Compliance · Privacy
assembl is built for review-first work. We treat personal information as something entrusted to a named human, not something a system gets to move around on its own.
We collect the minimum information needed to run assembl: account details, organisation details, workflow inputs, uploaded files, generated drafts, review decisions, audit metadata, support messages, billing status, and security logs. Workflow inputs can include personal information where a user chooses to provide it.
We use this information to provide draft-only agent workflows, retrieve relevant knowledge, maintain audit logs, support customers, prevent abuse, bill correctly, and improve the product using aggregated or de-identified usage signals. We do not sell personal information and we do not use customer workflow data to train public models.
The Privacy Amendment Act 2025 added Information Privacy Principle 3A, in force from 1 May 2026. Where assembl receives personal information about a person from someone else, we design workflows so users can notify affected people when required and record the source, purpose, and reviewer responsible for that notice.
Customer records are stored in tenant-scoped systems with row-level security, encrypted transport, encrypted storage, restricted service credentials, and audit logging. Evidence packs are retained for the period agreed with the customer, typically aligned to contract, tax, or regulatory record-keeping requirements. Deletion requests are honoured unless another law requires retention.
Draft generation may call Anthropic, Google Gemini, OpenAI, Supabase, Vercel, Stripe, Twilio, or other named infrastructure providers depending on the workflow. Sensitive workflows mask or minimise personal information before retrieval or model calls wherever practicable.
People can request access to or correction of personal information held by assembl. If we cannot resolve a privacy concern directly, the Office of the Privacy Commissioner provides the independent complaints channel for New Zealand privacy matters.
Related: AI use disclosure · Te Tiriti statement