Privacy Policy
Effective: 7 May 2026
Version: 1.0
1. Who we are
Millwater Consulting ("Millwater", "we", "us", "our") is a privately-held AI consulting firm. Our principal contact for privacy questions is info@millwater.consulting. Our entities operate from offices in Auckland (New Zealand), Sydney (Australia), and Boulder (United States).
If you have a question about how we handle your information, write to info@millwater.consulting.
2. Scope
This policy explains how we collect, use, and protect personal information through our website (millwater.consulting), our marketing communications, and our consulting engagements. It does not apply to information about you on third-party platforms we don't control (LinkedIn, Twitter / X, etc.).
3. The information we collect
We collect three categories of personal information.
Information you give us directly. What you provide when you fill in our contact form, email us, book a meeting, or engage us for consulting work — typically your name, business email, company, role, and a description of what you'd like our help with. If we enter into an engagement together, we'll collect additional information necessary to deliver the engagement.
Information collected automatically when you visit the site. Like most websites, we collect basic technical information when you visit millwater.consulting: device type, browser, approximate location (city / region, derived from IP), the pages you view, and the dates and times of your visits. We use this to keep the site running, measure aggregate traffic, and identify problems. The site is hosted on Framer; technical logging is performed by Framer and any analytics providers we configure.
Information from cookies and similar technologies. Our site uses essential cookies to function and may use analytics cookies to measure aggregate use. We do not currently use advertising cookies, profile-based retargeting, or third-party advertising trackers. You can disable cookies in your browser; some site features may not work as intended if you do.
We do not collect special categories of personal information (health, biometric, sexual orientation, political opinion, religious belief, trade union membership) through this website.
4. Why we collect it and what we do with it
We use personal information to:
respond to your enquiries and run our consulting engagements;
operate, secure, and improve our website;
send you marketing emails about our services where you have consented (or where we have a legitimate interest under applicable law) — every marketing email contains an unsubscribe link;
comply with legal obligations (tax, accounting, regulator requests, court orders); and
defend our legal rights if needed.
We do not sell personal information.
5. Lawful basis (visitors covered by GDPR / UK GDPR)
Where the EU or UK GDPR applies, our lawful bases for processing are:
Performance of a contract — when we are providing consulting services to you or your organisation;
Consent — when you opt in to marketing communications;
Legitimate interest — when we operate our website, respond to enquiries, and run our business, balanced against your rights and interests; and
Legal obligation — when the law requires us to retain or disclose information.
You can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
6. Who we share information with
We share personal information only with parties who help us run the business, or where we are legally required to.
Service providers. We use a small set of third-party providers to deliver our services. These include hosting and infrastructure (Framer for the website; AWS, Google Cloud, or Azure where engagements use those platforms), email and productivity (Google Workspace), customer relationship management, accounting, and legal advice. Each provider is bound by confidentiality and data-protection terms.
Sub-processors used in client engagements. When we deliver an engagement, the engagement letter or statement of work names the sub-processors involved and the data each receives. No sub-processor is engaged without your knowledge.
Legal disclosures. We may share information when required to by law, regulator, or court order, or to protect our legal rights.
Business changes. If Millwater is sold, merged, or restructured, personal information may transfer to the successor — subject to the same protections set out in this policy.
We do not sell, rent, or trade personal information.
7. International transfers
Millwater operates from New Zealand, Australia, and the United States. Where we transfer personal information across these jurisdictions, we apply appropriate safeguards — including standard contractual clauses, adequacy decisions where they exist, and equivalent contractual protections.
If you are based in the EU, UK, or another jurisdiction with restrictions on cross-border transfer, your information will be transferred only with safeguards that meet that jurisdiction's standard.
8. How we secure information
We apply reasonable technical and organisational safeguards to protect personal information, including:
encryption in transit (TLS) and at rest where applicable;
access controls limiting personal information to staff who need it;
regular review of our suppliers' security postures;
staff training on privacy and security; and
incident-response procedures if a breach is detected.
No transmission over the internet is perfectly secure. If we suffer a notifiable privacy breach, we will notify the relevant regulator and affected individuals as required by the applicable law.
9. How long we keep information
We keep personal information only for as long as we need it for the purposes set out in this policy, or for as long as the law requires us to. In practice:
Enquiry information: 24 months from last contact, then deleted or anonymised.
Engagement records: 7 years from completion (consistent with tax and professional retention obligations), then deleted or anonymised.
Marketing list: until you unsubscribe.
If you ask us to delete your information earlier, we will do so where the law permits.
10. Your rights
Depending on where you live, you have rights over your personal information. These typically include:
Access — to a copy of the information we hold about you;
Correction — to ask us to correct information that is wrong or out of date;
Deletion / erasure — to ask us to delete information, subject to limits set by law;
Restriction or objection — to ask us to stop or limit processing;
Portability — to receive your information in a portable format;
Withdraw consent — to withdraw consent for marketing or other consent-based processing;
Complain — to your local privacy regulator if you think we've handled your information badly.
To exercise any right, write to info@millwater.consulting. We will respond within the time required by your jurisdiction's law (30 calendar days under EU / UK GDPR; 20 working days under the NZ Privacy Act; 30 calendar days under the Australian Privacy Act; 45 calendar days under California's CCPA / CPRA — whichever applies to you).
The relevant supervisory authorities include:
New Zealand: Office of the Privacy Commissioner — privacy.org.nz
Australia: Office of the Australian Information Commissioner — oaic.gov.au
United States — California: California Privacy Protection Agency — cppa.ca.gov
United States — Colorado: Colorado Attorney General — coag.gov
EU / EEA: your national data-protection authority
United Kingdom: Information Commissioner's Office — ico.org.uk
11. Children
Our services are intended for businesses, not children. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, write to info@millwater.consulting and we will delete it.
12. Changes to this policy
We will update this policy as our practices change or the law requires. The "Effective" date at the top of this page tells you when the current version was published. Material changes will be flagged on the homepage for at least 30 days. Prior versions are available on request.
13. Contact
For any privacy question or request, write to info@millwater.consulting.
Version 1.0 — published [DATE].



