Legal

Privacy Policy

We respect your privacy. This policy explains how Instilligent Limited collects, uses, and protects personal information in accordance with the New Zealand Privacy Act 2020.

Operator Instilligent Limited
NZBN 9429051796284
Privacy Contact privacy@instilligent.com
Effective Date 25 March 2026
Governing Law Privacy Act 2020 (NZ)

1. Who we are

Modular Compliance (modularcompliance.com) is a product of Instilligent Limited, a New Zealand registered company (NZBN: 9429051796284). In this policy, "we", "us", and "our" refers to Instilligent Limited as the operator of Modular Compliance.

We are an agency as defined by the Privacy Act 2020, and we are subject to the Information Privacy Principles (IPPs) set out in that Act.

For any privacy-related queries, requests, or complaints, contact our Privacy Officer at privacy@instilligent.com. We will acknowledge your request within 3 working days and respond substantively within 20 working days, as required by the Privacy Act 2020.

2. Information we collect (IPP 1)

We collect personal information only for lawful purposes connected with our functions and activities, and only where it is necessary for those purposes.

Account and identity information

  • Name and email address (required to create an account)
  • Organisation name and job title
  • Password (stored as a one-way hash — we do not store your password in plain text)

Billing information

  • Payment card details — collected and processed by Stripe, Inc. We do not store full card numbers on our servers. Stripe handles PCI-DSS compliance for payment data.
  • Billing address and invoice records

Compliance data you enter

  • Business compliance records, documents, hazard registers, incident reports, and related data that you upload or create within the platform
  • Team member names and email addresses you add to your organisation

Usage and technical data

  • IP address, browser type, operating system, and device type
  • Pages visited, features used, and timestamps of actions (collected via Google Analytics 4)
  • Session logs and error reports for platform stability

3. How we collect information (IPP 2)

We collect personal information directly from you when you:

  • Create an account on Modular Compliance
  • Enter compliance data or upload documents within the platform
  • Add team members to your organisation
  • Contact us by email or through our website
  • Subscribe to or manage a billing plan via Stripe

We also collect limited technical and analytics data automatically when you use our website and platform (see Section 8 — Third-party services).

We do not collect personal information from third parties or public sources without your knowledge, except where required by law.

4. Collection notice (IPP 3)

At or before the time we collect personal information, or as soon as practicable thereafter, we will take steps reasonable in the circumstances to ensure you are aware of:

  • The fact that the information is being collected
  • The purpose for which it is being collected
  • Your right to access and correct your information
  • Any third parties to whom we routinely disclose information
  • Whether collection is voluntary or mandatory

This policy serves as the primary collection notice. Additional notices may appear at relevant points in our platform (such as forms and account creation flows).

5. How we use your information (IPP 10)

We use personal information only for the purpose for which it was collected, or for a directly related purpose. Specifically, we use your information to:

  • Provide and operate the Modular Compliance platform
  • Process your subscription payments via Stripe
  • Generate AI-powered compliance insights using the Anthropic Claude API
  • Send you transactional emails (account confirmations, alerts, invoice receipts)
  • Respond to support requests and enquiries
  • Improve platform features and fix technical issues
  • Comply with our own legal obligations under NZ law

We do not use your information for marketing purposes without your explicit consent. We do not sell personal information to any third party.

6. Storage and security (IPP 5)

We take reasonable steps to protect personal information against loss, misuse, unauthorised access, disclosure, alteration, or destruction.

Data storage

All platform data — including your account information and compliance records — is stored on Railway infrastructure in the US-West region (United States). As Railway servers are located outside New Zealand, your personal information is transferred to the United States as part of normal platform operation. We ensure appropriate contractual and technical safeguards are in place with Railway.

Security measures

  • All data is encrypted in transit using TLS 1.2 or higher
  • Data at rest is encrypted using AES-256 on Railway infrastructure
  • Passwords are stored as bcrypt hashes — we cannot recover your password
  • Access to production systems is restricted to authorised personnel
  • Audit logs record all access to personal data

Data retention

We retain your compliance records and audit trail for 7 years from the date of creation, reflecting the retention requirements of NZ health and safety, employment, AML/CFT, and privacy legislation. Account data is retained for the duration of your subscription and for 12 months following account closure, after which it is permanently deleted.

7. Disclosure of personal information (IPP 11)

We do not disclose personal information to third parties except as described below.

Service providers

We share personal information with third-party service providers solely to the extent necessary to operate the platform:

Provider Purpose Data shared Location
Railway Platform infrastructure and database hosting All platform data US-West (USA)
Stripe, Inc. Payment processing and subscription management Name, email, billing address, payment card data USA
Anthropic (Claude API) AI-powered compliance insights and analysis Compliance record text (de-identified where possible) USA
Google Analytics 4 (G-NQZ08PD0MJ) Website usage analytics Anonymised IP, browser/device type, page views USA

All providers are subject to contractual data protection obligations. We have applied IP anonymisation to our Google Analytics configuration.

