Privacy Policy

1. Introduction

Comply Copilot Limited (we, us, our) complies with the New Zealand Privacy Act 2020 (the Act) when dealing with personal information. Personal information is information about an identifiable individual (a natural person).

This policy sets out how we collect, use, disclose, and protect your personal information when you use our website, platform, and related services (collectively, the Services).

This policy does not limit or exclude any of your rights under the Act. If you wish to seek further information on the Act, see www.privacy.org.nz.

2. Changes to This Policy

We may change this policy by uploading a revised policy onto our website. The change will apply from the date that we upload the revised policy. We encourage you to review this policy periodically.

This policy was last updated on 28 March 2026.

3. Who We Collect Personal Information From

We collect personal information about you from:

  • you, when you provide that personal information to us, including via our website, through any registration or subscription process, through any contact with us (e.g. telephone call, email, or online form), or when you purchase or use our Services;

  • your organisation, where you are an authorised user or contact person for one of our business customers;

  • third parties where you have authorised this or the information is publicly available; and

  • social authentication providers (Google or Microsoft) where you choose to sign in using those services.

If possible, we will collect personal information from you directly.

4. Types of Personal Information We Collect

4.1 Information about our customers and their users

When you sign up for or use our Services, we may collect:

  • your name, job title, and role;

  • your email address, phone number, and other contact details;

  • your organisation’s name and business address;

  • project address details associated with your use of our Services;

  • account credentials and authentication information (including social sign-in tokens from Google or Microsoft); and

  • billing and payment information (processed via third-party payment providers).

4.2 Information processed on behalf of our customers (End-User Data)

Our customers may submit data to us through the Services for the purpose of compliance document and report generation. This data may include personal information about our customers’ own clients (End-User Data). We process End-User Data on behalf of, and under the instructions of, our customers. Our customers are responsible for ensuring that they have obtained appropriate consents or authorisations for the collection and disclosure of End-User Data to us.

End-User Data is stored in our database for the purpose of document and report generation processing. It is not readily made available to third parties for processing, except where it is processed using our AI-powered features as described in section 8 below.

We do not ordinarily use End-User Data for our own purposes. The scope and nature of End-User Data is determined by our customer, and its use is governed by the contract between us and that customer. If you have any concerns about how one of our customers is handling your personal information through our platform, you should contact that customer directly in the first instance.

4.3 Information received outside our platform

From time to time, customers may provide us with personal information outside of our platform, for example via email or messaging services such as Slack. Where this occurs, that information may be held temporarily on our local devices or within those third-party communication platforms. We take reasonable steps to transfer such information into our secure systems promptly and to delete local copies once they are no longer required. However, residual copies may remain within email accounts, messaging histories, or device backups.

4.4 Information collected automatically

When you visit our website or use our Services, we may automatically collect:

  • your IP address, browser type, operating system, and device information;

  • pages visited, links clicked, and other usage and engagement data;

  • error and performance data captured by our bug monitoring tools (Sentry), which may include technical identifiers or contextual information about your session; and

  • information collected through cookies, pixels, and similar technologies (see section 12 below).

5. Why We Collect Your Personal Information

The following table sets out the purposes for which we collect your personal information, the categories of personal information involved, and why we need it for each purpose.

Account creation and management

  • Information involved: Name, email, contact details, organisation name, authentication credentials.

  • Why we need it: To register you as a user, verify your identity, and manage your account on our platform.

Providing our Services

  • Information involved: Contact details, project address details, End-User Data submitted by customers.

  • Why we need it: To deliver our compliance document and report generation services to you and your organisation.

AI-powered features

  • Information involved: End-User Data and project data submitted through the platform.

  • Why we need it: To process data using third-party AI services in order to generate outputs within our Services (see section 8).

Customer support

  • Information involved: Name, email, contact details, technical and usage information.

  • Why we need it: To respond to your enquiries, troubleshoot issues, and provide technical support via Sentry and Slack.

Customer relationship management

  • Information involved: Name, email, contact details, organisation name, communication history.

  • Why we need it: To manage our relationship with you and your organisation, including through HubSpot.

Marketing communications

  • Information involved: Name, email, marketing preferences.

  • Why we need it: To send you information about our Services where you have opted in or we are otherwise permitted to do so.

Analytics and service improvement

  • Information involved: IP address, browser type, device information, usage and engagement data.

  • Why we need it: To understand how visitors use our website and Services so we can improve them, including through Amplitude.

Bug monitoring and error tracking

  • Information involved: Technical identifiers, session data, error logs.

  • Why we need it: To identify, diagnose, and resolve bugs, errors, and performance issues using Sentry.

