1. Data handling principles
DocuServices NZ, operated by GOV PAPERS SL, applies the following data handling principles to all personal data we process:
- Lawfulness, fairness and transparency — we process data only on a valid legal basis and communicate clearly how data is used
- Purpose limitation — data is collected for specified, explicit and legitimate purposes and not processed in ways incompatible with those purposes
- Data minimisation — we collect only what is necessary for the stated purpose
- Accuracy — we take reasonable steps to ensure data is accurate and up to date
- Storage limitation — data is kept only for as long as necessary
- Integrity and confidentiality — we apply appropriate technical and organisational security measures
- Accountability — GOV PAPERS SL takes responsibility for compliance with these principles
2. Data collection points
Personal data is collected through the following channels:
- Contact forms and email enquiries — name, email address, enquiry content and, where relevant, marriage certificate details and use case
- Service purchases — name, email address, billing address and payment transaction reference collected at the time of purchase. Full payment card data is transmitted directly to our payment processor and is not stored on our servers.
- Postal address — collected as a billing address for paid services
- Technical website data — session cookies, IP address and browser data collected automatically for security and site functionality
We do not request or accept copies of official identity documents, NZ certificates or passports through our website. Our data validation service is information-based and does not require document uploads.
3. Storage and security
Personal data is stored on servers located within the European Economic Area (EEA) or in countries with an adequate level of protection as determined by the European Commission. We apply the following security measures:
- HTTPS encryption for all web communications
- Access restricted to authorised personnel only
- Password-protected systems with multi-factor authentication where applicable
- Regular review of access controls and security settings
- No storage of sensitive personal data beyond what is strictly necessary
4. Internal access controls
Access to personal data is limited to those GOV PAPERS SL personnel and contractors who require it to carry out their role. Access is granted on a need-to-know basis and is reviewed periodically. All personnel who handle personal data are bound by confidentiality obligations.
5. Data retention and deletion
We retain personal data only for as long as is necessary:
- Enquiry and contact records: up to 2 years from last contact, unless deletion is requested earlier
- Technical/session logs: up to 13 months
- Consent records: for the duration of the consent plus a reasonable additional period for audit purposes
- Payment and billing records (name, billing address, transaction reference, amount): minimum 5 years as required by Spanish and EU tax and accounting law. Card numbers and full payment credentials are never stored by us.
- Purchase and service records: retained for the duration of the service relationship plus the applicable legal accounting period
At the end of the applicable retention period, data is securely deleted or anonymised so that it can no longer identify an individual.
You may request early deletion of your personal data at any time by emailing [email protected], subject to any legal obligation to retain specific records.
6. Incident response
In the event of a personal data breach that poses a risk to users' rights and freedoms, GOV PAPERS SL will:
- Notify the Spanish DPA (AEPD) within 72 hours of becoming aware, as required by GDPR Article 33
- Notify affected individuals without undue delay where the breach is likely to result in high risk, as required by GDPR Article 34
- Document the breach, its effects and the remedial actions taken
If you believe your data has been compromised, contact us immediately at [email protected].
7. Payment processor
Payments for DocuServices NZ services are processed by a third-party payment provider operating under PCI DSS (Payment Card Industry Data Security Standard) requirements. When you make a payment:
- Your card details are submitted directly to the payment processor via an encrypted connection
- We receive only a transaction reference, the last 4 digits of the card (where provided by the processor), billing name and billing address
- Full card numbers, CVV codes and card authentication data are never transmitted to or stored on our systems
The payment processor acts as an independent data controller for the purpose of processing your payment. Their own privacy policy and terms apply to the processing of your card data.
8. Sub-processors and third parties
We use a limited number of trusted third-party service providers (sub-processors) for hosting, email infrastructure and technical operations. All sub-processors are bound by data processing agreements that require them to process data only on our instructions and apply appropriate security measures. We do not sell personal data to any third party.
For any questions about how your data is handled, please contact: [email protected]
Postal: GOV PAPERS SL, Gran Via de les Corts Catalanes 672, 08010 Barcelona, Spain
You may also lodge a complaint with the AEPD at aepd.es.