Legal disclosure

We may disclose personal information where we are required to do so by law, court order, or regulatory requirement in New Zealand. We will notify you of such a disclosure where we are legally permitted to do so.

Business transfers

If Instilligent Limited is acquired or merges with another entity, personal information may be transferred as part of that transaction. We will notify affected users and they will retain their rights under the Privacy Act 2020.

8. Overseas disclosure (IPP 12)

Your personal information is transferred to and processed in the United States by Railway, Stripe, Anthropic, and Google (as described in Section 7). The United States does not have an equivalent privacy regime to New Zealand's Privacy Act 2020.

By using Modular Compliance, you acknowledge that your information will be transferred overseas. We take reasonable steps to ensure that these overseas recipients protect your personal information to a standard comparable to the Privacy Act 2020, including through data processing agreements and standard contractual clauses.

If you have concerns about overseas transfer of your data, please contact us at privacy@instilligent.com before using the platform.

9. Your right to access and correct your information (IPP 6 & 7)

Under the Privacy Act 2020, you have the right to:

  • Access the personal information we hold about you
  • Correct any personal information that is inaccurate, incomplete, or misleading
  • Request deletion of your personal information (subject to our legal retention obligations)
  • Know whether we hold personal information about you

To make an access or correction request, email privacy@instilligent.com with your name, email address, and the nature of your request. We will respond within 20 working days. In some cases, we may need to verify your identity before processing your request.

We may refuse access or correction in circumstances set out in the Privacy Act 2020 (for example, where doing so would prejudice the maintenance of the law). If we refuse, we will tell you the reason and advise you of your right to complain to the Privacy Commissioner.

10. Information Privacy Principles (IPP 1–12)

The following table summarises how our practices align with all 12 IPPs under the Privacy Act 2020:

IPP 1 – Purpose of collection Collect only for lawful, connected purposes. See Section 2.
IPP 2 – Source of information Collect directly from individuals where practicable. See Section 3.
IPP 3 – Collection from subject Notify individuals at collection. See Section 4.
IPP 4 – Manner of collection Collect by lawful means, not unreasonably intrusively.
IPP 5 – Storage and security Protect personal information with reasonable security measures. See Section 6.
IPP 6 – Access to personal information Individuals may request access to their personal information. See Section 9.
IPP 7 – Correction of personal information Individuals may request correction of inaccurate information. See Section 9.
IPP 8 – Accuracy Take reasonable steps to ensure information is accurate and up to date.
IPP 9 – Retention Do not retain longer than necessary (7-year audit trail for legal compliance). See Section 6.
IPP 10 – Use of information Use only for collected purpose or directly related purpose. See Section 5.
IPP 11 – Disclosure Disclose only in accordance with purpose or with consent. See Section 7.
IPP 12 – Unique identifiers Do not require individuals to disclose government identifiers unless required for the service.

11. Cookies and analytics

Our website uses cookies and Google Analytics 4 (GA4, property ID: G-NQZ08PD0MJ) to collect anonymised usage data. We have configured GA4 with IP anonymisation enabled.

Cookies we use

  • Strictly necessary cookies: Required for authentication and platform security (session tokens). These cannot be disabled.
  • Analytics cookies (Google Analytics): Used to understand how visitors use our website. These are optional — you may opt out via your browser settings or using the Google Analytics Opt-out Browser Add-on.

We do not use advertising or tracking cookies for marketing purposes.

12. Privacy breach notification

If we become aware of a privacy breach that poses a risk of harm to an individual, we will:

  • Notify the affected individual(s) as soon as practicable
  • Notify the Privacy Commissioner within the timeframe required by the Privacy Act 2020
  • Take immediate steps to contain the breach and prevent further harm

If you believe your personal information held by us has been compromised, please notify us immediately at privacy@instilligent.com.

13. Complaints

If you believe we have breached the Privacy Act 2020 in relation to your personal information, please contact us first at privacy@instilligent.com. We will investigate and respond within 20 working days.

If you are not satisfied with our response, you may complain to the New Zealand Privacy Commissioner:

  • Website: privacy.org.nz
  • Phone: 0800 803 909 (NZ only)
  • Email: enquiries@privacy.org.nz

14. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify subscribers by email at least 14 days before the change takes effect.

Your continued use of Modular Compliance after any changes to this policy constitutes your acceptance of those changes.

Contact us

For any privacy questions, access requests, correction requests, or complaints:

Instilligent Limited — Privacy Officer
Email: privacy@instilligent.com
General: info@instilligent.com
NZBN: 9429051796284
Website: instilligent.com