Security and fraud prevention

  • Information involved: IP address, traffic data, access logs.

  • Why we need it: To protect our platform from unauthorised access, attacks, and other security threats, including through Cloudflare.

Billing and payment

  • Information involved: Name, contact details, billing information.

  • Why we need it: To bill you and collect payments owed to us, including authorising and processing transactions.

Legal compliance and enforcement

  • Information involved: Any category as required.

  • Why we need it: To comply with legal obligations, enforce our rights, and defend against claims.

6. How We Use Your Personal Information

In addition to the purposes set out in the table in section 5 above, we will use your personal information:

  • to verify your identity and manage your account;

  • to authenticate your access via social sign-in providers (Google or Microsoft);

  • to provide our Services to you and your organisation;

  • to process compliance documents and reports on behalf of our customers;

  • to communicate with you about your account, the Services, and any support requests;

  • to send you marketing and promotional communications where you have opted in or we are otherwise permitted to do so (you can opt out at any time);

  • to analyse and improve our Services, including through aggregated and anonymised usage data;

  • to monitor website engagement and performance using analytics tools;

  • to identify, diagnose, and resolve bugs, errors, and performance issues in our Services;

  • to prevent unauthorised access, attacks, or other security threats to our systems;

  • to protect and enforce our legal rights and interests, including defending any claim;

  • to comply with our legal and regulatory obligations; and

  • for any other purpose authorised by you or the Act.

7. Disclosing Your Personal Information

We may disclose your personal information to:

  • any person within our organisation who needs access to perform their role;

  • approved third-party service providers who help us deliver and support our Services (listed in the table in section 7.1 below);

  • third-party artificial intelligence providers as described in section 8;

  • professional advisers, including lawyers, accountants, and auditors;

  • a person who can require us to supply your personal information (e.g. a regulatory authority);

  • any other person authorised by the Act or another law (e.g. a law enforcement agency); and

  • any other person authorised by you.

We may disclose or use aggregated or de-identified data for any purpose.

We may also transfer your information in the case of a sale, merger, consolidation, liquidation, reorganisation, or acquisition of our business.

7.1 Third-party service providers

We use the following third-party service providers to help deliver our Services. Each provider has been reviewed for appropriate security and compliance measures.

Amazon Web Services (AWS)

  • Purpose: Cloud infrastructure and data hosting

  • Data location: Sydney

HubSpot

  • Purpose: Customer relationship management

  • Data location: Sydney

Amplitude

  • Purpose: Website and product analytics

  • Data location: United States

Sentry

  • Purpose: Bug monitoring, error tracking, and customer support

  • Data location: United States

Slack

  • Purpose: Internal communications and customer support

  • Data location: United States

Cloudflare

  • Purpose: Content delivery, security, and DDoS protection

  • Data location: APAC

In addition to the providers listed above, we use third-party artificial intelligence providers as described separately in section 8 below.

8. Use of Artificial Intelligence

Our Services include AI-powered features that utilise third-party artificial intelligence platforms. When you use these features, certain data (which may include End-User Data submitted by our customers) may be sent to one or more third-party AI providers for processing. This data is used solely for the purpose of generating outputs within our Services.

8.1 AI provider selection and security

We select AI providers that maintain robust security and compliance certifications appropriate to the nature of the data being processed. Our current AI providers hold the following certifications and compliance frameworks:

  • ISO 27001 (Information Security Management);

  • ISO 42001 (Artificial Intelligence Management System);

  • SOC 2 Type I and Type II;

  • HIPAA-ready configuration with Business Associate Agreement (BAA) support;

  • SOC 1 and SOC 3;

  • ISO 9001 (Quality Management), ISO 27017 (Cloud Security), ISO 27018 (Protection of Personal Data in the Cloud), and ISO 27701 (Privacy Information Management);

  • FedRAMP High authorisation;

  • PCI DSS; and

  • compliance support for GDPR, COPPA, and FERPA.

We require that our AI providers do not use your data to train their general-purpose models, subject to the applicable data processing terms in place with each provider. We regularly review our AI providers’ security posture and compliance certifications.

8.2 Data processing and overseas transfer

AI providers may process data on infrastructure located outside New Zealand, including in the United States and other jurisdictions. By using AI-powered features of our Services, you acknowledge that data may be processed by our AI providers’ infrastructure overseas. Section 9 of this policy sets out how we manage overseas disclosures.

We may change or add AI providers from time to time. Where we do so, we will ensure that any new provider meets equivalent or higher security and compliance standards. Material changes to our AI providers will be reflected in updates to this policy.

