Privacy Policy

Last updated: 2026-04-15

Effective Date: from 30/01/2026

This Privacy Policy (“Policy”) explains how Southern Vector Limited (NZBN 9429052764448) of 26 Applefield Road, Northwood, Christchurch, 8051, New Zealand (“SAAS First”, “we”, “our”, “us”) collects, uses, discloses, and protects personal information when you visit our websites or use any SAAS First software-as-a-service products, mobile or desktop applications, APIs, and related services (collectively, the “Service”).

We are committed to complying with the New Zealand Privacy Act 2020 (including the Information Privacy Principles (“IPPs”)), the Privacy Regulations 2020, the Unsolicited Electronic Messages Act 2007 (“UEM Act”), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”), and all other applicable privacy laws. If you do not agree with this Policy, please do not use the Service.

──────────────────────────────────────

  1. WHO WE ARE & CONTACT DETAILS

──────────────────────────────────────

  • Controller (for SAAS First’s own data-processing): Southern Vector Limited
  • Address: 1 Koru Lane, Leamington, Cambridge 3432, New Zealand
  • E-mail: [email protected]
  • Privacy Officer: Tamas Ham-Szabo / director

If you are an end-user of an organisation that is our customer, SAAS First acts as a data processor—please contact the relevant organisation (the “Controller”) first.

EU representative of the Controller:

  • GBD Software as a Service Private Limited Company, GBD Ltd.
  • Address: 6065 Lakitelek, Szikra tanya 93. 1021, Hungary
  • E-mail: [email protected]
  • Data Protection Officer: Gergely Hajnal, dr.

──────────────────────────────────────

  2. WHAT INFORMATION WE COLLECT

──────────────────────────────────────

2.1 Information you provide directly

  • Account details – name, business email, phone, company, address, GST/Tax ID, password, profile photo.
  • Lead & form data – same as above plus optional LinkedIn, social URLs, additional contact numbers.
  • Customer Data – any data or content (files, chat messages, lists, custom fields, etc.) you or your users upload or import.
  • Marketing/demo/support enquiries.

2.2 Information automatically collected

  • Device & usage – IP address, browser/OS, device type, referrer, approximate geo-location (IP-derived, if enabled), language.
  • Event & activity logs – pages viewed, clicks, feature use, session timing, UTM parameters, cookies/pixels, session-replay, audit trails.
  • Notification & board history, profile edits, security logs.

2.3 Information from third parties

  • Lead enrichment & verification tools.
  • Payment processors (Stripe) — tokenised payment details and invoice status.
  • Integrations you enable (e.g., CRM, messaging, analytics).

2.4 Sensitive (“special-category”) data

We do not intentionally collect special-category data (health, union, race, biometric, etc.) and instruct customers not to upload such data unless strictly necessary and all legal requirements are met. If you choose to upload such data you are solely responsible for obtaining the required consents or authorisations and notifying us if additional safeguards are needed.

2.5 Unique identifiers (IPP 13)

We assign only those unique identifiers that are strictly necessary for authentication or account security (e.g., workspace ID, user ID). We never use NZ Government identifiers (e.g., IRD Number, NZBN) in a way that is inconsistent with IPP 13.

──────────────────────────────────────

  3. HOW WE USE YOUR INFORMATION

──────────────────────────────────────

We process personal information only for the purposes listed below or as otherwise permitted by law:

  1. Provide, operate, maintain, and improve the Service and each enabled Module.
  2. Authenticate users, administer accounts, and enforce workspace permissions.
  3. Process transactions and issue GST-compliant invoices.
  4. Communicate with you about the Service (service notices, security alerts, updates).
  5. Send marketing material – only with your consent or where otherwise lawful (Section 5).
  6. Conduct analytics, diagnostics, debugging, and product development.
  7. Ensure security, fraud-prevention and service integrity.
  8. Comply with legal obligations or respond to lawful requests and disputes.

