ProVisas Immigration Advisers

Privacy

Last updated:

This page explains what personal information Provisas collects about you, how we use it, who has access to it, where it's stored, how long we keep it, and your rights under the New Zealand Privacy Act 2020. If anything here isn't clear, ask your adviser — privacy isn't optional, and it isn't paperwork.

1. Who we are

Provisas is the trading name of Professional Visa Solutions Limited, an Auckland-based immigration advisory firm licensed by the Immigration Advisers Authority of New Zealand. Inder Singh (IAA Licence 201301110) is the firm's Principal Adviser and acts as Provisas's Privacy Officer.

You can contact the Privacy Officer at:

2. What we collect

We collect personal information you give us directly, plus information we generate during your engagement.

Directly from you

  • Identity and contact details — name, date of birth, nationality, address, phone, email
  • Travel and visa history — current and past passports, prior visa records
  • Qualifications — degrees, professional registrations, transcripts
  • Employment — offer letters, contracts, payslips, references
  • Family details where partner or family visas apply — relationship evidence, dependent details
  • Health and character documents where INZ requires them
  • Payment information — bank details, card information processed through Xero

Generated during your engagement

  • Case notes from consultations and case work
  • Meeting transcripts where you consent to recording
  • Correspondence between you, INZ, and your adviser
  • Draft and final application documents

From third parties (only with your consent or where the law authorises it)

  • Information from INZ regarding your application status
  • Information from third parties named in your case (e.g., employers providing employment evidence)

Website visitors

If you submit our eligibility check, contact form, or book a consultation, we collect the information you submit. With your consent, we also collect basic analytics (page views, referring source, browser type) via Google Analytics 4 and Meta Pixel — see Section 10 for details and how to opt out.

3. How we use it

We use your information to:

  • Assess your eligibility for New Zealand visas under current INZ policy
  • Prepare and lodge applications with INZ on your behalf
  • Respond to INZ queries and Potentially Prejudicial Information letters
  • Communicate case progress to you
  • Process payments for our services and INZ fees
  • Meet our regulatory obligations as IAA-licensed advisers (record-keeping, complaints handling, audit response)
  • Improve our services in aggregate — we may use anonymised, non-identifiable patterns to refine how we operate. Your individual data is never used to train AI models.

Information Privacy Principle 1 (New Zealand Privacy Act 2020) requires us to collect information only for a lawful purpose connected with our functions. The purposes above are those purposes.

4. How we use AI with your information

We use AI to support — never replace — the work of your IAA-licensed adviser. Every AI-generated output that reaches you or INZ has been reviewed, edited, and signed by a licensed human. This commitment is part of our engagement letter framework (see /engagement-letter).

Specifically:

  • Drafting. We use AI to propose drafts of correspondence, INZ submissions, and case notes. Your adviser reviews, edits, and signs every draft before it leaves Provisas.
  • Meeting transcription. With your consent at the start of each consultation, we may record and transcribe meetings using an AI transcription service. Transcripts go into your case file for accuracy. You may decline transcription at any consultation.
  • Document analysis on a local inference server. Your case documents (passport, qualifications, employment records, references) are processed on a private inference server located in New Zealand. No cloud-based AI service has access to your personal information through this pathway.
  • Anonymisation safeguard. When we use cloud-based AI for non-personal research (for example, looking up an INZ policy interpretation), any personal information is removed from the prompt before it leaves our infrastructure. We currently apply this through adviser-led manual review; we are building an automated tokenisation gateway to replace manual review with a deterministic privacy boundary. Either way, personal data does not cross the network in cloud AI requests.
  • No model training. Your personal information is never used to train AI models. The AI tools we use do not learn from your case.
  • Audit logs. Every AI-assisted output and every retrieval from our local inference server is logged. You can request a list of AI-assisted outputs relating to your case at any time.

Your rights regarding AI use:

  • Opt out of any specific AI use (drafting, transcription, document analysis) while remaining engaged
  • Withdraw consent for transcription at any point — past transcripts remain in your file, future consultations follow your new preference
  • Request the audit list of AI-assisted outputs touching your case

5. Who has access

Inside Provisas

  • Your assigned IAA-licensed adviser
  • Other named IAA-licensed advisers on the Provisas team where case work requires it (see /engagement-letter for the full list)
  • Supporting Provisas staff (administration, accounts) under written confidentiality obligations

Outside Provisas

  • Immigration New Zealand, where we lodge applications and respond to queries on your behalf
  • Our accountants (Xero), for billing reconciliation — they see your name and invoice details, not your case substance
  • Our regulator, the Immigration Advisers Authority of New Zealand, where they audit our records as part of our licensing
  • Anyone you give us written consent to share information with (e.g., a fee-paying employer where you've agreed to broader information sharing)

We do not sell or rent your information to anyone. We do not share your information with third parties for marketing purposes.

Information Privacy Principle 11 limits when we may disclose your personal information. Our practice follows those limits.

