Privacy Policy

Publicly Available Charity Data

The majority of data on CivicNZ comes from publicly available sources, primarily the New Zealand Charities Register (charities.govt.nz). This includes:

• Charity names, registration numbers, and registration status
• Financial information from annual returns (income, expenditure, assets)
• Officer names (as publicly listed on the Charities Register)
• Charitable purposes and activities
• Sector classifications

This information is already public and we do not collect any private charity data that is not already publicly accessible.

Account Information

When you create an account, we collect:

• Email address
• Name (optional)
• Organisation affiliation (if claiming a charity profile)
• Password (stored securely using industry-standard encryption)

Usage Information

We automatically collect certain information when you use our service:

• Pages visited and features used
• Search queries (to improve search functionality)
• Device type and browser information
• IP address (for security and fraud prevention)

We use your information to:

• Provide and improve our services
• Process your subscription and payments
• Send you service-related communications (e.g., deadline reminders, score alerts)
• Send you marketing communications (only with your consent)
• Analyse usage patterns to improve our platform
• Prevent fraud and ensure security
• Comply with legal obligations

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

• Encryption of data in transit (HTTPS/TLS)
• Encryption of sensitive data at rest
• Secure password hashing
• Regular security assessments
• Access controls and authentication
• Secure cloud infrastructure (Railway)

Under the New Zealand Privacy Act 2020, you have the following rights:

• Right to access: You can request a copy of the personal information we hold about you
• Right to correction: You can request that we correct any inaccurate information
• Right to deletion: You can request deletion of your account and associated personal information
• Right to withdraw consent: You can withdraw consent for marketing communications at any time

To exercise any of these rights, please contact us at the email address below. We will respond to your request within 20 working days as required by the Privacy Act.

We retain your personal information for as long as necessary to provide our services and comply with legal obligations:

• Account data: Retained while your account is active, plus 12 months after deletion
• Payment records: Retained for 7 years for tax and legal compliance
• Usage logs: Retained for 12 months
• Public charity data: Retained indefinitely (as it is public information)

We use the following third-party services that may process your data:

• Railway: Cloud hosting infrastructure
• Stripe: Payment processing (if applicable)
• OpenAI: AI-powered features (queries are not stored by OpenAI for training)

Each of these providers has their own privacy policies and we ensure they meet appropriate data protection standards.

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us: