GIWAHS Privacy Policy
Document: 24 · Legal & Compliance Pack Version: 1.0 – Founder Draft (pre-publication) Status: Authored by AI under Doc 09 Autonomous Execution Standard. MUST be reviewed and signed off by qualified legal counsel in the applicable jurisdictions (NZ, EU/UK, US, AU) before being published on giwahs.com. Effective Date: To be inserted on publication. Last Updated: To be inserted on publication. Cross-references: Docs 25 (Terms of Service), 26 (Founding Partner Terms), 27 (Refund & Cancellation Policy).
1. Who We Are
Whaitiri Black Limited, a company incorporated in New Zealand, trading as GIWAHS (“Whaitiri Black”, “the Company”, “GIWAHS”, “we”, “us”, “our”) operates the platform available at https://giwahs.com (the “Platform”) — a fashion, product, and factory intelligence ecosystem connecting brands, suppliers, manufacturers, sourcing professionals, and innovators.
The data controller for the personal information processed under this Policy is:
Whaitiri Black Limited (trading as GIWAHS) Registered office address: to be inserted on publication. Director and Privacy Officer: Jay Elkington Email: privacy@giwahs.com
If you are in the European Economic Area, the United Kingdom, or another jurisdiction that requires the appointment of a local representative or Data Protection Officer, the relevant contact will be listed at https://giwahs.com/legal/dpo when published.
2. Scope of This Policy
This Policy describes how we collect, use, share, store, and protect personal information when you: - visit https://giwahs.com or any GIWAHS subdomain; - create or use a GIWAHS account (including Founding Partner accounts); - submit a Request for Quote (RFQ), supplier profile, verification document, message, or other content via the Platform; - communicate with us by email, support ticket, or any other channel; or - attend a sales call, demo, or webinar hosted by GIWAHS.
It does not apply to third-party websites linked from the Platform — those websites operate under their own privacy policies.
3. Information We Collect
3.1 Information you provide
- Account information: name, business email, password (hashed; we never store the plaintext), organisation name, role/title, country, phone number (optional).
- Billing information: billing address, tax/VAT number where applicable. Card numbers and full payment details are collected and stored by Stripe, our payment processor — GIWAHS never sees or stores your full card number. We receive only a Stripe customer reference, the last four digits of the card, the brand, and the expiry month/year.
- Supplier verification documents: business registration, certifications (ISO, BSCI, WRAP, etc.), audit reports, factory photos, banking confirmation letters, and any other documents you voluntarily upload to verify your organisation.
- RFQ content: product specifications, target prices, quantities, target markets, lead times, attachments, and any commentary you submit.
- Communications: messages between you and other users, support tickets, sales-call notes, recorded demo sessions (only if you explicitly consent to recording at the start of the call).
- Marketing preferences: email subscriptions, opt-in/opt-out choices.
3.2 Information collected automatically
- Usage data: pages visited, features used, search queries within the Platform, click streams, timestamps, session duration.
- Device and network data: IP address, browser type and version, operating system, device identifiers, time zone, referring URL.
- Cookies and similar technologies: see Section 9 below.
3.3 Information from third parties
- Identity verification providers (where we engage one in future): pass/fail signal and reference ID only.
- Stripe: subscription status, invoice metadata, payment status (succeeded / failed / refunded), customer portal events.
- Resend (transactional email): delivery, bounce, and complaint events for emails we send you.
- Supabase Auth (our authentication infrastructure): account creation events, login timestamps, password-reset events.
- Analytics providers (only if
REACT_APP_ANALYTICS_PROVIDERis enabled — currently disabled): anonymised behavioural events. - Publicly available business data, where used to pre-populate or verify supplier profiles (e.g., public companies register).
3.4 Sensitive information
We do not intentionally collect special-category data (race, religion, health, political views, biometrics, etc.). Please do not upload such information through the Platform. If you upload such data inadvertently, you may request its deletion under Section 8.
4. How We Use Your Information
We process personal information for the following purposes, on the legal bases shown:
| Purpose | Legal basis (GDPR / UK GDPR) |
|---|---|
| Create and operate your account; authenticate logins | Contract |
| Provide the Platform, RFQ matching, supplier discovery, and Founding Partner benefits | Contract |
| Process subscriptions, invoices, taxes, refunds | Contract; legal obligation |
| Verify supplier identity and certifications | Legitimate interests (platform integrity, fraud prevention); contract |
| Send transactional emails (receipts, renewal reminders, payment failures, founder welcome pack) | Contract |
| Send marketing / product-update emails | Consent (opt-in), withdrawable at any time |
| Provide customer support and respond to enquiries | Contract; legitimate interests |
| Detect, prevent, and investigate fraud, abuse, or security incidents | Legitimate interests; legal obligation |
| Comply with legal, tax, and regulatory obligations | Legal obligation |
| Improve and develop the Platform (aggregated, de-identified usage analytics) | Legitimate interests |
| Defend, exercise, or establish legal claims | Legitimate interests; legal claims |
We do not sell personal information. We do not use personal information for automated decision-making that produces legal or similarly significant effects on you without human review.
5. Sharing of Personal Information
We share personal information only with:
- Service providers (data processors) acting on our documented instructions and under written contracts. Current providers:
- Stripe, Inc. — payments, subscriptions, customer portal, tax (US-based; processes globally).
- Supabase, Inc. — database, authentication, edge functions, file storage (US-based; AWS regions configurable).
- Resend — transactional email delivery (US-based).
- Cloud infrastructure providers (AWS, Vercel, or equivalent) — hosting and CDN.
- Customer support tooling — only where deployed; will be disclosed here on activation.
