New privacy research reveals the alarming reach of our digital footprint, with some companies' client files extending to records of casual chats with staff, social media "friends" and deleted CVs.
Seventy-five media studies students made Privacy Act requests for data held on them by banks, social media companies and loyalty cards. It generated a treasure trove of personal information stored by companies such as Trade Me, FlyBuys and One Card - much of it without the individual's knowledge.
"One student was shocked to read, in her gym file, detailed notes on conversations she'd had with the receptionist, including information on her boyfriend and stress she's been experiencing about exams," says a report on the project.
Another found that a website kept a list of all the people she had claimed to be in a relationship with long after she had deleted the information.
"Likewise, a student found Trade Me Jobs stored information such as CVs and cover letters for a period of time after they had been 'deleted'."
Lecturer Kathleen Kuehn, who set the assignment in her third-year course on media, technology and surveillance at Victoria University in Wellington, said most students were surprised by the quantity and types of personal information held about them.
One found their bank held information on a conversation on "life's future plans and dreams", Dr Kuehn said.
"I wanted the students to analyse how they participate in different types or modes of surveillance in their everyday lives, and get them thinking about why privacy matters."
She also found that categorising people based on data collected about them could limit their opportunities.
Trade Me's communications and community officer, Paul Ford, said a privacy policy on the company's website explained that "we store information 'behind the scenes' in our database once the member has deleted it. This is held for a maximum of 62 days and then it is permanently deleted".
He said the policy's wording was being changed to clarify this, because it was at present vague.
The Office of the Privacy Commissioner received 824 complaints in the 2012/13 financial year. Typically more than 60 per cent of complaints are from people seeking access to their personal information.
NetSafe chief technology officer Sean Lyons said "deletion" of computer files meant different things to different people and users of a website should check its terms and conditions. "If you think you're deleting something, you possibly need to check what delete means."
Many people professed concern about privacy, but often easily waived it online. Joining a new website was when a user could most easily impose limits on sharing, he said. "It becomes hard to retroactively take that back and say, 'I don't want to do it'."
Digital footprint not easy to retrace
Courtney Reynolds knows she's striking a commercial deal with internet companies when she relinquishes her privacy online.
"The information I'm giving up, I'm giving up for a certain benefit," says the fourth-year Victoria University law and arts student. That payback includes services such as free messaging.
As part of a media studies assignment investigating a person's digital footprint, she wrote to one small business and two big ones, seeking her personal files.
The small one, a local gym, seemed unfamiliar with such a request but was co-operative and the regional manager quickly sent Miss Reynolds a copy of her gym contract.
"I have to scan in with my key ring each time I go to the gym. She [the manager] sent a screen shot of my window that pops up when I scan in. It's got the number of times I was at the gym - the days, dates and times I scanned in."
But with the big companies, Miss Reynolds was surprised at how little progress she made.
"You're spoken to by call centre operators and there's no way of getting to the people who deal with the information."
The 23-year-old says she is now clearer about who she will give her information to.
"I'm less willing to give information to the companies that are less willing to give it back."