NZ Solar Centre

How We Protect Your Data (Compliance with the Privacy Act 2020)

Posted by author-avatar
0
How We Protect Your Data (Compliance with the Privacy Act 2020)

Here is the short version: when you ask us for solar quotes, your details go to a maximum of three installers we have personally vetted, and to nobody else. We do not sell your name and number to a pool of five, ten, or fifteen competing companies. We are not a lead-generation auction. Under the Privacy Act 2020, you have a legal right to know who holds your information and why, and the Office of the Privacy Commissioner enforces that right. We treat those obligations as the floor, not the ceiling. Your data stays inside a closed loop you can see the edges of, and you can ask us to delete it at any time.

That probably sounds like the kind of thing every website says. So let us show you the actual mechanics, because the difference between a genuine privacy promise and a meaningless one is in the plumbing, not the marketing.

Why this matters more in solar than almost anywhere else

If you have ever filled in a "get a free solar quote" form online, you will know what happens next. Your phone rings. Then it rings again. Then a different company emails. By the end of the week you have had six calls from five firms you have never heard of, all reading from the same script.

That is not an accident. It is the business model. A lot of solar websites in New Zealand are not solar companies at all. They are lead brokers. They collect your contact details and sell them, often to multiple installers at once, sometimes more than once. The more buyers per lead, the more the broker earns. You are the product.

We think that is a rotten deal for the homeowner, and frankly it produces worse outcomes. When five firms are racing to call you first, the conversation is about closing you, not about whether solar even makes sense for your roof. We built our whole approach to be the opposite of that, and we explain the full philosophy behind it in our promise to New Zealand homeowners.

What the Privacy Act 2020 actually requires

The Privacy Act 2020 came into force on 1 December 2020 and replaced the 1993 Act. It is administered by the Office of the Privacy Commissioner, and it sets out 13 Information Privacy Principles (IPPs) that any organisation collecting personal information must follow.

You do not need to memorise all 13, but a few are worth knowing because they are exactly the ones lead brokers tend to stretch:

  • IPP 1 and 2: we can only collect personal information for a lawful purpose connected to what we do, and we should collect it directly from you.
  • IPP 3: when we collect it, we have to tell you why, who will receive it, and that you can access and correct it.
  • IPP 10: we can only use your information for the purpose we collected it for. We collected it to get you solar quotes. We cannot quietly repurpose it to sell you a heat pump, a kitchen, or anything else.
  • IPP 11: we have strict limits on disclosing your information to anyone else.
  • IPP 12: tight rules apply if information is sent outside New Zealand.

Since the 2020 Act, organisations also have to report serious privacy breaches to the Privacy Commissioner and to affected people. There are real consequences now, not just a polite letter.

The honest truth is that selling your contact details to multiple installers is not automatically illegal under the Act, provided a company buries a line about it in their privacy policy and you tick the box. That is the loophole. Compliance with the law and respect for the homeowner are two different bars, and a surprising number of operators clear the first while sailing straight past the second.

What "closed ecosystem" actually means here

We use the phrase "closed ecosystem" and we want to be precise about it, because vague reassurance is worth nothing.

Here is the closed loop, start to finish:

  • You tell us about your roof, your power use, and how to reach you.
  • We match you with up to three installers from our vetted list who actually service your region and suit your situation.
  • Those installers contact you and quote.
  • Nobody else gets your details. Not a fourth installer, not a finance company, not an "energy partner", not an advertising network.

The number three is deliberate. It is enough to give you a genuine comparison on price and approach, and few enough that you are not drowning in calls. If we only sent you one quote, you could not compare. If we sent your details to ten, we would be doing the exact thing we built this place to avoid.

The installers we pass you to have been through our checks first, which we lay out step by step in our 13-step installer vetting process. Part of being on that list is agreeing to use your details only to quote your job. If an installer in our network ever misused homeowner information, they would be off the list. That is the leverage a closed ecosystem gives you that an open auction never can.

The unique bit: why "we don't sell your data" and "we don't share your data" are not the same thing

This is the part almost nobody explains, and it is where homeowners get caught.

