Consumer and website privacy notice

We are Bachcare Limited. Our registered office is Level 26, PWC Tower, 15 Customs Street West, Auckland 1010, New Zealand.

We are part of a wider Group of companies called Forge Holiday Group which includes Forge Holiday Group Ltd, Forest Holidays Limited and Sykes Cottages Limited whose registered office are One City Place, Queens Road, Chester, CH1 3BQ United Kingdom. We share some services such as Technology, Cyber Security, Legal, and Marketing. We have Group information sharing agreements in place to govern this information sharing.

If you need to get in touch with our Privacy Officer, the easiest way to do it is by email: privacy@bachcare.co.nz

We collect personal data when you:

• Book a holiday with us.

• Visit our website.

• Contact us by phone, email, live chat, social media, or other channels.

• Enter competitions or respond to surveys.

We may collect:

• Your name, address, email, phone number, title, and country of residence.

• Details of other people in your travel party. Before providing us with such personal information you must tell them that you have given us their data, the purpose for which their data has been collected and refer them to this privacy policy

• Social media identifiers if you interact with us online.

• Information from public sources to help verify your identity.

• Technical data like your IP address, browser type, device info, and location settings.

• Marketing preferences, cookie consents, and how you use our website or app.

If you book through a third-party site (like Airbnb or Booking.com), we receive your data from them. What we get depends on their privacy policy.

If you provide information about children, you're responsible for getting the right consent from them or their parent/guardian.

Special category data

In the course of providing our services, we may occasionally collect special category data, such as information about your or a member of your travel party's health. This may include details you provide to us about accessibility requirements for accommodation or health-related reasons for cancelling a booking. We will only collect and use this information:

• With your explicit consent, or

• Where there is a legal basis to do so, such as protecting vital interests or complying with public health obligations.

We treat all such data with the highest level of confidentiality and only use it for the purpose for which it was provided.

We use your personal data for the following purposes:

Managing Your Booking

We use your data to:

• Process your holiday booking.

• Support the rental agreement between you and the property owner.

• Share your details with the property owner (who is a separate data controller).

Account and Customer Portal Access

We use your data to:

• Create and manage your account.

• Give you access to your bookings, feedback, and personalised offers via our website.

Customer Service and Complaints

We use your data to:

• Respond to enquiries and complaints.

• Mediate between you and property owners if issues arise during your stay.

• Verify facts using call recordings or chat transcripts.

• Operate our global property restriction policy.

Global Booking Restrictions

In rare cases we process your personal data to operate our global restrictions policy. This means that if you have breached our booking terms or policy (for example, due to serious misconduct, fraudulent activity, or behaviour that poses a risk to property or safety), we may restrict you from making future bookings across our brands.

This includes:

• Identifying serious misconduct or fraudulent activity.

• Applying restrictions across all brands to protect property and safety.

• Maintaining records of breaches to prevent repeat incidents.

Know Your Customer (KYC) Checks

Very occasionally we carry out KYC checks to verify customer identity and prevent financial crime.

This includes:

• Collecting and validating identification documents where required.

• Using third-party verification tools to confirm identity and reduce fraud risk.

Payments and Financial Management

We use your data to:

• Manage payments, fees, and refunds.

• Recover debts, which may involve third-party agencies.

Marketing and Promotions

We use your data to:

• Send you marketing communications about future bookings, offers, and related products.

• Personalise advertising and promotional content.

• Run competitions and loyalty schemes.

You can withdraw your consent or object to marketing communication at any time via unsubscribe links or your customer portal.

Legal & Regulatory Compliance and Business Operations

We may process your data to:

• Comply with Financial, Legal and Audit obligations.

• Carry out internal and external audits, staff training, and internal reporting.

• Prepare financial accounts and aggregated data for public disclosure.

• Cooperate with regulators and public authorities (e.g. IRD, police, local councils).

Security and Business Operations

We use your data to:

• Maintain cybersecurity and protect our systems from threats

• Monitor and prevent fraud or unauthorised access

• Ensure the availability and integrity of our IT infrastructure.

• Support business continuity and disaster recovery planning

• Manage internal governance, risk and compliance processes.

Data Analytics & Behaviour Analysis & Website Usage

We use data analytics to help us understand how customers interact with our services, improve our offerings, and make informed business decisions.

This includes:

• Analysing how people use our website and app (e.g. pages visited, time spent, clicks).

• Using cookie and tracking technologies to understand browsing behaviour (where consent is given).

• Aggregating booking and customer service data to identify trends and improve performance.

