Privacy Policy

This policy explains how Instilligent Limited collects, uses, and protects personal information in accordance with the New Zealand Privacy Act 2020.

Effective: 23 March 2026
Last updated: 23 March 2026
Governed by NZ law

Section 1

Who We Are

This Privacy Policy applies to Instilligent Limited, a company registered in New Zealand.

  • Company name: Instilligent Limited
  • NZBN: 9429051796284
  • Registered office: Auckland, New Zealand
  • Privacy contact: privacy@instilligent.com

Instilligent Limited is the Privacy Act agency responsible for the personal information described in this policy. We operate as an AI consultancy and product studio, building and delivering software products and consulting services for regulated industries.

This policy applies to all websites, applications, and services operated directly by Instilligent Limited under the instilligent.com domain and any sub-domains, as well as the products listed in Section 2. Individual products may also publish their own supplemental privacy notices where additional or different practices apply.

Section 2

Products Covered

This policy covers the following Instilligent Limited products and services. Each product may collect and process personal information differently, as described in this policy and any product-specific notices.

Live Products

  • instilligent.com — Corporate website and primary web presence
  • Modular Compliance (modularcompliance.com) — AI-powered compliance management platform for NZ and Australian SMEs
  • Our New Normal (ournewnormal.co.nz) — AI-powered content platform

Products in Development

  • R3 Fleet — Fleet management SaaS platform
  • Sociamonials — Social media management platform

Consulting Services

  • AI Consulting & Delivery — Technology consulting and specialist contracting services delivered to client organisations

Where we act as a data processor on behalf of a client organisation (for example, when providing consulting services), the client's own privacy policy and data processing agreements govern the use of personal information we handle on their behalf. This policy covers Instilligent Limited's activities as a data controller.

Modular Compliance: The Modular Compliance platform operates under its own detailed Privacy Policy available at modularcompliance.com. That policy provides specific detail on how compliance and business data is handled, stored, and protected. Users of Modular Compliance should read both this policy and the Modular Compliance-specific policy.

Section 3

Information We Collect

Information You Provide Directly

We collect information you give us voluntarily, including:

  • Name and email address (contact forms, account registration, newsletter sign-up)
  • Business name and role (when relevant to service delivery)
  • Payment information (processed via Stripe — we do not store card numbers)
  • Messages, enquiries, and correspondence you send us
  • Account credentials for products that require login
  • Profile information you choose to provide within our products

Information Collected Automatically

When you visit our websites or use our products, we may collect:

  • IP address and approximate geographic location
  • Browser type, operating system, and device information
  • Pages visited, time spent, and navigation patterns
  • Referring website and search terms used to find us
  • Feature usage and product interaction data
  • Error logs and performance data

Information From Third Parties

We may receive information about you from third parties, including:

  • Payment processors (transaction confirmation, payment status)
  • Analytics providers (aggregated usage and traffic data)
  • Directory services where you have registered a profile that is connected to our platform

Sensitive Information

We do not intentionally collect sensitive personal information (as defined under the Privacy Act 2020, including health information, financial account details beyond what is necessary for payment processing, or information about criminal history) unless it is directly necessary for a specific service and you have provided explicit consent. If a specific product requires sensitive information, the relevant product privacy notice will describe this.

Section 4

How We Use Information

We use personal information for purposes that are consistent with why it was collected. These include:

Service Delivery

  • Providing, operating, and improving our products and services
  • Processing transactions and managing accounts
  • Responding to enquiries and providing customer support
  • Delivering consulting and advisory services

Communications

  • Sending transactional emails (account confirmation, receipts, password reset)
  • Sending service updates and important notices
  • Marketing communications where you have opted in or where we have a legitimate interest and provide an easy opt-out

Product Improvement

  • Analysing usage patterns to improve features and user experience
  • Debugging errors and improving performance
  • Research and development of new features

Legal and Compliance

  • Complying with our legal obligations under NZ law
  • Protecting our legal rights and enforcing our terms of service
  • Preventing fraud, abuse, and unauthorised use

We will not use your personal information for purposes that are incompatible with why it was collected, unless we have your consent or are required to do so by law (Information Privacy Principle 10).

