Privacy policy
Your society's information deserves careful handling
This policy explains how SocietyHub NZ Limited collects, uses, stores, and shares personal information when you use SocietyHub. It also explains your rights under the New Zealand Privacy Act 2020.
Last updated: 12 June 2026
Encrypted
Encryption in transit and at rest
Privacy Act 2020
Built around New Zealand privacy principles
Stored in New Zealand
Core society records hosted on Catalyst Cloud
AI sanitisation
Email addresses removed from AI Assistant queries
1. Who we are and what this policy covers
SocietyHub NZ Limited provides administration, governance, and compliance tools for New Zealand societies. We are responsible for personal information collected directly through our website, accounts, support channels, and public forms.
A society using SocietyHub controls the member and officer information it enters. We process that information on the society's instructions so we can provide the service. Society administrators are responsible for ensuring they have a lawful purpose for entering and using that information.
2. Information we collect
We collect only the information reasonably needed to provide and protect SocietyHub.
Account and contact information
This may include your name, email address, role, authentication details, and communications with us.
Society and member information
This may include society registration details, officer and member records, addresses, contact details, governance information, constitutions, meeting records, compliance tasks, and documents uploaded by authorised users.
Financial and billing information
SocietyHub may hold society transaction records entered into the service. Stripe processes payment card and subscription payment details for us. We do not store complete payment card numbers.
Usage and technical information
We collect limited service usage, security, device, and diagnostic information needed to operate, secure, and improve SocietyHub. Our self-hosted Umami analytics service provides aggregate website usage information.
AI interactions
When you choose to use an AI-assisted feature, we process the query, relevant conversation context, and the society context needed to answer it. Do not include personal information that is not needed for your question.
3. How we use information
We use information to:
- provide SocietyHub's administration, governance, and compliance features;
- create and manage accounts, permissions, subscriptions, and billing;
- send account, security, support, and service communications;
- respond to support requests and resolve technical problems;
- protect SocietyHub, its users, and society information from misuse;
- maintain records required by law; and
- understand and improve service reliability and usability.
We do not sell personal information or use it for unrelated advertising. We use and disclose personal information only for the purpose for which it was collected, a directly related purpose, with permission, or where the law allows or requires it.
4. Where and how we store information
Your society's core records, including member information, meeting records, documents, and financial records entered into SocietyHub, are stored on Catalyst Cloud infrastructure in New Zealand. Encrypted backups of those records are also kept in New Zealand.
We use access controls, encryption in transit, encryption at rest, backups, logging, and other technical and organisational measures appropriate to the information we hold. No online service can guarantee absolute security, but we work to prevent unauthorised access, loss, misuse, or disclosure.
Some limited information is processed offshore when you use the AI Assistant, make a payment, receive transactional email, or use a Cloudflare-protected public form. Those services are described below.
5. Service providers and disclosures
We share information with service providers only where needed to deliver, secure, or support SocietyHub. We require providers to protect the information they process.
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Catalyst Cloud | Application hosting, database, file storage, and encrypted backups | New Zealand | New Zealand infrastructure, access controls, and encryption |
| Google Vertex AI | AI Assistant and AI-assisted document processing | Australia (australia-southeast1 / Sydney) | Google Cloud Data Processing Addendum, contractual transfer safeguards, encryption, and no model training without permission |
| Stripe | Subscription billing and payment processing | United States and other Stripe processing locations | Stripe Data Processing Agreement and PCI DSS controls |
| Resend | Transactional email, including account and service messages | United States and other Resend processing locations | Limited to information needed to send and deliver messages |
| Cloudflare | Bot protection on public forms | Global network | Used only on protected public forms and subject to Cloudflare data safeguards |
| NZ Companies Office | NZBN and society register lookups | New Zealand | Public register data only |
We may also disclose information where required by law, to protect someone's safety, to investigate misuse, or as part of a business transfer where appropriate privacy protections remain in place.
6. AI Assistant and AI-assisted features
SocietyHub uses Google Vertex AI to provide the AI Assistant and some document-drafting features. AI-powered features use Google Cloud's Vertex AI service, processed in Google's australia-southeast1 (Sydney, Australia) region. Google Cloud's terms state that customer data is not used to train or fine-tune AI models without the customer's prior permission or instruction.
For AI Assistant conversations, SocietyHub removes email addresses from user messages in the browser and repeats that check on our server before sending the conversation to Vertex AI. This reduces risk, but automated sanitisation cannot identify every kind of personal information. Avoid entering names, phone numbers, sensitive member details, or other personal information unless it is necessary.
Society context sent to the AI Assistant may include the society's name, registration number, address, purpose, governance settings, member count, and compliance-task summaries. Use of the AI Assistant is optional.
7. Overseas disclosure
Privacy Principle 12 of the Privacy Act 2020 governs disclosure of personal information outside New Zealand. Where an offshore provider processes personal information for us, we use contractual and technical safeguards appropriate to the provider and the information involved.
Offshore providers include Google Vertex AI for AI-assisted features, Stripe for payment processing, Resend for transactional email, and Cloudflare for bot protection. Their processing locations and safeguards are summarised above.
8. Retention and deletion
We keep personal information only for as long as it is needed for the purpose for which it was collected, to provide the service, or to meet legal and audit obligations.
- Active member information is retained while needed by the society, then anonymised three years after the member is deactivated or lapses.
- Financial records are retained for seven years where required for tax, audit, and record-keeping obligations.
- Eligible erasure requests are completed within 30 days. Information that must be retained by law or for legitimate audit records may be excluded.
- After a SocietyHub subscription ends, we will provide a reasonable opportunity to export society data before deleting or anonymising it, subject to legal retention requirements and backup cycles.
9. Your privacy rights
You may ask us for access to personal information we hold about you and request a correction if it is wrong. Depending on the information and our legal obligations, you may also ask us to delete or export it.
If your information was entered by a society, contact that society's administrator first. You can also contact us directly. We may need to verify your identity before acting on a request.
10. Security and privacy breaches
We monitor and maintain safeguards intended to protect information from loss, unauthorised access, misuse, alteration, or disclosure. Users must also protect their login details and grant access only to authorised people.
If a privacy breach has caused, or is likely to cause, serious harm, we will notify the Office of the Privacy Commissioner and affected people as soon as practicable, unless an exception applies.
11. Cookies and analytics
SocietyHub uses essential cookies to keep you signed in, protect sessions, remember settings, and provide requested features. Our self-hosted Umami analytics service runs on our New Zealand infrastructure and helps us understand aggregate website usage without selling information or sharing it with an advertising network.
Cloudflare Turnstile may process limited device and request information when it protects a public form from automated misuse.
12. Contact us or make a complaint
For privacy questions, access or correction requests, or concerns about how we handle information, email privacy@societyhub.co.nz. You may also email admin@societyhub.co.nz.
You can complain to the Office of the Privacy Commissioner at privacy.org.nz or by calling 0800 803 909.
13. Changes to this policy
We may update this policy when SocietyHub, our providers, or legal requirements change. We will publish the updated policy here and change the date at the top. We will give reasonable notice if a change materially affects how we handle personal information.