──────────────────────────────────────

  4. LEGAL BASES FOR PROCESSING

──────────────────────────────────────

  • Contractual necessity – to deliver the Service you request.
  • Consent – for marketing emails, non-essential cookies, and any optional data you supply.
  • Legitimate interests – to secure and improve the Service, provided these interests are not overridden by your rights.
  • Legal obligation – tax, record-keeping, fraud detection.
──────────────────────────────────────

  5. MARKETING COMMUNICATIONS & UEM ACT

──────────────────────────────────────

  • We send electronic marketing messages only with valid consent, an applicable business-to-business exemption, or another lawful basis as permitted by the Unsolicited Electronic Messages Act 2007 and comparable overseas laws.
  • All marketing e-mails include our contact details and a functional unsubscribe link.
  • You may withdraw consent at any time by clicking the link, changing in-app settings, or emailing us.
  • If you use our Marketing, Inbox or Lead to Deal Modules to message third parties, you assume full and exclusive responsibility for obtaining and recording the necessary consents and honouring all opt-out requests.

──────────────────────────────────────

  6. COOKIES & TRACKING TECHNOLOGIES

──────────────────────────────────────

We use first- and third-party cookies, pixels, and similar technologies for analytics, personalisation, and advertising.

  • Essential cookies (including those used for security and authentication) are strictly necessary for the operation of the Service and remain active at all times, based on our legitimate interest in ensuring the security and functionality of the Application.
  • Full details of each cookie/tool, its purpose, its expiry, and how to change your preferences are set out in our CookieYes banner & preference centre. Non-essential cookies are set only with your consent, which is recorded via that banner & preference centre.

──────────────────────────────────────

  7. DATA SHARING & DISCLOSURE

──────────────────────────────────────

7.1 No Sale of Personal Information

We do not sell personal information.

7.2 Sub-processors & Service Providers

We share information with trusted third-party service providers ("Sub-processors") who help us provide, secure, and improve the Service (including hosting, payment processing, analytics, customer support, and AI inference).

All Sub-processors are vetted for security and legally bound by written agreements that require:

  • Confidentiality and strict compliance with our instructions;
  • Implementation of “comparable safeguards” to IPP 12 and/or GDPR standards;
  • Notification duties in the event of a data breach;
  • Use of data only as instructed by SAAS First;
  • Audit / monitoring rights.

You can ask for our current sub-processor list at [email protected]. Customers may object on reasonable privacy grounds; if unresolved, they may disable the affected Module.

If you choose to use third-party integrations (e.g., connecting your CRM, Slack, or email provider to the Service), you direct us to share Customer Data with those third-party services. We are not responsible for the privacy practices or security of those third-party services once the data leaves our systems.

We may collect, use, and share aggregated or irreversibly anonymised data (which does not identify any individual) for any business purpose, including industry analysis, benchmarking, and marketing.

7.3 International Transfers (IPP 12)

Some data may be processed in or accessed from countries outside New Zealand (e.g., Australia, EU, US, Canada). We ensure comparable safeguards by:

  1. Written data-processing agreements incorporating NZ-approved or EU Standard Contractual Clauses; and/or
  2. Selecting providers in jurisdictions recognised as having equivalent privacy protections.

7.4 Law Enforcement & Business Transfers

We will disclose personal information where legally required, or in connection with a merger, acquisition, or sale of assets, subject to confidentiality protections.
──────────────────────────────────────

  8. AI & AUTOMATED PROCESSING

──────────────────────────────────────

8.1 Optional Nature & Control

Our AI features are the “Milly” chatbot and the “IQ” AI query builder. You have granular control to enable or disable these features at the Workspace level. If disabled, no Customer Data is transmitted to our AI Sub-processors.

8.2 Data Usage & No Training

When AI features are enabled, we transmit specific data to our AI providers (e.g., Anthropic, Google Gemini, GBD Zrt.) solely for the purpose of generating a real-time response (“Inference”).

