This is a Tautoru view, not a settled position.
Personal information engages the Privacy Act 2020 the moment it is about an identifiable person, and a name is not needed for information to be personal. That can sound like a wall, but the analysis is more workable than the blanket warnings suggest, and it starts before any question of overseas transfer. Minimise first: prefer public or synthetic material, strip direct identifiers, summarise rather than upload, and split a task so the tool sees only what it needs. De-identification has to be real; relabelling someone "Client A" is no use if the surrounding facts still point to a known person. If no personal information goes in and none comes out, the privacy question largely falls away, though confidentiality, privilege and other duties may still apply.
What decides most cases is not whether the server is overseas. It is whether the provider is handling the information only for you, or can also use it for its own purposes. Section 11 of the Act says that where a provider holds information for or on behalf of your organisation, for safekeeping or processing, the information is treated as held by you and not by the provider. A provider in that position is a processor or agent: the transfer is generally not a "disclosure" at all, IPP 11 and IPP 12 will not be engaged, and your central obligations become IPP 5 security and a sound contract. This is the same footing as the email, document storage and practice-management systems that already hold large amounts of personal information offshore on your behalf. We do not treat saving a file to a cloud drive as a privacy breach, because the provider holds it for us and makes no use of its own.
The thing that puts a provider on that footing is a single, checkable fact: it does not use your inputs for its own purposes, and above all does not train its models on them. That assurance can come two ways, and both count. On a business plan it is usually contractual: the terms say your data is not used for training and is processed only to provide the service. On a consumer plan it is increasingly a setting, a model-training toggle you can switch off. Either way the substance is the same: the provider is processing your material for you, not mining it for itself. The meaningful dividing line is own-purpose use, not consumer versus enterprise. A contractual no-train assurance is firmer than a setting, because it is enforceable and does not change when you next open the app, so an enterprise or API arrangement stays the stronger home for anything sensitive; but a consumer plan with training switched off is no longer the thing the Privacy Act tells you to avoid.
Where the provider does make its own use of your inputs, by training on them, by product analytics beyond running the service, by sharing with affiliates or for advertising, it is no longer a mere processor. It is receiving a disclosure in its own right, and if it sits offshore, IPP 12 is squarely engaged. The routes through IPP 12 are then narrow. The cleanest is to be back in the processor position above, where it does not arise. Failing that, IPP 12(1)(f) allows the transfer where you have reasonable grounds to believe the recipient is bound to protect the information with safeguards comparable, overall, to the Privacy Act; in practice that means a data-processing agreement, for which the Privacy Commissioner publishes model clauses. Relying instead on generic overseas law being "comparable" is usually weak, and express informed authorisation, telling each person their information may go to a recipient that will not protect it to New Zealand standards, is rarely workable for documents full of other people's information. So the hard case for personal information is the tool that trains on what you type with no real way to turn it off, not the consumer tier as such.
Two qualifications. First, some information carries more risk and deserves more care whatever the plan. Health, financial, employment, children's and biometric information, and anything otherwise regulated, warrant senior approval and a privacy impact assessment before they go near a general-purpose tool. Second, a no-train footing is a floor and not a substitute for the rest of the analysis; you still want real security, sensible retention, and a provider you would be comfortable naming. But once those are in place, it is difficult to see what more you can usefully demand. Vast amounts of personal information already sit with the same handful of overseas providers, in email, calendars, document stores and practice-management systems, held for us under exactly this processor logic. An AI tool that does not train on your inputs is the same kind of arrangement, and holding it to a standard we apply to nothing else we use is hard to defend.
Our view
The cross-border rule is real, but it is narrower and far more workable than "never put personal information into an overseas tool". The safeguard that matters is a no-training footing, by contract on a business plan or by switching training off on a consumer one, backed by sound security and retention. With that in place the provider is processing your material for you rather than taking it for itself, and the Privacy Act is largely answered; demanding more, when the same information already lives with the same providers in your inbox and document store, is not realistic. Keep personal information out of tools that train on what you type and give you no way to stop them; take advice and complete a privacy impact assessment for high-risk, sensitive, regulated or large-scale uses; and do the section 11 and IPP 12 analysis honestly. How the principles apply to your information, your provider and your use is a question for your own judgment, on your own facts.