Skip to main content
NZ · Privacy

Privacy — New Zealand

Caselaw operates under the Privacy Act 2020 for users in Aotearoa New Zealand. We follow each of the 13 Information Privacy Principles (IPPs) and accept the supervisory authority of the Office of the Privacy Commissioner (OPC). Effective 2026-05-03.

What we collect (IPP 1, 2, 3, 4)

  • Email address — collected directly from you for account, magic-link auth and transactional comms (IPP 2 — collection from individual concerned).
  • University, year-level, exam focus — only what you give us in the waitlist or settings (IPP 3 — purpose stated at the point of collection).
  • Salted IP hash — for abuse prevention and rate-limiting. Never raw IP, never enriched with third-party data brokers.
  • Reading history within Caselaw — drives flashcards and revision suggestions; never sold and never shared with advertisers.
  • Stripe customer / subscription state — handled by Stripe Inc.; we do not store payment card data on Caselaw infrastructure.
  • Crash + error logs — automatically captured via Vercel logs; retained 30 days, then auto-purged.

What we don't collect

  • Tracking cookies that follow you off the site.
  • Third-party advertising profiles. No Meta Pixel, no Google Ads tag, no LinkedIn Insights tag.
  • Card numbers — Stripe processes them; we never see them.
  • Voice / video / camera data — we have none of those features.
  • Biometric data of any kind.

Data residency + cross-border transfer (IPP 12)

Caselaw uses Supabase EU-WEST (Frankfurt, Germany) for primary storage and Vercel's edge network for delivery. Cross-border transfer out of New Zealand is permitted under IPP 12 because both jurisdictions provide privacy protections comparable to the Privacy Act 2020 (Germany under the EU GDPR; the United States, where some edge-cache nodes reside, under contractual safeguards aligned with OPC guidance). Anthropic processes prompts for the AI brief generator; no personal data is included in those prompts (case metadata only).

Your rights (IPPs 6, 7, 11, 12)

Under the Privacy Act 2020 you may:

  • Access — request a copy of personal information we hold about you (IPP 6).
  • Correct — request correction of inaccurate information (IPP 7).
  • Erase — close your account and delete associated data (covered by deletion of records once they are no longer needed under IPP 9).
  • Object — withdraw consent for marketing comms at any time.

Email [email protected]. We respond within 20 working days as required by s 40 of the Privacy Act. Unsatisfied? Lodge a complaint with the OPC.

Notifiable privacy breaches (Part 6)

Where a privacy breach has caused or is likely to cause serious harm, we notify the OPC and affected individuals as soon as practicable — target window is 72 hours of becoming aware, in line with NotifyUs guidance. Public disclosure follows on the company status page when appropriate.

Tax + payments

NZ GST (15%) is calculated and remitted via Stripe Tax for all taxable supplies to NZ residents. Currency is NZD; payment receipts are issued by Stripe Payments NZ Ltd (FSP1027007) on our behalf.

This regional privacy notice supplements our global privacy policy — read both. Effective 2026-05-03.