Privacy Policy

The SHEPHERD Leadership Assessment  ·  shepherd360.org
Version 1.1  ·  Last updated 14 June 2026

This Privacy Policy explains how the SHEPHERD Leadership Assessment (“the Service”, “we”, “us” or “our”) collects, uses, stores, discloses and protects your personal information. The Service is operated by Jan De Lange (“the Operator”) and is based on the book SHEPHERD Leadership. We are committed to handling your personal information in accordance with the New Zealand Privacy Act 2020 and the thirteen Information Privacy Principles (IPPs) it sets out.

By creating an account, completing an assessment, or otherwise using the Service, you acknowledge that you have read and understood this Policy. Please read it carefully, and in particular section 12 (Data retention, backups and our limitation of responsibility).

Our commitment to you

Your information is never made public, and your assessment results and report remain private to you. We will never sell your information, and we will never share it with any outside party for that party’s own purposes. The only parties who ever receive your information are the trusted service providers strictly necessary to run the Service (listed in section 8), any reviewers you personally choose to invite, and — only where the law requires it — a lawful authority. Beyond that, your information stays private. We will always do our very best to protect it.

1. Who is responsible for your information

The Operator is the “agency” responsible for your personal information under the Privacy Act 2020. We have appointed a Privacy Officer who is responsible for ensuring our compliance with this Policy and with the Act. You can contact the Privacy Officer using the details in section 20.

2. Scope of this Policy

This Policy applies to personal information we collect through the Service, including through the website at shepherd360.org, the registration process, the assessments you complete, and any 360-degree feedback collected on your behalf. It does not apply to third-party websites or services that we link to or rely on, each of which has its own privacy policy (see section 8).

3. The personal information we collect

We may collect and hold the following categories of personal information:

  • Account information — your name, email address, and a securely hashed version of your password (we never store your password in readable form).
  • Profile information — the church, charity or organisation you are associated with, and your role (for example, elder, pastor, board chair, staff member or volunteer). These fields are optional.
  • Assessment information — your responses to assessment questions, your scores, the assessment type and date, and the leadership development report generated for you.
  • 360-degree feedback information — where you invite others to provide feedback, we collect the name, email address, relationship and ratings of those reviewers. If you are a reviewer, we collect the responses you submit.
  • Transaction information — records of payments or access codes used to unlock assessments. Card payments are processed by Stripe; we do not collect or store your full card details (see section 16).
  • Technical information — limited technical data necessary to operate the Service securely, such as session cookies and server logs.

4. How we collect your information (IPPs 1, 2 & 4)

We collect personal information directly from you when you register, complete an assessment, invite reviewers, or contact us. Where you invite a reviewer, we collect that reviewer’s information from you, and you confirm that you have a reasonable basis for providing it. We collect information only by lawful and fair means, and only what is reasonably necessary for the purposes described below.

5. Why we collect and use your information (IPPs 1 & 10)

We collect and use your personal information to:

  • create and administer your account, and verify your email address;
  • provide the assessment, calculate your scores, and generate your leadership development report;
  • facilitate 360-degree feedback that you choose to request;
  • process payments and redeem access codes;
  • send you service-related emails, such as verification, password reset, and report notifications;
  • respond to your enquiries and provide support;
  • maintain the security, integrity and proper functioning of the Service; and
  • comply with our legal obligations.

We will not use your personal information for a purpose other than those described above unless you would reasonably expect it, you have authorised it, or the use is otherwise permitted under the Privacy Act 2020.

6. How your report is generated

Every assessment automatically generates a standard report entirely on our own server, from a fixed library of feedback written by Jan De Lange and drawn from the books The SHEPHERD Leadership Model and Christian Leaders in Governance. This report is assembled by matching your scores to the relevant book-based feedback. No personal data, names, or identifying information is transmitted outside our server to produce the standard report.

You may also choose to generate an enhanced report. If you select this option, your anonymous dimension scores and individual question ratings are sent to Anthropic (the provider of the Claude AI service) to produce a deeper, personalised analysis. We never send your name, email address, church, organisation, role, or any other personal details to Anthropic — only the numeric scores from your completed assessment. Anthropic processes this data under its own privacy policy. By choosing the enhanced report you acknowledge and consent to this limited, anonymous transmission. You may always use the standard report without choosing the enhanced option.

Both reports are development aids and are not substitutes for professional, pastoral, legal or financial advice.

7. When we disclose your information (IPP 11)

We do not sell your personal information, and we do not share it for marketing purposes. We disclose your information only as necessary to operate the Service or where permitted or required by law, including to the trusted service providers in section 8, and:

  • to the reviewers you choose to invite (and, to you, the aggregated results they submit);
  • where you have authorised the disclosure;
  • where disclosure is necessary to prevent or lessen a serious threat to someone’s life, health or safety; or
  • where we are required to do so by law or a lawful request from an authority.

