About Boston Hunt.

About Boston Hunt.

Meet our team.

Meet our team.

Documents

Documents

Our Impact

A Comprehensive Guide to New Zealand’s Biometric Processing Privacy Code and How ORTUS AI Ensures Business Compliance


The New Zealand Privacy Commissioner has issued the Biometric Processing Privacy Code (the Code), effective 3 November 2025. This landmark legislation, which has the force of law, replaces the general Information Privacy Principles of the Privacy Act for any agency using automated biometric processes. For New Zealand businesses, this is a critical development that demands proactive preparation to maintain customer trust, avoid compliance risks, and ensure a smooth transition by the deadline of 3 August 2026.


ORTUS AI's product suite is uniquely positioned to help New Zealand businesses not only achieve compliance but also leverage technology in a responsible, ethical, and effective manner.


This document provides a comprehensive overview of the Code’s key obligations and details how the ORTUS AI product suite is specifically designed to address each requirement, ensuring your business is ready for the new regulatory landscape.


Understanding the Key Obligations of the New Code


The Code introduces several critical obligations that go beyond standard privacy principles. For businesses, these can be complex, and a well-thought-out approach is required.


1. Necessity and Proportionality: The Code's core principle is that any use of biometrics must be truly necessary, effective, and proportionate to a lawful purpose. This requires an evidence-based decision-making process. Businesses must be prepared to show that the benefits of using biometrics clearly outweigh the privacy risks, and that less intrusive alternatives (like improved staffing, store design, or traditional surveillance) would not be as effective in practice.


2. Transparency and Consent: Transparency is a cornerstone of the Code. Businesses must clearly and conspicuously inform individuals about the use of a biometric system before or at the time of collection. This notification must explain what data is being collected, why, how it will be used, what alternatives are available, and where an individual can access the business's proportionality assessment.


3. Data Security and Safeguards: The Code mandates robust security measures to protect biometric data from misuse, loss, or unauthorized access. This includes secure storage, strict access controls, and prompt deletion of data when no longer needed. The Code also requires transparent governance processes, which includes clear policies and staff training.


4. Bias and Accuracy Concerns: The Code addresses the risk of bias and inaccuracy in biometric systems. It explicitly limits particularly intrusive uses like predicting emotions or inferring sensitive characteristics such as ethnicity or sex. Businesses must ensure their systems are reliable, tested for fairness, and do not lead to discriminatory outcomes.


5. Cultural and Social Considerations: The Code places a specific emphasis on assessing the cultural and social impacts of biometric technologies, particularly in relation to Māori and other communities. This requires businesses to be mindful of how their systems may affect different groups and to ensure fair and equitable outcomes for all. Data sovereignty and the potential for a surveilled society are key concerns the Code aims to address.


How ORTUS AI Addresses These Obligations

The ORTUS AI product suite provides a comprehensive and ethical framework for navigating these requirements. By focusing on data minimization and a privacy-by-design approach, ORTUS AI helps businesses achieve their goals while building a foundation of trust and compliance.


1. Addressing Necessity and Proportionality with Non-Intrusive Analytics

ORTUS AI provides the biometric-specific guardrails required by the Code by first offering a suite of powerful, non-biometric analytical tools. This allows a business to establish a solid, data-driven case for any future need for biometrics.


  • ORTUS Live & X.ZONE: These modules empower businesses with granular data on foot traffic, dwell time, and visitor flow. Businesses can use these insights to optimize store layouts, manage queues at checkouts, and improve customer flow. This data helps prove that a business is using the least intrusive methods to address issues, satisfying the necessity test before even considering biometrics.


  • Case-by-Case Justification: If a business's primary objective is to combat crime, they can first deploy ORTUS AI’s non-biometric people and vehicle detection and tracking. If data shows that crime persists despite these measures, the documented evidence can be used to justify the necessity of a biometric solution for a specific, lawful purpose—a key requirement of the Code.


2. Ensuring Transparency and Consent through Integrated Design


ORTUS AI’s architecture facilitates the clear and conspicuous notification required by the Code.


