At a glance
Citizen Test is an independent, New Zealand-based study guide for the new citizenship test. We collect your email address if you sign up for updates, and your name, email address, and message if you write to us through the contact form. We don't run analytics, we don't set cookies, and we don't sell or rent your data.
We handle personal information under the New Zealand Privacy Act 2020. The full detail is below. It's longer than the summary, but everything's in plain language.
Who we are
This site is operated as CitizenTest.co.nz, an independent New Zealand-based study guide. We are the agency responsible for this site under the Privacy Act 2020.
- Site: citizentest.co.nz
- Privacy contact: privacy@citizentest.co.nz
- Postal address: available on request via the privacy contact above.
Citizen Test is independent. It is not affiliated with or endorsed by the New Zealand Government, Te Tari Taiwhenua / the Department of Internal Affairs, or any minister or agency.
The law that applies
We handle personal information under the Privacy Act 2020 and its 13 Information Privacy Principles (IPPs). When we send you email, we follow the Unsolicited Electronic Messages Act 2007. The Fair Trading Act 1986 and Consumer Guarantees Act 1993 also apply where you use our site as an individual.
What we collect, why, and where it's stored
| What | Why | Where |
|---|---|---|
| Your email address and a short label noting which page you signed up from. | To send you a confirmation email, then occasional updates about the citizenship test. We only send what you signed up for. | Stored in our database (Supabase, United States). |
| Contact form: your name, email, optional subject, and message. | To read your message and reply. | Stored in our database (Supabase, United States). |
| Contact form: your IP address and browser User-Agent string (truncated to 500 characters). | To detect spam and rate-limit submissions (we allow three messages per ten minutes). | Stored alongside the contact message. |
| Standard server request data (IP address, request path, timestamp). | Logged automatically by our hosting provider for any visit to any page. This happens for every website you visit. | Vercel (United States). |
| Trust badge interaction (Shielded Site). | A small badge in our footer is loaded from shielded.co.nz; if you click it, the widget loads from a New Zealand CDN. | Shielded.co.nz (New Zealand). |
How long we keep it
We don't keep personal information for longer than is reasonably needed for the purposes above (IPP 9). Our retention rules are:
- Active subscribers (you confirmed your email and haven't unsubscribed): we keep your record while the list is active. If you stop opening emails for an extended period, or we close the list, we'll delete your record within 12 months of your last interaction.
- Unconfirmed signups (you signed up but didn't click the confirmation link): we delete the record after 30 days.
- Unsubscribed records: we delete your plaintext email within 30 days of you unsubscribing. We may keep a one-way hash of your address only as a suppression record so we don't accidentally add you back.
- Contact-form messages we've replied to or actioned: kept for 12 months, then deleted.
- Spam / no-action contact-form messages: kept for 90 days, then deleted.
- IP address and User-Agent attached to contact messages: stripped after 30 days. The message text is kept under the rules above; the IP/UA are only kept for the rate-limit window plus a short triage buffer.
- Server request logs: kept for whatever period our host (Vercel) retains them by default.
We are rolling out the automated purge process that enforces these windows. If you'd like your data deleted sooner than the schedule above, email privacy@citizentest.co.nz and we'll do it.
Who we share it with (sub-processors)
We don't sell your data, and we don't share it with advertising networks (we don't run any). We do rely on a small number of service providers to run the site. Each one only sees what they need to do their job.
| Provider | Role | Data they see | Where |
|---|---|---|---|
| Supabase | Database hosting | Subscriber records and contact messages. | United States (us-east-1) |
| Resend | Email delivery | Your email address and the body of any email we send you. | United States |
| Vercel | Web hosting | Standard request logs (IP address, path, timestamp) for every visit. | United States |
| Shielded Site | Site-verification badge in the footer | Loaded on demand; sees your IP and User-Agent if you click the badge. | New Zealand |
Fonts are self-hosted on this site, so loading the site does not send your IP to Google or any other font CDN.
Sending information overseas
Some of the providers above are based outside New Zealand. Where personal information is transferred to them, we've taken reasonable steps under Information Privacy Principle 12 to ensure your data is protected by comparable safeguards, typically through each provider's data protection agreement and standard contractual clauses.
How we keep your data safe
No system is perfectly secure, but we apply reasonable safeguards (IPP 5):
- All traffic to and from the site is encrypted in transit (HTTPS / TLS).
- Database access is locked to a server-side service-role key. Public access to our tables is denied via Row-Level Security; the service role is the only path to read or write your data.
- Service credentials are stored in our hosting provider's environment, not in source code.
- Email confirmation and unsubscribe tokens are random 24-byte values.
- The contact form is rate-limited (three messages per ten minutes per IP) and includes a basic bot honeypot.
Your rights
Under the Privacy Act 2020, you have rights over the personal information we hold about you:
- Access (IPP 6): you can ask what information we hold about you.
- Correction (IPP 7): you can ask us to correct it if it's wrong.
- Withdraw consent: you can unsubscribe from emails at any time using the link in any email we send you. We honour unsubscribe requests within five working days, as required by the Unsolicited Electronic Messages Act 2007.
- Deletion: you can ask us to delete your record sooner than our retention schedule.
To exercise any of these rights, email privacy@citizentest.co.nz. We aim to respond within 20 working days, in line with the timeframe in the Privacy Act.
If you're not satisfied with our response, you have the right to make a complaint to the Office of the Privacy Commissioner: privacy.org.nz, 0800 803 909, or enquiries@privacy.org.nz.
Privacy breaches
If a privacy breach happens and is likely to cause serious harm, we'll notify the Office of the Privacy Commissioner and the affected individuals as soon as practicable, in line with Part 6 of the Privacy Act 2020.
Cookies and tracking
We don't set any cookies. We don't run analytics, retargeting pixels, ad networks, or session-recording tools. We don't use local storage or session storage.
The Shielded Site badge in our footer is loaded only when you click it. Standard server logging by our host (Vercel) records IP addresses and request data. That's normal for any website.
Children
This site is intended for people 16 years or older. We don't knowingly collect personal information from anyone under 16. If you believe a child has signed up for our emails or sent us a contact message, please email privacy@citizentest.co.nz and we'll delete the record.
Future features
We're planning to add a practice-quiz feature in 2027. When the quiz launches, it may involve storing answers, progress, or results. Before that ships, we'll update this policy to describe what's collected and why, and we'll note the change in our news feed.
Changes to this policy
We'll update this policy as the site evolves. Material changes will bump the "Last updated" date at the top of this page and be noted in our news feed. Subscribers will get an email if the change materially affects how we handle their data.
Contact us
For any privacy-related question or request, email privacy@citizentest.co.nz. We aim to respond within 20 working days.
Effective from .