8. Service providers we rely on

We use the following third-party providers to deliver the Service. Each handles your information under its own privacy terms:

  • Elestio — secure hosting and database storage for the Service.
  • Stripe — payment processing for paid assessments.
  • Google (Gmail / Google Workspace) — delivery of service-related emails.
  • Anthropic — AI processing for the optional enhanced report only. When you choose the enhanced report, your anonymous scores (no personal details) are sent to Anthropic. If you use only the standard report, nothing is sent to Anthropic. See section 6 for full details.

9. Sending information outside New Zealand (IPP 12)

Some of the providers listed above store or process information on servers located outside New Zealand. Where we disclose your personal information to an overseas party, we take reasonable steps to ensure it is subject to comparable privacy safeguards, or we rely on an exception permitted under the Privacy Act 2020 (for example, where the disclosure is necessary to provide the service you have requested). By using the Service, you acknowledge that your information may be stored and processed overseas.

10. Security of your information (IPP 5)

We take reasonable steps to protect your personal information against loss, unauthorised access, use, modification or disclosure. These steps include encrypting data in transit using HTTPS, hashing passwords, restricting administrative access, and hosting on infrastructure that applies industry-standard safeguards. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

11. Notifiable privacy breaches

If a privacy breach occurs that we believe has caused, or is likely to cause, serious harm, we will notify the affected individuals and the Office of the Privacy Commissioner as required by the Privacy Act 2020.

12. Data retention, backups and our limitation of responsibility (IPP 9)

We retain your personal information only for as long as is reasonably necessary for the purposes described in this Policy, or as required by law. We may delete inactive accounts and their associated data from time to time.

The Service is provided on an “as is” and “as available” basis. We do not warrant or guarantee that your data, reports or assessments will be stored permanently, will remain continuously available, or will not be lost, corrupted or deleted. Data may become unavailable or be lost due to technical failure, service interruption, account deletion, or events beyond our reasonable control.

You are responsible for keeping your own backups. We strongly encourage you to download and securely retain your own copy of every report and assessment (for example, the PDF report) as soon as it is generated. To the maximum extent permitted by law, we accept no responsibility or liability for any loss of, or inability to access, your data, reports or assessments, or for any loss or damage arising from your reliance on the continued availability of the Service.

Nothing in this Policy excludes, restricts or modifies any right or remedy, or any guarantee, warranty or other term implied or imposed by law (including the Privacy Act 2020 and, where it applies, the Consumer Guarantees Act 1993) that cannot lawfully be excluded or limited.

13. Accessing and correcting your information (IPPs 6 & 7)

You have the right to request access to the personal information we hold about you, and to request correction of any information that is inaccurate, out of date, incomplete or misleading. You can update much of your profile information directly in your account, or contact our Privacy Officer. We will respond to requests as soon as reasonably practicable and within the timeframes set by the Privacy Act 2020. You may also ask us to delete your account and associated personal information, subject to any legal retention obligations.

14. Accuracy of your information (IPP 8)

We take reasonable steps to ensure that personal information is accurate, complete and up to date before we use it. Please help us by keeping your account information current.

15. Unique identifiers (IPP 13)

We assign an internal account identifier to operate the Service. We do not use government or other external unique identifiers as your account identifier, and we will not require you to disclose a unique identifier assigned by another agency except as permitted by law.

16. Payments

Payments for paid assessments are processed securely by Stripe. We do not receive or store your full card number, CVC or other sensitive cardholder data. Your use of Stripe is subject to Stripe’s own privacy policy and terms.

17. Cookies and session data

We use a single essential session cookie to keep you logged in and to protect against cross-site request forgery. This cookie is necessary for the Service to function and does not track you across other websites. We do not use third-party advertising or analytics cookies.

18. Children and young people

The Service is intended for adults in leadership, governance or staff roles. It is not directed at children. If you believe a child has provided us with personal information, please contact our Privacy Officer so we can address it.

19. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will update the version number and date at the top of this page. Your continued use of the Service after a change takes effect constitutes your acceptance of the updated Policy.

20. How to contact us

If you have any questions, requests or concerns about this Policy or about how we handle your personal information, please contact our Privacy Officer:

Privacy Officer — The SHEPHERD Leadership Assessment
Email: jan@coatnz.org
Website: shepherd360.org

21. Complaints

If you are not satisfied with how we have handled your personal information or a privacy request, you may complain to the Office of the Privacy Commissioner:

Office of the Privacy Commissioner
Website: privacy.org.nz
Phone: 0800 803 909

By creating an account and ticking the consent box at registration, you confirm that you have read and agree to this Privacy Policy, including section 12, and that you are responsible for keeping your own backups of your reports and assessments.

Back