Legal
Privacy Policy
Effective date: 28 April 2026 · Version 2.0
This Privacy Policy explains how Loominfo Limited (“Loominfo”, “we”, “us”) collects, uses, discloses, and protects personal information when you use the DriftHR platform at sitepresso.com (the “Service”).
We comply with the New Zealand Privacy Act 2020 and — where they apply — the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the Australian Privacy Act 1988, and equivalent privacy laws in jurisdictions where we have users.
Who we are and how to contact us
Loominfo Limited, a company registered in New Zealand under company number 9429052682902.
Registered office: 17A Prictor Street, Papakura, Auckland, New Zealand.
General privacy contact: [email protected]
Privacy Officer (designated under New Zealand Privacy Act 2020 s23): Kiran Pal Singh, reachable at [email protected]. The Privacy Officer is responsible for ensuring our compliance with the Privacy Act, handling privacy enquiries, and dealing with data-subject requests.
For EU/EEA, UK, and other-jurisdiction residents, please contact us via the address and email above. As a New Zealand-based company without an EU establishment, we have not yet appointed an EU/UK GDPR Article 27 representative. We will do so as our user base in those jurisdictions grows. Until then, EU/UK residents can exercise their rights directly via the contact above; complaints can be raised with their national supervisory authority.
1. Personal information we collect
From Business account holders (you, when you sign up):
- Identity: name, email address, phone number, password (hashed), preferred language.
- Business details: business name, address, country, timezone, category, vertical, contact email and phone, logo and branding assets.
- Billing: payment-card data is collected and stored by the subscription payment processor used for your billing country (Paddle, Razorpay, or Stripe); we receive only a token, limited payment metadata, and billing-country information.
- Content: anything you upload to your storefront — pages, services, products, prices, photos, videos, copy, and your end-customers’ data that you choose to store on the Service.
From end Customers of Businesses (visitors to a Business’s site):
- Booking, enquiry, or order details — name, email, phone, message, shipping address (if applicable), product selections, dates and times.
- Customer-account credentials if you create an account on a Business’s storefront.
- Technical data — IP address, device type, browser, operating system, referral source.
- Strictly necessary cookies for authentication, session management, and shopping-cart state (where applicable).
From everyone who uses the Service:
- Service-operational logs — pages visited, actions taken, timestamps, error reports.
- Correspondence you send us (email, support tickets, in-product feedback).
- Optional analytics events if we have asked for and received your consent (see Cookies below).
2. Why we collect it (legal bases under GDPR / equivalents)
- Contract performance — to provide the Service you signed up for, send essential service emails (booking confirmations, security alerts, billing receipts), and process payments.
- Legitimate interests — to prevent fraud and abuse, secure the Service, debug and improve features, and analyse usage in aggregate. We have assessed that these interests are not overridden by your rights.
- Legal obligation — to comply with tax, accounting, regulatory, and law-enforcement obligations.
- Consent — where legally required (for example non-essential analytics cookies, or opt-in marketing emails), we rely on your consent which you can withdraw at any time. Withdrawal does not affect prior lawful processing.
- Vital interests — in rare cases involving a serious threat to life or safety.
3. Data roles (Controller / Processor)
When a Business stores personal data about its own end customers on the Service, the Business is the “controller” (GDPR), “agency” (NZ Privacy Act), or “business” (CCPA) of that data. Loominfo acts as the “processor”, “agent”, or “service provider” respectively. We process your customers’ personal data only on the Business’s documented instructions, consistent with these Terms and any Data Processing Addendum.
For data we collect directly from you (Businesses signing up for the platform, or end Customers using platform-level features such as the customer portal), Loominfo is the controller / business.
4. How we share personal information
We share personal data only with the sub-processors listed on our Sub-Processors page. All sub-processors are bound by written contract to protect your data and may only process it on our documented instructions. We require them to provide at least an equivalent level of protection to what is set out in this Policy.
We do not sell personal information. We do not share your personal information for cross-context behavioural advertising. Under CCPA/CPRA terminology, we do not “sell” or “share” personal information.
We may disclose personal data where legally required — for example, in response to a valid subpoena, court order, or request from a competent authority — and we will challenge overly broad requests where we reasonably can. We may also disclose data in connection with a corporate transaction (merger, acquisition, asset sale) provided the recipient is bound by privacy obligations no less protective than this Policy.
5. International transfers
The Service is hosted on Amazon Web Services in the Asia Pacific (Mumbai) region (ap-south-1); both our staging environment and our production environment run in this region. Where your data is transferred outside the country in which you reside — for example, EU/UK data transferred to our AWS region — the transfer is safeguarded by:
- The European Commission’s Standard Contractual Clauses (SCCs) and the UK’s International Data Transfer Agreement (IDTA) where applicable, with supplementary measures (encryption in transit and at rest).
- AWS’s certifications including ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, and the EU Cloud Code of Conduct.
For New Zealand transfers, we comply with Information Privacy Principle 12 of the Privacy Act 2020. A copy of our SCCs / IDTA is available on request.
6. How long we keep your data
- Active accounts: for as long as you use the Service.
- Closed accounts — 30-day grace period: when you click “Delete my account” in Settings, your account is marked for deletion immediately and your storefront / personal data becomes unavailable to others, but the underlying records are kept for 30 days so you can sign back in and undo the deletion if you change your mind. After 30 days, an automatic process anonymises personal data: name, email, and phone are removed from active tables.
- Transaction shells (anonymised): bookings, enquiries, orders, and payment records are kept after deletion with personal details removed (your name shows as “Deleted user”). This lets the business retain accurate revenue / activity history. They cannot be linked back to you without a court order.