6. Where your data is stored

Provisas's operational stack is in mid-migration through to December 2026. During the transition, your data may sit in two systems:

Current (during transition)

  • Zoho One — case management, document storage (WorkDrive), and internal communications. Zoho data for this account is held in the United States. Zoho operates regionally; the Provisas Zoho One account is hosted on Zoho's US data centre.

After December 2026

  • Microsoft 365 — email, calendar, document storage (SharePoint). Microsoft 365 data for our region is held in Australia.

Throughout

  • Xero — accounting and invoicing. Xero data is held in Australia.
  • HubSpot — marketing CRM (used for leads and consultation booking; not case management). HubSpot data for our account is held in the United States.
  • Local inference server — used for AI-assisted document analysis and case-note drafting. Physically located in New Zealand. Never connected to cloud AI for client documents.

Cross-border disclosure (Information Privacy Principle 12)

Some of the providers above hold data outside New Zealand. Under IPP 12, we must ensure that where personal information goes overseas, the receiving party is subject to comparable privacy protections.

  • Microsoft (Australia) — Australia is recognised by the New Zealand Office of the Privacy Commissioner as having comparable privacy protections.
  • Xero (Australia) — same comparable-jurisdiction recognition.
  • HubSpot (United States) — we have a Data Processing Agreement with HubSpot that provides contractual protections equivalent to the Privacy Act 2020 requirements.
  • Zoho (United States) — we have a Data Processing Agreement with Zoho that provides contractual protections equivalent to Privacy Act 2020 requirements.

If you have questions about a specific cross-border disclosure, contact our Privacy Officer.

7. How long we keep your data

The Immigration Advisers Authority Code of Conduct 2014 requires us to retain client records for seven years from the date of our last action on a case. We follow this requirement.

After seven years:

  • Case files are securely destroyed
  • Digital records are deleted from active systems and any backups within a reasonable period
  • Required regulatory records (e.g., licensing audit material) may be retained longer where the IAA Code or other law requires it

Earlier deletion:

  • You can request deletion of records that are no longer subject to regulatory retention or active case requirements
  • We'll respond within 20 working days, confirming what can and cannot be deleted

8. Your rights under the Privacy Act 2020

You have these rights:

  • Access (IPP 6) — request a copy of the personal information we hold about you
  • Correction (IPP 7) — ask us to correct information that is wrong or out of date
  • Deletion — request deletion of records no longer subject to retention requirements (see Section 7)
  • Withdrawal of consent — withdraw consent for any specific AI use or any disclosure you previously consented to
  • Complaint — if you believe we have mishandled your information, complain to us first; if not resolved, escalate to the Office of the Privacy Commissioner

To exercise any of these rights, contact our Privacy Officer (Section 1 above). We'll respond within 20 working days for access and correction requests.

Office of the Privacy Commissioner — Te Mana Mātāpono Matatapu:

9. Security

We take security seriously. Our measures include:

  • Encryption in transit — all data moving between you, our systems, and our providers is protected with TLS
  • Encryption at rest — case documents and case notes are encrypted in our storage systems
  • Access controls — staff access to client information is limited to what each person needs to do their work
  • Audit logging — system access and AI-assisted retrievals are logged
  • Two-factor authentication on staff accounts
  • Local inference server isolation — client documents processed by AI never leave our infrastructure

No system is perfectly secure. If we become aware of a privacy breach that has caused or is likely to cause serious harm, we will notify affected clients and the Office of the Privacy Commissioner as required by the Privacy Act 2020.

10. Cookies and website analytics

Our website uses two third-party analytics tools, both gated by your explicit consent:

  • Google Analytics 4 — measures how visitors use the site (page views, traffic sources, anonymised location). Fires only after you click Accept in our consent banner.
  • Meta Pixel — measures the performance of any advertising campaigns we run on Facebook or Instagram. Fires only after you click Accept in our consent banner.

On your first visit, you'll see a consent banner asking your preference. Your choice persists across visits. You can revisit and change your choice at any time via the Cookie settings link in the footer.

We use only essential functional storage by default:

  • Form submission state during multi-step processes (eligibility check, contact form)
  • Mobile navigation drawer state
  • Your consent choice (so we don't keep asking)

These are not used to track or identify you across sessions.

If you choose Reject, neither Google Analytics nor Meta Pixel sees your visit — we honour your choice. If you choose Accept, these tools collect anonymous aggregate data about how visitors use our site, which helps us improve it.

No other third-party trackers run on this site.

11. Children

Provisas's services are for adults. Where minors are part of family migration applications, we handle their information only as necessary for those applications and only with the consent of a parent or guardian. We do not target marketing at minors and we do not collect minor data through our website forms.

12. Changes to this policy

We update this page when our practices change. The "Last updated" date at the top of the page reflects the most recent change.

If we make a material change — for example, adding a new AI use, changing where data is stored, or expanding what we collect — we will notify currently engaged clients by email before the change takes effect.

13. Contact

If you're not satisfied with our response to a privacy concern, you can complain to the Office of the Privacy Commissioner (Section 8 above).