• Using our data warehouse to combine and analyse data from multiple sources (e.g. bookings, feedback, marketing responses, customer service interactions) to: Improve customer experience, forecast demand and plan resources, Personalise offers and communications, monitor business performance and support strategic decisions.

User Experience and Market Research

We may invite you to take part in research or surveys to improve our services. We'll provide more details at the time.

Artificial Intelligence (AI) and Automated Tools

We use AI technologies to improve and personalise our services, customer experience, and operational efficiency. This includes:

• Chatbots and Virtual Assistants: If you contact us via live chat or certain digital channels, you may interact with an AI-powered chatbot. We will always make it clear when you are communicating with an AI tool.

• Call Transcription and Analysis: Calls to our customer service teams may be recorded, transcribed, and analysed using AI tools. This helps us improve service quality, resolve issues, and train our AI systems.

• Review and Feedback Analysis: We use AI to scan and analyse customer reviews and feedback to identify trends and improve our services.

• Training AI Models: We may use anonymised or pseudonymised call transcripts and interaction data to train and improve our AI tools.

• Transparency: We are committed to being open about our use of AI. We will always let you know when you are interacting with an AI system.

Property Owners

We'll share some of your personal information (like your name, contact telephone or email address) with the owner of the property you have booked. This ensures they know you are coming to get ready for you and can provide timely assistance during your stay should you require it.

If you make a complaint about the property or leave a review following your stay, the content of your complaint or review may be shared with the property owner. This is necessary to help them understand and respond to feedback, address any issues raised, and improve the quality of their accommodation and service.

Important: When you book a property, you have a contract with us as the booking agent and a contract with the owner of the property, the owner becomes a separate data controller for any personal data they receive about you (for example, your name or contact details). This means they have their own legal responsibilities under data protection law to keep your information secure and use it only for lawful purposes.

Other Group companies

Other companies in the Forge Holiday Group may receive your personal data when necessary for the provision of shared services.

IT service providers

Our technology is often hosted in the cloud, and we use a number of service providers such as our cloud hosting providers, CRM provider, security software providers to support our websites and other technology stacks.

Professional advisors

We use external auditors, legal advisors, insurers and banks among others who will sometimes receive your personal information.

Public authorities

This may include law enforcement bodies, the courts, regulators, government and local government bodies and agencies, IRD and other public bodies.

Payment services providers

We use specialist companies to process payment card details.

Marketing partners

We use many service providers to assist in our marketing efforts,

Third party booking platforms

These include but are not limited to AirBnB, Vrbo, Booking.com, TripAdvisor, Expedia and similar companies. They may pass the information on to other advertising partners.

Purchasers or potential purchasers of our business

Third parties whom we may choose to sell, transfer, or merge parts of our business or our assets. If a change of ownership happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.

Where our Group provides shared services on behalf of Bachcare, this may involve the transfer of data to the United Kingdom. Whenever we transfer your personal data internationally, we make sure it is protected in line with UK GDPR requirements

We also use some trusted service providers located outside the UK. For example, the United States – where we use a range of technology or infrastructure providers.

We only transfer personal data where necessary for our services, and we ensure appropriate technical, contractual and legal safeguards are in place to protect your rights.

We keep most customer data for six years after the end of the financial year in which your last booking took place. This is to meet our legal, accounting, and insurance obligations, and to help us respond to any queries or complaints.

In some cases, we may keep data for longer if required by law or if there is an ongoing dispute or debt.

Right to access

You can ask to see the personal data we hold about you.

Right to correction

You can ask us to correct personal information that is inaccurate or incomplete.

Right to object to direct marketing

You can ask us to stop sending you marketing communications at any time.

You also have the right to complain to us

If you're unhappy with how we've handled your personal information, we'll do our best to resolve your concerns quickly and fairly.

Please send an email to privacy@bachcare.co.nz.

You always have the right to complain to the regulator. In New Zealand this is the Office of the Privacy Commissioner. You can find their details at privacy.org.nz or on 0800 803 909.

The Office of the Privacy Commissioner generally asks that you raise your concern with us first and give us a reasonable opportunity to respond. We would also appreciate the opportunity to try to resolve your complaint directly, as we prefer to resolve matters quickly, fairly and amicably where we can.

For marketing and recommendations purposes we may process your data in ways that tell us what you are likely to want to see from us and products that may interest you. We may also make certain offers available to you on this basis. This profiling is automated and may use Machine Learning or Artificial Intelligence tools to give us the results.

