
Privacy Register and Additional Privacy Info

Welcome to YJ Consulting.
We value your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our , or download our app (coming soon).
Please read this Privacy Policy carefully to understand our views and practices regarding your personal data and how we will treat it. You can find an overview .

Privacy Policy

For a simplified overview of our Privacy Policy, please view:
The information contained on this page has been reconciled against our canonical site policy and aligned to the Independent privacy evaluation checklist. It maps concrete policy statements and processes to the Trust Framework Rules (Rule 12) and relevant Privacy Act 2020 obligations.

1. Information We Collect

1.1 Personal Information

We may collect the following personal information:
Name
Email address
Phone number
Shipping address
Billing address
Payment information (e.g., credit card details)

1.2 Non-Personal Information

We may also collect non-personal information about you, including:
Browser type
Device type
IP address
Browsing behaviour (e.g., pages viewed, links clicked)
Contact YJ Consulting if you have any questions about this Privacy Policy.
Access our Terms and Conditions here:

3. Compliance alignment summary

Responsible person for privacy is identified and contactable
Staff and contractor training is required and scoped to role sensitivity
A public-facing privacy statement exists and is referenced here
Internal Privacy Policy provided to personnel and change-notified
Documented Privacy Incident Response Plan exists and covers notifiable and non-notifiable events, roles, escalation, containment, and reporting to OPC and TFA
Privacy Incident Register exists and is reviewed with process updates
Privacy Impact Assessment (PIA) is required, approved, and reviewed on a 2-year or service-change cadence, and takes relevant Codes of Practice into account

4. Evaluation details

Provider: Crescellere Limited trading as YJ Consulting
Service name: Professional consulting services at
Template version: V2.1

5. Responsible person for privacy

(Rule 12(5))
Nominated privacy contact: Steffanie Zhang
Role: Privacy Lead responsible for privacy governance and incident coordination
Alternative contact:

6. Privacy training

(Rule 12(6))
Training is mandatory for employees and contractors with access to our clients’ personal information
Training content includes lawful purpose and use, access and correction handling, storage and disclosure standards, and complaint/incident handling and reporting to the privacy contact
Training is role-based and refreshed annually, with earlier refreshers after material policy or process changes

7. Privacy statement

(Rules 12(1) and 12(11))
Tracker scope: Google Analytics only
Cookie notice: Uses Notion’s default cookie banner and controls on Notion-hosted pages, as well as WordPress cookies and controls on our website
Public privacy statement is this page
A concise website notice links users here and to cookie controls

8. Privacy Policy provided to personnel

(Rules 12(6)-(7))
An internal Privacy Policy is issued to all personnel and made available in the company handbook and knowledge base
Change notification: personnel are notified of policy updates and must acknowledge material changes
Policy covers: lawful purposes and uses, access and correction requests, storage and disclosure, and privacy complaints and incidents procedures

9. Privacy Incident Response Plan

(Rules 12(8)-(9); Reg 20; Privacy Act 2020 Part 6)
Owner: Privacy Lead (@Steff Zhang) • Contact: • Alternate:
Scope: All YJ Consulting operations, systems, people, suppliers, and client engagements.
Objective: Rapid containment, accurate assessment, lawful notification, and measurable learning.

9.1 Definitions and scope

Privacy incident: Any event that compromises, is suspected to compromise, or risks compromising personal information confidentiality, integrity, or availability.
Notifiable privacy breach: Likely to cause serious harm to affected individuals per Privacy Act 2020. Requires notification to OPC and affected individuals.
Systems covered: Website, email, productivity suites, storage, CRM/knowledge bases, client data rooms, and supplier-managed services used by YJ Consulting.

9.2 Roles and responsibilities

Privacy Lead (Incident Manager): Coordinates end-to-end response, decision maker on notifiability, approves notifications, owns regulator liaison.
Technical Lead: Performs containment and forensics support, preserves evidence, coordinates with suppliers.
Account/Engagement Lead: Client communications, scope and data mapping, contractual impact check.
Communications Lead: Drafts internal and external notices using approved templates.
All personnel: Immediately report incidents, preserve evidence, do not delete or disclose externally without authorisation.

9.3 Severity and notifiability matrix

S0 Near miss: No personal data exposure. Track and fix.
S1 Low: Limited personal data, promptly contained, unlikely serious harm. Internal notice only.
S2 Medium: Personal data exposed to limited unauthorised party, harm uncertain. Triage for notifiability within 48 hours.
S3 High (Notifiable likely): Sensitive data or broad exposure, indicators of serious harm. Notify OPC and individuals as required.
Determinants of serious harm (consider together):
Data sensitivity and volume
Security controls in place (e.g., encryption at rest/in transit)
Who accessed/received the data and likelihood of misuse
Whether the data is recoverable or has been published
Potential harm types: financial loss, identity risk, physical safety, discrimination, distress

9.4 6-Step incident workflow (target clock starts at detection)

1. Detect and report (T+0–1h)
Any staff or supplier reports to and logs in the Privacy Incident Register.
Capture initial facts using the Triage Form.
2. Contain and preserve (T+0–4h)
Isolate affected accounts, revoke tokens/API keys, rotate credentials, disable sharing links.
Quarantine malicious artifacts, block indicators of compromise.
Preserve evidence: export system logs, email headers, access logs, timestamped screenshots. Do not alter source data.
3. Assess impact and notifiability (T+4–24h)
Map data subjects, categories of personal information, jurisdictions, and contractual duties.
Apply severity matrix and serious harm test. Document rationale.
Decide if notifiable under Privacy Act 2020. If uncertain, treat as likely and escalate.
4. Remediate and eradicate (T+24–48h)
Remove malware, close vulnerabilities, correct misconfigurations, revoke persistence.
Coordinate with suppliers for corrective actions and assurances.
5. Notify (if notifiable) (as soon as practicable; without undue delay)
OPC notification: submit via OPC online form with facts, harms, and mitigations.
Affected individuals: clear, plain-language notice and recommended protective steps.
Contracted clients/partners: per contract SLAs and regulatory requirements.
6. Learn and improve (within 10 business days)
Post-incident review (PIR) with actions, owners, and due dates.
Update policies, controls, and training. Track to closure.

9.5 Communication and notification artefacts

Triage Form fields: reporter, timestamp, system, description, indicators, data types, estimated records, attachments.
Decision log: notifiability rationale, alternatives considered, approvals.

9.6 Evidence handling and forensics

Chain of custody: unique evidence IDs, hash values (where feasible), custodian, timestamps.
Store evidence in a restricted incident folder with least-privilege access.
Avoid production system changes until evidence captured unless immediate safety requires.
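The chain-of-custody record above can be kept as a hashed evidence manifest so that later review can prove an export was not altered after collection. The following is an added example, not YJ Consulting's own tooling; the incident ID, custodian, file names and log contents are constructed for illustration.

```python
"""Chain-of-custody manifest for privacy-incident evidence (added example).

Assumes evidence files sit in a restricted incident folder. Each record carries
a sequential evidence ID, SHA-256, custodian and UTC collection time, and
verify_manifest() reports any file whose current hash no longer matches.
"""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large log exports need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def register_evidence(manifest: list, incident_id: str, path: Path,
                      custodian: str, description: str) -> dict:
    """Append one evidence record; the ID is sequential within the incident."""
    entry = {
        "evidence_id": f"{incident_id}-E{len(manifest) + 1:03d}",
        "file": path.name,
        "sha256": sha256_file(path),
        "custodian": custodian,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "description": description,
    }
    manifest.append(entry)
    return entry


def verify_manifest(manifest: list, folder: Path) -> list:
    """Return evidence IDs whose file is missing or whose hash has changed."""
    return [e["evidence_id"] for e in manifest
            if not (folder / e["file"]).exists()
            or sha256_file(folder / e["file"]) != e["sha256"]]


def demo() -> dict:
    """Constructed walk-through: register two exports, then alter one of them."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "access.log").write_text("2025-11-10T09:14:02Z user=alice action=share_link\n")
        (folder / "headers.eml").write_text("Received: from mail.example (constructed sample)\n")
        manifest: list = []
        register_evidence(manifest, "INC-2025-001", folder / "access.log", "Technical Lead", "Drive access log export")
        register_evidence(manifest, "INC-2025-001", folder / "headers.eml", "Technical Lead", "Misdirected email headers")
        clean = verify_manifest(manifest, folder)          # expected: []
        (folder / "access.log").write_text("altered after collection\n")
        tampered = verify_manifest(manifest, folder)       # expected: ["INC-2025-001-E001"]
        return {"ids": [e["evidence_id"] for e in manifest], "clean": clean, "tampered": tampered}
```

Store the manifest alongside the evidence in the restricted incident folder and re-run the verification before any evidence is relied on for a notifiability decision or handed to a regulator.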

9.7 Supplier and subcontractor management

Require suppliers to notify YJ Consulting of incidents affecting our data within 24 hours.
Maintain a contact roster and escalation paths for key suppliers.
Obtain written incident summaries and corrective action attestations post-event.

9.8 Data subject rights during incidents

Continue to honour access, correction, and deletion requests where safe and lawful.
If fulfilment would aggravate risk, record justification and defer with explanation to the requester.

9.9 Recordkeeping and metrics

Record every incident and near miss in the Privacy Incident Register with severity, root cause, and actions.
Metrics reviewed quarterly: time-to-detect, time-to-contain, time-to-notify, recurrence by cause, training coverage.

9.10 Training and exercises

Onboarding and annual refresher training covering this plan and reporting duties.
Tabletop exercise at least annually with one supplier-involved scenario.

9.11 Quick-reference playbooks

Email misdirect
Immediate: recall if available, contact unintended recipient requesting deletion and non-use, disable link access.
Assess data sensitivity and likelihood of further disclosure. Consider notifiability.
Lost or stolen device
Immediate: remote lock/wipe, revoke tokens, rotate passwords.
Verify encryption status and last backup. Assess exposed data and notifiability.
Cloud file oversharing (public link / wrong permissions)
Immediate: revoke public links, correct permissions, review access logs.
Determine exposure window and access events. Assess notifiability.
Credential compromise / phishing
Immediate: reset credentials, enforce MFA, block sender domain/URLs, run containment across related systems.
Review mail rules, OAuth grants, and API tokens.
Supplier breach
Immediate: obtain details and containment status, disable integrations if needed.
Assess contractual and regulatory notifications.

9.12 Retention

Incident records, evidence, and notifications retained for 7 years unless legal hold requires longer.

9.13 Governance

Plan owner: Privacy Lead. Review at least annually or after any notifiable breach.
Change control: updates recorded with version, date, approver, and summary of changes.

10. Privacy Incident Register

(Rules 12(9)-(10))
A register records all incidents and near misses
The register is reviewed regularly and drives policy and process improvements
Link: Our Incident Register will be maintained alongside our canonical Privacy Policy here →

11. Privacy Impact Assessment

(Rule 12(2)-(4))
A PIA is required for services in scope for accreditation and must be approved by the provider
The PIA describes the service, information held and collected, purposes, information flows, storage and disposal controls, identified risks, and mitigating controls
Review: at least every 2 years from last review, or earlier on service change
Codes of Practice: any relevant Codes are explicitly considered per Privacy Act s32

12. Information used to inform this alignment

Provider application responses and attachments
Internal policy documents and training materials
PIA and risk assessments
Last updated: 10 November 2025
This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.
We use Your Personal data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:
Account means a unique account created for You to access our Service or parts of our Service.
Affiliate means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Crescellere Limited, 64 Bob Charles Drive.
Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
Country refers to: New Zealand
Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
Personal Data is any information that relates to an identified or identifiable individual.
Service refers to the Website.
Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analysing how the Service is used.
Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
Website refers to YJ Consulting, accessible from
You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

Collecting and Using Your Personal Data

Types of Data Collected

Personal Data
While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to: