1.  INTRODUCTION

Last Updated: 5 March 2026

This Privacy Policy explains how Koru SaaS Limited T/A CaseCRM (“CaseCRM”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards your personal information when you:

• Visit our website (www.CaseCRM.co.nz)
• Interact with us
• Use our CaseCRM Service (cloud-based CRM platform tailored for immigration advisers and agencies)

This policy applies to data collected from individuals in New Zealand, the European Union, the United Kingdom, Switzerland, and elsewhere. It reflects our obligations under:

• New Zealand Privacy Act 2020
• European Union’s General Data Protection Regulation (GDPR)
• Immigration Act 2009 (NZ) and INZ compliance requirements
• Applicable international privacy frameworks

Please read this Privacy Policy carefully. If you have any questions or concerns, contact us at: info@CaseCRM.co.nz.

1. WHO WE ARE

Koru SaaS Limited T/A CaseCRM is a New Zealand registered company that provides software-as-a-service (SaaS) platforms specifically tailored for immigration case management, client relationship management, and visa application workflows.

Our primary website: www.CaseCRM.co.nz

This website and service is not intended for children. We do not knowingly collect data relating to minors.

Koru SaaS Privacy Policy 

1. INFORMATION WE COLLECT

We collect personal data that identifies you as an individual or relates to an identifiable individual. For immigration advisers, this specifically includes:

Identity Data – Name, title, company, login credentials, Immigration Adviser Licence Number

Contact Data – Email address, phone number, physical or billing address, passport details

Financial Data – Encrypted token data for payments (processed by third parties)

Transaction Data – Details of services purchased, payment history, visa application fees

Usage Data – How you use our immigration CRM, interactions with visa trackers and client portals

Technical Data – IP address, login data, browser type, time zone, device info

Profile Data – Preferences, feedback, immigration case notes, support communications

Tracking Data – Cookies, web beacons, pixels, mobile identifiers

Marketing & Communications Data – Preferences for immigration updates and compliance alerts

Immigration Client Data (when inputted by advisers):

• Visa application details (e.g., INZ form data, supporting documents)
• Biometric data (e.g., passport photos, fingerprints – only if uploaded)
• Employment and qualification documents
• Family and dependency information

Special Categories: We do not actively collect sensitive data (e.g., health, religious beliefs, criminal records) unless required for legitimate immigration purposes and with your explicit consent as the data controller. Any such data uploaded to client files is processed solely per your instructions and secured to the highest standards.

1. HOW WE COLLECT YOUR DATA

We collect data through:

• Direct interactions (account creation, support tickets, INZ form uploads)
• Automated technologies (cookies, analytics, immigration workflow logs)
• Third-party sources (payment processors, INZ APIs, verification partners)

Koru SaaS Privacy Policy 

1. HOW WE USE YOUR DATA

We use your personal data to:

• Provide immigration CRM services (case management, client portals, visa trackers)
• Process transactions and INZ filing fees
• Authenticate users and secure sensitive immigration data
• Communicate compliance updates, visa alerts, and support
• Conduct immigration industry research and feedback analysis
• Fulfill INZ, legal, and regulatory obligations

We never sell your personal data. Any use beyond these purposes requires your explicit consent.

1. DISCLOSURE OF YOUR INFORMATION

We may disclose your information:

• To trusted subprocessors (hosting, payments, INZ integrations)
• To Immigration New Zealand (INZ) or law enforcement when legally required
• To fulfill immigration compliance or contractual obligations
• In case of merger, acquisition, or asset transfer

All subprocessors adhere to NZ Privacy Act and GDPR standards.

1. INTERNATIONAL TRANSFERS

Your data (including immigration client files) may be stored or processed outside New Zealand, including Australia and other jurisdictions.

Where personal data is transferred internationally, CaseCRM ensures safeguards such as:

• Standard contractual clauses
• Adequacy decisions
• Data processing agreements with our technology partners and licensed platform providers

You consent to such transfers as outlined in our Terms of Service.

1. YOUR RIGHTS UNDER GDPR & NZ PRIVACY ACT

You have the right to:

Koru SaaS Privacy Policy 

• Access personal data we hold about you
• Request correction of inaccurate immigration data
• Request deletion (right to be forgotten – subject to INZ retention requirements)
• Restrict or object to processing
• Request data portability (e.g., export visa case files)
• Withdraw consent for processing
• Complain to the NZ Privacy Commissioner or relevant EU/UK authority

To exercise your rights, contact info@CaseCRM.co.nz. We may request verification (e.g., Immigration Adviser ID). Response within 30 days.

1. DATA RETENTION

• Active accounts: Retained as needed for immigration services
• Terminated accounts: Securely deleted within 90 days, except where INZ requires retention (up to 7 years for visa records)

• Biannual clean-up cycles for compliance

1. COOKIES & TRACKING TECHNOLOGIES

Cookies enable:

• Session continuity for visa form submissions
• User preferences (e.g., case dashboard layouts)
• Immigration workflow improvements
• Compliance analytics

Manage via browser settings. Blocking may affect INZ form functionality.

1. SECURITY MEASURES

We implement:

• Role-based access control (adviser vs. client portal)
• End-to-end encryption for immigration documents
• Firewall protection and regular INZ-compliance audits
• Monitoring of visa data access logs
• Integrated third-party technologies secured to industry standards

Koru SaaS Privacy Policy 

1. THIRD-PARTY SERVICES & SUBPROCESSORS

CaseCRM uses subprocessors to deliver its immigration CRM, including:

• Amazon Web Services – Secure cloud hosting for visa files
• Microsoft Azure – Data storage and backups
• Stripe & GoCardless – Payment processing
• Google Workspace – Secure email for INZ communications
• Licensed platform providers – Core CRM infrastructure (customized for immigration)
• Postmark – Transactional email delivery
• INZ APIs – Official visa application integrations

We maintain data processing agreements with all subprocessors and conduct annual compliance audits. Full list available upon request to info@CaseCRM.co.nz.

1. DATA SUBJECT REQUESTS ON BEHALF OF CLIENTS

If you are an immigration adviser using CaseCRM to manage your clients’ visa data:

• You remain the data controller
• We act as your data processor
• We support you in fulfilling client access requests, corrections, or deletions per INZ guidelines
• Contact info@CaseCRM.co.nz with client authorization

1. PRIVACY FRAMEWORK COMPLIANCE

CaseCRM adheres to:

• NZ Privacy Act 2020 (13 APPs)
• GDPR (Art. 28 processor obligations)
• Immigration Act 2009 (client data handling)
• Cross-border transfer safeguards

1. PRIVACY COMPLAINTS

Contact: info@CaseCRM.co.nz

Escalation:

• NZ Privacy Commissioner: https://www.privacy.org.nz/your-rights/making-a-complaint/
• EU/UK Data Protection Authority in your jurisdiction

Koru SaaS Privacy Policy 

1. CHANGES TO THIS POLICY

Updates posted at www.CaseCRM.co.nz/privacy. Significant changes emailed to registered advisers. Continued use indicates acceptance.

1. CONTACT US

Koru SaaS Limited T/A CaseCRM

Email: info@CaseCRM.co.nz

Website: www.CaseCRM.co.nz

Support: info@CaseCRM.co.nz

1. DEFINITIONS

• Personal Data: Information relating to an identifiable individual (including immigration clients)
• Processing: Any operation on personal data (e.g., visa form auto-population)
• Subprocessor: Third party processing data on behalf of CaseCRM
• Services: CaseCRM immigration CRM platform, website, and tools