We always record the date on which the privacy policy has been changed at the top of this page. You can ask us for copies of previous privacy policies and when they were effective from at any time. When we change our purposes for processing your data we will let you know either through this privacy policy or by sending you a direct communication if we think it has a large impact on you. Regular communications may indicate when we have updated this policy and ask you to take a look at it.

Our website may include links to and from third-party websites, social media, plug-ins and applications. By clicking on these links or enabling connections you may be allowing third parties to collect or share your personal data. We have no control over these third-party websites, plug-ins or applications and are not responsible for their privacy policies, therefore you should also read their privacy policies to understand what personal data they collect about you and how they use it.

We are Bachcare Limited. Our registered office is Level 26, PWC Tower, 15 Customs Street West, Auckland 1010, New Zealand.

We are part of a wider Group of companies called Forge Holiday Group which includes Forge Holiday Group Ltd, Forest Holidays Limited and Sykes Cottages Limited whose registered office are One City Place, Queens Road, Chester, CH1 3BQ United Kingdom. We share some services such as Technology, Cyber Security, Legal, and Marketing. We have Group information sharing agreements in place to govern this information sharing.

If you need to get in touch with our Privacy Officer, the easiest way to do it is by email: privacy@bachcare.co.nz

We collect personal information when you:

• Register as an owner or enquire about letting your property, attend one of our events or webinars.

• Communicate with us by phone, email, live chat, or social media.

• Use our owner portal, website or app.

• Respond to surveys or marketing campaigns.

What we collect may include:

• Your name, address, email, phone number, and country of residence.

• Financial details such as bank account information, tax status, GST numbers.

• Property details including address, photos, and service preferences.

• Technical data like IP address, browser type, and device information.

• Marketing preferences and cookie consents.

We may also collect information from public sources (e.g., Companies Office, Land Registry).

We also collect identity verification information from you as required by the Anti-Money Laundering and Countering Financing of Terrorism Act 2009, including a government-issued identity document, a live selfie and biometric information generated from a facial comparison of that selfie against your identity document.

This may be carried out using a third party electronic identity verification service. It is your decision whether you wish to provide your biometric information to us via this process. If you do not consent to us collecting and disclosing your biometric information using this process, you will need to contact us (by email: kyc@bachcare.co.nz) to use an alternative method to complete your identity verification.

Managing Your Account and Property Listing

We use your data to:

Set up and maintain your owner account. Manage your property listing and ensure accurate details. Communicate with you about your property and bookings, complaints, property issues and reviews.

Providing Services

We use your data to: Facilitate bookings and manage rental agreements.

Coordinate managed services (e.g., cleaning, maintenance). Introduce you to insurance partners if requested. Send you essential updates about our terms, business operations or changes to short term holiday let legislation or requirements.

Owner Portal and App Access

We use your data to:

Provide updates and tools to manage your property.

Marketing and Promotions

We use your data to: Send marketing communications about new services, offers, and industry updates. Personalise advertising and promotional content.

You can withdraw consent or update preferences anytime via your owner portal or by contacting us.

Financial Management

We use your data to: Process payments, fees, and refunds.

Manage debt recovery, which may involve third-party agencies.

Business Acquisitions

If you are a customer of a business we acquire, we may continue to process your data in line with that business's privacy policy.

Legal & Regulatory Compliance and Business Operations

We may process your data to:

• Comply with Financial, Legal and Audit obligations.

• Verify your identity as required by the Anti-Money Laundering and Countering Financing of Terrorism Act 2009, including by processing your biometric information through an automated comparison of a live selfie against your identity document photograph.

• Carry out internal and external audits, staff training, and internal reporting.

• Prepare financial accounts and aggregated data for public disclosure.

• Cooperate with regulators and public authorities (e.g. IRD, police, local councils).

Security and Business Operations

We use your data to:

• Maintain cybersecurity and protect our systems from threats

• Monitor and prevent fraud or unauthorised access

• Ensure the availability and integrity of our IT infrastructure.

• Support business continuity and disaster recovery planning

• Manage internal governance, risk and compliance processes.

Data Analytics & Behaviour Analysis, Website & App Usage

We use data analytics to help us understand how customers interact with our services, improve our offerings, and make informed business decisions.

This includes:

• Analysing how people use our website and app (e.g. pages visited, time spent, clicks).

• Using cookie and tracking technologies to understand browsing behaviour (where consent is given).

• Aggregating booking and customer service data to identify trends and improve performance.

• Using our data warehouse to combine and analyse data from multiple sources (e.g. bookings, feedback, marketing responses, customer service interactions) to: Improve customer experience, forecast demand and plan resources, personalise offers and communications, monitor business performance and support strategic decisions.

