Privacy Policy

Effective Date: June 23, 2026

Intuto Limited ("we", "us", or "our") operates the website at https://www.intuto.com (the "Website") and provides a cloud-based learning management system platform (the "Platform") to client organisations ("Clients").

This Privacy Policy explains how we collect, use, store, and protect personal information. It applies in two distinct contexts, and our role differs between them:

(a) Website and Business Operations: When you visit our Website, submit an enquiry, request a demo, or interact with us as a prospect or customer contact, we act as the Data Controller of your personal information. This means we determine the purposes and means of processing your data. This Privacy Policy governs that processing directly.

(b) Learning Platform (LMS) Operated on Behalf of Clients: When our Platform is used by a Client organisation to deliver learning to its members or learners, we act as a Data Processor on behalf of that Client. The Client is the Data Controller of its learners' personal information. We process that data only on the Client's instructions, as set out in our Terms of Use and any applicable Data Processing Agreement. Learners seeking information about how their data is handled within a specific Client's learning platform should contact that Client directly, as their organisation's privacy policy governs that relationship.

Where this Policy refers to "you," it refers to website visitors, prospects, and account contacts in context (a). References to "Clients" or "learners" in relation to the Platform refer to context (b).

Definitions

Client means an organisation that has entered into an agreement with us to use the Platform to deliver online learning to its members, employees, or other authorised learners.

Cookies are small pieces of data stored on your device used to operate and improve the Website.

Data Controller means the person or organisation that determines the purposes and means of processing personal information. Where we act as Data Controller, this Privacy Policy applies directly.

Data Processor means a person or organisation that processes personal information on behalf of and under the instructions of a Data Controller. Where we act as Data Processor for a Client, the Client's instructions and any applicable Data Processing Agreement govern our processing.

Personal Data means information about an identifiable, living individual.

Platform means the Intuto learning management system, accessible by Clients and their authorised learners.

Service means the Website and the Platform together.

Sub-processor means a third party engaged by us to process personal information on our behalf in connection with the Service.

Usage Data means data collected automatically from your use of the Website, such as IP address, browser type, pages visited, and time spent.

Website means https://www.intuto.com.

Information Collection and Use

We collect different categories of personal information depending on the context of your interaction with us.

(a) Website and Business Operations — Intuto as Data Controller

When you visit our Website, request a demo, submit an enquiry, or interact with us as a prospect or account contact, we may collect the following:

Information you provide directly:

  • First name and last name
  • Email address
  • Organisation or company name
  • Job title or role
  • Phone number (where provided)
  • Country of operation

Usage Data collected automatically:

We automatically collect information about how the Website is accessed and used. This may include your IP address, browser type and version, the pages you visit, the time and date of your visit, time spent on pages, and other diagnostic data.

Cookies and Tracking Technologies:

We use cookies and similar tracking technologies to operate and improve the Website. You can instruct your browser to refuse cookies, though some areas of the Website may not function correctly if you do. We use:

  • Session Cookies to operate the Website
  • Preference Cookies to remember your settings
  • Security Cookies for security purposes
  • Analytics Cookies to understand how the Website is used (via Google Analytics)

You can opt out of Google Analytics tracking by installing the Google Analytics opt-out browser add-on.

Marketing Communications:

We may use your contact details to send you information about Intuto's services, updates, and resources that may be of interest to you. You may opt out at any time by following the unsubscribe link in any email we send or by contacting us at support@intuto.com.

(b) Learning Platform (LMS) — Intuto as Data Processor

When our Platform is used by a Client to deliver learning to its members or learners, we collect and process personal information on the Client's behalf. Under standard Platform operation, this is limited to:

  • First name
  • Last name
  • Email address
  • Course engagement data, including module completion status, assessment scores, CPD points accrued, time-on-platform records, and certificate generation records

The Client is the Data Controller of this information. Clients are responsible for ensuring that any additional personal information they configure or upload to the Platform is collected with appropriate consent and in compliance with applicable privacy law. If you are a learner with questions about how your data is handled within a specific learning programme, please contact the organisation that provides your training directly.

Single Sign-On (SSO) Authentication:
The Platform supports optional login via Google and Facebook. If you choose to authenticate using one of these services, the provider will share your name and email address with us solely for the purpose of verifying your identity and creating or accessing your account. We do not receive your password or any data beyond what is necessary for authentication.

Use of Data

(a) Website and Business Operations — Intuto as Data Controller

We use the personal information we collect about you for the following purposes:

  • To respond to your enquiry or demo request
  • To provide and maintain our Website
  • To send you information about Intuto's services, updates, and resources, where you have consented or where we have a legitimate interest in doing so
  • To process payments and maintain financial records
  • To monitor and analyse Website usage to improve our service
  • To detect, prevent, and address technical issues and security threats
  • To comply with our legal obligations
(b) Learning Platform — Intuto as Data Processor

Where we process learner personal information on behalf of a Client, we do so only for the purpose of delivering the Platform services to that Client, in accordance with the Client's instructions and our Terms of Use. We do not use learner personal information for our own marketing purposes or for any purpose beyond delivering the service the Client has engaged us to provide.

General Data Protection Regulation (GDPR)

If you are a resident of the European Economic Area (EEA) or the United Kingdom, you have certain data protection rights under the EU General Data Protection Regulation (Regulation (EU) 2016/679) and, for UK residents, the UK General Data Protection Regulation as retained in UK law. We aim to take reasonable steps to allow you to exercise those rights.

Legal Basis for Processing

Where we act as Data Controller, our legal basis for collecting and using your personal information depends on the data and the context in which we collect it. We may process your personal information because:

  • It is necessary to perform a contract with you or to take steps at your request before entering into a contract
  • You have given your consent
  • It is in our legitimate interests and those interests are not overridden by your rights
  • We are required to comply with a legal obligation

Your Rights

If you are located in the EEA or the United Kingdom, you have the right to access, correct, or request deletion of your personal information, object to or request restriction of processing, and request portability of your data. You also have the right to withdraw consent at any time where we rely on consent as our legal basis.

To exercise any of these rights, please contact us at support@intuto.com.

If you are an EEA resident, you have the right to complain to your local data protection authority. If you are a UK resident, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.

Learners in Client Platforms

If you are a learner accessing a Client's learning platform and wish to exercise your data rights in relation to your learning records, please contact the Client organisation directly. As Data Processor, we act on the Client's instructions in relation to learner data and will assist the Client in responding to verified data subject requests.

Your US Consumer Privacy Rights

If you are a resident of California or another US state with applicable consumer privacy legislation, you may have the following rights:

  • The Right to Know: The right to request information about what personal information we collect, use, disclose, and share.
  • The Right to Delete: The right to request deletion of your personal information, subject to certain exceptions.
  • The Right to Opt-Out: The right to opt out of the sale or sharing of your personal information. Intuto does not sell your personal information.
  • The Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To exercise these rights, contact us at support@intuto.com. We will verify your request and respond within the timeframe required by applicable law.

Canadian Residents

If you are a resident of Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, including the right to access and correct your personal information and to withdraw consent to certain processing. Please contact us at support@intuto.com to exercise these rights.

Data Deletion Rights

Website and Business Contact Data

If you have interacted with Intuto as a website visitor, prospect, or business contact and wish to request deletion of your personal information held by us, you may do so at any time by emailing support@intuto.com with the subject line "Data Deletion Request." Please include your full name and the email address associated with your interaction. If you authenticated using Facebook Login or Google, please include that in your request.

We will acknowledge your request within five (5) business days and complete the deletion within thirty (30) days, except where retention is required by law or necessary to resolve a dispute or enforce our agreements.

Learner Data in a Client's Platform

If you are a learner enrolled in a Client's learning platform and wish to request deletion of your learning records or personal information held within that platform, please contact the Client organisation directly. The Client is the Data Controller of that data and is responsible for handling data subject requests. Intuto will assist the Client in actioning verified deletion requests in accordance with our Terms of Use.

Please note that deleting your learner data may remove your access to the platform and any associated course completion records, certificates, or CPD history. We recommend confirming with your organisation whether deletion may affect any compliance or certification requirements before submitting a request.

Retention of Data

(a) Website and Business Operations Data

We retain personal information collected in the course of our website and business operations for as long as is necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, resolve disputes, and enforce our agreements. Where you have consented to receiving marketing communications from us, we will retain your contact details until you withdraw that consent or we determine the information is no longer accurate or relevant.

(b) Learner Data in a Client's Platform

We retain learner personal information processed on behalf of a Client for the duration of that Client's subscription to the Platform. On termination or expiry of a Client's subscription:

  • The Client has a period of ninety (90) days to export their data in a common electronic format (the "Active Extraction Window")
  • Following expiry of the Active Extraction Window, data is moved to an encrypted backup partition and retained for a further twelve (12) months
  • After twelve (12) months from the end of the Active Extraction Window, all Client data is permanently and irreversibly deleted from our infrastructure

Clients with regulatory, professional body, or statutory obligations to retain training completion or CPD records beyond these periods are responsible for exporting and retaining their own copies prior to termination. We recommend seeking independent advice on applicable data retention obligations before initiating a termination or non-renewal.

Transfer of Data

LMS Platform Data

All personal information processed through the Platform on behalf of our Clients — including learner names, email addresses, and course engagement records — is hosted exclusively on Microsoft Azure cloud infrastructure located in Auckland, New Zealand. We do not operate secondary or redundant data hosting regions in any other jurisdiction, and we will not transfer Client data outside of New Zealand without the relevant Client's prior written consent.

Website and Operational Data

To operate our website and business, we engage third-party Sub-processors located primarily in the United States and Australia. These Sub-processors may process limited operational data such as website analytics, email communications, payment processing, and support ticketing. A complete and current list of our Sub-processors, including their location and the data categories they access, is available at www.intuto.com/privacy/sub-processors.

We take all steps reasonably necessary to ensure that any transfer of data to Sub-processors is conducted securely and in accordance with this Privacy Policy and applicable privacy law.

