Legal

Privacy Policy

Last updated: March 2026

ShiftCurve Ltd ("we", "us", "our") is committed to protecting the privacy of our clients and website visitors. This policy explains how we collect, use, store, and protect your personal information in accordance with the New Zealand Privacy Act 2020.

Information We Collect

  • Contact details - name, email, phone number, and business details provided via our contact form or direct engagement
  • Project data - documents, financials, legal materials, and other inputs you provide for document generation
  • Website analytics - anonymised usage data collected via Google Analytics (GA4)
  • We do not use cookies beyond essential functionality required for the site to operate

How We Use Your Data

  • To deliver the services you have engaged us for, including document generation and website builds
  • To communicate with you about your project
  • To improve our services using aggregate, anonymised patterns only

Important commitments

  • We do NOT use your data to train AI models
  • We do NOT sell or share your data with third parties

Where Your Data Is Stored

  • Supabase - hosted on AWS infrastructure in the Asia-Pacific region
  • Google Workspace - email communications
  • All data is encrypted at rest and in transit

Data Retention

  • Project data is retained for 90 days after project completion to allow for revision requests
  • After 90 days, source data is deleted unless you request extended retention
  • Final delivered documents remain yours permanently
  • You can request a full data export or deletion at any time

Your Rights (NZ Privacy Act 2020)

Under the New Zealand Privacy Act 2020, you have the right to:

  • Access your personal information
  • Request correction of inaccurate information
  • Request deletion of your data
  • Know how your data is being used

For any privacy requests, contact us at privacy@shiftcurve.co.nz

If you are not satisfied with our response, you can complain to the NZ Privacy Commissioner at privacy.org.nz

Data Breach Notification

In the event of a data breach that poses a risk of harm, we will notify affected parties and the NZ Privacy Commissioner as required by the Privacy Act 2020.

Third-Party Services

We use the following third-party services in the course of delivering our work:

Google Analytics (GA4)

Anonymised website analytics

Anthropic (Claude AI)

Document processing via commercial API. API data is never used for model training. Logs are automatically deleted after 7 days per Anthropic's commercial API policy.

Vercel

Website hosting

Supabase

Database and file storage

AI-Specific Data Handling

  • We use Anthropic's commercial API, which is excluded from model training. API logs are automatically deleted after 7 days per Anthropic's data retention policy
  • We do not fine-tune or train AI models on client data
  • AI-generated outputs are reviewed by a human before delivery
  • You own all outputs generated from your data

Questions about this policy? Contact us at privacy@shiftcurve.co.nz or visit our contact page.