No, they did not in any way break the law. As they wrote themselves:
> I did some research and found that the app did in fact have a responsible disclosure policy which at that point, I was happy to continue forth.
Under New Zealand's Crimes Act, all unauthorised access is illegal. This has been used in court to cover places where someone was not pre-approved, rather than just a policy that gives an implied acceptance. It has also been used where someone has accidentally gained access via unsecured systems.
I would not be so confident in stating that they did not break the law.
Any half-decent VDP will have a safe harbour clause. Otherwise it isn't a true VDP but rather just contact details.
So far, the courts have ruled that you need to be specifically approved, by name, before any works begin. There is no safe harbour here. Your policy does not overrule the law. You need a pre-existing relationship with the company, before you begin to look for vulnerabilities.