Australian Clients

For Clients whose principal operations are in Australia, learner personal information will be held in New Zealand. The New Zealand Privacy Act 2020 provides protections for personal information that are substantially similar to those required under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles. This means that Australian Clients can rely on the overseas recipient exception under APP 8.2(b) without requiring individual learner consent to the New Zealand transfer.

Disclosure of Data

Business Transaction

If Intuto Limited is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

Disclosure for Law Enforcement

Under certain circumstances, Intuto Limited may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Legal Requirements

Intuto Limited may disclose your Personal Data in the good faith belief that such action is necessary to:

  • To comply with a legal obligation
  • To protect and defend the rights or property of Intuto Limited
  • To prevent or investigate possible wrongdoing in connection with the Service
  • To protect the personal safety of users of the Service or the public
  • To protect against legal liability

Security of Data

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, disclosure, alteration, or destruction. Our Platform is hosted on ISO 27001-certified Microsoft Azure infrastructure in Auckland, New Zealand. All data in transit is encrypted via HTTPS and all data at rest is protected with infrastructure-level encryption. Access to our systems is restricted using private endpoints, virtual networks, and role-based access controls.


We are currently working towards SOC 2 certification in partnership with Drata. You can view our real-time security and compliance status at our public Trust Centre: app.drata.com/trust/20ad3897-fd67-4e10-a5ca-278d8bbda521


No method of transmission over the internet or electronic storage is 100% secure. While we use commercially reasonable means to protect your personal information, we cannot guarantee absolute security. For guidance on steps your organisation can take to protect your data, please visit our Trust and Security page at www.intuto.com/security.

Data Breach Notification

(a) Website and Business Operations Data — Intuto as Data Controller

In the event we become aware of a confirmed or reasonably suspected unauthorised access to, disclosure of, or loss of personal information for which we act as Data Controller, and where that breach is likely to result in a risk to the rights and freedoms of the individuals affected, we will notify the affected individuals without undue delay and, where required by applicable law, notify the relevant regulatory authority. We will take all necessary steps to investigate the breach, remediate the situation, and implement measures to prevent recurrence.

(b) Learning Platform Data — Intuto as Data Processor

In the event we become aware of a confirmed or reasonably suspected unauthorised access to, disclosure of, or loss of learner personal information stored within the Platform that is likely to result in serious harm to the individuals affected, we will notify the relevant Client in writing within seventy-two (72) hours of becoming aware of the breach. Such notification will include, to the extent then known:

  • A description of the nature of the breach
  • The categories and approximate volume of personal information affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach

The Client remains solely responsible for determining and meeting its own notification obligations to affected learners and relevant regulatory authorities under applicable privacy law.

If you suspect a breach or have any concerns about the security of your data, please contact us immediately at support@intuto.com.

"Do Not Track" Signals

We do not support Do Not Track ("DNT"). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked.

You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

For information about how to manage cookies and tracking, please see our Information Collection section above.

Service Providers and Sub-processors

We engage third-party companies and individuals to facilitate our Service, provide components of the Service on our behalf, and assist us in analysing how the Service is used. These organisations are our Sub-processors. They have access only to the personal information necessary to perform their specific functions and are required to maintain appropriate security measures and handle data in accordance with applicable privacy law.

Authentication Services

The Platform supports optional login via Google and Facebook. Where you choose to authenticate using one of these services, the provider shares only your name and email address with us for the purpose of verifying your identity. We do not receive your password or any additional data.

Analytics

We use Google Analytics to monitor and analyse website traffic. You can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on available at tools.google.com/dlpage/gaoptout.

Payments

We use third-party services for payment processing. We do not store payment card details. Our primary payment processors are:

  • Stripe: Privacy policy at stripe.com/en-nz/privacy
  • Xero: Privacy notice at xero.com/nz/legal/privacy

Full Sub-processor List

For a complete and current list of all Sub-processors Intuto uses, including their location, purpose, and the data categories they access, please visit our dedicated Sub-processors page at www.intuto.com/privacy/sub-processors.

Links to Other Sites

Our Service may contain links to other sites that are not operated by us. If you click on a third party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Children’s Privacy

Our Website is not directed at children and we do not knowingly collect personal information from anyone under the age of 13 through our Website. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@intuto.com and we will take steps to remove that information.


For residents of the European Economic Area and the United Kingdom, the minimum age for consent to data processing for online services is 16, or such lower age as is permitted under national implementing legislation (which must be no lower than 13). Where a Client's learning platform is used to deliver training to individuals under the age of 16 in the EEA or UK, the Client is responsible as Data Controller for ensuring that appropriate parental or guardian consent has been obtained prior to enrolment.


Clients operating learning programmes that include participants under the age of 18 in any jurisdiction are responsible for ensuring compliance with applicable laws governing the processing of minors' personal information.

 

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated Policy on this page and, where appropriate, notifying you by email or via a prominent notice on the Website prior to the change taking effect. The effective date at the top of this Policy will be updated accordingly. We encourage you to review this Policy periodically.

Contact Us

f you have any questions about this Privacy Policy or about how we handle your personal information, please contact us: