This Privacy Policy explains how KiwiPost AI ("we", "us", "our") collects, uses, stores, and discloses your personal information when you use our website at kiwipost.vercel.app and our related services (together, the "Service").
We comply with the New Zealand Privacy Act 2020, including the Privacy Amendment Act 2025, which introduced new requirements (IPP 3A) for indirect collection of personal information from 1 May 2026.
1. Who we are
KiwiPost AI is operated by Yaohui Zhang, trading as a sole trader based in New Zealand (the "Operator"). For privacy matters, the Operator is the agency responsible for handling your personal information under the Privacy Act 2020.
You can contact our Privacy Officer at: alanyang2026@gmail.com
2. Information we collect
We collect the following categories of personal information:
2.1 Information you provide directly
- Your business name, business type, and the post topics you enter when generating content.
- The generated posts you save to your history (Pro subscribers only).
- Communications you send to us (e.g. support emails).
2.2 Information collected indirectly (IPP 3A — effective 1 May 2026)
When you sign in using Google OAuth, we receive the following information from Google through our authentication provider, Clerk Inc.:
- Your email address
- Your name (as registered with Google)
- Your Google account avatar (profile image URL)
- A unique account identifier from Clerk
When you complete a payment, we receive the following indirect information from Stripe Payments NZ Limited:
- Your billing email address
- Your name and billing country
- The last four digits and brand of your payment card
- Your subscription status and renewal dates
We do not receive or store your full payment card details. All card information is handled directly by Stripe under its own privacy policy.
2.3 Technical and usage data
- Your IP address (used for rate limiting and the New Zealand-only restriction on the free tier).
- Browser type, device type, operating system, and language preference.
- Pages you visit, features you use, and the timestamps of these actions.
3. Why we collect your information (IPP 1)
We use your personal information only for the following purposes:
- Service delivery: Generating posts based on your inputs, saving your history, and showing it back to you on any device.
- Authentication: Verifying you are the same user across sessions and devices.
- Payments and subscription management: Processing your subscription, managing renewals, refunds, and cancellations.
- Service improvement: Aggregating anonymous usage statistics to improve features and reliability.
- Security and abuse prevention: Detecting fraud, spam, prompt-injection attempts, and other misuse.
- Legal compliance: Meeting our obligations under the Privacy Act 2020, Consumer Guarantees Act 1993, Fair Trading Act 1986, and tax law.
4. How AI processes your information
KiwiPost AI uses third-party large language models (currently OpenAI GPT-4o-mini, accessed via OpenRouter) to generate the social media posts and video scripts you request.
When you click "Generate", the following information is sent to OpenRouter for AI processing:
- Your business name, business type, and post topic.
- Your selected platform, tone, length, and other options.
Your input is not associated with your account identity; only the prompt content is sent.
According to OpenRouter's and OpenAI's policies, your prompts are not used to train AI models. Generated outputs are returned to you and stored in our database only if you are a Pro subscriber (in your post history).
We follow the New Zealand Responsible AI Guidance for Businesses published by the Ministry of Business, Innovation and Employment.
5. Who we share your information with (IPP 11)
We do not sell your personal information. We share it only with trusted third-party service providers who help us operate the Service. Each provider is contractually bound to maintain equivalent or stronger privacy protections than the Privacy Act 2020 requires.
| Provider | Purpose | Data location |
|---|---|---|
| Clerk Inc. | User authentication | United States |
| Stripe Payments NZ Ltd | Payment processing & subscription management | Australia / United States |
| Supabase Inc. | Database hosting (subscription & post history) | Australia (Sydney region) |
| OpenRouter / OpenAI | AI content generation | United States |
| Vercel Inc. | Website hosting & analytics | United States (global edge network) |
We may also share your information when required by New Zealand law (for example, in response to a valid court order, statutory notice, or to comply with our tax and accounting obligations).
6. Cross-border data transfers (IPP 12)
Some of our service providers store and process your personal information outside of New Zealand (in Australia and the United States). Before transferring your information overseas, we confirm that the receiving country or organisation has comparable safeguards to those in the New Zealand Privacy Act 2020, or that the provider is contractually bound to apply equivalent protections.
By using our Service, you consent to your personal information being transferred to the locations listed in the table above.
7. How long we keep your information (IPP 9)
- Account data (email, name): for as long as you hold an account with us, plus 12 months after deletion to comply with tax and audit obligations.
- Post history (Pro subscribers): the most recent 50 entries are retained while your account is active. Older entries are automatically deleted.
- Subscription & payment records: 7 years, in compliance with the Tax Administration Act 1994.
- Server logs (IP addresses, browser data): up to 90 days for security and abuse-prevention purposes.
- Cancelled accounts: deleted within 30 days of request, except where law requires retention.
8. Security (IPP 5)
We protect your personal information using industry-standard technical and organisational safeguards, including:
- HTTPS / TLS 1.3 encryption for all data in transit.
- Database-level encryption at rest (AES-256).
- Strict access control: only the operator has administrative access.
- Cross-Site Request Forgery (CSRF) protection and prompt-injection defenses on all server endpoints.
- Webhook signature verification for all payment events.
- Rate limiting to prevent abuse and credential-stuffing attacks.
In the event of a serious privacy breach involving your personal information, we will notify you and the Office of the Privacy Commissioner without undue delay, in accordance with the Privacy Act 2020 (Part 6).
9. Your rights (IPPs 6, 7, 11)
You have the right to:
- Access the personal information we hold about you.
- Correct any information that is inaccurate or out of date.
- Delete your account and associated personal information (subject to legal retention requirements).
- Withdraw consent for non-essential processing at any time.
- Export your post history in a machine-readable format.
- Lodge a complaint with the New Zealand Office of the Privacy Commissioner if you believe we have breached your privacy.
To exercise any of these rights, email us at alanyang2026@gmail.com. We will respond within 20 working days as required by the Privacy Act 2020.
You can lodge a complaint directly with the Office of the Privacy Commissioner at privacy.org.nz or by phoning 0800 803 909.
10. Children's privacy
Our Service is intended for businesses and is not directed at children under 16. Pro subscriptions require you to be at least 18 years old to enter into a contract under New Zealand law.
If we learn that we have collected personal information from a child under 16 without verifiable parental consent, we will delete it promptly.
11. Cookies and analytics
We use the following essential cookies and similar technologies:
- Authentication cookies set by Clerk to keep you signed in. These are strictly necessary for the Service to work.
- Anonymous analytics via Vercel Analytics (aggregated page views, no personal identifiers).
- localStorage for storing your language preference and Service Worker cache.
We do not use third-party advertising cookies or trackers. New Zealand does not currently require a cookie banner under the Privacy Act 2020, but we believe in transparency regardless.
12. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated to active account holders by email at least 14 days before they take effect.
13. Contact us
If you have any questions, concerns, or requests about this Privacy Policy or how we handle your personal information, please contact our Privacy Officer:
KiwiPost AI
Operator: Yaohui Zhang (sole trader)
New Zealand
Email: alanyang2026@gmail.com