Privacy Policy
Last updated: June 2026
Modica Group Limited (Modica, we, us or our) is a communications-platform-as-a-service (CPaaS) provider.
This Policy explains how we collect, use, store, share and protect personal information when we provide our services, run our websites and work with customers, suppliers and partners.
It covers personal information about customers, their representatives and authorised users, website visitors, suppliers, and End Users whose information we handle. If EU or UK data protection laws apply, our Data Processing Schedule also applies.
Quick Read
- We use personal information to provide and secure our services, process payments, check identity where required, comply with law, support customers and improve products.
- Our customers often give us End User information. They usually have the direct relationship with those End Users and are responsible for telling them how their information is used. We support customers with privacy requests and incidents.
- We share information only when needed, including with service providers, payment providers, identity verification providers, telecommunications carriers, messaging partners and regulators.
- Some information may be sent, stored or accessed overseas. We use contractual and other safeguards required by New Zealand, Australian and EU or UK privacy laws that apply.
- You can ask us to access or correct your information, or make a privacy complaint.
Who this Policy covers
- Customers are organisations or individuals that buy, use or white-label Modica services.
- Authorised users are people who use or manage a customer account, such as account owners, administrators, technical users, billing contacts and staff.
- End Users are people who interact with our customers through Modica services, such as message recipients, people who reply to messages, or people who make payments using our services.
- Visitors are people who visit our websites, attend events, contact us or receive marketing communications.
What we collect, why we use it and who we share it with
Personal information means information about an identified person, or a person who is reasonably identifiable. In this Policy, it also includes personal data under EU or UK data protection laws where those laws apply.
The table below gives a practical summary of our main information flows. More detail about payments, identity checks, overseas transfers, security and your rights appears later in this Policy.
| When this applies | What we collect | Why we use it | Who we may share it with |
|---|---|---|---|
| Customer accounts and authorised users | Names, roles, organisation details, contact details, account settings, API credentials, billing contacts, support tickets and correspondence. | Set up and manage accounts; provide, bill, support and improve services; send service, security and legal notices; manage contracts and disputes. | Modica group companies, staff who need access, hosting/security/support providers, payment providers, professional advisers and regulators when required. |
| CPaaS messaging and End User information | Message content; sender and recipient details; phone numbers; Sender IDs; timestamps; delivery receipts; campaign data; opt-out records; routing, traffic, abuse and security logs. | Route and deliver messages; provide reports; manage opt-outs; troubleshoot; prevent spam, fraud and abuse; secure the platform; meet telco and legal requirements. | The customer that controls the information; carriers, aggregators, network operators and messaging partners; hosting/security/support providers; regulators or law enforcement where required. |
| Payments | Bank account details for direct debit, payer and payee details, transaction amounts, dates, payment status, merchant IDs, payment consents, payment-provider identifiers and related records. | Process and settle payments; manage billing, refunds, disputes and fraud checks; keep tax, accounting, audit and regulatory records. | Payment Providers such as Stripe and BlinkPay, banks, third-party payors, payment networks, auditors, regulators and service providers. |
| Sender ID, identity and compliance checks | Identity document details, verification results, name, date of birth, address, organisation and authority to act, and information needed for customer due diligence or fraud prevention. | Verify the person acting for an organisation; meet telco, payment, regulatory and carrier obligations; prevent fraudulent or unauthorised use of accounts, Sender IDs or services. | Identity verification providers such as GBG ANZ and Stripe, carriers, payment providers, regulators and service providers as needed. |
| Websites, marketing and events | Contact details, event registrations, preferences, survey responses, unsubscribe records, IP address, device/browser information, pages visited and cookie data. | Run our websites; manage events and enquiries; send marketing where the law allows; respect opt-outs; understand and improve content and services; secure our sites. | Website, analytics, marketing, event and communications providers, and Modica staff who need access. |
| Suppliers, partners and resellers | Business contact details, contract records, due diligence information and correspondence. | Manage relationships, contracts, risk, compliance, services and payments. | Service providers, advisers, regulators, customers or partners where needed to deliver services or meet obligations. |
We do not sell mailing lists or mobile information to third parties for their own marketing.
Customers and End Users
Our customers decide what End User information they put into Modica services and why. Customers are responsible for giving privacy notices, getting any required consent or other legal basis, and using our services in a lawful way.
Modica processes End User information to provide the services as instructed by customers, but we may also have direct privacy obligations under the law that applies. If an End User contacts us about information we hold for a customer, we will usually refer the request to the customer and help the customer respond, unless the law requires us to respond directly.
Cookies and similar technologies
We may use cookies and similar technologies to run our websites and services, keep them secure, remember preferences, understand usage and improve the user experience. You can control cookies through your browser, although some features may not work if cookies are blocked.
Other sharing rules that apply
We may also share personal information where reasonably needed to protect Modica’s rights, property, systems, customers, End Users or the public, or to complete or evaluate a merger, acquisition, financing, reorganisation or sale of all or part of our business or assets.
We require service providers that process personal information for us to use it only for authorised purposes and to protect it with appropriate confidentiality, privacy and security safeguards.
Payments
We use third-party providers such as Stripe and BlinkPay to process payments and provide payment-related services (Payment Providers).
When you use payment-related services, we and our Payment Providers may collect and use payment and transaction information, including through cookies and similar technologies. Payment Providers may handle some information as independent organisations under their own privacy policies and may share information with banks, payment networks, regulators or other parties needed to process, authenticate, settle, dispute, refund or report transactions.