A privacy policy can say, in good faith, "we do not sell your personal information," and still pass your details to a dozen companies. How? Because legally, selling data and sharing data are different acts. A company can avoid the word "sell" by structuring the arrangement as a referral, a partnership, or a "panel" of installers who pay a membership fee rather than a per-lead price. No money changes hands for your specific record, so technically nothing was sold. Your phone still rings nine times.

So when you are reading any solar website's privacy policy, do not just search for the word "sell". Look for the answer to a sharper question: how many third parties can receive my details, and can I see who they are before I submit? If the policy says your information may be shared with "our partners", "selected providers", or "third parties who may contact you with offers", that is the tell. Vague plural nouns are where your data goes to multiply.

Our answer to that sharper question is a hard cap: a maximum of three named installers, all of whom you will know the identity of, and zero advertising or marketing third parties. We would rather lose your business than turn you into a lead someone else resells.

What we actually collect, and what we do not

We try to collect only what is genuinely needed to get you useful quotes. In practice that is:

  • Your name and contact details, so installers can reach you.
  • Your address or suburb, because it determines your sun hours, your roof, and which lines company you sit under (Vector in Auckland, Orion across Canterbury, Aurora down in Dunedin and Central Otago, and so on). Your network matters enormously for the maths.
  • Rough information about your power use and roof, so the quotes you get are realistic rather than generic.

We do not need, and do not ask for, your bank details, your IRD number, or anything else that has no business being in a solar enquiry. If you ever fill in a solar form that wants your bank account "to check finance eligibility" before you have even spoken to a human, close the tab. We cover that and a dozen other warning signs in our solar scam checklist.

Where your data lives and who can touch it

Information you give us is stored securely and access is limited to the people who actually need it to match you with installers. We do not maintain a giant database that we mine to retarget you with ads for years afterwards.

If any of your information is processed on systems hosted outside New Zealand (a lot of standard web tools are), the Privacy Act's IPP 12 still applies, which means we have to make sure comparable protections are in place. We would rather tell you that plainly than pretend every byte sits in a server room in Hamilton.

One genuinely useful development worth knowing about: New Zealand is rolling out a Consumer Data Right, beginning with banking and extending toward the energy sector. In time, this is designed to let you securely share your own electricity usage data with providers you choose, on your terms, rather than having it scattered around without your say. We explain what that means for solar shoppers in our piece on the Consumer Data Right for energy. It is a meaningful shift toward you owning your own data, and we are right behind it.

Your rights, and how to use them

Under the Privacy Act 2020 you have clear, free rights over the information we hold about you:

  • The right to access it. You can ask us what we hold about you, and we have to tell you (generally within 20 working days).
  • The right to correct it. If something is wrong, you can ask us to fix it.
  • The right to have it deleted. Ask us to remove your details and we will, unless we are legally required to keep something.
  • The right to complain. If you think we have mishandled your information, you can complain to us, and if you are not satisfied, escalate to the Office of the Privacy Commissioner, which can investigate at no cost to you.

To exercise any of these, you just contact us and ask. There is no form to buy, no hoop to jump through. That is the law working as intended, and we are glad to follow it.

How to vet any solar website's privacy practice in two minutes

Whether or not you ever use us, this is a practical skill worth having before you hand your number to anyone. Run through this quick check on any solar quote site:

  • Find the privacy policy before you fill in the form. If it is hard to find, that is information in itself.
  • Search the page for the words "partners", "third parties", and "providers". Count how many separate parties could end up with your details. If it is open-ended, assume the worst.
  • Look for a number. A trustworthy operator will tell you exactly how many companies will contact you. "Up to three" is a promise. "Selected partners" is a doorway.
  • Check who they actually are. Is the site an installer, a genuine matching service with a vetted list, or a faceless lead broker with no installers of its own? If you cannot tell what the business actually does, it is probably selling leads.
  • Look for a deletion and access promise. A company that respects the Privacy Act will mention your rights without being asked.

Do that, and you will dodge the worst of the spam before it ever starts.

Being honest about the limits

We will not pretend we can control everything. Once you choose to engage with an installer and sign up for their service, that installer becomes responsible for your information as their own customer, under their own privacy obligations. Our promise covers how we handle your data and the strict limits on who we pass it to. It cannot extend to a company you decide to do business with afterwards, although the fact that they came through our vetted network means they have already agreed to play fairly.

