Privacy Policy
Kriaka Limited ("Kriaka", "we", "us") operates kriaka.com and provides AI agent services to businesses in New Zealand. This policy explains how we collect, use, store, and protect personal information in compliance with the New Zealand Privacy Act 2020.
1. Information We Collect
Through Our Website
- Contact form submissions: name, email address, company name, and message content.
- Automatically collected data: IP address, browser type, pages visited, referring URL, and visit timestamp.
- Analytics: aggregated, non-identifying usage data via Cloudflare Web Analytics, with no cookies and no personal tracking.
Through Our Services
- Client contact details: names, email addresses, and phone numbers of client personnel.
- Business data: information provided by clients for agent configuration, such as email accounts, calendar data, CRM records, and customer lists.
- Connected business-system data: if you connect Google Workspace, Microsoft, Xero, Fergus, email, calendar, document storage, or another approved system, the account data, permissions, and records approved through consent, onboarding authority, API token, or another agreed access method.
- Connected-account metadata: OAuth metadata, connected account IDs, scopes, connection status, provider errors, and audit records needed to operate and support approved integrations.
- Staff, customer, supplier, and contractor information: personal information contained in client systems where it is relevant to the approved workflow.
- Service usage data: agent interaction logs, performance metrics, and error logs.
2. How We Use Your Information
| Purpose | Legal basis under the Privacy Act |
|---|---|
| Responding to contact form enquiries | IPP 1, lawful purpose, directly from you |
| Providing contracted AI agent services | IPP 10, purpose for which it was collected |
| Sending service updates or invoices | IPP 10, directly related purpose |
| Improving our website and services | IPP 10, legitimate interest, aggregated data |
| Complying with legal obligations | IPP 11, permitted disclosure |
We do not use personal information for unsolicited marketing, selling or renting to third parties, training AI models on your data, or profiling individuals for automated decisions.
3. Third-Party Disclosure
We may share personal information with:
- AI model providers, such as OpenAI, Anthropic, Google, or other approved model providers, where client data is processed through LLM APIs to deliver our services. We minimise sensitive data in API calls.
- AI routing providers, such as OpenRouter, where needed to route requests to selected or fallback model providers.
- Managed integration brokers, such as Composio, where approved for hosted OAuth, token management, tool execution, or proxied business-system API calls. These providers may process connected-account metadata and selected business-system data returned by or sent through approved tools.
- Connected business-system providers and APIs, such as Google Workspace, Microsoft, Xero, Fergus, email, calendar, document storage, and job management systems, where you approve a connection or ask us to use that system for the services.
- Search, enrichment, or research providers, where a workflow expressly includes web search, company research, contact lookup, or similar research support.
- Cloud infrastructure, monitoring, and email delivery providers, such as Cloudflare, for hosting, email delivery, analytics, security, and reliability.
- Professional advisors, including accountants, lawyers, and insurers, as needed for business operations.
- Law enforcement or regulators, if required by New Zealand law or court order.
We will not disclose your personal information to any other party unless it is needed for the services, listed in the applicable provider register or client agreement, authorised by you, or allowed or required by law.
Google Workspace API Data
If you connect Google Workspace, Kriaka will access only the Google account data and permissions you approve through Google's consent screen or the signed client onboarding authority. Depending on the deployment, access may be handled directly by Kriaka or through an approved managed integration broker. We use that data only to provide or improve the Workspace features you ask your agent to perform, such as sending email, scheduling calendar events, or creating and updating Drive, Docs, Sheets, and Slides files.
We do not sell Google user data, use it for advertising, use it to determine creditworthiness, or use it to train generalized AI models. Kriaka's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
You can revoke Kriaka's Google access from your Google Account permissions. You can also contact us to disconnect a Google Workspace integration or request deletion of Kriaka-held data associated with that connection.
4. Indirect Collection
For client services, Kriaka may receive personal information about staff, customers, suppliers, subcontractors, or other people from client systems rather than directly from those individuals. This can happen when an approved workflow uses email, calendar, documents, accounting, job management, CRM, or similar business systems.
Where the client owns the relationship with those individuals, the client is usually best placed to give practical privacy notice. Kriaka provides notice templates and data-handling information for that purpose. Kriaka may also provide notice directly where it collects personal information for its own business purposes or where direct notice is appropriate.
5. Data Storage and Security
- Personal information is stored on secure cloud infrastructure and approved service providers.
- We use HTTPS encryption for data in transit.
- Access to personal information is restricted to authorised Kriaka personnel.
- We implement reasonable technical and organisational safeguards against unauthorised access, loss, or misuse.
- Contact form data is retained for 12 months, then deleted unless a business relationship is established.
Data location: information may be stored and processed outside New Zealand by Kriaka or approved providers. We take reasonable steps to use providers, contractual safeguards, or authorisations appropriate for New Zealand Privacy Act overseas disclosure requirements.
6. Data Retention
| Data type | Retention period |
|---|---|
| Contact form enquiries with no engagement | 12 months |
| Client contract data | Duration of contract plus 7 years for tax and legal requirements |
| Agent interaction logs | Duration of contract plus 90 days |
| Website analytics | Aggregated, no personal data retained |
| Invoices and financial records | 7 years under the Tax Administration Act 1994 |
7. Your Rights
Under the New Zealand Privacy Act 2020, you have the right to access your personal information, request correction of inaccurate information, know what information we hold and why, withdraw consent for processing based on consent, and complain to the Office of the Privacy Commissioner if you believe we have breached the Privacy Act.
To exercise these rights, contact us at [email protected]. We will respond to access and correction requests within 20 Business Days, as required by the Privacy Act.
8. Cookies
kriaka.com does not use cookies for tracking or advertising. We use Cloudflare Web Analytics, which is privacy-first and does not use cookies or collect personal data. If we add cookies in the future, this policy will be updated.
9. AI-Specific Transparency
- No model training: your data is not used to train or fine-tune AI models. We use API-based access with data processing agreements from providers.
- Human oversight: client agents operate under configurable guardrails. External-facing actions can require human approval before sending.
- Data minimisation: we configure agents to process only the minimum data necessary for the task at hand.
- Logs and auditability: agent actions are logged. Clients can request audit logs of their agent's activity.
10. Children's Privacy
Our services are designed for businesses, not individuals under 16. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be posted on kriaka.com with an updated effective date. If you are an existing client, we will notify you of material changes by email.
12. Contact Us
Kriaka Limited
Company number: 9431431
NZBN: 9429053691804
Auckland, New Zealand
Email: [email protected]
Web: https://kriaka.com
Privacy complaints: if you are not satisfied with our response, you may contact the Office of the Privacy Commissioner at privacy.org.nz or 0800 803 909.