ShiftScript Ltd ("ShiftScript", "we", "us") is a software company registered in New Zealand, operating the ShiftScript platform at shiftscript.nz. We are the agency responsible for the personal information we collect and hold.
Privacy Officer contact: [email protected]
Postal address: ShiftScript Ltd, Palmerston North, New Zealand
When you create a ShiftScript account, we collect: your name, email address, organisation name, and a handle (username). We do not collect payment card details — payments are processed directly by Stripe Inc.
We log queries submitted to your workspace, the documents retrieved in response, the timestamp of each query, and the staff member handle associated with each query. This constitutes the audit log that is a core feature of the Service.
Documents you upload are stored as encrypted chunks in Cloudflare R2. We do not read, index, or otherwise access your document content except as required to provide the retrieval service (vectorisation and chunk retrieval).
We collect standard server logs including IP addresses, browser type, and request timestamps for security and debugging purposes. We do not use advertising cookies or cross-site tracking technologies.
| Purpose | Information used | Legal basis (NZ Privacy Act 2020) |
|---|---|---|
| Providing the Service | Account info, document chunks, query logs | IPP 1 — collected for a lawful purpose (contract performance) |
| Billing and subscriptions | Email, org name, plan type | IPP 1 — lawful purpose (contract); passed to Stripe for processing |
| Audit log feature | Query content, handle, timestamp | IPP 1 — collected at your direction for compliance purposes |
| Security and debugging | IP addresses, request logs | IPP 1 — legitimate interest in platform security |
| Welcome emails | Email address | IPP 1 — transactional communication directly related to your account |
We use personal information only for the purposes stated above. Specifically:
All ShiftScript data is stored on Cloudflare's infrastructure. Cloudflare operates data centres globally; your data may be stored or processed in any Cloudflare data centre region. Cloudflare has data processing agreements covering GDPR and equivalent standards. ShiftScript is operated from New Zealand. We do not use self-hosted servers or third-party cloud storage providers other than Cloudflare.
For organisations with specific data residency requirements, contact us at [email protected] to discuss arrangements.
The following third-party services process data on our behalf as part of delivering the Service:
| Processor | Purpose | Data shared | Privacy link |
|---|---|---|---|
| Cloudflare Inc | Infrastructure: file storage, database, edge compute | All platform data | cloudflare.com/privacypolicy |
| Stripe Inc | Payment processing | Email, billing details | stripe.com/privacy |
| Resend Inc | Transactional email (welcome, account) | Email address, name | resend.com/privacy |
| AIML API / AI providers | Query processing (AI model inference) | Document fragments (3–5 chunks per query, ~4,800 chars) | No training on API data under API terms |
Under the Privacy Act 2020 and its 13 Information Privacy Principles, you have the right to:
To exercise any of these rights, contact [email protected]. We will respond within 20 working days in accordance with IPP 6.
| Data type | Retention period |
|---|---|
| Account information | Retained while account is active + 30 days after cancellation |
| Uploaded documents | Retained while in your workspace. Permanently purged within 24 hours of deletion or workspace closure. |
| Query / audit logs | Retained for 12 months from query date, then purged. Exportable at any time. |
| Billing records | Retained for 7 years (NZ tax law requirement) |
| Security / access logs | 90 days, then purged |
We implement the following technical security measures:
Despite these measures, no system is perfectly secure. If you believe a security incident has occurred, contact [email protected] immediately.
In the event of a privacy breach that creates a risk of serious harm, we will notify affected individuals and the Office of the Privacy Commissioner as required by section 113 of the Privacy Act 2020, and no later than 72 hours of becoming aware of the breach. We will also notify you directly if your workspace data is involved.
ShiftScript uses no advertising cookies, no third-party analytics tracking, and no cross-site tracking technologies. We use a session cookie strictly necessary for authentication. This cookie is not shared with third parties.
Your data is processed on Cloudflare's global infrastructure and may be transferred to servers outside New Zealand. Cloudflare operates under contractual data processing agreements that meet the requirements of IPP 12 for cross-border disclosures. AI model inference involves sending document fragments to AI provider APIs; these providers operate under API terms that prohibit training on customer data.
ShiftScript is not directed at children under 16. We do not knowingly collect personal information from children.
We will notify account holders via email at least 14 days before any material changes to this policy take effect. The current version is always at shiftscript.nz/privacy.html.
Privacy Officer: [email protected]
ShiftScript Ltd, Palmerston North, New Zealand
If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner (New Zealand) at privacy.org.nz or by calling 0800 803 909.