Privacy Policy
Issued by Whaitiri Black Limited (trading as GIWAHS) · NZ Company No. 6860633 · NZBN 9429046803306 · GST No. 125-955-886 · Registered office 55 Ngatitoa Street, Takapuwahia, Porirua 5022, New Zealand.
This Privacy Policy explains how Whaitiri Black Limited (trading as GIWAHS) collects, uses, stores, and protects information about you when you use the GIWAHS platform. We process personal information in accordance with the New Zealand Privacy Act 2020 and, for users in the European Economic Area, the United Kingdom, and other applicable jurisdictions, the General Data Protection Regulation (GDPR) and its national equivalents.
1. Information we collect
We collect (a) information you provide directly: name, email, phone, company, billing contact, sourcing categories, RFQ details, supplier application data, and any communications with us; (b) data automatically collected: browser type, IP address, device identifiers, usage patterns, referrer URLs, and cookie identifiers; (c) information from public sources for supplier-intelligence purposes: trade registries, customs records, publicly reported brand-to-factory associations, and third-party verification reports.
2. Lawful basis (GDPR / UK GDPR)
Where GDPR applies we rely on the following lawful bases: (i) performance of a contract — to deliver the platform and Founding Partner programme; (ii) legitimate interests — to operate, secure, and improve the platform, prevent fraud, and conduct supplier intelligence; (iii) consent — for non-essential cookies, marketing communications, and the Founders Wall public-visibility opt-in; (iv) legal obligation — to comply with NZ tax retention rules and applicable court orders.
3. How we use information
We use information to operate and improve the platform, deliver requested services (RFQ routing, supplier applications, Founding Partner onboarding), issue and reconcile invoices via Whaitiri Black Limited, communicate updates and renewals, surface sourcing intelligence, prevent fraud, comply with NZ Privacy Act 2020 / GDPR / UK GDPR / CCPA, and meet our tax and accounting obligations under NZ Tax Administration Act 1994 §22(2) (7-year retention of invoices and payment records).
4. Buyer data
Buyer profile data (account details, saved searches, RFQ history, supplier shortlists) is used exclusively to deliver the platform to the buyer. Buyer data is never sold. Where a buyer initiates contact with a supplier or submits an RFQ, the relevant contact details and RFQ payload are shared with that supplier. Within Whaitiri Black Limited, buyer data is accessed only by personnel with a legitimate operational need.
5. Supplier data
Supplier profile data (company details, certifications, capacity, verification evidence) is published on the platform under the trust and disclaimer framework documented at /trust. Verification evidence is reviewed by GIWAHS and used to assign Trust marks (Verified · Trusted · Elite Verified · Under Review) per the Founder Vault Doc 32 trust framework. Suppliers may request correction or removal of supplier-submitted information at any time by emailing support@giwahs.com.
6. Payment data (Stripe)
Card numbers, CVCs, and full PAN data are processed exclusively by Stripe (https://stripe.com/privacy) under Stripe’s PCI-DSS-certified infrastructure. Whaitiri Black Limited does not store, transmit, or have access to full card data. We receive only payment confirmations, the last four digits of the card, country of issuance, and the customer billing email for reconciliation. Prior to Stripe activation, Founding Partner payments are made by bank transfer to Whaitiri Black Limited in New Zealand and reconciled manually; the bank captures payment metadata under the Banking Ombudsman Scheme and applicable NZ banking privacy rules.
7. Cookies and analytics
We use strictly necessary cookies for sign-in, session management, and security. We use analytics cookies (PostHog or equivalent) to understand aggregate usage. We use no third-party advertising cookies and we do not sell visitor data. EU/UK visitors are served a cookie banner with granular consent controls on first visit; choices can be revised at any time via the cookie preference link in the footer.
8. Sharing and disclosure
We share information (i) with sub-processors under contractual data-processing agreements (Stripe, Supabase, Resend, Google Workspace, PostHog; full subprocessor list in Doc 31, available on request); (ii) with suppliers when you initiate contact or submit an RFQ; (iii) with professional advisors (NZ counsel, chartered accountant) under confidentiality obligations; (iv) when required by law, court order, or to protect rights, property, or safety. We do not sell personal information under any definition (CCPA included).
9. International transfers
GIWAHS is operated from New Zealand and serves users globally. Information may be transferred to and processed in jurisdictions with privacy laws different from your own. Where GDPR-protected data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable.
10. Data retention
We retain personal information for as long as necessary to provide the platform and to comply with legal obligations. Specific retention periods: Founder application + onboarding data — 7 years (NZ Tax Administration Act 1994 §22(2) for invoices and payment records); communications and CRM notes — 5 years; analytics — 24 months in identifiable form. Cancelled-account data is purged 30 days after cancellation unless retention is required by law.
11. Your rights
Under the NZ Privacy Act 2020 you have the right to access and correct personal information we hold about you. Under GDPR / UK GDPR you additionally have rights to erasure, restriction, portability, and to object to processing based on legitimate interests. To exercise any of these rights, email privacy@giwahs.com. We respond within 20 working days (NZ) or 30 calendar days (GDPR), at our shortest applicable timeframe.
12. Security
We implement industry-standard technical and organisational measures: TLS 1.2+ for all transit, encryption at rest, role-based access control, MFA on all admin accounts, and regular review of sub-processor security posture. Full controls documented at /trust/security. No system is completely secure; report any suspected incident to security@giwahs.com.
13. Children
GIWAHS is not directed to individuals under 18 and we do not knowingly collect personal information from minors.
14. Complaints
If you have a privacy complaint that we cannot resolve directly, NZ users may contact the Office of the Privacy Commissioner (https://privacy.org.nz); EU users may contact their local supervisory authority; UK users may contact the Information Commissioner’s Office (https://ico.org.uk).
15. Contact
Privacy enquiries: privacy@giwahs.com. Postal: Privacy Officer, Whaitiri Black Limited, 55 Ngatitoa Street, Takapuwahia, Porirua 5022, New Zealand. NZBN 9429046803306.