Zero Retention for Training: We have ensured that our AI providers do not train their general foundation models with your data.

Ephemeral Processing: Data sent for inference is processed transiently and is not stored by any AI provider after the response is generated, except as temporarily required for abuse monitoring (we store it for 30 days).

8.3 Accuracy & Liability

AI models generate probabilistic responses and may occasionally produce incorrect or misleading information (“hallucinations”).

  • No Warranty: SAAS First makes no warranties regarding the accuracy, completeness, or reliability of AI-generated responses.
  • Human Oversight: As a Customer you are responsible for reviewing AI configurations and Knowledge Base sources to ensure accuracy. We recommend monitoring Milly's conversations periodically.

──────────────────────────────────────

  9. DATA SECURITY

──────────────────────────────────────

Our company operates in compliance with the ISO 27001:2022 standard for information security management. We remain committed to utilising state-of-the-art technologies to ensure the highest level of security. We implement reasonable technical and organisational measures, including:

  • Encryption in transit (TLS 1.2+) and at rest (server-level AES-256 for all new databases).
  • An implemented Information Security Management System (ISMS) including, among other things, annual penetration testing, vulnerability scanning, and mandatory staff security training.
  • Role-based access control and a two-factor authentication (2FA) rollout across all internal systems.
  • Audit logs for user access and configuration changes.
  • Payments handled by a PCI DSS Level 1 provider (Stripe); SAAS First never stores full card numbers.

No internet transmission or storage system is 100% secure. You are responsible for keeping your passwords and devices secure.

──────────────────────────────────────

  10. DATA BREACH NOTIFICATION

──────────────────────────────────────

If we become aware of a notifiable privacy breach (as defined in the Privacy Act 2020) we will:

  1. Notify you and the NZ Office of the Privacy Commissioner (“OPC”) without undue delay and, where practicable, within 72 hours;
  2. Describe the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, the containment measures, and the steps taken or proposed to mitigate its effects (e.g., legal review, provider checks);
  3. Co-operate with you to meet any additional regulatory or contractual obligations arising under the Privacy Act 2020.

──────────────────────────────────────

  11. DATA RETENTION & DESTRUCTION (IPP 9)

──────────────────────────────────────

We keep personal information only as long as necessary for the purposes set out in this Policy or to comply with legal requirements. Our criteria include: statutory retention periods, limitation-of-action timeframes, tax rules, and business needs. All information can be found in the Retention table (Annex I).

We review retention schedules annually. When data is no longer required, we securely delete or irreversibly anonymise it.

──────────────────────────────────────

  12. YOUR RIGHTS (IPPs 6–8; 12)

──────────────────────────────────────

Subject to verification and legal exceptions, you have the right to:

  • Access – know whether we hold personal information about you and obtain a copy.
  • Correction – request correction of inaccurate or incomplete data. If we refuse, you may provide a statement of correction which we will attach to the record.
  • Deletion – request erasure where lawful. Some records (e.g., invoices, security logs) may be retained where legally required.
  • Withdraw consent – for marketing or cookies at any time.
  • Object / restrict certain processing.
  • Data portability – obtain a copy of your information in a structured, commonly used format.
  • Overseas disclosure information – ask which countries or organisations have access to your data.

To exercise any right, use in-app tools or contact us at [email protected]. We will respond within 20 working days (Privacy Regulations 2020).

──────────────────────────────────────

  13. CLIENT / END-USER DATA (PROCESSOR ROLE)

──────────────────────────────────────

When a customer uploads or generates data about their end-users, the customer is the Controller and SAAS First is a Processor. We:

  • Process that data only on the customer’s documented instructions;
  • Provide technical and organisational measures to protect it;
  • Assist the customer with privacy requests and audits; and
  • Enter into a Data Processing Addendum (DPA) with the customer.

End-users should direct privacy enquiries to the relevant customer.

──────────────────────────────────────

  14. UNIQUE IDENTIFIERS

──────────────────────────────────────

See Section 2.5 above.

