Who we are and what this Policy covers
ConsentIQ Limited is a New Zealand company that provides a decision-support and workflow tool to assist building industry professionals with New Zealand building consent applications. This Policy describes how we handle personal information when you use our platform and services, and how we handle personal information about other people that may be contained in the data you upload.
"Personal information" means information about an identifiable individual, as defined in the Privacy Act 2020.
The personal information we collect
Depending on how you use the platform, we may collect:
- Account and contact information — your name, email address, organisation or practice name, role, and the login credentials used to access your account.
- Billing information — payments are processed by Stripe. We receive limited transaction information (such as confirmation of payment, the subscription tier, and the last digits and type of card); we do not collect or store full card numbers.
- Usage and technical information — log data, IP address, device and browser information, and a record of your activity within the platform, collected automatically to operate and secure the service.
- Customer Data you upload — building consent documentation, plans, specifications, and project information. This material may contain personal information, including personal information about people who are not ConsentIQ users (see section 3).
- Communications — support requests, feedback, and other correspondence you send us.
Information we collect indirectly about other people
When you upload Customer Data to the platform, that data may contain personal information about individuals who are not our customers or users — for example, property and site owners, occupants, site addresses, and details of other parties connected to a consent application.
We collect this information indirectly — from you, rather than from the individuals it relates to. As our customer, you are responsible for ensuring that you have a lawful basis to collect that personal information and to provide it to us, and that you have given any privacy notices to those individuals that the Privacy Act 2020 requires.
We handle personal information about these third parties only to provide the platform to you and as otherwise described in this Policy. We do not use it to contact those individuals or for any independent purpose of our own. Where we use individual records to improve our platform, we first remove personal information so that the records are de-identified (see section 6).
How we collect personal information
We collect personal information:
- directly from you, when you create an account, subscribe, upload data, or contact us;
- automatically, through your use of the platform (including cookies and similar technologies — see section 12); and
- from our service providers, where necessary to operate the service (for example, payment confirmations from Stripe).
Why we collect it and how we use it
We collect and use personal information to:
- provide, operate, and maintain the platform and our services;
- authenticate users and manage accounts and subscriptions;
- process payments and administer billing;
- generate the outputs you request (such as checklists, gap reports, and response materials);
- provide support and respond to your enquiries;
- maintain the security and integrity of the platform and prevent misuse;
- improve and develop the platform and our underlying engine (see section 6);
- send you service-related communications; and
- comply with our legal obligations.
Improving our platform
We use de-identified individual records — for example, records where a user corrects, overrides, or flags an output — together with aggregated data, to improve and develop our rules engine and the accuracy of our platform. Before any individual record is used for this purpose, we remove personal information from it, including client names, site addresses, and owner details.
We do not sell personal information, and we do not share Customer Data with, or use it to train, any third-party artificial intelligence model or service.
Who we disclose personal information to
We disclose personal information to service providers who process it on our behalf, under contract and only as needed to deliver the platform:
- Supabase — database hosting (located in Sydney, Australia);
- Netlify — website and application hosting and content delivery;
- Stripe — payment processing;
- Anthropic — AI-assisted analysis features (processed in the United States); and
- Resend — transactional email delivery.
No analytics provider is currently engaged. We will update this Policy if one is added. We may also disclose personal information where we are required or authorised to do so by law, where necessary to protect the rights, safety, or property of ConsentIQ or others, or in connection with a sale, merger, or restructure of our business (in which case the recipient will be bound to handle the information consistently with this Policy).
Sending personal information overseas
Some personal information — including personal information about third parties contained in the Customer Data you upload — is stored or processed outside New Zealand:
- Australia — our database is hosted by Supabase in Sydney; and
- United States — AI-assisted analysis features are processed by Anthropic.
The information that may be transferred overseas includes account and usage information and, within Customer Data, information such as site addresses and owner details.
Where we disclose personal information to a person or entity outside New Zealand, we take reasonable steps — consistent with information privacy principle 12 of the Privacy Act 2020 — to ensure the recipient is required to protect that information with safeguards comparable to those under the Act. This may be because the recipient is subject to privacy laws that provide comparable protections (for example, Australia's Privacy Act 1988), or because the recipient is bound by contractual obligations to protect the information. By using the platform and uploading Customer Data, you authorise the storage and processing of personal information in these locations for the purposes described in this Policy.
Storing and protecting personal information
We take reasonable technical and organisational steps to protect personal information against loss, unauthorised access, use, modification, or disclosure — including encryption in transit, access controls, and authentication. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
If a privacy breach occurs that has caused, or is likely to cause, serious harm, we will notify the Office of the Privacy Commissioner and affected individuals as required by the Privacy Act 2020.
How long we keep personal information
We keep personal information only for as long as it is needed for the purposes described in this Policy, or as required by law. After your subscription ends, we retain Customer Data for 30 days and then permanently delete it, except where we are required to retain certain records (such as billing records) for longer under applicable law.
Accessing and correcting your information
You have the right to request access to, and correction of, the personal information we hold about you. To make a request, contact us using the details in section 14. We may need to verify your identity before responding, and in limited circumstances we may decline a request where the Privacy Act 2020 permits us to do so (in which case we will explain why).
Where a request relates to personal information about a third party contained in Customer Data, that request should generally be directed to the customer who uploaded the data, as they control that information. We will assist where it is appropriate for us to do so.
Cookies and similar technologies
We use essential cookies and similar technologies to operate the platform — for example, to keep you signed in and maintain your session. We do not currently use analytics or advertising cookies. If this changes, we will update this Policy.
Children
The platform is a tool for building industry professionals and is not directed at or intended for children. We do not knowingly collect personal information from children.
Contact us
If you have any questions about this Policy, or wish to make a request about your personal information, please contact our Privacy Officer at hello@consentiq.nz.
Complaints
If you are not satisfied with how we have handled your personal information or a privacy request, please contact us first so we can try to resolve it. You also have the right to complain to the Office of the Privacy Commissioner at privacy.org.nz.
Changes to this Policy
We may update this Policy from time to time. Where changes are material, we will provide reasonable notice (for example, by email or in-platform notification). The version and effective date at the top of this page indicate when it was last updated. Continued use of the platform after an updated Policy takes effect constitutes acceptance of the updated Policy.