Section 5

Third-Party Services

We use the following third-party services to operate our products. Each of these services may process personal information as part of their function. We have listed the primary services, their purpose, the data they process, and the privacy policies you can consult for more information.

Service | Purpose | Data Processed | Location
Google Analytics 4 (GA4) | Website analytics and usage measurement | IP address (anonymised), pages visited, device/browser, session data | USA (Google LLC)
Stripe | Payment processing | Name, email, payment card details (processed by Stripe; we receive confirmation only) | USA (Stripe, Inc.)
Cloudflare | CDN, DDoS protection, DNS, Pages hosting | IP address, request metadata, cached content | Global (Cloudflare, Inc., USA)
Railway | Application hosting and infrastructure | Application data, logs, user data stored in hosted databases | USA (West region, Railway Corp.)
Resend | Transactional email delivery | Email address, email content (transactional messages) | USA (Resend, Inc.)
Brilliant Directories | Directory platform (used for certain products) | Profile data, name, email, business information | USA (Dallas, Texas, Brilliant Directories LLC)

We select third-party providers with care and, where possible, enter into data processing agreements. However, each provider operates under its own privacy policy. We encourage you to review the privacy policies of these services if you have concerns about how they handle your information.

We do not sell personal information to third parties and do not use personal information for purposes unrelated to our services.

Section 6

Offshore Disclosure (IPP 12)

Under Information Privacy Principle 12 of the New Zealand Privacy Act 2020, we are required to disclose when personal information is sent offshore and to take reasonable steps to ensure it receives comparable protection to that required under New Zealand law.

Instilligent Limited operates with infrastructure and third-party services that process personal information outside of New Zealand. The primary offshore locations are:

United States — Railway (US-West region): Application databases and backend services for our products are hosted on Railway infrastructure in the United States (West Coast region). This includes user account data, compliance records, and other product data for Modular Compliance and other hosted products.

United States — Brilliant Directories (Dallas, Texas): Directory-based product functionality is provided by Brilliant Directories, whose infrastructure is located in Dallas, Texas, USA. Member profile data and directory listings are stored on their platform.

Additional offshore processing occurs via Cloudflare (global CDN, USA-headquartered), Google Analytics 4 (USA), Stripe (USA), and Resend (USA) as described in Section 5.

When transferring information offshore, we take reasonable steps to ensure that the overseas recipient is subject to privacy obligations comparable to those in the New Zealand Privacy Act 2020, including through:

  • Selecting providers based in jurisdictions with comparable privacy frameworks (such as the USA under applicable Federal and State laws)
  • Entering into data processing agreements with key providers where available
  • Reviewing provider privacy policies and security certifications

You may contact us at privacy@instilligent.com if you wish to obtain more information about the safeguards we have in place for offshore transfers.

Section 7

Cookies & Tracking

We use cookies and similar tracking technologies on our websites and products. Cookies are small data files stored on your device that help us operate our services and understand how they are used.

Types of Cookies We Use

Essential Cookies

These cookies are necessary for our websites and products to function. They cannot be disabled without breaking functionality.

  • Session cookies to maintain your login state
  • Security cookies (CSRF protection, fraud prevention)
  • Load balancing and infrastructure cookies

Analytics Cookies

We use Google Analytics 4 to measure how our websites are used. GA4 sets cookies to track sessions, pages visited, and user behaviour in aggregate. IP addresses are anonymised where possible. You can opt out of Google Analytics tracking by:

Functional Cookies

These cookies remember your preferences and settings (such as language or display preferences) to improve your experience.

Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be notified when cookies are set. Disabling certain cookies may affect the functionality of our websites and products. Please consult your browser's help documentation for instructions on managing cookies.

Section 8

Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention practices are:

  • Account data: Retained for the duration of your account and for up to 3 years after account closure, unless you request deletion sooner
  • Transaction records: Retained for 7 years for financial and tax compliance purposes
  • Contact form submissions: Retained for up to 2 years unless an ongoing business relationship develops
  • Analytics data: Retained by Google Analytics 4 for up to 14 months (our configured retention period)
  • Email records: Transactional email logs retained for up to 90 days by our email provider; our own records retained in line with relevant account data
  • Security logs: Retained for up to 12 months for security incident investigation purposes
  • Compliance product data: Retained as specified in the Modular Compliance Privacy Policy and applicable data processing agreements

When personal information is no longer required, we take reasonable steps to destroy or de-identify it in a secure manner (Information Privacy Principle 9).

Section 9

Your Rights Under the Privacy Act 2020

Under the New Zealand Privacy Act 2020, you have the following rights in relation to personal information we hold about you:

Right of Access (IPP 6)

You have the right to request access to personal information we hold about you. We will respond to access requests within 20 working days. We may charge a reasonable fee for providing access in certain circumstances.

Right of Correction (IPP 7)

If you believe personal information we hold about you is inaccurate, incomplete, or misleading, you may request that we correct it. We will respond within 20 working days and either make the correction or explain why we are not making it.

Right to Raise a Complaint

If you believe we have breached the Privacy Act 2020, you may:

Opting Out of Marketing

You may opt out of marketing communications at any time by:

  • Clicking the unsubscribe link in any marketing email
  • Emailing us at privacy@instilligent.com
  • Updating your preferences in your account settings (where available)

Opting out of marketing will not affect transactional or service-related communications, which we may still send as necessary.

Requesting Deletion

You may request deletion of your personal information. We will comply where we are not legally required to retain it. Some information may be retained for legal compliance, financial records, or security purposes even after a deletion request.

To exercise any of these rights, contact us at privacy@instilligent.com with your request. We may need to verify your identity before processing your request.

Section 10

Children & COPPA Notice

Our primary products and consulting services are designed for adults and business users. We do not knowingly collect personal information from children under the age of 13.

COPPA Notice: If any Instilligent Limited product includes games, interactive features, or entertainment content that may be accessible to children under 13 in the United States, we comply with the Children's Online Privacy Protection Act (COPPA). Such features will not knowingly collect personal information from children under 13 without verifiable parental consent. Parents or guardians who believe their child has provided us personal information should contact us at privacy@instilligent.com and we will delete that information promptly.

Users under 16 should not use our products without parental or guardian consent. If you become aware that a child has provided us with personal information without parental consent, please contact us immediately at privacy@instilligent.com.

Section 11

Security

We take the security of personal information seriously and implement reasonable technical and organisational measures to protect it from unauthorised access, disclosure, alteration, or destruction (Information Privacy Principle 5).

Our security measures include:

  • Encryption of data in transit (HTTPS/TLS for all web traffic)
  • Encryption of sensitive data at rest where applicable
  • Access controls limiting who can access personal information within our systems
  • Use of established, security-reviewed infrastructure providers
  • Regular review of our security practices

No system is completely secure. While we strive to protect your information, we cannot guarantee absolute security. If we become aware of a data breach that is likely to cause serious harm, we will notify affected individuals and the Office of the Privacy Commissioner in accordance with the Privacy Act 2020's mandatory breach notification requirements.

If you become aware of any security vulnerability or incident related to our systems, please report it to privacy@instilligent.com.

Section 12

Changes to This Policy

We may update this Privacy Policy from time to time as our products evolve, services change, or legal requirements are updated. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Where practical, notify registered users via email or in-product notification
  • Keep the previous version accessible on request

We encourage you to review this policy periodically. Continued use of our products and services after a change to this policy constitutes acceptance of the updated terms.

Section 13

Contact Us

For any privacy-related queries, access requests, correction requests, complaints, or general questions about this policy, please contact our privacy team:

Privacy Enquiries

Instilligent Limited
Auckland, New Zealand
NZBN: 9429051796284

Email: privacy@instilligent.com

We aim to respond to all privacy-related enquiries within 5 working days and to resolve complaints within 10 working days. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner at privacy.org.nz.
