Privacy Policy

Effective: 4 May 2026 · Last updated: 4 May 2026

This Privacy Policy explains how Kahu Logic Limited (NZBN 9429053390776) (“Kahu Logic”, “we”, “us”, “our”) collects, uses, shares, and protects personal information when you visit kahulogic.com, contact us, or use the Kahu Logic platform (the “Service”).

It is designed to align with the Privacy Act 2020 (New Zealand) and the thirteen Information Privacy Principles, the Privacy Act 1988 (Commonwealth of Australia) and the Australian Privacy Principles, the Unsolicited Electronic Messages Act 2007 (NZ), and the Spam Act 2003 (Cth).

1. Who we are

Kahu Logic Limited is a New Zealand company (NZBN 9429053390776) that provides an AI-assisted platform for small businesses to build websites, run marketing, manage customer relationships, and operate day-to-day. We serve customers in New Zealand and Australia. Our service is delivered from infrastructure hosted in New Zealand, with an Australian mirror for redundancy.

For the purposes of the Privacy Act 2020 (NZ) and the Privacy Act 1988 (Cth), Kahu Logic is the agency or entity responsible for the personal information described in this Policy.

2. Information we collect

We only collect personal information that we genuinely need to deliver, support, secure, or improve the Service. The categories below describe what we collect and how it reaches us.

2.1 Information you give us directly

  • Account information — name, business name, email address, phone number, role, country, and timezone.
  • Billing information — billing address, GST/ABN/NZBN where supplied, and the last four digits of the payment method (full card numbers are handled by our payment processor and never reach our servers).
  • Content you upload — website copy, brand assets, product or service catalogues, contact lists you choose to import, campaign drafts, voice notes you send to the AI, and any other material you place inside the Service.
  • Support correspondence — messages you send us by email, in-app chat, or contact form.

2.2 Information we collect automatically

  • Device and connection data — IP address, browser type and version, operating system, screen size, language, and referring URL.
  • Usage data — pages viewed, features used, the time and duration of your session, error logs, and similar technical telemetry.
  • Cookie data — described in section 6.

2.3 Information from third parties

If you choose to connect third-party services (for example, Google Business Profile, Google Ads, a Meta Pixel, or a payment processor), we receive information from those services that you have authorised to share. We only receive data within the scope of the connection you approved.

3. How we use your information

We use personal information for the following purposes:

  • Providing the Service — creating and maintaining your account, hosting your website, drafting and scheduling marketing content, storing your customer records, and processing the operations you ask the Service to perform.
  • Billing and accounts — charging your payment method, issuing receipts and tax invoices, and resolving disputes.
  • Support — replying to questions, investigating issues, and improving documentation.
  • Security and abuse prevention — detecting fraud, blocking abuse, and protecting the integrity of the Service.
  • Service improvement — understanding which features are used and how, fixing bugs, and developing new functionality. We use aggregated and de-identified data wherever possible.
  • Legal and regulatory obligations — meeting our obligations under New Zealand and Australian law, including tax, accounting, and lawful requests from authorities.
  • Direct marketing — sending you product news, updates, or offers, on the basis described in section 13.

We will not use your personal information for a purpose that is materially different from the ones above without first telling you and, where required, obtaining your consent.

4. Use of artificial intelligence

The Service uses AI models — some operated by Kahu Logic, some accessed through third-party providers — to draft websites, write marketing content, summarise customer conversations, and similar tasks.

4.1 We do not train shared models on your data

We do not use your business’s content, customer records, or campaign history to train AI models that are shared with other customers or made publicly available. Your data stays scoped to your account.

4.2 Per-customer context

To produce useful output, the AI is given context about your business — your existing site copy, brand voice, products, and similar inputs you have supplied. This context is held in your account and is not visible to other customers.

4.3 Third-party model providers

When we use a third-party model provider (for example, to draft text or generate an image), the relevant prompt and any context required for that prompt is sent to the provider for processing. We choose providers that contractually agree not to retain or train on customer data sent to their inference APIs. Current providers and their roles are listed in our Cookies and Subprocessors reference.

4.4 Approval gate

The Service does not publish, post, or send AI-generated content on your behalf without your approval, unless you explicitly opt into auto-approval for a specific surface.

5. Sharing of personal information

We do not sell personal information. We share personal information only in the following circumstances:

  • Service providers and subprocessors — cloud hosting, AI model providers, payment processors, email delivery providers, error monitoring, and similar suppliers that help us operate the Service. They are bound by confidentiality and data-protection obligations and may only use the data to perform the service we contracted them for.
  • Integrations you connect — if you authorise an integration (for example, with Google Ads or a CRM), we share data with that integration only as you direct.
  • Business transfers — if Kahu Logic is involved in a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to the same protections set out here.
  • Legal compliance — where we are required by law, or where we reasonably believe disclosure is necessary to protect rights, property, or safety.