  • API-First Design: The platform's API-first design allows for seamless integration with existing in-store digital signage and customer-facing applications. This enables the creation of custom interfaces that clearly and conspicuously display required notices about data collection, the purpose, and any available alternatives, such as self-checkout or staffed tills.


  • Privacy Controls: ORTUS AI's flexible privacy controls allow businesses to manage sensitive data on a granular level. The platform can be configured to not collect or store sensitive biometric information, helping businesses build trust with their customers by demonstrating a commitment to privacy that goes beyond mere compliance.


3. Delivering Robust Data Security and Safeguards


ORTUS AI is built to meet and exceed the Code’s security requirements from the ground up.


  • Privacy by Design: At its core, ORTUS AI is built on a privacy by design philosophy. It ensures that no sensitive or uniquely identifiable information is collected or stored. The blurred + long exposure background images feature provides visual context to security teams without compromising an individual's identity, thereby mitigating the risk of unauthorized access to personal data.

  • Secure Access & Compliance: The platform offers Single Sign-On (SSO) integration with leading identity providers like Okta and Microsoft AD, along with granular user authorization (RBAC). This ensures that only authorized personnel can access the system. ORTUS AI's alignment with SOC 2 Type II and ISO 27001 standards provides a high level of assurance that the platform meets internationally recognized security practices, giving New Zealand businesses confidence in its data handling.


4. Mitigating Bias and Accuracy Concerns


The Code addresses the risks of bias, a significant concern. ORTUS AI’s approach to technology helps businesses navigate this ethically.


  • Primary Value Proposition: ORTUS AI’s primary value proposition is to provide actionable insights using non-biometric data. This approach inherently avoids the risk of bias associated with the profiling or categorization of individuals based on ethnicity, gender, or other sensitive characteristics. This directly addresses the Code's restrictions on intrusive uses of biometrics.

  • Continuous Improvement: The ORTUS AI roadmap includes ongoing development of new detection models and new tracking algorithms, demonstrating a commitment to continuously improving accuracy and reliability.


5. Respecting Cultural and Social Considerations


ORTUS AI's flexible architecture and deployment options are designed to respect cultural and social considerations, particularly in a diverse market like New Zealand.


  • On-Premise Deployment: The platform's support for off-line/on-premise deployments allows businesses to maintain full control over their data, keeping it entirely within their own secure networks. This addresses concerns around data sovereignty and is critical for building trust with communities who may be wary of having their information sent overseas.

  • Flexible Deployment & Controls: The platform can be deployed in a way that respects diverse organizational structures and community-specific data management policies, ensuring fair and equitable outcomes.

A Comprehensive Guide to New Zealand’s Biometric Processing Privacy Code and How ORTUS AI Ensures Business Compliance


The New Zealand Privacy Commissioner has issued the Biometric Processing Privacy Code (the Code), effective 3 November 2025. This landmark legislation, which has the force of law, replaces the general Information Privacy Principles of the Privacy Act for any agency using automated biometric processes. For New Zealand businesses, this is a critical development that demands proactive preparation to maintain customer trust, avoid compliance risks, and ensure a smooth transition by the deadline of 3 August 2026.


ORTUS AI's product suite is uniquely positioned to help New Zealand businesses not only achieve compliance but also leverage technology in a responsible, ethical, and effective manner.


This document provides a comprehensive overview of the Code’s key obligations and details how the ORTUS AI product suite is specifically designed to address each requirement, ensuring your business is ready for the new regulatory landscape.


Understanding the Key Obligations of the New Code


The Code introduces several critical obligations that go beyond standard privacy principles. For businesses, these can be complex, and a well-thought-out approach is required.


1. Necessity and Proportionality: The Code's core principle is that any use of biometrics must be truly necessary, effective, and proportionate to a lawful purpose. This requires an evidence-based decision-making process. Businesses must be prepared to show that the benefits of using biometrics clearly outweigh the privacy risks, and that less intrusive alternatives (like improved staffing, store design, or traditional surveillance) would not be as effective in practice.


