Kia Orana Villas & Spa

Privacy & Cookies Policy

How we look after the information you share with us.

NZ Privacy Act 2020 · EU GDPR · UK GDPR · California CCPA · Australian Privacy Act 1988

This is the Privacy and Cookies Policy for www.kiaoranavillas.com, the website of J. R. Enterprises Limited, trading as Kia Orana Villas and Spa (“we” or “us”).

The Cook Islands does not yet have its own comprehensive privacy legislation. So we’ve chosen to go further than local law requires: we voluntarily comply with the privacy standards of New Zealand, the European Union, the United Kingdom, California, and Australia. Whichever jurisdiction you’re booking from, your information is handled to standards that protect you.

Booking online asks you to trust us with personal information. We take that trust seriously. The pages below explain — in plain English — exactly what we collect, why, who we share it with, your rights, and how we keep it safe. By using this website, you’re accepting the practices described.

1. Why this policy exists

A small Cook Islands hotel that voluntarily meets international privacy standards.

The Cook Islands has not yet enacted its own comprehensive privacy legislation. We could leave it at that — but we’d rather not. So we’ve chosen to comply voluntarily with the privacy laws that protect our guests in their home countries.

This policy reflects the requirements of:

  • The New Zealand Privacy Act 2020 — including all 13 Information Privacy Principles, mandatory breach reporting, and overseas disclosure rules
  • The European Union General Data Protection Regulation (GDPR) — for guests resident in the EU
  • The UK General Data Protection Regulation (UK-GDPR) — for guests resident in the United Kingdom
  • The California Consumer Privacy Act (CCPA) — for residents of California, USA
  • The Australian Privacy Act 1988 — for guests resident in Australia

Whichever country you’re booking from, your personal information is handled to standards that protect you. This policy is also reviewed annually to keep it current with regulatory change.

2. What information we collect

Information you give us, plus a small amount we collect automatically when you visit.

Information you give us directly

When you make a booking, ask a question, or sign up for the Kia Orana Club, you may provide us with:

  • Your name, postal address, email address, and phone number
  • Payment information (card name, number, expiry, CVC) for completing your booking
  • Passport details and dates of birth, where required for guest registration
  • Dietary requirements, accessibility needs, or other preferences relevant to your stay
  • The names and details of travel companions you’re booking for

You can choose not to provide some information, but certain things (your name and payment details, for example) are required to complete a booking.

Information about your travel companions

If you book a stay for someone else, we’ll need their personal information too. By providing it, you confirm they’ve agreed to you sharing it with us. Please share this Privacy Policy with them so they understand how we’ll handle their data.

Information from third parties

We may also receive your information from:

  • Online travel agents (Booking.com, Expedia, Agoda, Airbnb, etc.) when you book through them
  • Travel agents booking on your behalf
  • Our payment processors and partner platforms (limited to what’s needed to complete the transaction)

Information we collect automatically

When you visit our website, we automatically collect basic technical information: your IP address, the type of browser and device you’re using, and which pages you visit. This helps us improve the website, prevent fraud, and personalise your experience. See Section 6 on cookies and tracking.

We do not collect “sensitive personal data” — such as racial or ethnic origin, religious beliefs, political opinions, sexual orientation, or detailed health information — unless you choose to share it (e.g., a dietary requirement that reveals a religious or health-related preference). We never share sensitive data with third parties without your explicit consent.

3. How we use your information

To take your booking, run our business, and stay in touch — nothing more.

Your billing details are used solely to process your booking. We use your other information to:

  • Provide the accommodation, services, and information you ask for
  • Send booking confirmations, travel updates, and arrival/departure logistics
  • Manage your account — including invoices, payments, and notifications
  • Respond to your questions, requests, and feedback
  • Improve our services, the website, and the Kia Orana Club programme
  • Send you offers, promotions, and travel-related information (you can opt out at any time)
  • Resolve disputes, troubleshoot problems, and prevent fraud or illegal activity
  • Comply with our legal obligations

Under GDPR and UK-GDPR, our legal bases for processing your information are: (a) the necessity of completing the contract you have with us (your booking), (b) our legitimate interests as a hotel business, (c) your consent for marketing communications, and (d) compliance with our legal obligations.

4. Who we share your information with

A small number of trusted partners. We do not sell your data to anyone.

Booking platforms (OTAs)

If you book through an online travel agent — Booking.com, Expedia, Agoda, Airbnb, Trip.com, or similar — that platform shares your booking details with us. We share back only what’s needed to complete your stay.