6. Cookies and tracking technologies

Our website uses cookies and similar technologies to keep you signed in, remember your preferences, measure traffic, and (with your consent) understand how the Service is used so we can improve it. A full breakdown is set out in our Cookie Policy.

You can disable non-essential cookies through your browser settings or the cookie banner on first visit. Essential cookies cannot be disabled because the Service will not function without them.

7. Collection and use of Google user data

If you connect a Google product to the Service — including Google Business Profile, Google Analytics, Google Tag Manager, Google Search Console, or Google Ads — we receive only the scopes of data you grant during the Google authorisation flow.

7.1 What we use Google data for

We use the Google data you connect strictly to provide the features you have asked us to provide. For example:

  • Reading Google Analytics traffic data to show it back to you inside the Service.
  • Creating, updating, or pausing campaigns inside Google Ads when you ask us to.
  • Updating your Google Business Profile listing when you change your business details inside the Service.
  • Deploying tags through your Google Tag Manager container that you have delegated us access to.

7.2 What we will not do with Google data

  • We will not transfer Google user data to any third party except as necessary to provide or improve the user-facing features that you have requested, and only with your consent.
  • We will not use Google user data to serve ads, including remarketing, personalised, or interest-based advertising.
  • We will not allow humans to read Google user data unless we have your explicit consent, it is required for security purposes (such as investigating abuse), or we are compelled to do so by law.
  • We will not use Google user data to develop, improve, or train generalised or non-personalised AI or machine-learning models.

7.3 Disconnecting Google access

You can revoke our access to your Google products at any time from your Google Account permissions page (myaccount.google.com/permissions) or by contacting us. After disconnection we delete the related access tokens and stop processing the Google data they unlocked.

Kahu Logic’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

8. How long we keep your information

We keep personal information only for as long as we need it for the purposes set out in this Policy, or for as long as we are required to keep it by law. Typical retention periods:

  • Active account data — for as long as your account is open.
  • Billing records and tax invoices — for at least seven years after the last transaction, to meet New Zealand and Australian tax-record requirements.
  • Support correspondence — up to three years after the last interaction.
  • Backups and logs — up to ninety days, after which they are overwritten in the normal rotation.

When you close your account, we delete or de-identify your active data within thirty days, except for items we are legally required to retain.

9. Security

We take reasonable steps to protect personal information from loss, misuse, unauthorised access, modification, or disclosure. Our safeguards include:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest.
  • Strict access controls and least-privilege role assignments for staff.
  • Multi-factor authentication on administrative systems.
  • Regular software updates, monitoring, and incident-response procedures.
  • Hosting in tier-3 or equivalent data-centre environments.

No system is perfectly secure. If we become aware of a privacy breach that is likely to cause serious harm, we will notify the affected individuals and the Office of the Privacy Commissioner (NZ) and/or the Office of the Australian Information Commissioner, as required.

10. Children and minors

The Service is intended for use by businesses and adults aged sixteen years or older. We do not knowingly collect personal information from children under sixteen. If you believe a child has provided us with personal information, please contact us so we can investigate and, if appropriate, delete it.

11. International data transfers

Your personal information is primarily stored on infrastructure located in New Zealand, with an Australian mirror. Some of our service providers (for example, AI model providers and email delivery services) operate from outside New Zealand and Australia, including from the United States and the European Union.

When we transfer personal information outside New Zealand, we take reasonable steps to ensure the recipient is required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act 2020 (NZ). For Australian residents, transfers are made on the same basis as Australian Privacy Principle 8.

12. Your privacy rights

You have the following rights in relation to your personal information:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to correct information that is inaccurate, out of date, incomplete, or misleading.
  • Deletion — ask us to delete information we no longer need to keep.
  • Export — ask us to export your account’s data in a machine-readable format.
  • Withdraw consent — where we rely on your consent, withdraw it at any time.
  • Object or restrict — object to a particular use of your information or ask us to restrict it.

To exercise any of these rights, contact us at [email protected]. We will respond within twenty working days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner in New Zealand (privacy.org.nz) or the Office of the Australian Information Commissioner (oaic.gov.au).

13. Direct marketing and opt-out

We may send you product news, updates, and offers by email. Every marketing email contains an unsubscribe link, in line with the Unsolicited Electronic Messages Act 2007 (NZ) and the Spam Act 2003 (Cth). You can opt out of marketing at any time by clicking the link or contacting us. Operational messages (for example, billing receipts or service notices) are not marketing and will continue to be sent.

14. Updates to this Policy

We may update this Policy from time to time as the Service evolves or as the law changes. The “Last updated” date at the top tells you when the latest version took effect. If we make material changes, we will tell you by email or through an in-product notice before the changes take effect.

15. How to contact us

For any privacy question, request, or complaint, please contact:

Kahu Logic Limited
Email: [email protected]
NZBN: 9429053390776