Privacy Policy

Effective Date: 22 March 2026 · Last Updated: 14 April 2026 · Version 1.2

This Privacy Policy explains how Innora Technology NZ Limited, trading as Innora Property ("we", "us", "our"), collects, uses, discloses, and protects your information in accordance with the Privacy Act 2020 (New Zealand) and the Privacy Amendment Bill 2026. It applies to our website, APIs, and AI-powered property intelligence services.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Data: Full name, email address, phone number, password (hashed), and role selection (developer, planner, agent, or buyer) during registration and profile setup.
  • Professional Profile: Company/organisation name, job title, physical/postal address, NZBN (NZ Business Number), planning firm name, and REAA licence number — collected based on your selected role to provide relevant services.
  • Property Search Data: Addresses, parcel IDs, and specific property criteria you input to generate reports.
  • Project Data: Site diary entries, defect logs, construction photos, voice recordings, schedule milestones, and cost tracking data you create within project workspaces.
  • Payment Data: Billing address and payment card details (processed securely via Stripe; we do not store full card numbers).
  • User-Generated Content: Notes, saved configurations, compliance documents, s92 response drafts, and custom inputs for AI report generation.

1.2 Information Collected Indirectly (Third-Party Sources)

We collect property data from authorised third-party sources to populate our reports:

  • Government Data: LINZ, Stats NZ, Ministry of Education (MOE)
  • Council Data: Auckland Council, Christchurch City Council (public ArcGIS endpoints)
  • Commercial Data: Trade Me API (sold price data), NIWA (natural hazards), Watercare

Under the Privacy Amendment Bill 2026 (IPP 3A), we take reasonable steps to ensure you are aware when we hold information collected from third parties.

2. How We Use Information

We use your information solely to provide our services and improve platform accuracy. We do not sell your personal data.

  • Service Delivery: Generating AVM estimates, AI reports, hazard assessments, and suburb summaries
  • Compliance Checking: Running MDRS/NES-DMRU compliance engines and DC calculations
  • Payment Processing: Verifying and processing transactions via Stripe
  • Communication: Service updates, security alerts, or requested property briefs
  • System Security: Monitoring for abuse, fraud, or technical errors (via Sentry and Cloudflare Turnstile)

3. Data Sources & Attribution

Innora Property relies on authoritative public and commercial datasets. We comply with all attribution licences:

  • LINZ: Parcels, DVR, and Addresses — sourced under the CC-BY 4.0 International licence. Crown copyright reserved.
  • OpenStreetMap: Map data © OSM Contributors — Open Database License (ODbL)
  • Stats NZ: Census 2023 data — Crown copyright, CC-BY 4.0
  • Auckland / Christchurch Council: Zoning, overlays, flood, and valuations from public ArcGIS servers
  • Trade Me: Sold data via OAuth API under commercial terms; for display within our reports only

All AVM estimates and AI-generated content are derived from these sources. We do not alter the underlying government data.

4. AI Processing of Data

4.1 AI Transparency

Our platform utilises AI models (including DeepSeek, Anthropic Claude, and OpenRouter models) to generate property insights. All AI-generated sections are clearly labelled. While our reports are AI-generated, compliance tools (MDRS, DC calculator, s92 engine) use deterministic rule-based logic.

4.2 AI Training Policy

We do not use your personal data or property search queries to train our AI models.

We use pre-trained models provided by third-party API providers. User prompts and generated reports are processed to provide the service but are not ingested into underlying model weights for retraining.

4.3 AI Processing Subcontractors

By using our service, you consent to processing by overseas AI providers including DeepSeek (PRC), Anthropic (USA), and local Ollama instances (NZ). We maintain contractual safeguards ensuring IPP 5 (security) compliance, though PRC/US privacy laws may differ from those of NZ.

We do not send personally identifiable information (your name, email, or phone number) in the prompt text sent to AI models. Only property data (addresses, coordinates, zoning codes) is included.

4.4 Algorithmic Transparency

Innora uses ensemble AI routing. Your query may be processed by multiple models. A processing log showing which backend generated specific outputs is available upon request for privacy verification purposes. Contact privacy@innora.properties.