Service providers

We work with carefully selected third-party providers who help us operate. They include:

  • Payment processors — to handle credit card transactions securely
  • Property management software (Newbook) — for guest records and bookings
  • Accounting software (Xero) — for financial records
  • Email and CRM platforms (ActiveCampaign) — for the Kia Orana Club
  • Website infrastructure (Squarespace, hosting providers) — for the website you’re reading now

Each is contractually bound to handle your data confidentially and use it only for the service they provide to us. None are permitted to sell or repurpose your data.

Government and law enforcement

We may need to disclose personal information to government, customs, or immigration authorities — for example, when required by Cook Islands or New Zealand law, or to comply with court orders or legal processes.

In the event of a business transfer

If our business is sold or merged, your personal information may be transferred to the new owner as part of that transaction. The new owner would be required to honour the terms of this policy.

What we do not do

We do not sell your personal information to advertisers, data brokers, or third-party marketers. We may share aggregated, anonymised data (e.g., total website visitor numbers) with partners or investors — this data does not identify you personally.

5. Your rights

Whichever country’s laws apply to you, you have these rights. We honour all of them.

Under the various laws we voluntarily comply with, you have the right to:

  • Access your information — ask us what personal information we hold about you. We’ll respond within 30 days. There’s no charge.
  • Correct your information — ask us to update or fix any information that’s inaccurate or out of date.
  • Erase your information — ask us to delete your data, subject to our legal obligation to retain certain records (e.g., financial records for tax purposes).
  • Restrict or object to processing — ask us to stop using your data for specific purposes (such as marketing).
  • Data portability — ask us to provide your data in a machine-readable format you can transfer to another service.
  • Withdraw consent — if we’re processing your data based on your consent (e.g., for marketing emails), you can withdraw that consent at any time.
  • Lodge a complaint — with your local privacy regulator if you believe we’ve mishandled your information. Contact details for the New Zealand Office of the Privacy Commissioner are at privacy.org.nz.
  • Opt out of marketing emails — via the unsubscribe link in any marketing email, or by contacting our Privacy Officer.

To exercise any of these rights, contact our Privacy Officer using the details in Section 14.

6. Cookies and tracking technologies

Small text files that help the site work properly — and let us understand what’s useful.

Cookies are tiny text files that websites store on your computer or phone. We use them to:

  • Recognise your browser as a returning visitor and remember your preferences
  • Personalise content and offers based on what seems to interest you
  • Measure how well our website features and email communications are working

You can refuse cookies through your browser settings. Most browsers have a Help section explaining how. If you turn cookies off completely, some parts of this website — particularly the booking process — may not work properly.

Other tracking technologies

We may also use Local Shared Objects (sometimes called “flash cookies”) to remember settings, and Web beacons (tiny invisible images) to understand traffic patterns and measure email open rates. None of these can access information on your device beyond what you’ve provided to us through this site.

7. How we keep your information safe

Practical security measures — honestly described.

No website can guarantee absolute security, but we’ve put practical safeguards in place to meet the requirements of IPP 5 (NZ Privacy Act) and equivalent provisions in GDPR and other regulations:

  • Only authorised staff can access personal information, and only when needed for their work
  • We use firewalls and intrusion detection systems
  • Payment details are processed through encrypted, PCI-DSS-compliant payment systems — we do not store full credit card numbers on our servers
  • Staff are trained in privacy and security practices
  • We review our security practices regularly

If you ever suspect your account or information has been compromised, please contact our Privacy Officer immediately so we can investigate and respond.

8. How long we keep your information

No longer than we need to — in line with NZ Privacy Act IPP 9.

We keep your personal information only as long as necessary for the purposes for which it was collected, plus any period required by law:

  • Booking and stay records: Retained for 7 years to comply with Cook Islands tax law and accounting obligations
  • Payment information: Full card details are not stored on our systems — they pass through our PCI-compliant payment processor. Transaction records are kept for up to 2 months after collection
  • Marketing preferences: Retained until you unsubscribe or ask to be removed from our mailing list
  • Website analytics: Aggregated, non-identifying data may be retained indefinitely; identifiable visit data is typically retained for up to 12 months

When information is no longer needed, it is securely deleted or anonymised.

9. International transfers of your information

Where your data lives, and what protects it (NZ Privacy Act IPP 12 / GDPR Chapter V).

Some of our service providers operate servers outside the Cook Islands — including in New Zealand, Australia, the European Union, the United Kingdom, and the United States. This is the nature of cloud-based services like Squarespace, Newbook, Xero, and ActiveCampaign.

