Skip to main content
assembl

Legal · Privacy Policy

Privacy Policy.

Last reviewed · 27 May 2026 · Privacy Act 2020 (incl. IPP 3A from 1 May 2026)

assembl Ltd ("assembl", "we", "us", "our") is a New Zealand company that operates the platform at assembl.co.nz and the app at app.assembl.co.nz. We handle personal information in accordance with the Privacy Act 2020 and the thirteen Information Privacy Principles (IPPs), including IPP 3A (indirect collection notification) which came into force on 1 May 2026.

Our nominated Privacy Officer is the assembl founder, Kate Hudson. You can reach the Privacy Officer at privacy@assembl.co.nz.

What we collect (IPP 1, IPP 2)

We collect the minimum personal information needed to run the platform:

  • Account details — your name, work email, organisation name when you sign up or book a Pilot Sprint.
  • Usage data — which workflows you run, which kete chats you open, when, from what IP (hashed before storage). Used for rate-limiting and product analytics.
  • Workflow inputs — the text and files you submit to a workflow. This is the substance of the work. Stored against your tenant; deleted on your request.
  • Workflow outputs — drafts produced by our agents, paired with reviewer sign-offs, sealed in evidence packs.
  • Payment details — collected by our payment processor Stripe, not by assembl directly. We see your subscription status, not your card number.
  • Communications — emails, support messages, contact-form submissions.

We do not collect sensitive information (health, biometric, children's data, or similarly high-care records) unless the specific workflow requires it and you have a lawful basis to provide it. Tōro and education tools may involve information about tamariki or students. Those workflows are draft-only, scoped to the user or tenant, and must be reviewed by the responsible adult before being shared or acted on.

Why we collect it (IPP 1)

  • To provide the agents, workflows, evidence packs, and dashboards you are paying for.
  • To bill you correctly and process payments.
  • To comply with our own legal obligations (tax records, anti-money-laundering checks).
  • To improve the platform — analysing aggregated, de-identified usage patterns.
  • To respond to your support requests and contact-form messages.

We do not sell your data. We do not use your workflow inputs to train models. We do not surface one tenant's data inside another tenant's view.

How you're told about collection (IPP 3, IPP 3A)

When you give us information directly — through a signup form, a Pilot Sprint enquiry, a workflow submission — we tell you what we're collecting and why, at the point of collection. That's IPP 3.

Under IPP 3A, which came into force on 1 May 2026, when we collect personal information about you from someone else (for example, a teammate adds you to their assembl tenant, a parent uploads a school notice naming a child, or an operator uploads a meeting transcript naming attendees), assembl designs the workflow to keep the source and purpose visible and support notification where required.

We do not automatically send IPP 3A notices from public tools. The person using the tool remains responsible for deciding whether notification is required before sharing or relying on the output. Tenant workflows can add explicit notification tasks and evidence-pack records.

How we protect it (IPP 5)

  • All data is stored in Supabase (Postgres) in the ap-southeast-2 region (Sydney). Backups remain within Australia/New Zealand.
  • All connections are encrypted in transit with TLS 1.3.
  • All data is encrypted at rest using AES-256.
  • Row-level security policies enforce tenant isolation at the database level.
  • Service-role credentials are rotated, scoped to specific edge functions, and never exposed to the browser.
  • Access to production data is restricted to assembl Ltd directors. We log every read.

Who we share it with (IPP 11, IPP 12)

We share personal information only with the providers we need to run the platform:

  • Supabase (Australia / United States) — database and authentication.
  • Vercel (United States) — hosting and content delivery.
  • Google Cloud / Anthropic (United States) — the language-model inference for agents. Your inputs are sent to these providers transiently to generate the draft, and are not retained for training.
  • Stripe (United States) — payment processing.
  • Brevo (European Union) — transactional email delivery.
  • Cloudflare (United States) — DNS and DDoS protection.

Under IPP 12 (cross-border disclosure), we take reasonable steps to satisfy ourselves that providers used for personal information processing offer comparable safeguards to the Privacy Act 2020. We do this through published data-processing terms, security documentation, contractual controls, regional hosting where available, and minimisation or masking before model calls where practicable.

We do not share personal information with marketers, data brokers, advertisers, or any third party that has not been listed above. If we needed to add a new provider, this page would be updated and material changes communicated to active tenants.

How long we keep it (IPP 9)

  • Account details — for the life of your tenant, plus 7 years after closure (Inland Revenue requirement).
  • Workflow inputs and outputs — for the life of your tenant, plus the retention period specified in your contract. On request we will delete them sooner where lawfully possible.
  • Evidence packs — by default 7 years, to support audit and contract trails. Configurable per tenant.
  • Hashed IP addresses — 90 days, for rate-limiting and abuse detection.
  • Unsuccessful Pilot Sprint enquiries — 12 months, then deleted.

Your rights (IPP 6, IPP 7)

You have the right to ask for a copy of your personal information (IPP 6), and to correct it if it's wrong (IPP 7). Email privacy@assembl.co.nz with your request. We will respond within 20 working days and ordinarily provide your data within that window without charge.

You can also ask us to delete your data outside the retention rules above. We will action your request unless we are legally required to hold the data (for example, IRD tax records). If we cannot delete, we will explain why.

If something goes wrong

If we experience a notifiable privacy breach — one likely to cause serious harm — we will notify the Office of the Privacy Commissioner and affected individuals as soon as practicable, per the Privacy Act 2020. We keep a written log of every breach, including small ones, with date, scope, and remediation steps.

If you believe we have mishandled your personal information, please tell us first at privacy@assembl.co.nz so we can investigate. If you remain unsatisfied, you can complain to the Office of the Privacy Commissioner:

  • Web: privacy.org.nz
  • Phone: 0800 803 909
  • Email: enquiries@privacy.org.nz

Cookies and analytics

assembl.co.nz uses essential cookies for authentication and session management. We do not use third-party advertising cookies. We do not run Facebook Pixel or Google Analytics 4 tracking on the public marketing site. Logged-in app analytics (which workflows you ran, what your reviewer accepted) are recorded against your tenant and visible to you in your admin dashboard.

Changes to this policy

We'll update this page as the platform changes. Substantive changes get a new "last reviewed" date at the top. Material changes that affect your obligations under an active contract will be communicated to you in writing at least 14 days before they take effect.

See also: Disclaimer · Terms of Use