5. Data Storage & Security

We implement industry-standard security measures to protect your data (IPP 5):

  • Database: Data stored securely using Supabase (hosted on AWS). Encrypted at rest and in transit (TLS 1.2+).
  • Error Monitoring: Sentry receives error logs with limited debugging context; excludes raw payment credentials.
  • Bot Protection: Cloudflare Turnstile verifies human presence without invasive tracking.
  • Retention: Account data retained while subscription is active. Upon deletion, personal identifiers are anonymised or deleted within 30 days (IPP 9).
  • Payment Security: Payment processing handled entirely by Stripe. Innora does not store credit card PAN data.

6. Cookies & Analytics

  • Essential Cookies: Required for login, API authentication, and saving report preferences.
  • Analytics: We may use aggregated, anonymised analytics to understand usage trends. We do not use third-party tracking cookies for advertising.

7. Third-Party Services

We share data with the following processors who act on our behalf under contractual obligations:

  1. Supabase (AWS) — Primary database storage
  2. Stripe — Payment processing (governed by Stripe's privacy policy)
  3. OpenRouter / DeepSeek / Anthropic — AI inference providers. Requests sent via API keys; we do not include PII in AI prompts.
  4. ArcGIS / LINZ / Trade Me — Property data APIs
  5. Vercel — Application hosting and edge network
  6. Upstash (Redis) — Rate limiting and session management
  7. Sentry — Error monitoring
  8. Cloudflare — Bot protection (Turnstile)
  9. Resend — Transactional email delivery

8. Cross-Border Data Transfers

Innora Property is based in New Zealand. Our infrastructure and third-party processors may store or process data outside New Zealand (e.g., AWS in Sydney, AI providers in the USA and PRC).

Under IPP 12, we ensure that:

  1. The recipient country has comparable privacy safeguards; or
  2. You have consented to the transfer; or
  3. The transfer is necessary for performing the service contract.

By using our service, you acknowledge that data may be processed in Australia, the USA, PRC (for AI inference), or Singapore for technical processing. If geopolitical events make non-NZ AI backends unavailable, the platform switches to local Ollama processing with potentially reduced AI capabilities.

9. Your Rights Under Privacy Act 2020

  • Right of Access (IPP 6): You may request a copy of the personal information we hold about you.
  • Right to Correction (IPP 7): You may request correction of inaccurate personal information.
  • Right to Deletion: You may request deletion of your account and associated data.
  • Right to Explanation: You may request an explanation of how AI systems reached their conclusions for specific reports, including which AI backend processed your query and key data points used.
  • Complaint: If you believe we have breached your privacy, you may complain to us or the Office of the Privacy Commissioner.

To exercise these rights, contact privacy@innora.properties. We will respond within 20 working days.

10. Data Retention & Deletion

  • Active Accounts: Data retained while account is active.
  • Termination: Personal data deleted or anonymised within 30 days of account deletion.
  • Beta Feature Data: Inputs from beta features may be retained up to 90 days for debugging (vs. 7 days for production data).
  • Derived Data: Aggregated, non-identifiable statistical data (e.g., average AVM confidence scores) may be retained indefinitely for product improvement.

11. Data Breach Notification (Part 6A)

Under Part 6A of the Privacy Act 2020, we are required to notify affected individuals and the Office of the Privacy Commissioner if a privacy breach is likely to cause serious harm. We will:

  • Assess notifiable breaches as soon as practicable after becoming aware of the breach
  • Notify the Privacy Commissioner without unreasonable delay
  • Notify affected individuals as soon as practicable, describing the breach, the information involved, and steps we are taking
  • Maintain an internal breach register as required by section 115

To report a security concern: security@innora.properties

12. Children's Privacy

Our services are intended for users aged 16 and above. If you are under 18, use our services only with guardian supervision. We do not knowingly collect data from children under 16. If we discover such data has been collected, we will delete it immediately.

13. Changes to This Policy

We may update this policy to reflect changes in our technology or legal requirements (including implementation of the Privacy Amendment Bill 2026 provisions). We will notify users of significant changes via email or an in-app banner at least 30 days before changes take effect.

14. Contact Us

For privacy enquiries, data access requests, or to report a security concern:

Innora Technology NZ Limited — Privacy Officer
Email: privacy@innora.properties