Privacy Policy

Last updated: 2025-05-16

This Privacy Policy (“Policy”) explains how SAAS First Limited (NZBN 9429052764448) of 1 Koru Lane, Leamington, Cambridge 3432, New Zealand (“SAAS First”, “we”, “our”, “us”) collects, uses, discloses, and protects personal information when you visit our websites or use any SAAS First software-as-a-service products, mobile or desktop applications, APIs, and related services (collectively, the “Service”).

We are committed to complying with the New Zealand Privacy Act 2020 (including the Information Privacy Principles (“IPPs”)), the Privacy Regulations 2020, the Unsolicited Electronic Messages Act 2007 (“UEM Act”), and all other applicable privacy laws. If you do not agree with this Policy, please do not use the Service.

WHO WE ARE & CONTACT DETAILS

  • Controller (for SAAS First’s own data-processing): SAAS First Limited
  • Address: 1 Koru Lane, Leamington, Cambridge 3432, New Zealand
  • E-mail: [email protected]
  • Privacy Officer: Tamas Ham-Szabo / director

If you are an end-user of an organisation that is our customer, SAAS First acts as a data processor—please contact the relevant organisation (the “Controller”) first.

WHAT INFORMATION WE COLLECT

Information you provide directly

  • Account details – name, business email, phone, company, address, GST/Tax ID, password, profile photo.
  • Lead & form data – same as above plus optional LinkedIn, social URLs, additional contact numbers.
  • Customer Data – any data or content (files, chat messages, lists, custom fields, etc.) you or your users upload or import.
  • Marketing/demo/support enquiries.

Information automatically collected

  • Device & usage – IP address, browser/OS, device type, referrer, approximate geo-location (IP-derived, if enabled), language.
  • Event & activity logs – pages viewed, clicks, feature use, session timing, UTM parameters, cookies/pixels, session-replay (Hotjar), audit trails.
  • Notification & board history, profile edits, security logs.

Information from third parties

  • Lead enrichment & verification tools (e.g., Apollo.io, Instantly, LinkedIn, OneAway (El-Mina Services Ltd)).
  • Payment processors (Stripe) — tokenised payment details and invoice status.
  • Integrations you enable (e.g., CRM, messaging, analytics).

Sensitive (“special-category”) data

We do not intentionally collect special-category data (health, union, race, biometric, etc.) and instruct customers not to upload such data unless strictly necessary and all legal requirements are met. If you choose to upload such data you are solely responsible for obtaining the required consents or authorisations and notifying us if additional safeguards are needed.

Unique identifiers (IPP 13)

We assign only those unique identifiers that are strictly necessary for authentication or account security (e.g., workspace ID, user ID). We never use NZ Government identifiers (e.g., IRD Number, NZBN) in a way that is inconsistent with IPP 13.

HOW WE USE YOUR INFORMATION

We process personal information only for the purposes listed below or as otherwise permitted by law:

  1. Provide, operate, maintain, and improve the Service and each enabled Module.
  2. Authenticate users, administer accounts, and enforce workspace permissions.
  3. Process transactions and issue GST-compliant invoices.
  4. Communicate with you about the Service (service notices, security alerts, updates).
  5. Send marketing material – only with your consent or where otherwise lawful (Section 5).
  6. Conduct analytics, diagnostics, debugging, and product development.
  7. Ensure security, fraud-prevention and service integrity.
  8. Comply with legal obligations or respond to lawful requests and disputes.

LEGAL BASES FOR PROCESSING

  • Contractual necessity – to deliver the Service you request.
  • Consent – for marketing emails, non-essential cookies, and any optional data you supply.
  • Legitimate interests – to secure and improve the Service, provided these interests are not overridden by your rights.
  • Legal obligation – tax, record-keeping, fraud detection.

MARKETING COMMUNICATIONS & UEM ACT

  • We send electronic marketing messages only with valid consent, an applicable business-to-business exemption, or another lawful basis as permitted by the Unsolicited Electronic Messages Act 2007 and comparable overseas laws.
  • All marketing e-mails include our contact details and a functional unsubscribe link.
  • You may withdraw consent at any time by clicking the link, changing in-app settings, or emailing us.
  • If you use our Marketing, Inbox or Lead to Deal Modules to message third parties, you are responsible for obtaining and recording the necessary consents and honouring all opt-out requests.

COOKIES & TRACKING TECHNOLOGIES

We use first- and third-party cookies, pixels, and similar technologies (Google Analytics, Meta Pixel, LinkedIn, Bing, Hotjar, Apollo.io) for analytics, personalisation, and advertising.

  • Essential cookies (security, authentication) are always active.
  • Non-essential cookies are set only with your consent, recorded via our CookieYes banner & preference centre.
  • Full details of each cookie/tool, purpose, expiry, and how to change preferences are set out in our Cookie Policy at https://saasfirst.com/cookies.

DATA SHARING & DISCLOSURE

No Sale of Personal Information

We do not sell personal information.

