Privacy Policy

1. Who we are and what this policy covers

Minimise is a New Zealand-registered business that builds AI voice agents and multi-channel follow-up automation for NZ businesses. Our primary contact for privacy enquiries is privacy@minimise.co.nz.

This policy covers minimise.co.nz and all its subdomains (auth., portal., n8n., mcp., webhooks., and others), plus any automation Minimise operates on a client's behalf. If you are a client of Minimise or an end-customer of one of our clients, this policy describes how your information is handled.

2. What information we collect

From website visitors

• Server access logs (IP address, browser type, pages visited, timestamps). These are retained for 90 days and used solely for security and operational purposes.
• Contact form submissions (name, email address, phone number, and any message content you provide). We use these only to respond to your enquiry.

From AIOS / cadence clients

When you engage Minimise to build automation on your behalf, we process the data you instruct us to work with. This typically includes:

• Contact lists (names, phone numbers, email addresses)
• Call recordings and transcripts from voice AI interactions
• Calendar events and booking metadata
• Message bodies (SMS, email) sent or received as part of your cadence
• CRM records and lead data as instructed by you
• API credentials and OAuth tokens (stored in encrypted Vault — see §5)

Under the NZ Privacy Act 2020, you (the client) are the information controller and Minimise acts as your processor. We process this data only on your instruction.

From end-customers of our clients

Where Minimise-built automation contacts individuals on a client's behalf (e.g. an outbound call, an SMS follow-up, or an email cadence), we may process:

• Name and contact details provided by the client
• Call audio and transcript of any voice interaction
• Responses to messages (reply content, opt-out signals)
• Appointment or booking details if the automation includes scheduling

This collection is governed by IPP 1 of the NZ Privacy Act 2020. The client determines the lawful basis for collecting this data; Minimise processes it on their instruction.

3. How we use information

We use information strictly to deliver the automation work the client has engaged us for. Specifically:

• Running voice agents, SMS cadences, email sequences, and CRM integrations as configured
• Storing job state, logs, and credentials needed to operate reliably
• Debugging and improving the automation on a client's account
• Communicating with clients about their build or service

We do not resell your data, profile individuals for marketing, or use client or end-customer data to train third-party AI models. Any use of data for AI model inference (e.g. Claude) is covered by §7 and the processor list. Anthropic's API does not use API traffic for model training by default.

4. Where information is stored and processed

Our primary data store is Supabase (Postgres), hosted on AWS in the Sydney region (ap-southeast-2). Our orchestrator runs on a DigitalOcean droplet also in Sydney. Some serverless compute runs on Modal (US East by default) for transient processing; Modal does not persistently store your data.

AI inference (Claude model calls) is processed by Anthropic in the US. Voice calls and transcripts pass through Twilio and Retell (both US-based). Full processor list is in §7.

If you are an EU/UK resident and have concerns about cross-border data transfers, see §9.

5. How we secure information

• All API keys and OAuth refresh tokens are stored in Supabase Vault (pgcrypto-encrypted at rest). We never store plaintext credentials in our database.
• All data in transit is encrypted via TLS 1.2+.
• Service-role keys are scoped per workload; no single key has broad cross-client access.
• Our orchestrator droplet accepts only SSH key authentication; no public service ports beyond 80/443 reverse-proxied through nginx.
• Access to production systems is limited to Minimise staff directly working on your build.

We describe our security practices honestly. We do not claim certifications (SOC 2, ISO 27001) we have not undergone, and we do not use vague marketing language like "bank-grade" or "military-grade" encryption.

6. How long we keep information

• Operational client data — kept for the duration of the active retainer plus 90 days for handover and offboarding.
• Call recordings and transcripts — retained per Retell's default retention settings unless the client requests a shorter period in writing.
• Server access logs — 90 days.
• Supabase backups — retained per Supabase's default backup policy (7 days point-in-time recovery on the Pro plan). Backups age out automatically; deleted data will be fully purged from backups within 7 days of deletion.
• Deletion audit logs — kept 12 months (as evidence that a deletion request was processed).

Financial records required under NZ law (Tax Administration Act) are retained for 7 years regardless of any deletion request (see §12 for exemptions).