User Experience and Market Research

We may invite you to take part in research or surveys to improve owner engagement and our services.

Artificial Intelligence (AI) and Automated Tools

We use AI technologies to improve our services, customer experience, and operational efficiency. This includes:

• Chatbots and Virtual Assistants: If you contact us via live chat or certain digital channels, you may interact with an AI-powered chatbot. We will always make it clear when you are communicating with an AI tool.

• Call Transcription and Analysis: Calls to our customer service teams may be recorded, transcribed, and analysed using AI tools. This helps us improve service quality, resolve issues, and train our AI systems.

Guests

We may share some of your details (such as your name, phone or email address) with guests when required and on request. When guests stay at your property, you are also a data controller for their personal data (for example, when you receive their names or contact details). This means you must handle that data lawfully and securely.

Other Group companies

Other companies in the Forge Holiday Group may receive your personal data either when necessary for the provision of shared services.

IT service providers

Our technology is often hosted in the cloud, and we use a number of service providers such as our cloud hosting providers, CRM provider, security software providers to support our websites and other technology stacks.

We share your identity verification information with our identity verification service providers to carry out the checks we are required to complete under law. This processing is carried out by our identity verification service providers outside New Zealand, in jurisdictions with privacy protections comparable to New Zealand law, and your information will not be used by those providers for any purpose other than completing your identity verification.

Professional advisors

We use external auditors, legal advisors, insurers and banks among others who will sometimes receive your personal information.

Public authorities

This may include law enforcement bodies, the courts, regulators, government and local government bodies and agencies, IRD and other public bodies.

Payment services providers

We use specialist companies to process payment card details.

Marketing partners

We use many service providers to assist in our marketing efforts,

Purchasers or potential purchasers of our business

Third parties whom we may choose to sell, transfer, or merge parts of our business or our assets. If a change of ownership happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.

Where our Group provides shared services on behalf of Bachcare, this may involve the transfer of data to the United Kingdom. Whenever we transfer your personal data internationally, we make sure it is protected in line with UK GDPR requirements

We also use some trusted service providers located outside the UK. For example, the United States – where we use a range of technology or infrastructure providers.

We only transfer personal data where necessary for our services, and we ensure appropriate technical, contractual and legal safeguards are in place to protect your rights.

We keep most owner data (including biometric data collected for identity verification purposes) for six years after the end of the financial year in which your last booking took place. This is to meet our legal, accounting, and insurance obligations, and to help us respond to any queries or complaints.

In some cases, we may keep data for longer if required by law or if there is an ongoing dispute or debt.

We take reasonable steps to keep personal information in our possession safe from loss or misuse and to protect the security or integrity of our website and our business. Any biometric information you provide to us is encrypted and access is restricted to authorised staff members only.

We have assessed the scope, extent and degree of privacy risk from the biometric processing referred to in this privacy policy and have determined that the benefit of achieving the lawful purpose through this process outweighs any privacy risk.

Right to access

You can ask to see the personal data we hold about you.

Right to correction

You can ask us to correct inaccurate or incomplete personal data.

Right to object to direct marketing

You can ask us to stop sending you marketing communications at any time.

You also have the right to complain to us

If you're unhappy with how we've handled your personal data, we'll do our best to resolve your concerns quickly and fairly.

Please send an email to privacy@bachcare.co.nz.

You always have the right to complain to the regulator. In New Zealand this is the Office of the Privacy Commissioner. You can find their details at privacy.org.nz or on 0800 803 909.

The Office of the Privacy Commissioner generally asks that you raise your concern with us first and give us a reasonable opportunity to respond. We would also appreciate the opportunity to try to resolve your complaint directly, as we prefer to resolve matters quickly, fairly and amicably where we can.

For marketing and recommendations purposes we may process your data in ways that tell us what you are likely to want to see from us and products that may interest you. We may also make certain offers available to you on this basis. This profiling is automated and may use Machine Learning or Artificial Intelligence tools to give us the results.

We always record the date on which the privacy policy has been changed at the top of this page. You can ask us for copies of previous privacy policies and when they were effective from at any time. When we change our purposes for processing your data we will let you know either through this privacy policy or by sending you a direct communication if we think it has a large impact on you. Regular communications may indicate when we have updated this policy and ask you to take a look at it.

Our website may include links to and from third-party websites, social media, plug-ins and applications. By clicking on these links or enabling connections you may be allowing third parties to collect or share your personal data. We have no control over these third-party websites, plug-ins or applications and are not responsible for their privacy policies, therefore you should also read their privacy policies to understand what personal data they collect about you and how they use it.