2. Transparency and Consent: Transparency is a cornerstone of the Code. Businesses must clearly and conspicuously inform individuals about the use of a biometric system before or at the time of collection. This notification must explain what data is being collected, why, how it will be used, what alternatives are available, and where an individual can access the business's proportionality assessment.


3. Data Security and Safeguards: The Code mandates robust security measures to protect biometric data from misuse, loss, or unauthorized access. This includes secure storage, strict access controls, and prompt deletion of data when no longer needed. The Code also requires transparent governance processes, which includes clear policies and staff training.


4. Bias and Accuracy Concerns: The Code addresses the risk of bias and inaccuracy in biometric systems. It explicitly limits particularly intrusive uses like predicting emotions or inferring sensitive characteristics such as ethnicity or sex. Businesses must ensure their systems are reliable, tested for fairness, and do not lead to discriminatory outcomes.


5. Cultural and Social Considerations: The Code places a specific emphasis on assessing the cultural and social impacts of biometric technologies, particularly in relation to Māori and other communities. This requires businesses to be mindful of how their systems may affect different groups and to ensure fair and equitable outcomes for all. Data sovereignty and the potential for a surveilled society are key concerns the Code aims to address.


How ORTUS AI Addresses These Obligations

The ORTUS AI product suite provides a comprehensive and ethical framework for navigating these requirements. By focusing on data minimization and a privacy-by-design approach, ORTUS AI helps businesses achieve their goals while building a foundation of trust and compliance.


1. Addressing Necessity and Proportionality with Non-Intrusive Analytics

ORTUS AI provides the biometric-specific guardrails required by the Code by first offering a suite of powerful, non-biometric analytical tools. This allows a business to establish a solid, data-driven case for any future need for biometrics.


  • ORTUS Live & X.ZONE: These modules empower businesses with granular data on foot traffic, dwell time, and visitor flow. Businesses can use these insights to optimize store layouts, manage queues at checkouts, and improve customer flow. This data helps prove that a business is using the least intrusive methods to address issues, satisfying the necessity test before even considering biometrics.


  • Case-by-Case Justification: If a business's primary objective is to combat crime, they can first deploy ORTUS AI’s non-biometric people and vehicle detection and tracking. If data shows that crime persists despite these measures, the documented evidence can be used to justify the necessity of a biometric solution for a specific, lawful purpose—a key requirement of the Code.


2. Ensuring Transparency and Consent through Integrated Design


ORTUS AI’s architecture facilitates the clear and conspicuous notification required by the Code.


  • API-First Design: The platform's API-first design allows for seamless integration with existing in-store digital signage and customer-facing applications. This enables the creation of custom interfaces that clearly and conspicuously display required notices about data collection, the purpose, and any available alternatives, such as self-checkout or staffed tills.


  • Privacy Controls: ORTUS AI's flexible privacy controls allow businesses to manage sensitive data on a granular level. The platform can be configured to not collect or store sensitive biometric information, helping businesses build trust with their customers by demonstrating a commitment to privacy that goes beyond mere compliance.


3. Delivering Robust Data Security and Safeguards


ORTUS AI is built to meet and exceed the Code’s security requirements from the ground up.


  • Privacy by Design: At its core, ORTUS AI is built on a privacy by design philosophy. It ensures that no sensitive or uniquely identifiable information is collected or stored. The blurred + long exposure background images feature provides visual context to security teams without compromising an individual's identity, thereby mitigating the risk of unauthorized access to personal data.

  • Secure Access & Compliance: The platform offers Single Sign-On (SSO) integration with leading identity providers like Okta and Microsoft AD, along with granular user authorization (RBAC). This ensures that only authorized personnel can access the system. ORTUS AI's alignment with SOC 2 Type II and ISO 27001 standards provides a high level of assurance that the platform meets internationally recognized security practices, giving New Zealand businesses confidence in its data handling.