──────────────────────────────────────

  15. CHILDREN’S PRIVACY

──────────────────────────────────────

The Service is intended for business users aged 18 or older. We do not knowingly collect information from minors. If you believe a child has provided us with personal information, please contact us for deletion.

──────────────────────────────────────

  16. THIRD-PARTY LINKS & SERVICES

──────────────────────────────────────

The Service may link to or integrate with third-party services (payment, social media, AI, knowledge-base content). Their privacy practices are governed by their own policies. We are not responsible for such practices.

──────────────────────────────────────

  17. CHANGES TO THIS POLICY

──────────────────────────────────────

We may update this Policy at any time. Material changes will be announced by e-mail or an in-app banner and will take effect 30 days after notice unless required sooner by law.

──────────────────────────────────────

  18. QUERIES, CONCERNS & COMPLAINTS

──────────────────────────────────────

Please contact our Privacy Officer at [email protected] or the postal address above. If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner (www.privacy.org.nz).

Annex I

RETENTION TABLE

Each entry below lists, for one Data Category, its Examples / Subitems, Retention Period, Legal Bases, and Primary Purpose.

Account & Identity Data
  • Examples / Subitems: Name, business email, password (hashed), profile photo, company address, GST/Tax ID.
  • Retention Period: Duration of agreement + 3 years of inactivity.
  • Legal Bases: Contractual Necessity; Legitimate Interests.
  • Primary Purpose: Service provision; Authentication; User management.

Financial & Transaction Records
  • Examples / Subitems: Invoices, transaction logs, payment status, Stripe tokens (Note: full card numbers are NOT stored).
  • Retention Period: 7 years from the end of the taxable period.
  • Legal Bases: Legal Obligation (NZ GST Act 1985).
  • Primary Purpose: Tax compliance; Audit; Dispute resolution.

Customer Content (CRM & Inbox)
  • Examples / Subitems: Chat messages, emails, file uploads, contact lists, custom fields imported by the user.
  • Retention Period: Duration of agreement + Grace Period (e.g., 60 days) OR until Account deletion.
  • Legal Bases: Contractual Necessity (Performance of Service).
  • Primary Purpose: Core service functionality (Inbox, CRM).

Technical & Security Logs
  • Examples / Subitems: IP addresses, browser type, login history, audit trails, API access logs.
  • Retention Period: Up to 3 years (Policy Sec 11).
  • Legal Bases: Legitimate Interests; Legal Obligation (Security).
  • Primary Purpose: Security monitoring; Fraud prevention; Debugging.

Analytics & Session Data
  • Examples / Subitems: Page views, click-streams, feature usage metrics, Hotjar session replays.
  • Retention Period: 24 months.
  • Legal Bases: Legitimate Interests; Consent (Cookies).
  • Primary Purpose: Product improvement; UX analysis.

Marketing & Lead Data
  • Examples / Subitems: Email addresses for newsletters, webinar registrations, demo requests.
  • Retention Period: Until consent withdrawn (unsubscribe) or 2 years of no engagement.
  • Legal Bases: Consent.
  • Primary Purpose: Marketing communications; Sales outreach.

AI & Inference Data
  • Examples / Subitems: Message context sent to LLMs (Gemini/Anthropic), query history.
  • Retention Period: Transient / short-term (context window only).
  • Legal Bases: Contractual Necessity; Legitimate Interests.
  • Primary Purpose: Providing AI answers (Milly).

Backups (Disaster Recovery)
  • Examples / Subitems: Database snapshots, full system backups.
  • Retention Period: 5 days.
  • Legal Bases: Legitimate Interests.
  • Primary Purpose: Business continuity; Disaster recovery.

Sensitive / Special Category Data
  • Examples / Subitems: Health data, race, biometric data (if uploaded by client against advice).
  • Retention Period: Immediate deletion upon detection.
  • Legal Bases: N/A (processing prohibited by policy).
  • Primary Purpose: N/A.