7. Who we share information with

We share information only with the sub-processors below, and only to the extent necessary to operate the services you have engaged us for. We do not sell data and we do not share with advertising or marketing networks.

We do not use OpenAI / ChatGPT. All AI inference is via Anthropic (Claude) only.

8. Your rights under the NZ Privacy Act 2020

Under the NZ Privacy Act 2020, you have the right to:

• Access personal information we hold about you (IPP 6).
• Correct personal information that is inaccurate (IPP 7).
• Request deletion — see §12 for the full process and exemptions.
• Complain to us first; if unresolved, to the Office of the Privacy Commissioner (OPC) at privacy.org.nz.

To exercise any of these rights, email privacy@minimise.co.nz. We will acknowledge within 5 NZ business days and respond within 20 NZ business days (as required by the Act).

9. If you are in the EU or UK

Minimise is based in New Zealand and is not formally registered as a GDPR controller or processor in the EU. However, we respect GDPR rights for EU and UK residents on a best-effort basis.

If you are in the EU or UK, you have the right to: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and to object to processing. You also have the right to lodge a complaint with your local data protection authority.

Our lawful basis for processing is legitimate interest (operating contracted services) and contract performance. We do not rely on consent as our primary basis for processing data we receive from our clients — consent is the client's responsibility for data they collect from their own end-customers.

Where data is transferred outside the EU/EEA (e.g. to Anthropic or Twilio in the US), standard contractual clauses are available on request via privacy@minimise.co.nz. We do not we make data transfers to countries without an EU adequacy decision beyond what is strictly necessary for the contracted service.

10. If you are in California

Under the CCPA/CPRA, California residents have rights to know, delete, and opt out of the sale or sharing of personal information. We extend these rights on request.

We do not sell or share personal information as defined under the CCPA/CPRA. We do not use personal information for cross-context behavioural advertising.

To exercise your California rights, contact privacy@minimise.co.nz. We will respond within 45 days.

11. Cookies and tracking

minimise.co.nz marketing site: We do not intentionally set non-essential or third-party tracking cookies. The site is built with Next.js and deployed on Netlify; Netlify may set essential cookies for load-balancing or abuse prevention. We do not embed analytics pixels, Facebook Pixel, Google Analytics, or similar third-party trackers at this time. If this changes, this section will be updated and the "Last updated" date above will change.

Portal subdomains (portal.minimise.co.nz): First-party session cookies are used to maintain your authenticated session via Supabase Auth. These are strictly necessary and cannot be opted out of while using the portal.

This page (/privacy): No tracking or analytics scripts are loaded on this page.

12. Data deletion requests

1. Email privacy@minimise.co.nz with subject prefix [Data Deletion] and a description of what you would like removed.
2. If you are an end-customer of a Minimise client: Your data was processed on that client's instruction — they are the controller. We will forward your request to the client; the client decides and instructs us, and we execute on their instruction.
3. If you contacted Minimise directly (enquiry form, email): We verify your identity against the email you used, then process the deletion.
4. We acknowledge within 5 NZ business days and complete within 30 NZ business days (inside the NZ Privacy Act, GDPR 30-day, and CCPA 45-day envelopes).
5. "Deletion" means removal from our primary Supabase store and purge from Vault secrets. Supabase backups age out within 7 days of the deletion.
6. Exemptions: Records we must retain under NZ law (e.g. financial records — Tax Administration Act, 7-year minimum); call recordings subject to an active dispute hold; the audit log of the deletion itself (kept 12 months).

13. Children

Our services are B2B only. We do not knowingly collect personal information from anyone under 16. If we become aware that we have inadvertently collected such data, we will delete it promptly.

14. Changes to this policy

When we update this policy, the "Last updated" date at the top will change and the version number will increment. For material changes (new processors, changed data scope, new jurisdictional stances), we will summarise the change in the table below. Minor changes (typo fixes, contact email updates) increment the minor version only.

The full history of every change is available in the git history of minimise-website-build and in .claude/references/legal-stance.md (internal reference).

15. Contact

For privacy enquiries, access requests, or deletion requests:

For formal correspondence by post, email us first and we will provide our registered business address. We do not publish our physical address on this page.