PRIVACY POLICY

Roost is a New Zealand financial advice and mortgage services business. We are licensed by the Financial Markets Authority (FMA) as a Financial Advice Provider (FAP).

Our services include:

• Home loan and mortgage advice.

Different services require different information. This policy explains our approach across all the services we provide.

Personal information is information about an identifiable person. We only collect personal information we need to provide our services, meet our legal obligations, and run our business.

Depending on what you are asking us to do, this may include your:

• name and date of birth.
• contact details, such as your email address, postal address and phone number.
• identity documents (for example, passport or driver's licence), where we are required to verify your identity under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act).
• financial circumstances, goals, risk tolerance and preferences.
• details of any product or service you have arranged through us.
• the reason you contacted us, and any records of our meetings, calls or correspondence with you.
• your communication and marketing preferences.

We mainly collect this information directly from you — for example, when you speak to us by phone or video call (such as Microsoft Teams, Zoom or Skype), email or write to us, use our website or online forms, complete forms when you become a client, or take part in an event, campaign or promotion we run.

If it isn't obvious that we're collecting personal information from you, we will do our best to make it clear.

Where full privacy information cannot be displayed on a particular channel (for example, certain social media platforms), we provide a link to this Privacy Policy on our website at www.roost.co.nz.

Sometimes we collect personal information about you from someone other than you. We may receive information from:

• publicly available sources.
• your professional advisers — e.g. accountant, solicitor, or a previous financial adviser — with your consent where required.
• business partners, product providers and service providers we work with.
• identity verification, credit reporting and fraud prevention providers.

Our Indirect Collection Source Schedule sets out the common third parties we collect from, the information involved, the purpose of collection, and who the information may be shared with. You can access the current schedule at www.roost.co.nz or request a copy from [email protected].

We also use service providers to store or process personal information on our behalf. Those provider arrangements are managed separately from our indirect collection practices.

When we collect personal information about you from someone else, we will take reasonable steps to let you know — what we have collected, where it came from, why we need it, who we may share it with, the legal basis (if any) for the collection, and your right to access and correct it. We will tell you either when we first contact you or as soon as we reasonably can after receiving the information.

In some limited situations, the Privacy Act allows us not to notify you — for example, where you already know, where the information is publicly available, where telling you isn't reasonably practicable, where we are required or permitted by law to collect the information without notifying you, or where notifying you would prejudice a lawful purpose such as fraud prevention or a legal investigation. Even then, we will handle your information carefully and in line with this policy.

Where required, we will only collect personal information from other people or organisations with your consent. We are not responsible for the privacy or security practices of third parties who provide information to us.

We may use your personal information to:

• check whether you are eligible for the products or services we offer.
• provide advice and deliver the services you have asked for.
• facilitate transactions and applications with product providers, including lenders and insurers.
• respond to your questions and requests.
• communicate with you about our services, newsletters and events, where you have agreed to receive them.
• meet our legal and regulatory obligations.
• maintain and improve our services, systems, and business operations.

We also have an obligation to retain and, where required, disclose personal information to regulators and similar bodies. See "Who we may share your information with" below.

When you visit our website or interact with our social media pages, we may use cookies and similar technologies to understand how our sites are used and to improve your experience. Cookies are small pieces of information stored on your device or browser. They help us recognise you when you come back and make our sites work better for you. You can manage cookies through your browser settings.

Information collected through cookies may include:

• the date and time of your visit.
• the pages you view and how you arrived at our site.
• how you navigate and interact with our site.
• your approximate location.
• information about the device you are using.
• your IP address and browser type.

Cookies allow us to improve your experience and support analytics. They do not access your hard drive or run programs on your device.

We will never ask you to share personal information publicly on social media. If we need personal information from you, we will ask you to provide it through a private or secure channel.

Most of your information is stored electronically — on our own systems or with trusted third-party cloud service providers. A small amount of information may still be held in paper files. We take reasonable steps to keep your information secure and prevent unauthorised access, use, modification or disclosure, using a combination of physical, electronic and procedural safeguards.

Our key security measures include:

• Access to information systems is controlled through identity and access management.
• Our buildings are secured with a combination of locks, monitored alarms and cameras to prevent unauthorised access.
• Employees are bound by internal information security policies and are required to keep information secure.
• Employees are required to complete training about information security and privacy.
• When we send information overseas or use service providers to process or store information, we put arrangements in place to protect your information.
• We regularly monitor and review our compliance (and our service providers' compliance) with internal policies and industry best practice.