9. Overseas Disclosure of Personal Information

Some of the third parties we work with (as listed in sections 7.1 and 8) store or process personal information outside New Zealand, including in the United States, the European Union, and the Asia-Pacific region.

Where we disclose personal information to an overseas entity, we take reasonable steps to ensure that the recipient is subject to privacy laws or contractual obligations that provide comparable protections to those under the Act, or that another exception under the Act applies. Where an overseas entity holds or processes information solely on our behalf and does not use it for its own purposes, the overseas disclosure rules under the Act do not apply.

10. Protecting Your Personal Information

We take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse. These steps include:

  • access controls and authentication measures to restrict access to personal information;

  • encryption of data in transit and at rest;

  • use of Cloudflare for content delivery, DDoS protection, and web application security;

  • monitoring for unauthorised access or attacks using third-party security services, which may have access to logging and traffic data;

  • regular review of our security practices and infrastructure; and

  • contractual obligations on our third-party service providers to maintain appropriate security.

You also play an important role in protecting your personal information. You can assist our security measures by using a strong, unique password for your account and keeping it secure. If you suspect there has been any unauthorised access to or misuse of your personal information, please contact us immediately.

However, no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

11. Data Storage and Retention

We will retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements.

Data processed within our Services is stored on our cloud infrastructure (AWS) and is encrypted and backed up. In the event of data loss or corruption, backed-up data can be retrieved.

As noted in section 4.3, data may sometimes be held on local devices or within third-party communication platforms (such as email or Slack) where it has been provided to us outside of our platform. We take reasonable steps to transfer such data into our secure systems and to delete local copies when no longer required.

When personal information is no longer required, we will take reasonable steps to securely delete or de-identify it.

12. Cookies and Similar Technologies

We use cookies and similar tracking technologies (such as pixels and local storage) to monitor and analyse your use of our website and Services. Cookies are small text files placed on your device that help us recognise your browser and capture certain information.

We use cookies for the following purposes:

  • essential cookies that are necessary for the operation of our website and Services;

  • analytics cookies (including those used by Amplitude) that help us understand how visitors engage with our website so that we can improve it; and

  • functionality cookies that remember your preferences and settings.

You may disable cookies by changing the settings on your browser, although this may affect your ability to use some features of our website and Services.

13. Marketing Communications

Where we have your consent or are otherwise permitted by law, we may send you marketing or promotional communications about our Services by email or other electronic means. You can opt out of receiving these communications at any time by using the unsubscribe link in any marketing email, or by contacting us at hi@complycopilot.com.

Where you opt out of marketing communications, this will not affect any service-related communications that are necessary for us to deliver and manage the Services.

14. Accessing and Correcting Your Personal Information

Subject to certain grounds for refusal set out in the Act, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates.

If we think a requested correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction.

If you want to exercise either of these rights, please email us at hi@complycopilot.com. Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting).

We may charge you our reasonable costs of providing copies of your personal information or correcting that information.

15. What Happens If You Do Not Provide Your Personal Information

If you do not provide us with the personal information described in this policy, some or all of the following may occur:

  • we may not be able to create or manage your account on our platform;

  • we may not be able to provide our Services to you or your organisation, either to the same standard or at all;

  • we may not be able to respond to your enquiries or provide you with customer support;

  • we may not be able to communicate with you about updates, changes, or issues affecting the Services; and

  • your experience of our website may be limited, as we may not be able to personalise or optimise it for you.

Where it is lawful and practicable, you may choose not to identify yourself or to use a pseudonym when contacting us. However, if you do not provide the personal information we reasonably require, we may not be able to provide you with our Services.

16. Internet Use

While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.

If you follow a link on our website to another site, the owner of that site will have its own privacy policy relating to your personal information. We suggest you review their privacy policy before you provide any personal information. We are not responsible for the privacy practices of third-party websites.

We may use information about your use of our website and other systems to prevent unauthorised access or attacks on our platform. We may utilise services from one or more third-party suppliers (including Cloudflare and Sentry) to monitor use of our systems. These third-party suppliers may have access to monitoring, logging, and traffic information as well as information processed on our website and other systems.

17. Our Policy Towards Children

Our website and Services are designed for business users, and we do not sell our Services to children. We do not knowingly collect personal information from children under the age of 16.

If you become aware that a child under 16 has provided us with personal information, please contact us using the details in section 18 below. If we become aware that we have collected personal information from a child under 16, we will take prompt steps to delete that information.

18. Contacting Us

If you have any questions about this privacy policy, our privacy practices, or if you would like to request access to or correction of your personal information, you can contact us at:

Comply Copilot Limited

Email: hi@complycopilot.com