- Other Platform users, strictly as required for the feature you initiate. For example, when you submit an RFQ to a supplier, the supplier sees the RFQ content and your organisation identity; suppliers do not receive your email address unless you choose to share it inside a message.
- Professional advisers (lawyers, accountants, auditors) under confidentiality obligations.
- Authorities and courts, where required by valid legal process, court order, or to protect the rights, property, or safety of GIWAHS, our users, or the public.
- Successors in interest, in connection with a merger, acquisition, financing, restructuring, or sale of all or substantially all of our assets, subject to confidentiality safeguards.
We never sell or rent personal information to data brokers or advertisers.
6. International Transfers
GIWAHS is a global platform. Personal information may be transferred to, stored in, and processed in countries outside your country of residence (including the United States, the European Union, the United Kingdom, Australia, and New Zealand).
Where we transfer personal data from the EEA, the UK, or Switzerland to a country not deemed adequate, we rely on: - the European Commission’s Standard Contractual Clauses (Module 2 or Module 3, as applicable); - the UK International Data Transfer Addendum; and - supplementary technical and organisational measures (encryption in transit and at rest, access controls, logging).
A copy of the transfer mechanism applicable to your data is available on written request to privacy@giwahs.com.
7. Data Retention
| Data category | Retention period |
|---|---|
| Active account data | For the lifetime of your account, plus 30 days after account closure |
| Billing / invoice records | 7 years from issue date (tax / accounting obligation) |
| Founding Partner allocation records (founder member number, tier, anniversary date) | For the lifetime of the Founding Partner Programme plus 7 years |
| RFQ submissions and supplier quotes | 3 years from last activity, unless required longer by legal claim |
| Verification documents | For the duration of the verification status, plus 2 years after expiry or withdrawal |
| Support tickets and call recordings | 2 years from resolution |
| Email logs (sent, bounce, complaint) | 18 months |
| Cron and audit logs | 13 months |
| Marketing opt-outs and suppression lists | Indefinite (to honour your opt-out) |
After the retention period, data is irreversibly deleted or de-identified.
8. Your Rights
Depending on your jurisdiction (EEA, UK, US states with applicable laws such as California, Colorado, Virginia, Connecticut, Utah, Texas; Brazil; Australia; New Zealand; etc.), you may have the right to:
- Access the personal information we hold about you.
- Rectify inaccurate or incomplete data.
- Delete your personal information (“right to erasure”), subject to legal retention exceptions.
- Restrict or object to certain processing.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time, where processing is based on consent.
- Opt out of “sale” or “share” of personal information (where applicable — note GIWAHS does not sell personal information).
- Non-discrimination for exercising your rights.
- Lodge a complaint with your local supervisory authority (e.g., the Irish DPC, the UK ICO, the Office of the Australian Information Commissioner, the New Zealand Privacy Commissioner, or your US state Attorney General).
To exercise any right, email privacy@giwahs.com from the email address on file or via your account’s Settings → Privacy → Data Requests panel (once enabled). We will respond within 30 days (or such shorter period as the law requires) and may need to verify your identity first.
You may also designate an authorised agent to act on your behalf, subject to verification.
9. Cookies and Similar Technologies
We use a small number of cookies and similar technologies for: - Strictly necessary purposes (session, authentication, security, CSRF protection) — these cannot be disabled. - Functional purposes (remembering preferences, language, theme). - Analytics — only if explicitly enabled in the future and only with your consent where required by law. Currently disabled on production.
A full cookie list, including provider, purpose, and lifetime, is available at https://giwahs.com/legal/cookies when published. You can manage non-essential cookies through the cookie banner or your browser settings.
10. Children’s Privacy
The Platform is intended for business users aged 18 or older. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact privacy@giwahs.com and we will delete it promptly.
11. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information, including: - TLS 1.2+ in transit and AES-256 at rest; - least-privilege access controls and audit logging; - role-based access; row-level security policies in our database; - regular dependency and vulnerability scanning; - incident response procedures; - background checks for engineers with production access.
No system is perfectly secure. If we discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timelines required by applicable law (e.g., 72 hours under GDPR).
12. California, Colorado, Virginia, Connecticut, Utah, Texas, and Other US State Disclosures
- Categories of personal information collected: identifiers, commercial information, internet/usage activity, professional/employment-related information, inferences drawn from the above. See Section 3.
- Sources: directly from you, automatically from your use of the Platform, and from the third parties listed in Section 3.3.
- Purposes: see Section 4.
- Recipients: see Section 5.
- Sale or sharing for cross-context behavioural advertising: No.
- Sensitive personal information: we do not knowingly process sensitive personal information for purposes that require an opt-out under US state law.
- Right to know, delete, correct, opt-out, and limit use: see Section 8.
- Retention: see Section 7.
- Non-discrimination: we will not deny service, charge different prices, or provide a different level of service because you exercised a US-state privacy right.
13. Australia (Privacy Act 1988) and New Zealand (Privacy Act 2020) Disclosures
We are bound by the Australian Privacy Principles and the New Zealand Information Privacy Principles. Complaints may be lodged with the Office of the Australian Information Commissioner (oaic.gov.au) or the Office of the New Zealand Privacy Commissioner (privacy.org.nz). We will respond to such complaints within the statutory timeframes.
14. Changes to This Policy
We may update this Policy from time to time. Material changes will be notified by email and/or in-app banner at least 14 days before they take effect. The “Last Updated” date at the top of this Policy reflects the most recent revision. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.
15. Contact Us
- Email: privacy@giwahs.com
- Postal: Whaitiri Black Limited (trading as GIWAHS) · registered office address to be inserted on publication.
- Data Protection Officer (where required): dpo@giwahs.com
End of Document 24.