We cannot guarantee that your information will never be accessed by an unauthorised person. If we give you passwords or other security credentials, please keep them confidential and let us know straight away if you think they have been compromised.

Cloud-based service providers

We use third-party service providers to store and process most of the information we collect. We use Dropbox servers located in the United States or Australia, MyCRM servers located in Australia, and Microsoft 365 servers based in New Zealand. We ensure that our cloud-based service providers are subject to appropriate security and information handling arrangements and that the information stored or processed by them remains subject to confidentiality obligations.

How long we keep your information

We take reasonable steps to destroy or permanently de-identify personal information once we no longer need it for any legal, regulatory or legitimate business purpose.

Where the information relates to financial advice or services we have provided, we are required by law to keep it for at least seven years. After this time, provided that the personal information is no longer relevant to any service we are providing you, we will take reasonable steps to safely destroy or de-identify any personal information.

If there is a privacy breach

We work hard to keep your information safe, but no system is perfect. If we experience a privacy breach that is likely to cause serious harm, we will act quickly to contain it, reduce the harm, and — where appropriate — notify the people affected and the Office of the Privacy Commissioner, in line with our legal obligations.

We may share your personal information where it is needed to provide the services you have asked for, where the Privacy Act allows us to, where you have agreed, or where we are required or authorised by law to do so. We will never sell your personal information.

We may share your information with:

• Other advisers and team members within Roost, where this helps us deliver the services you have asked for.
• Compliance and professional services providers, including Strategi Limited (Auckland, New Zealand), who conduct compliance reviews and assist us in meeting our regulatory obligations.
• Cloud storage and business systems, including Dropbox (United States or Australia) and Microsoft 365 (New Zealand), which we use to store and manage client information and business records.
• Customer relationship management (CRM) systems, including MyCRM (Australia), which manages client contact information and interactions.
• Lenders, insurers and other product providers, where we are arranging a home loan, insurance policy or other financial product on your behalf.
• Our external dispute resolution scheme — the Insurance & Financial Services Ombudsman Scheme (IFSO), Wellington, New Zealand — where we cannot resolve a complaint directly with you.
• Credit reporting and debt collecting organisations in New Zealand.
• Regulators and government agencies, including the Financial Markets Authority (FMA), the Office of the Privacy Commissioner, and Inland Revenue, where we are required to do so.
• Lenders and other referral partners we work with in New Zealand. See our publicly available disclosures for the list of product providers and referral partners.

Our Indirect Collection Source Schedule sets out the specific information about common third parties to whom we may disclose your information.

Sending your information overseas

Some of our service providers — including Dropbox (United States or Australia) and MyCRM (Australia) — store or process information outside New Zealand.

When your information is sent overseas, we take reasonable steps to make sure it is protected to standards comparable to those in New Zealand, including through contractual confidentiality and security arrangements. If we can't ensure appropriate protection, we will let you know and seek your consent before sending your information overseas.

You have the right to ask us to:

• confirm whether we hold personal information about you.
• give you access to that information.
• correct any information that is out of date, incomplete or wrong.

To make a request, contact us at [email protected] or write to us at 14 Wiltshire Street, Arrowtown, Queenstown Lakes 9302. We will respond within 20 working days.

If you have questions or concerns about this policy or how we handle your personal information, please contact us:

Email: [email protected]
Phone: (03) 441 2227 | 0800 4 Roost
Post: 14 Wiltshire Street, Arrowtown, Queenstown Lakes 9302

We will acknowledge your complaint within three working days and aim to resolve it within five working days. If it is going to take longer, we will keep you informed and give you a date by which you can reasonably expect a response.

If you are not satisfied with our response, you can contact the Office of the Privacy Commissioner:

Office of the Privacy Commissioner
PO Box 10-094, Wellington 6140, New Zealand
Phone: 0800 803 909
Email: [email protected]
Website: www.privacy.org.nz

We may update this policy from time to time. The current version is always available on our website at www.roost.co.nz/privacy-policy.html. We will notify you of material changes by email or a notice on our website.

Last updated: April 2026