- Account audit log (kept indefinitely): for legal-claims defence (GDPR Article 17(3)(e)) and law-enforcement subpoena response, we keep an immutable record of: business name, owner email (plaintext + SHA-256 hash), country, signup IP, deletion timestamp, deletion-request IP, and the deletion reason if you provided one. This record is only accessible to internal compliance staff and never used for marketing.
- Payment records: retained for the period required by tax law in our and your jurisdiction (typically 7 years in NZ, 6 years in the EU/UK).
- Anonymised and aggregated analytics: may be retained indefinitely.
- Backups: encrypted database backups are taken daily and retained for 7 days locally. Deletion requests are honoured on the live system within 30 days; they propagate through backup rotation within 7 days of the request.
- Operational and security logs: retained at least 14 days, longer if we are investigating an incident.
7. Your rights
Depending on where you live, you have some or all of these rights. We will honour valid requests within 30 days at no charge.
- Access — obtain a copy of the personal data we hold about you.
- Rectification — correct data that is inaccurate or incomplete.
- Erasure (“right to be forgotten”) — subject to lawful retention.
- Portability — receive your data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on legitimate interests, including profiling.
- Restriction — restrict processing in certain circumstances.
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
- Automated decision-making — we do not currently use solely automated decision-making that produces legal or similarly significant effects on you.
- Lodge a complaint — with your supervisory or data-protection authority.
California (CCPA/CPRA) specific rights:
- Right to know the categories and specific pieces of personal information we collect, use, and disclose.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt-out of sale or sharing — not applicable, we do neither.
- Right to limit use of sensitive personal information — we collect only what is necessary to operate the Service.
- Right to non-discrimination for exercising any of the above.
- Authorised agents may submit requests on your behalf with verifiable proof of authority.
How to exercise rights: email [email protected] with a clear description of your request and enough information to verify your identity (for example, the email on your account). We will respond within 30 days; for complex requests we may extend this once by a further 60 days, with notice.
New Zealand residents may complain to the Office of the Privacy Commissioner at privacy.org.nz.
EU residents may complain to their national data-protection authority — a list is at edpb.europa.eu.
UK residents may complain to the Information Commissioner’s Office at ico.org.uk.
California residents may complain to the California Privacy Protection Agency.
8. Security
We take reasonable steps to protect personal information from loss, misuse, and unauthorised access, modification, or disclosure. The controls in place today are:
- Encryption in transit — TLS 1.2+ enforced for every connection between visitors, our application, and our backend services.
- Encryption of credentials and tokens — passwords are hashed with bcrypt; OAuth refresh tokens are encrypted with AES-256-GCM before storage. We do not store payment-card data.
- Network-layer protection — AWS Shield Standard (automatic DDoS protection) and AWS Global Accelerator absorb attacks at the AWS edge before traffic reaches our servers.
- Application-layer protection — nginx rate limits (request-per-second and concurrent-connection caps per IP), fail2ban (bans IPs that probe SSH, HTTP auth, or rate-limit boundaries), and CrowdSec (community threat intel with iptables firewall bouncer).
- Bot protection on public forms — Cloudflare Turnstile (when configured for a tenant).
- Daily database backups with local 7-day rotation, encrypted with AES-256 (GPG symmetric).
- Operational logs — nginx access and error logs, application error logs (via Sentry), and a structured audit log of pricing and subscription changes.
- Pinned dependencies with manual review on update; we run npm audit on a recurring schedule and apply patches promptly.
- SSH access to production locked to an allowlisted home/office IP and protected by SSH keys (no password auth).
We are continuing to mature these controls. Items on our pre-launch hardening list (planned before we accept paid customers at scale): EBS volume-level encryption at rest for the database disk, off-site encrypted backup mirroring (S3, separate region), formal logrotate retention policy, and an incident-response runbook.
No system is perfect. In the event of a personal-data breach that is likely to result in a risk to your rights, we will notify you and the relevant supervisory authority without undue delay and in any case within 72 hours where required by law (GDPR Art. 33-34, NZ Privacy Act Notifiable Privacy Breach scheme, equivalents elsewhere).
9. Cookies and similar technologies
We use a small set of strictly-necessary cookies for authentication, session management, cart persistence (e-commerce), and language preference. These do not require consent under GDPR ePrivacy because they are essential to deliver the Service you requested.
For non-essential analytics cookies (currently PostHog product analytics), we surface a consent banner on first visit and only set those cookies after you click “Accept all”. You can change your mind at any time via the “Cookie preferences” link in the footer; rejecting analytics stops new events being captured immediately.
Full details — including the exact cookies, what they do, and how long they live — are at Cookie Notice.
You can also disable cookies in your browser; parts of the Service will not function without the strictly-necessary set.
10. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us at [email protected] and we will delete it. Where a Business uses our platform to take bookings or sell to minors, the Business is responsible for parental-consent obligations under COPPA, GDPR Art. 8, and equivalents.
11. Marketing
We may send you product update emails and occasional marketing communications to your registered account email. You can opt out at any time using the “unsubscribe” link in any marketing email, or by emailing us. Essential service emails (security alerts, payment receipts, booking and order confirmations) cannot be unsubscribed from while your account is active.
12. Changes to this policy
We may update this Privacy Policy. We’ll notify you of material changes by email or in-product notice at least 30 days before they take effect, and we’ll update the version number and effective date at the top of this page.
13. Contact
[email protected]
Loominfo Limited, 17A Prictor Street, Papakura, Auckland, New Zealand
Company number: 9429052682902
Version 2.0.0-2026-04-28.