API Terms of Use (New Zealand)

An API Terms of Use in New Zealand sets the binding terms on which customers may use the product, website, or service and allocates rights and liabilities under the Companies Act 1993. It defines the service scope, SLA, pricing, data-protection duties, and liability allocation between provider and customer.

In New Zealand, API Terms of Use are governed by the Contract and Commercial Law Act 2017 (CCLA), which provides the legal framework for electronically executed contracts and commercial arrangements, and the Copyright Act 1994, which protects the software, algorithms, and documentation underlying the API. Together, these statutes provide strong protection for API providers and create enforceable obligations for API users.

The modern New Zealand technology ecosystem relies heavily on APIs. Banking APIs enable open banking under the Open Banking framework championed by Payments NZ. Government APIs provide access to data from Statistics New Zealand, Land Information New Zealand (LINZ), and the Ministry of Business, Innovation and Employment (MBIE). Telecommunications providers offer APIs for messaging, authentication, and network services. Weather data providers, mapping services, agricultural data platforms, and health technology companies all operate APIs that form the backbone of New Zealand’s digital economy.

The Privacy Act 2020 is a critical consideration for API providers in New Zealand. Where an API collects, processes, or provides access to personal information about identifiable individuals, both the Provider and the User must comply with the 13 Information Privacy Principles (IPPs). IPP 1 governs the collection of personal information; IPP 5 requires appropriate security measures; IPP 10 limits the use of personal information; and IPP 11 restricts disclosure to unauthorised parties. The Privacy Act 2020 also introduced mandatory privacy breach notification, which applies to any organisation that experiences a breach involving personal information that is likely to cause serious harm.

For New Zealand API providers that serve international users, additional considerations apply. The CCLA confirms that electronic contracts with overseas users are enforceable under New Zealand law, but providers should also consider whether their API may be subject to overseas regulations such as the EU General Data Protection Regulation (GDPR) for EU-based users, or the Australian Privacy Act 1988 for Australian users. API Terms of Use should address the governing law and jurisdiction applicable to disputes, specify how cross-border personal information transfers are handled in accordance with IPP 12, and clarify any export control obligations.

The Harmful Digital Communications Act 2015 (HDCA) is also relevant to API providers whose APIs may be used to send messages or publish content. The HDCA prohibits the sending of digital communications that are threatening, harassing, or offensive. API Terms of Use should expressly prohibit Users from using the API for any activity that would constitute a harmful digital communication under the HDCA. The Fair Trading Act 1986 also prohibits misleading representations, and API Terms of Use should confirm that the description of the API’s capabilities is accurate and not misleading.

API Terms of Use are required whenever an organisation makes an API available to external users, whether on a free, freemium, or paid basis. The nature of the API, the intended user base, and the type of data or services provided will all influence the content of the Terms, but the fundamental need for a clear, binding agreement exists in all cases.

Software companies and SaaS providers are the most common users of API Terms of Use in New Zealand. When a software business offers an API that allows third-party developers to integrate with its platform, the Terms define the scope of the licence, the technical constraints on API usage (such as rate limits), the intellectual property rights in the API, and the grounds for suspension or termination of access. Without clear Terms, the Provider has limited legal recourse against Users who misuse the API, circumvent rate limits, or use the data in unauthorised ways.

Data providers and analytics platforms that offer access to datasets through an API must address both intellectual property and privacy obligations in their Terms. Where the data includes personal information about identifiable individuals, the Terms must reflect the requirements of the Privacy Act 2020. Data platforms in the agricultural, environmental, health, and financial sectors often have additional regulatory obligations that should be reflected in the API Terms of Use.

Financial services companies offering open banking APIs under the Payments NZ framework must confirm that their Terms comply with applicable financial services legislation, including the Financial Markets Conduct Act 2013 and the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act). Where the API provides access to customer account data or enables payment initiation, the Terms must also address liability for fraudulent or unauthorised transactions.

Government agencies and publicly funded research organisations that provide APIs for access to public data — such as LINZ property data, Statistics NZ datasets, or environmental monitoring data — need API Terms of Use that reflect both the public interest in open data and the organisation’s legal obligations regarding data accuracy, intellectual property, and privacy. The New Zealand Government Open Access and Licensing framework (NZGOAL) provides guidance on licensing government data, and API Terms should align with this framework where applicable.

E-commerce platforms, marketplaces, and logistics providers that offer APIs to merchants, suppliers, or logistics partners need Terms that address the commercial relationship as well as the technical constraints. These Terms should include provisions on the use of transaction data, liability for errors in API data that affect customer orders or deliveries, and the process for updating or deprecating API versions. A formal deprecation policy, incorporated into the Terms or published separately, helps Users plan for API version changes.

A thorough API Terms of Use document for use in New Zealand should include the following key provisions.

The API description clause provides a clear and accurate description of the API’s functionality, the data or services it provides, and the technical format of responses (such as JSON or XML). Accuracy in this clause is essential under the Fair Trading Act 1986, which prohibits misleading representations about services. The clause should also note that the Provider may update or modify the API from time to time and specify the notice process for material changes.

The access and credentials clause sets out how Users obtain access to the API (for example, through an API key, OAuth 2.0 token, or certificate), the User’s obligations regarding the security of their credentials, and the consequences of failing to secure those credentials. It should also address rate limits and usage quotas, which are critical for managing the Provider’s infrastructure costs and confirming fair access for all Users.

The permitted uses clause grants the User a limited licence to access and use the API for specified purposes. The licence should be described as non-exclusive, non-transferable, and revocable to preserve the Provider’s ability to terminate access if the User breaches the Terms. The clause should specify any restrictions on sublicensing or reselling API access, which are common concerns for Providers offering commercial APIs.

The prohibited uses clause lists the activities that are expressly not permitted. Common prohibitions include reverse engineering the API, circumventing security controls, using the API to transmit malware, scraping data beyond agreed limits, using the API to build a competing service, and using the API in a manner that violates New Zealand law. This clause should reference the Harmful Digital Communications Act 2015, the Privacy Act 2020, and the Fair Trading Act 1986 where relevant.

The intellectual property clause confirms that the Provider owns all copyright and other IP in the API, its documentation, and its underlying technology, and that no ownership rights are transferred to Users. It should also address User-generated content or feedback submitted in connection with the API, and grant the Provider a licence to use such feedback without compensation.

The privacy clause addresses the Provider’s collection of usage data from API calls and the User’s own obligations when using the API to process personal information. It should reference the Privacy Act 2020 and the Information Privacy Principles (IPPs) and direct Users to the Provider’s full Privacy Policy.

The limitation of liability clause caps the Provider’s exposure to claims arising from the provision of the API. New Zealand law permits limitation of liability clauses between business users, subject to the Consumer Guarantees Act 1993 and the Fair Trading Act 1986 where applicable. The clause should exclude indirect and consequential losses and cap total liability at a defined amount.

The termination and suspension clause specifies the circumstances under which the Provider may revoke API access, including breach of the Terms, non-payment of fees, or conduct that jeopardises the security or performance of the API. The governing law clause confirms that the Terms are governed by New Zealand law, including the CCLA and the Copyright Act 1994, and specifies the courts of New Zealand as having jurisdiction over disputes. The forms-legal.com API Terms of Use (New Zealand) provides a ready-to-use template that meets New Zealand legal requirements.