We also use ordinary website analytics to understand how people find and use the site, the same as nearly every business in the country. That is not the same as selling your identity, and we keep it to genuinely aggregate, non-creepy measurement.

And no system is perfect. The Privacy Act recognises this, which is why it focuses on reasonable safeguards and prompt, honest reporting if something goes wrong. If we ever had a serious breach, you would hear about it from us, not read about it later.

What it comes down to

The reason people get burned in solar is rarely the panels. It is the process. It starts the moment your details get sold into an auction and the calls begin. We built a closed loop precisely so that never happens to you: up to three vetted installers, named, no resale, full rights to access and delete, and the Privacy Act 2020 as the legal backbone underneath it all.

Where to go from here

If you want to see what good looks like in practice, the best next step is to run your own numbers with no contact details required at all using our solar cost and ROI calculator. From there, read up on how we choose who gets on our list in the first place through our installer vetting process, and the wider thinking behind it all in our promise to New Zealand homeowners.

When you are ready to talk to real people, you will know exactly who is on the other end of the line, and exactly what they can and cannot do with your details. That is the whole point.

Frequently Asked Questions

Do you sell my contact details to solar companies?

No. We pass your details to a maximum of three installers we have already vetted, and to nobody else. We are not a lead broker, we do not run an auction, and we do not earn money by reselling your information to a pool of competing firms.

How many companies will actually contact me?

Up to three, all from our vetted list, all servicing your region. We cap it deliberately so you get a genuine comparison without your phone ringing off the hook. If you would rather hear from fewer, just tell us.

What law protects my information in New Zealand?

The Privacy Act 2020, administered by the Office of the Privacy Commissioner. It sets out 13 Information Privacy Principles covering how organisations collect, use, store, and disclose your personal information, and it gives you the right to access, correct, and delete what is held about you.

Can I ask you to delete my data?

Yes. Just contact us and ask, and we will remove your details unless we are legally required to retain something specific. You also have the right to ask what we hold and to correct anything that is wrong, generally within 20 working days.

What information do you actually need from me?

Your name and contact details, your address or suburb (it determines your sun hours and which lines company you sit under), and rough information about your power use and roof. We never ask for bank details or your IRD number at the enquiry stage, and you should be wary of any solar site that does.

If a privacy policy says "we don't sell your data", am I safe?

Not necessarily. Selling and sharing data are legally different. A company can avoid the word "sell" while still passing your details to many "partners" through referral or panel arrangements. Look instead for a clear, capped number of named recipients, which is the real test.

Is my data sent overseas?

Some standard web tools are hosted outside New Zealand, and where that happens, IPP 12 of the Privacy Act still requires comparable protections to be in place. We keep offshore processing to ordinary infrastructure, not the resale of your identity, and we would rather be upfront about that than pretend otherwise.

What happens to my data after an installer quotes me?

Once you choose to deal directly with an installer, they become responsible for your information as their own customer under their own privacy obligations. Because they came through our vetted network, they have already agreed to handle homeowner details fairly, but their relationship with you from that point is theirs.

What if I think my information has been mishandled?

Contact us first so we can put it right. If you are not satisfied, you can complain to the Office of the Privacy Commissioner, which investigates privacy complaints at no cost to you. Since the 2020 Act, serious breaches must also be reported to the Commissioner and to affected people.

author-avatar

About Elizabeth Rangel

Elizabeth Rangel is the lead consumer advocate and resident energy nerd at NZ Solar. With a sharp eye for corporate jargon and a passion for renewable tech, Elizabeth’s mission is simple: to make solar energy accessible, transparent, and completely nonsense-free for every Kiwi homeowner. She knows that navigating export tariffs, battery specs, and installer quotes can feel like learning a second language. That’s why she writes with our signature "trustworthy shopkeeper" ethos—breaking down complex grid rules and ROI math as if she’s explaining it to a good friend over a flat white. Whether she’s exposing hidden margin games, comparing the latest dynamic energy tariffs, or decoding warranty fine print, Elizabeth is fiercely protective of your pocket. When she’s not crunching the numbers on the newest solar tech, you can usually find her chasing the sun around the Wellington coastline.

Newer
Understanding the Consumer Data Right (Open Banking for Energy)
Back to list
Older Our 13-Step Installer Vetting Process

Related Posts

    Leave a Reply