We retain transaction records, such as amounts, dates and consents, for 7 years where needed to meet tax, accounting, regulatory, audit and dispute-management obligations.
You can learn more about Stripe and BlinkPay’s data practices through their privacy policies:
Sender ID and identity checks
Where a Sender ID, payment, regulatory or fraud-prevention rule requires an identity check, we may ask for information such as driver’s licence details, passport details, verification results, date of birth, address, organisation and authority to act.
We use this information to verify the person acting for an organisation, meet legal, regulatory, telecommunications, payment and carrier obligations, and prevent fraudulent, abusive or unauthorised use of Sender IDs, accounts or services.
Identity checks are completed through approved third-party identity service providers, including GBG ANZ Pty Ltd and Stripe. Before completing a check, you will have the opportunity to review the relevant provider’s privacy policy. Providing this information is voluntary, but if you do not provide it or do not consent to required checks, we may not be able to provide some services, such as a Sender ID application.
De-identified information
We may anonymise, aggregate or de-identify data for analytics, reporting, security, product improvement and customer insights. We may share aggregated or de-identified outputs with customers or third parties where the law and our contracts allow us to do so and the data is not reasonably capable of identifying an individual. If information can reasonably identify a person, we treat it as personal information.
Children and young people
Our websites and business services are not directed to children. Because customers may use our services to communicate with their own End Users, some customer-controlled content may relate to children or young people. Customers are responsible for making sure their collection and use of that information is lawful. If we learn that we have collected personal information from a child directly without a proper basis, we will take reasonable steps to delete it or handle it as required by law.
Marketing choices
You can opt out of marketing at any time by using the unsubscribe link in our messages or contacting us. We will still send service, security, billing and legal notices where needed to provide the services or meet our obligations.
Overseas disclosures and international transfers
We may send, store, access or disclose personal information overseas to provide our services, support our operations, route messages and work with group companies, carriers, payment providers, cloud providers and other service providers. For example, international messaging may require information to pass through, or be disclosed to, overseas carriers, aggregators or network operators.
Where we disclose personal information outside New Zealand or Australia, we take reasonable steps and use contractual or other safeguards required by privacy laws that apply, including New Zealand IPP 12, Australian APP 8 and, where applicable, EU or UK transfer mechanisms. Where practicable, we also aim to identify the countries or regions of likely overseas recipients.
Security
We protect personal information using technical and organisational measures. These include encryption in transit and at rest, role-based access controls, logging and monitoring, network and application security controls, vulnerability management, secure development practices, staff training, supplier risk management, backup and recovery processes, and incident response procedures. Modica maintains independent assurance for relevant services, including SOC 2 Type II reporting and IRAP assessment.
No system can remove every security risk. You are responsible for using the services securely, including managing user access, credentials, API keys, integrations and security settings available to you, and for following your agreement with Modica.
How long we keep personal information
We keep personal information only as long as we reasonably need it. This includes keeping information to provide services, maintain security and audit logs, meet legal, tax, accounting, telecommunications, payment and regulatory obligations, resolve disputes and enforce agreements.
Retention periods vary by data type and customer configuration. Where a specific timeframe applies, we describe it in this Policy or in our agreements. When information is no longer needed, we delete, de-identify or securely dispose of it. Some information may remain in encrypted backups or logs for a limited period and is subject to strict access controls.
Automated decisions and AI
We may use automated systems, including artificial intelligence or rules-based tools, to support security, fraud prevention, identity verification, message routing, service reliability, analytics and customer support. We do not currently use solely automated decisions that we expect to significantly affect an individual’s rights or interests without appropriate human oversight. If that changes, we will update this Policy and provide information required by the law that applies.
Privacy breaches and security incidents
If we become aware of a privacy breach or security incident involving accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to personal information, we will:
- notify the relevant customer in writing as soon as reasonably practicable and within any contractual or legal timeframe that applies;
- take steps to minimise harm and secure the information;
- help the relevant customer inform affected End Users where appropriate; and
- support any required engagement with the relevant privacy or data protection authority.
Where the law requires it, we will notify the New Zealand Privacy Commissioner, the OAIC or another relevant regulator, and affected individuals, where we are responsible for doing so.
Notifications will be sent to the contact details you provide, so you are responsible for keeping those details current. When we process End User information for a customer, the customer is generally responsible for meeting its own incident-notification obligations to End Users, but we will provide reasonable assistance. Modica’s notification or response does not mean Modica admits fault or liability.
Access, correction and complaints
You can ask to access or correct personal information we hold about you. You can also contact us if you have a privacy question, request or complaint. We may need to verify your identity before responding.
If your request relates to information we process for a customer, we may refer you to that customer or work with them to respond. We will respond within the time required by privacy laws that apply.
Contact us at privacy@modicagroup.com or by mail to:
- New Zealand: Modica Group Limited, Level 1, 40 Lady Elizabeth Lane, Wellington 6011, New Zealand.
- Australia: Modica Group Limited, 16 Nexus Way, Southport, QLD 4215, Australia.
This Policy does not affect your rights under New Zealand or Australian privacy laws. If you are not satisfied with our response, you may contact the Office of the New Zealand Privacy Commissioner at https://www.privacy.org.nz or the Office of the Australian Information Commissioner at https://www.oaic.gov.au.