also have the right to:

  • Access (Article 15)
  • Rectification (Article 16)
  • Erasure (Article 17)
  • Restriction of processing (Article 18)
  • Data portability (Article 20, where the legal basis is contract or consent)
  • Object to processing (Article 21), including any processing based on our legitimate interests
  • Withdraw consent (where consent was the basis)
  • Not be subject to solely automated decision-making (Article 22). We do not do this.
  • Lodge a complaint with your local supervisory authority. A directory of EU/EEA Data Protection Authorities is available from the European Data Protection Board: edpb.europa.eu/about-edpb/about-edpb/members_en

We will respond within one month of receiving a verified GDPR request, as required by Article 12.

To exercise any of these rights, email cohen@truedelta.co.nz. We may need to verify your identity before responding.

8. EU representative (Article 27 GDPR)

We do not currently have an EU representative designated under Article 27. We rely on the exemption in Article 27(2)(a): our processing of EU personal data is occasional, does not include large-scale processing of special categories of data, and is unlikely to result in a risk to the rights and freedoms of natural persons. If our processing changes and the exemption no longer applies, we will designate a representative.

9. Cookies

This site is designed not to set cookies, and this is verified periodically. Vercel Web Analytics, the only analytics tool we use, is cookieless. It identifies unique visitors using a hash derived from request metadata that is discarded after 24 hours, not cookies.

If we add a feature in future that requires cookies (for example a login system, a preference-saving feature, or a third-party widget), we will update this statement and add a cookie notice to the site before activating it.

10. Data breaches

If we become aware of a privacy breach that is likely to cause serious harm, we will notify the Office of the Privacy Commissioner and any affected individuals as soon as practicable, in line with Part 6 of the Privacy Act 2020 (and GDPR Article 33, where applicable: within 72 hours of becoming aware).

11. Changes to this statement

If we change how we handle personal information, we will update this page, revise the “Last updated” date, and bump the version number. We may notify previous contacts of material changes where appropriate.

12. Contact

For any question about this statement or your personal information: cohen@truedelta.co.nz

© 2026 Cohen Allingham  ·  Last reviewed: 2026-05-26