Before transferring your information overseas, we take reasonable steps to ensure the recipient handles your data to a standard equivalent to what we promise here:

  • We use providers based in countries that have privacy laws comparable to or stricter than the NZ Privacy Act 2020
  • For EU and UK data, we rely on Standard Contractual Clauses (SCCs) or equivalent legal mechanisms approved under GDPR and UK-GDPR
  • Each provider is contractually committed to confidentiality and to using your data only as we authorise

By using our services, you understand that your information may be transferred outside the Cook Islands as described.

10. Privacy breaches

If something goes wrong, we tell you and the regulator.

Despite our best efforts, no system is entirely immune to security incidents. If a privacy breach occurs that causes, or is likely to cause, serious harm to affected individuals, we will:

  • Notify the New Zealand Office of the Privacy Commissioner as soon as possible after becoming aware of the breach (NZ Privacy Act 2020 mandatory notification requirement)
  • Notify affected individuals directly — describing the breach, what data was involved, what we’re doing about it, and what (if anything) you should do
  • Notify other regulators if required — for example, EU supervisory authorities under GDPR (within 72 hours where applicable)
  • Take immediate steps to contain the breach and prevent recurrence

You can report a privacy concern to us at any time using the contact details below.

11. Drone policy

To protect guest privacy, our property is a No Drone Zone.

Kia Orana Villas & Spa is a designated No Drone Zone. To protect the privacy and peaceful enjoyment of all guests, the operation of drones (UAVs) over our property is not permitted — whether by guests, visitors, or third parties. Filming or photographing other guests without their consent is also not allowed anywhere on the property.

This applies to all 13 villas, the saltwater pool, the spa pool area, the gardens, the Café and Reception Villa, and parking areas. Guests who breach this policy may be asked to leave the property, with no refund.

Cook Islands drone rules apply to the wider area

If you wish to fly a drone elsewhere on Rarotonga, you must comply with the Cook Islands Civil Aviation Rules (CICAR) Part 101. The core rules every drone operator must follow are:

  • Distance from airports: Stay at least 4 km (2.5 miles) from any aerodrome or airport. On islands as small as Rarotonga and Aitutaki, this exclusion zone covers a significant portion of the inhabitable land — including the area around Kia Orana Villas, which is only 4 minutes from Rarotonga Airport.
  • Altitude limit: Do not fly higher than 122 metres (400 feet) above ground level.
  • Consent required: You must obtain prior consent before flying over any person or private property.
  • Visual line of sight: The drone must remain visible to your naked eye at all times. No flying solely via goggles or monitors.
  • Daylight only: Flights are permitted only during daylight hours and in suitable weather conditions.

Permits and licensing

  • Recreational use: A permit is generally not required for recreational “for fun” flying. However, because most of Rarotonga and Aitutaki sit within “controlled airspace”, you usually still need authorisation from Air Traffic Services before you can take off.
  • Commercial use: A formal permit from the Ministry of Transport is mandatory for any professional filming or photography. Applications should be submitted at least 3 business days in advance.

For full details, current requirements, and the permit application process, see the Cook Islands Ministry of Transport — Drones page.

12. Privacy Officer

A real person, accountable for getting this right.

In line with the NZ Privacy Act 2020 and equivalent provisions in GDPR, we have a designated Privacy Officer responsible for:

  • Ensuring this policy is followed in practice
  • Responding to data subject access requests, correction requests, and erasure requests
  • Investigating any privacy concerns or breaches
  • Handling notifications to regulators when required
  • Reviewing this policy annually for currency

Our Privacy Officer is Ross Holmes, Director. Contact details below.

13. Changes to this policy

We’ll tell you when anything important changes.

We may update this Privacy Policy from time to time — for example, to reflect changes in how we operate or to keep up with regulatory change. If we make material changes — changes that affect how we use or share your information — we’ll let you know either by email (if we have your address) or by posting a clear notice on this website at least 30 days before the change takes effect.

The version you’re reading is current as of the date shown at the bottom of this page.

14. How to contact us

Any privacy question, request, or concern — we’d like to hear from you.

Privacy Officer — for privacy questions, data access requests, or concerns:

Ross Holmes, Director and Privacy Officer
J. R. Enterprises Limited (trading as Kia Orana Villas and Spa)
2 Ariki Road, Atupa, Rarotonga, Cook Islands
rossholmes@kiaoranavillas.com

For general booking enquiries, please email gm@kiaoranavillas.com or call +682 54341.
