What we will do
- Collect from iCloud, Google Workspace, Microsoft 365, messaging platforms (e.g. WhatsApp, Signal, Telegram) and social media accounts where we have the account holder's informed consent or another lawful basis.
- Act under a court order, subpoena, search warrant or production notice where one is in force.
- Use vendor-supported acquisition and takeout mechanisms (e.g. Apple Data & Privacy, Google Takeout, Microsoft 365 eDiscovery, vendor APIs) with valid credentials supplied by the account holder.
- Document the lawful basis on the matter file before collection commences.
What we will not do
- Bypass account security, two-factor authentication or device protections.
- Steal, guess or crack passwords belonging to another person.
- Access another person's cloud account without their consent or proper legal authority.
- Use stolen, leaked or unlawfully obtained credentials.
- Use techniques that would breach the Criminal Code Act 1995 (Cth), the Crimes Act 1914 (Cth), state computer-misuse offences or equivalent New Zealand offences.
Joint accounts and shared devices
For accounts or devices with more than one lawful user, we may proceed where one user with authority instructs us, unless the shared user's privacy rights or a court order require otherwise. We will raise these issues at intake.
If authority is unclear
If lawful authority cannot be established, we will decline the work. We will not proceed on assurances alone where the circumstances suggest the authority is in dispute.