4. Mitigating Bias and Accuracy Concerns


The Code addresses the risks of bias, a significant concern. ORTUS AI’s approach to technology helps businesses navigate this ethically.


  • Primary Value Proposition: ORTUS AI’s primary value proposition is to provide actionable insights using non-biometric data. This approach inherently avoids the risk of bias associated with the profiling or categorization of individuals based on ethnicity, gender, or other sensitive characteristics. This directly addresses the Code's restrictions on intrusive uses of biometrics.

  • Continuous Improvement: The ORTUS AI roadmap includes ongoing development of new detection models and new tracking algorithms, demonstrating a commitment to continuously improving accuracy and reliability.


5. Respecting Cultural and Social Considerations


ORTUS AI's flexible architecture and deployment options are designed to respect cultural and social considerations, particularly in a diverse market like New Zealand.


  • On-Premise Deployment: The platform's support for off-line/on-premise deployments allows businesses to maintain full control over their data, keeping it entirely within their own secure networks. This addresses concerns around data sovereignty and is critical for building trust with communities who may be wary of having their information sent overseas.

  • Flexible Deployment & Controls: The platform can be deployed in a way that respects diverse organizational structures and community-specific data management policies, ensuring fair and equitable outcomes.

Ortus AI Privacy Statement

Effective Date: June 26, 2025

This Privacy Statement sets forth the policies and practices of SAV INTEL GROUP Limited, the legal entity and proprietary owner of the ORTUS AI VAS brand and all associated intellectual property, regarding the collection, use, protection, and disclosure of information in connection with your access and utilization of this website (hereinafter referred to as "the Website"). Our commitment to privacy is absolute, reflecting our dedication to robust data governance and the protection of intellectual assets.


1. Intellectual Property Rights and Content Management

The entirety of the content featured on this Website, including but not limited to all textual material, graphical elements, proprietary logos, distinctive designs, audio-visual components, software, and underlying code, constitutes the exclusive intellectual property of SAV INTEL GROUP Limited. Such intellectual property is safeguarded by applicable copyright laws, trademark laws, and other intellectual property statutes, both domestically within New Zealand and internationally.


Any unauthorized reproduction, dissemination, modification, or other unauthorized use of the content displayed on this Website is strictly prohibited. This prohibition encompasses, without limitation:


  • Copying and Reproduction: Duplication, downloading, or saving of any images, text, or other proprietary material for either personal non-commercial use or commercial exploitation without the express prior written consent of SAV INTEL GROUP Limited.

  • Public Dissemination: Distribution, sharing, or publishing of content on social media platforms, other websites, or any public-facing medium without explicit authorization.

  • Derivativation: Any alteration, adaptation, modification, or the creation of derivative works based upon the original material.

  • Commercial Exploitation and Training Data: The use of content for promotional, advertising, commercial, or machine learning purposes (including, but not limited to, the training of artificial intelligence models) without the explicit prior written consent of SAV INTEL GROUP Limited.


For inquiries pertaining to licensing, permissions, or any legitimate use of ORTUS AI intellectual property, please direct your correspondence to the designated contact address provided herein.


2. Collection and Processing of Information


In adherence to the Information Privacy Principles (IPPs) outlined in the New Zealand Privacy Act 2020, we restrict the collection of information to that which is necessary for the proper functioning and enhancement of the Website and our services.


  • Information Voluntarily Provided: This category includes personal information that you elect to provide directly to us, such as your name, email address, contact details, and any other data submitted via interactive forms, subscription services, or direct communications.

  • Automatically Collected Information: When you access the Website, certain technical information may be automatically recorded by our servers. This may include your Internet Protocol (IP) address, browser type, operating system, referring uniform resource locators (URLs), pages visited, and timestamps. This data is collected primarily for analytical purposes, enabling us to optimize the Website's performance and user experience. Such data is largely aggregated and anonymized, mitigating its direct association with identifiable individuals.

  • Cookies and Similar Technologies: The Website may utilize cookies or similar technologies to facilitate basic functionality and collect non-personal, aggregated usage data. We do not employ these technologies for extensive user profiling or cross-site tracking. Users retain the ability to manage cookie preferences through their web browser settings.