Sub-processors & Service Providers

We share information only with trusted partners who help us provide or secure the Service (hosting, payment, analytics, support, AI processing). All partners sign agreements that include:

  • Confidentiality, IPP 12 “comparable safeguards”, and breach-notification duties;
  • Use of data only as instructed by SAAS First;
  • Audit / monitoring rights.

Our current sub-processor list is published at https://policies.saasfirst.com/annex-2. Customers may object on reasonable privacy grounds; if unresolved they may disable the affected Module.

International Transfers (IPP 12)

Some data may be processed in or accessed from countries outside New Zealand (e.g., Australia, EU, US, Canada). We ensure comparable safeguards by:

  1. Written data-processing agreements incorporating NZ-approved or EU Standard Contractual Clauses; and/or
  2. Selecting providers in jurisdictions recognised as having equivalent privacy protections.

Law Enforcement & Business Transfers

We will disclose personal information where legally required, or in connection with a merger, acquisition, or sale of assets, subject to confidentiality protections.

AI & AUTOMATED PROCESSING

  • AI features (chatbot “Milly”, AI query builder) are optional and can be disabled at the workspace level; when disabled no Customer Data is sent to AI providers.
  • When enabled, only the knowledge-base articles you flag and up to the last ten messages in an active conversation are sent for real-time inference only; data is not stored for model training.
  • Current AI providers: OpenAI (USA), Anthropic (USA), Google Gemini (USA). All are reflected in our sub-processor list.

DATA SECURITY

We implement reasonable technical and organisational measures, including:

  • Encryption in transit (TLS 1.2+) and at rest (server-level AES-256 for all new databases; legacy servers migrating by 31 Aug 2025).
  • ISO-aligned information-security programme with annual penetration testing, vulnerability scanning, and mandatory staff security training.
  • Role-based access, multi-factor authentication (MFA) rollout across all internal systems by 31 Aug 2025.
  • Audit logs for user access and configuration changes.
  • Payments handled by PCI-DSS level 1 provider (Stripe); SAAS First never stores full card numbers.

No internet transmission or storage system is 100% secure. You are responsible for keeping your passwords and devices secure.

DATA BREACH NOTIFICATION

If we become aware of a notifiable privacy breach (as defined in the Privacy Act 2020) we will:

  1. Notify you and the NZ Office of the Privacy Commissioner (“OPC”) without undue delay and, where practicable, within 72 hours;
  2. Describe the nature of the breach, the categories and approximate number of individuals and records affected, likely consequences, containment measures, and steps taken or proposed to be taken to mitigate its effects;
  3. Co-operate with you to meet any additional regulatory or contractual obligations.

DATA RETENTION & DESTRUCTION (IPP 9)

We keep personal information only as long as necessary for the purposes set out in this Policy or to comply with legal requirements. Our criteria include: statutory retention periods, limitation-of-action timeframes, tax rules, and business needs. Typical periods:

  • Account/profile data – until deleted by you or 3 years of inactivity.
  • Event/activity & analytics logs – up to 3 years.
  • Backups – maximum 15 days.
  • Invoices & payment records – 7 years (GST Act 1985).

We review retention schedules annually. When data is no longer required, we securely delete or irreversibly anonymise it. Backups are overwritten after 5 days.

YOUR RIGHTS (IPPs 6–8; 12)

Subject to verification and legal exceptions, you have the right to:

  • Access – know whether we hold personal information about you and obtain a copy.
  • Correction – request correction of inaccurate or incomplete data. If we refuse, you may provide a statement of correction which we will attach to the record.
  • Deletion – request erasure where lawful. Some records (e.g., invoices, security logs) may be retained where legally required.
  • Withdraw consent – for marketing or cookies at any time.
  • Object / restrict certain processing.
  • Data portability – obtain a copy of your information in a structured, commonly used format.
  • Overseas disclosure information – ask which countries or organisations have access to your data.

To exercise any right, use in-app tools or contact us at [email protected]. We will respond within 20 working days (Privacy Regulations 2020).

CLIENT / END-USER DATA (PROCESSOR ROLE)

When a customer uploads or generates data about their end-users, the customer is the Controller and SAAS First is a Processor. We:

  • Process that data only on the customer’s documented instructions;
  • Provide technical and organisational measures to protect it;
  • Assist the customer with privacy requests and audits;
  • Enter into a Data Processing Addendum (DPA) on request (https://saasfirst.com/dpa). End-users should direct privacy enquiries to the relevant customer.

UNIQUE IDENTIFIERS

See Section 2.5 above.

CHILDREN’S PRIVACY

The Service is intended for business users aged 18 or older. We do not knowingly collect information from minors. If you believe a child has provided us with personal information, please contact us for deletion.

THIRD-PARTY LINKS & SERVICES

The Service may link to or integrate with third-party services (payment, social media, AI, knowledge-base content). Their privacy practices are governed by their own policies. We are not responsible for such practices.

CHANGES TO THIS POLICY

We may update this Policy at any time. Material changes will be announced by e-mail or an in-app banner and will take effect 30 days after notice unless required sooner by law.

QUERIES, CONCERNS & COMPLAINTS

Please contact our Privacy Officer at [email protected] or the postal address above. If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner (www.privacy.org.nz).

ANNEXES