Last updated: 1 June 2026. This page is written for a New Zealand business context and is not legal advice.
Contents
- Information we collect
- How we use information
- Portal, files, payments, AI, marketing, bookings, and domains
- Providers and overseas processing
- Security, retention, rights, and breach handling
1. Information we collect
- Identity and contact details, such as name, email, phone, business name, role, address, billing contact, referral code, staff/freelancer details, and account status.
- Account and authentication information, such as email verification, invite status, role, client or affiliate IDs, password metadata, login timestamps, session version, failed sign-in details, reset or confirmation tokens, and audit records.
- Business, website, project, quote, support, domain, and add-on details, including submitted notes, current website URLs, requested features, screenshots, logos, files, service priorities, budgets, approvals, and internal follow-up notes.
- Payment and billing records, including Stripe customer IDs, checkout/session references, invoice details, subscription status, payment status, manual payment links, transaction records, tax/GST information, payment method labels, Stripe fee references, and webhook records. We do not intentionally collect full payment card details.
- Referral and affiliate information, including referral clicks, referral leads, referral rewards, custom referral codes, payout method/status details, promotional activity logs, compliance notes, and affiliate resources used.
- Marketing and communication information, including contact lists, tags, campaign membership, template and campaign activity, delivery/open/click/bounce/complaint events, unsubscribe records, suppression status, and email automation logs.
- Booking information, including client name, email, phone, company, message, selected service, date/time, timezone, status, reminders, cancellation/reschedule tokens, Microsoft event IDs, and Teams join URLs where applicable.
- Technical and usage information, including IP address, user agent, browser, device type, operating system, language, timezone, referrer, URL captured, screen details, approximate location from network data, consent state, rate-limit events, logs, and security/audit events.
- AI and knowledge-search records, including prompt context, output summaries, feature used, model/gateway metadata, usage status, and related project or support metadata. We aim to avoid storing sensitive secrets in AI request metadata.
2. How we collect information
- Directly from you when you submit forms, register, sign in, verify email, upload files, request quotes, request support, request domains, book meetings, apply as an affiliate or freelancer, update settings, reply to emails, or use portal features.
- Automatically through the website, portal, cookies, session cookies, consent tools, Turnstile, rate limits, logs, analytics or cookie-intelligence records, and security systems.
- From service providers and integrations, such as Stripe, Cloudflare, Microsoft, Resend or other email providers, GitHub, domain/registrar providers, payment providers, analytics tools, and public business sources where relevant to a requested service.
- Where we collect personal information from another source, for example a referrer, provider, staff member, public business source, or imported portal user record, we aim to give notices required by Privacy Act 2020 information privacy principles, including indirect-collection notices where applicable.
- From internal team members when they record project progress, quote approvals, admin decisions, support classification, manual payment notes, affiliate review notes, audit events, or customer follow-up records.
3. How we use information
- To provide, quote, invoice, deliver, support, maintain, improve, secure, and administer website projects, custom builds, managed services, domain services, add-ons, bookings, support requests, and portal accounts.
- To verify identity, manage access, enforce roles, prevent fraud, detect abuse, operate Turnstile, apply rate limits, investigate security events, maintain audit logs, and protect customers and systems.
- To process payments, reconcile invoices, manage subscriptions, handle refunds or credits, track taxes/GST, link payments to quote requests, and maintain accounting records.
- To send transactional notices, account emails, invite emails, booking notices, quote updates, support responses, payment notifications, portal notices, security notices, and administrative messages.
- To send marketing or newsletter emails where we have a lawful basis, consent, or an existing relationship that permits it, and to honour unsubscribe, suppression, bounce, and complaint records.
- To operate AI-assisted features, knowledge search, maintenance summaries, admin assistance, website generation support, and quality-control workflows.
- To administer affiliate referrals, commission eligibility, duplicate checks, payout review, promotional compliance, resource distribution, and program changes.
- To comply with law, enforce legal terms, respond to disputes, preserve evidence, recover debts, support insurance, and meet tax/accounting obligations.
4. Portal, files, payments, AI, marketing, bookings, and domains
- Portal records may be stored in Cloudflare D1, private R2 storage, KV, Queues, Vectorize, audit logs, and related Cloudflare Workers infrastructure. File downloads may use short-lived signed URLs.
- Stripe handles card collection, hosted checkout, billing, customer portal, and webhook events. We store payment references and status records required to deliver, reconcile, and support paid services.
- Cloudflare Turnstile helps reduce form and login abuse. Missing or failed verification may stop form, login, quote, registration, or support submission.
- Workers AI and AI Gateway may process AI prompts and outputs for site assistance, admin assistance, copy suggestions, maintenance summaries, knowledge search, or studio workflows. Do not submit secrets or highly sensitive information into AI fields unless we have agreed a secure process.
- Marketing tools may create records for portal users and other contacts. Campaign emails should include an unsubscribe path, and contacts that are unsubscribed, bounced, complained, or suppressed should be skipped.
- Microsoft Graph may be used by an admin-connected calendar integration to create calendar-backed Teams meetings. Microsoft tokens are intended to stay encrypted server-side and not be sent to the browser.
- Domain search and domain request workflows may use Cloudflare Registrar or DNS-related APIs. Domain availability, pricing, registry rules, and renewal timing may change outside our control.
5. Disclosure and providers
We may disclose personal information to staff, contractors, freelancers, accountants, legal or security advisers, payment providers, email providers, hosting providers, analytics providers, AI/search providers, cloud infrastructure providers, domain/DNS/registrar providers, Microsoft, GitHub, Stripe, Cloudflare, Resend, and other providers needed for the relevant service. We may also disclose information where required or permitted by law, to protect rights or safety, to collect debts, or in connection with a business restructure.
Some providers process or store information outside New Zealand. Where information is disclosed overseas, we aim to use reputable providers, contractual safeguards, access controls, or comparable protections appropriate to the service.
6. Storage, security, and retention
- We use role-based access, HTTPS, HTTP-only session cookies, server-side Turnstile verification, private file storage, signed file links, rate limiting, audit logging, provider secrets, Stripe webhook signature checks, and encrypted Microsoft token storage where applicable.
- No online system is completely secure. You must avoid sharing passwords, payment card details, private keys, API secrets, or unnecessary sensitive information through forms, support notes, uploads, or AI prompts.
- We keep information for as long as needed for service delivery, support, security, audit, tax/accounting, legal, dispute, warranty, referral, and compliance purposes. We may retain backups, logs, invoices, payment records, and audit records after an account or project closes.
7. Access, correction, deletion, and complaints
You may request access to or correction of your personal information. You may also ask us to delete or restrict certain information, though we may need to keep records where required for legal, tax, accounting, security, dispute, payment, audit, or service-continuity reasons. If you have a privacy complaint, contact us first so we can try to resolve it.
8. Privacy incidents
If we become aware of a privacy breach, we will assess the nature of the information, likely harm, affected people, containment steps, provider involvement, and whether notification is required under the Privacy Act 2020. New Zealand guidance treats a breach as notifiable when it has caused, or is likely to cause, serious harm.