3. Purpose of Information Utilisation


The information collected is processed for the following legitimate purposes:


  • Website Operation and Maintenance: To ensure the continuous and effective operation, maintenance, and security of the Website.

  • Responding to Inquiries: To facilitate communication and provide timely and relevant responses to inquiries submitted through the Website's contact mechanisms.

  • Analytical Review: To perform internal analyses of Website traffic and usage patterns, thereby informing improvements to content, functionality, and overall user experience.

  • Intellectual Property Protection: To safeguard the intellectual property rights and digital assets of SAV INTEL GROUP Limited, including the prevention of unauthorized access, misuse, or infringement.


4. Disclosure of Information


SAV INTEL GROUP Limited maintains a strict policy against the sale, trade, or unauthorized transfer of your personal information. Disclosure of information occurs only under the following limited circumstances:


  • Third-Party Service Providers: We may engage reputable third-party service providers to assist in the operation of the Website (e.g., hosting services). Such providers are contractually bound to maintain the confidentiality and security of any information accessed and are prohibited from using personal information for any purpose other than that for which they are engaged.

  • Legal and Regulatory Compliance: Disclosure may occur where mandated by applicable law, regulation, judicial order, or governmental request, or where deemed necessary to protect the legal rights, property, or safety of SAV INTEL GROUP Limited, its users, or the public.


5. Your Rights and Data Governance


In accordance with the New Zealand Privacy Act 2020, you possess certain rights concerning your personal information:


  • Right of Access: You have the right to request confirmation as to whether we hold personal information about you and to obtain access to such information, subject to applicable exceptions.

  • Right of Correction: You may request the correction of any inaccurate or incomplete personal information that we hold about you.

  • Right to Opt-Out: You may elect to opt-out of receiving certain communications from us by following the unsubscribe instructions provided in such communications or by contacting us directly.


All requests regarding these rights shall be processed in a timely manner, in compliance with statutory requirements.


6. Data Security Measures


SAV INTEL GROUP Limited implements reasonable technical and organisational security measures designed to protect personal information from unauthorised access, alteration, disclosure, or destruction. While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is entirely secure. Therefore, we cannot guarantee absolute security.


7. Data Retention


Personal information is retained only for as long as is necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Statement, or as required by legal or regulatory obligations. Upon the expiration of the retention period, personal information shall be securely deleted or anonymized.


8. Amendments to This Privacy Statement


SAV INTEL GROUP Limited reserves the right to amend or update this Privacy Statement at its sole discretion, reflecting changes in our operational practices or legal requirements. Any revisions will be effective immediately upon publication on the Website. We encourage users to periodically review this Statement to remain informed of our privacy practices.


9. Contact for Privacy Matters


For any questions, concerns, or requests pertaining to this Privacy Statement or the handling of your information by ORTUS AI, please contact us at:


[Your Contact Email Address]


Key points about this version:


  • NZ-Specific References: Explicitly mentions the Privacy Act 2020 and Information Privacy Principles (IPPs), which is crucial for New Zealand compliance.

  • Formal Tone: Uses legal phrases like "set forth," "hereinafter referred to," "encompasses, without limitation," "mandated by applicable law," and "sole discretion."

  • Clarity on Ownership: Reinforces SAV INTEL GROUP Limited as the legal entity and proprietary owner.

  • Refined "Forbidden Actions": Uses stronger terms like "expressly forbidden," "unauthorized replication, dissemination, manipulation," and specifically includes "machine learning (including AI training)" for clarity given your AI focus.

  • Data Minimisation: Reinforces the idea that data collection is "necessary for the proper functioning" and "restricted" to what is needed, aligning with IPP 1.

  • No Sale/Trade: Clearly states the non-disclosure policy in formal terms.

  • User Rights: Outlines the core rights (access, correction, opt-out) as per NZ privacy law.

  • Contact Information: Maintained as critical.