Privacy Policy

How we collect, use, and protect your personal information.

Effective 1 April 2026 — Last updated 1 April 2026

1. Who We Are

The Tokoroa Alpine Club Incorporated (“TAC”, “we”, “us”, “our”) is a not-for-profit incorporated society registered in New Zealand. We operate Waldvogel Lodge at Iwikau Village, Mt Ruapehu, and this booking and membership management system (“the System”).

We are committed to protecting your personal information and complying with the New Zealand Privacy Act 2020 and its 13 Information Privacy Principles (IPPs).

2. What Information We Collect

We collect the following categories of personal information:

  • Identity and contact details: First and last name, email address, phone number, date of birth.
  • Account credentials: Hashed password (we never store your password in plain text).
  • Booking information: Dates of stay, guest names and age groups, member/non-member status.
  • Payment information: Payment status, Stripe payment reference IDs. We do not store full card numbers — payment card data is handled directly by Stripe.
  • Membership information: Membership subscription status, season year, Xero invoice references.
  • Chore roster data: Chore assignments linked to your lodge stays.
  • Communication records: Emails sent to you by the system (booking confirmations, reminders, notifications).
  • System usage logs: IP addresses and request logs for security and troubleshooting purposes.

We collect only the information necessary for managing club membership and lodge bookings (IPP 1 — Purpose of collection).

3. How We Collect Information

We collect your information:

  • Directly from you when you register an account, make a booking, or contact us.
  • From Xero, our accounting platform, when we import membership and subscription information.
  • Automatically through the System when you log in and use the booking features.

Where we collect information from you, we will tell you why we are collecting it at the point of collection (IPP 3 — Collection of information from subject).

4. How We Use Your Information

We use your personal information to:

  • Create and manage your member account.
  • Process and manage lodge bookings.
  • Process payments and issue refunds through Stripe.
  • Manage membership subscriptions and invoicing through Xero.
  • Send you booking confirmations, reminders, and other transactional emails.
  • Assign chore roster duties during your lodge stays.
  • Maintain financial and membership records as required by law.
  • Ensure the security and integrity of the System.

We will only use your information for the purposes for which it was collected, or for directly related purposes (IPP 10 — Limits on use of personal information).

5. Who We Share Your Information With

We share your personal information with the following third-party service providers where necessary to operate the System:

  • Stripe Inc. — Payment processing. Stripe receives payment card details and processes transactions on our behalf. Stripe is PCI-DSS compliant. See Stripe's Privacy Policy.
  • Xero Limited — Accounting and invoicing. Your name, email, and membership subscription status are synchronised with Xero to manage invoices and verify membership. Xero is headquartered in New Zealand. See Xero's Privacy Policy.
  • Amazon Web Services (AWS) — Simple Email Service (SES) — Transactional email delivery. Your email address is used to send you booking confirmations and notifications. AWS SES operates within AWS's secure infrastructure. See AWS Privacy Notice.
  • Amazon Web Services (AWS) — Lightsail and S3 — Our application and database are hosted on AWS Lightsail in the Asia Pacific (Sydney) region. Automated database backups are stored in AWS S3. Your data remains within AWS infrastructure.

We do not sell, rent, or trade your personal information to any third party for marketing or other unrelated purposes (IPP 11 — Limits on disclosure of personal information).

Where we disclose information to overseas recipients (Stripe, AWS), we take reasonable steps to ensure those recipients are required to protect the information consistently with the Privacy Act 2020 (IPP 12 — Disclosure of information outside New Zealand).

6. How We Store and Protect Your Information

  • Your data is stored in a PostgreSQL database hosted on AWS Lightsail in the Asia Pacific (Sydney) region.
  • Passwords are hashed using bcrypt before storage — we cannot see your password.
  • Sensitive tokens (such as Xero OAuth tokens) are encrypted using AES-256-GCM before storage.
  • All communication between your browser and our servers uses HTTPS with automatic TLS certificates.
  • Database backups are encrypted and stored in AWS S3 with restricted access.
  • We use security headers (Content Security Policy, HSTS, etc.) to protect against common web attacks.

We take reasonable steps to protect your personal information from unauthorised access, disclosure, or misuse (IPP 5 — Storage and security of personal information).

7. How Long We Keep Your Information

  • Active member accounts: Retained for as long as you remain a member or have an active account.
  • Booking and payment records: Retained for 7 years as required by New Zealand tax law (Income Tax Act 2007).
  • Email logs: Retained for 90 days for troubleshooting, then automatically deleted.
  • System audit logs: Retained for 90 days, then automatically pruned.
  • Password reset and verification tokens: Automatically deleted after use or expiry (1–24 hours).

We do not keep personal information for longer than is necessary for the purpose for which it was collected (IPP 9 — Retention of personal information).

8. Your Rights

Under the Privacy Act 2020, you have the right to:

  • Access your information (IPP 6): Request a copy of the personal information we hold about you. You can download your data from your Profile page.
  • Correct your information (IPP 7): Request that inaccurate information be corrected. You can update your profile details directly, or contact us for assistance.
  • Request deletion: Request deletion of your account and personal data from your Profile page. Note that some financial records must be retained for legal compliance.
  • Complain: If you believe we have breached the Privacy Act 2020, you may complain to us first, or directly to the Office of the Privacy Commissioner.

9. Cookies and Tracking

This System uses a single session cookie to keep you logged in. This cookie contains an encrypted session token and no personal information. We do not use advertising cookies, third-party tracking, or analytics cookies. The session cookie expires after 8 hours of inactivity or when you sign out.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. Continued use of the System after any changes constitutes acceptance of the updated policy.

11. Contact Our Privacy Officer

For any questions or concerns about this Privacy Policy, or to exercise your privacy rights, please contact our Privacy Officer:

Privacy Officer

Tokoroa Alpine Club Incorporated

secretary@tokoroa.org.nz

Or use our contact form.