GIWAHS — trading as Whaitiri Black Limited Whaitiri Black Limited · Review draft
/ GIWAHS Founder Vault · Review draft

GIWAHS Privacy Policy

Document: 24 · Legal & Compliance Pack Version: 1.0 – Founder Draft (pre-publication) Status: Authored by AI under Doc 09 Autonomous Execution Standard. MUST be reviewed and signed off by qualified legal counsel in the applicable jurisdictions (NZ, EU/UK, US, AU) before being published on giwahs.com. Effective Date: To be inserted on publication. Last Updated: To be inserted on publication. Cross-references: Docs 25 (Terms of Service), 26 (Founding Partner Terms), 27 (Refund & Cancellation Policy).


1. Who We Are

Whaitiri Black Limited, a company incorporated in New Zealand, trading as GIWAHS (“Whaitiri Black”, “the Company”, “GIWAHS”, “we”, “us”, “our”) operates the platform available at https://giwahs.com (the “Platform”) — a fashion, product, and factory intelligence ecosystem connecting brands, suppliers, manufacturers, sourcing professionals, and innovators.

The data controller for the personal information processed under this Policy is:

Whaitiri Black Limited (trading as GIWAHS) Registered office address: to be inserted on publication. Director and Privacy Officer: Jay Elkington Email: privacy@giwahs.com

If you are in the European Economic Area, the United Kingdom, or another jurisdiction that requires the appointment of a local representative or Data Protection Officer, the relevant contact will be listed at https://giwahs.com/legal/dpo when published.

2. Scope of This Policy

This Policy describes how we collect, use, share, store, and protect personal information when you: - visit https://giwahs.com or any GIWAHS subdomain; - create or use a GIWAHS account (including Founding Partner accounts); - submit a Request for Quote (RFQ), supplier profile, verification document, message, or other content via the Platform; - communicate with us by email, support ticket, or any other channel; or - attend a sales call, demo, or webinar hosted by GIWAHS.

It does not apply to third-party websites linked from the Platform — those websites operate under their own privacy policies.

3. Information We Collect

3.1 Information you provide

3.2 Information collected automatically

3.3 Information from third parties

3.4 Sensitive information

We do not intentionally collect special-category data (race, religion, health, political views, biometrics, etc.). Please do not upload such information through the Platform. If you upload such data inadvertently, you may request its deletion under Section 8.

4. How We Use Your Information

We process personal information for the following purposes, on the legal bases shown:

Purpose Legal basis (GDPR / UK GDPR)
Create and operate your account; authenticate logins Contract
Provide the Platform, RFQ matching, supplier discovery, and Founding Partner benefits Contract
Process subscriptions, invoices, taxes, refunds Contract; legal obligation
Verify supplier identity and certifications Legitimate interests (platform integrity, fraud prevention); contract
Send transactional emails (receipts, renewal reminders, payment failures, founder welcome pack) Contract
Send marketing / product-update emails Consent (opt-in), withdrawable at any time
Provide customer support and respond to enquiries Contract; legitimate interests
Detect, prevent, and investigate fraud, abuse, or security incidents Legitimate interests; legal obligation
Comply with legal, tax, and regulatory obligations Legal obligation
Improve and develop the Platform (aggregated, de-identified usage analytics) Legitimate interests
Defend, exercise, or establish legal claims Legitimate interests; legal claims

We do not sell personal information. We do not use personal information for automated decision-making that produces legal or similarly significant effects on you without human review.

5. Sharing of Personal Information

We share personal information only with:

We never sell or rent personal information to data brokers or advertisers.

6. International Transfers

GIWAHS is a global platform. Personal information may be transferred to, stored in, and processed in countries outside your country of residence (including the United States, the European Union, the United Kingdom, Australia, and New Zealand).

Where we transfer personal data from the EEA, the UK, or Switzerland to a country not deemed adequate, we rely on: - the European Commission’s Standard Contractual Clauses (Module 2 or Module 3, as applicable); - the UK International Data Transfer Addendum; and - supplementary technical and organisational measures (encryption in transit and at rest, access controls, logging).

A copy of the transfer mechanism applicable to your data is available on written request to privacy@giwahs.com.

7. Data Retention

Data category Retention period
Active account data For the lifetime of your account, plus 30 days after account closure
Billing / invoice records 7 years from issue date (tax / accounting obligation)
Founding Partner allocation records (founder member number, tier, anniversary date) For the lifetime of the Founding Partner Programme plus 7 years
RFQ submissions and supplier quotes 3 years from last activity, unless required longer by legal claim
Verification documents For the duration of the verification status, plus 2 years after expiry or withdrawal
Support tickets and call recordings 2 years from resolution
Email logs (sent, bounce, complaint) 18 months
Cron and audit logs 13 months
Marketing opt-outs and suppression lists Indefinite (to honour your opt-out)

After the retention period, data is irreversibly deleted or de-identified.

8. Your Rights

Depending on your jurisdiction (EEA, UK, US states with applicable laws such as California, Colorado, Virginia, Connecticut, Utah, Texas; Brazil; Australia; New Zealand; etc.), you may have the right to:

To exercise any right, email privacy@giwahs.com from the email address on file or via your account’s Settings → Privacy → Data Requests panel (once enabled). We will respond within 30 days (or such shorter period as the law requires) and may need to verify your identity first.

You may also designate an authorised agent to act on your behalf, subject to verification.

9. Cookies and Similar Technologies

We use a small number of cookies and similar technologies for: - Strictly necessary purposes (session, authentication, security, CSRF protection) — these cannot be disabled. - Functional purposes (remembering preferences, language, theme). - Analytics — only if explicitly enabled in the future and only with your consent where required by law. Currently disabled on production.

A full cookie list, including provider, purpose, and lifetime, is available at https://giwahs.com/legal/cookies when published. You can manage non-essential cookies through the cookie banner or your browser settings.

10. Children’s Privacy

The Platform is intended for business users aged 18 or older. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact privacy@giwahs.com and we will delete it promptly.

11. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including: - TLS 1.2+ in transit and AES-256 at rest; - least-privilege access controls and audit logging; - role-based access; row-level security policies in our database; - regular dependency and vulnerability scanning; - incident response procedures; - background checks for engineers with production access.

No system is perfectly secure. If we discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timelines required by applicable law (e.g., 72 hours under GDPR).

12. California, Colorado, Virginia, Connecticut, Utah, Texas, and Other US State Disclosures

13. Australia (Privacy Act 1988) and New Zealand (Privacy Act 2020) Disclosures

We are bound by the Australian Privacy Principles and the New Zealand Information Privacy Principles. Complaints may be lodged with the Office of the Australian Information Commissioner (oaic.gov.au) or the Office of the New Zealand Privacy Commissioner (privacy.org.nz). We will respond to such complaints within the statutory timeframes.

14. Changes to This Policy

We may update this Policy from time to time. Material changes will be notified by email and/or in-app banner at least 14 days before they take effect. The “Last Updated” date at the top of this Policy reflects the most recent revision. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.

15. Contact Us


End of Document 24.