Legal

Privacy Policy

Effective date: 1 May 2026  ·  Last reviewed: April 2026

This policy explains how Forge & Field collects, uses, stores, and protects your personal information in accordance with the New Zealand Privacy Act 2020 and its Information Privacy Principles (IPPs). By using our website or services, you agree to the practices described here.

1. Who We Are

Forge & Field ("we", "us", "our") is an AI consultancy business based in Matamata, Waikato, New Zealand. We help New Zealand businesses improve efficiency through AI strategy, workflow optimisation, and capability building.

Our Privacy Officer is responsible for ensuring compliance with the Privacy Act 2020. Contact details are in section 14.

2. What Information We Collect

We collect personal information only when necessary and only to the extent needed to deliver our services (IPP 1).

Information you provide directly:

  • Name, email address, phone number, business name
  • AI Audit responses — details about your business operations, current tools, and AI readiness
  • Booking and calendar details (name, contact, preferred time)
  • Contact form enquiries
  • Payment details — processed directly by Stripe (we do not store card numbers)
  • Account credentials (email + hashed password) if you create a client portal account

Information collected automatically:

  • IP address, browser type, and referring URL (via server logs)
  • Pages visited and time spent on site (analytics)
  • Session tokens stored in memory (not persisted to localStorage)

We do not collect sensitive information such as ethnicity, health data, political opinion, or criminal history.

3. How We Use Your Information

We use your personal information only for the purposes for which it was collected or a directly related purpose (IPP 2 & 10):

  • Delivering the AI Audit, assessment results, and consulting services you requested
  • Processing payments and issuing invoices
  • Scheduling and managing strategy calls or project meetings
  • Sending service-related communications (booking confirmations, audit reports, reminders)
  • Creating and managing your client portal account
  • Improving our website and services through aggregated, anonymised analytics
  • Meeting our legal and contractual obligations

We will not sell, rent, or trade your personal information to third parties for marketing purposes.

4. AI Processing Disclosure

Our AI Audit feature uses a large language model (LLM) provided by OpenAI to generate personalised business recommendations based on your audit responses. When you submit an AI Audit:

  • Your audit responses are transmitted to OpenAI's API for processing.
  • OpenAI processes this data subject to their own privacy policy and data processing terms.
  • We do not send your name or contact details to OpenAI — only the substantive audit content.
  • AI-generated recommendations are reviewed by a Forge & Field consultant before being acted upon for paid engagements.

You may request that your audit data be deleted at any time by contacting us (see section 14).

5. Third-Party Service Providers

We share personal information with the following service providers only to the extent necessary to operate our services:

Provider | Purpose | Location
Stripe | Payment processing | USA
OpenAI | AI Audit generation | USA
Resend | Transactional email delivery | USA
MongoDB Atlas | Database storage | Australia (ap-southeast-2)
Railway | Backend application hosting | USA
Vercel | Frontend hosting & CDN | USA / Global CDN

6. Overseas Transfer of Information

Some of our service providers are based outside New Zealand (see section 5). Under IPP 12 of the Privacy Act 2020, we take reasonable steps to ensure that overseas recipients protect your information to a comparable standard.

  • Stripe, OpenAI, and Resend are based in the USA and comply with applicable US data protection frameworks.
  • MongoDB Atlas data is stored in the Sydney, Australia (ap-southeast-2) region.
  • Railway and Vercel host application infrastructure in regions that include the USA.

By using our services, you consent to the transfer of your personal information to these overseas service providers on the basis described above.

7. How Long We Keep Your Information

We retain personal information only for as long as necessary for the purpose it was collected or as required by law (IPP 9):

  • AI Audit results: 2 years from submission, then anonymised or deleted
  • Client account and project data: Duration of engagement + 7 years
  • Payment records: 7 years (Inland Revenue Act 1994 requirement)
  • Email correspondence: 3 years
  • Server access logs: 90 days

8. Your Rights Under the Privacy Act 2020

As a data subject under the Privacy Act 2020, you have the following rights (IPP 6 & 7):

  • Right of access: Request a copy of the personal information we hold about you. We will respond within 20 working days.
  • Right of correction: Request correction of inaccurate or out-of-date information.
  • Right to know: Ask whether we hold personal information about you and how it is used.
  • Right to object: Object to the use of your personal information for direct marketing at any time.
  • Right to deletion: Request deletion of your data where it is no longer needed for the original purpose.

If we decline your request, we will inform you of your right to complain to the Office of the Privacy Commissioner at www.privacy.org.nz.

9. How We Protect Your Information

We implement appropriate technical and organisational security measures (IPP 5):

  • All data transmitted between your browser and our servers is encrypted using TLS 1.2+
  • Passwords are stored as bcrypt hashes — plaintext passwords are never stored
  • JWT authentication tokens expire after a set period
  • API endpoints are rate-limited to protect against brute-force attacks
  • MongoDB Atlas enforces encryption at rest and network access controls
  • Stripe handles all payment card data directly — we never receive or store card numbers

10. Cookies & Analytics

Our website may use session cookies necessary for authentication and security. We do not currently use third-party advertising or tracking cookies. You can control cookies through your browser settings.

11. Children's Privacy

Our services are directed at business owners and professionals. We do not knowingly collect personal information from anyone under the age of 16.

12. Privacy Breach Notification

In the event of a privacy breach that is likely to cause serious harm, we will notify the Office of the Privacy Commissioner and affected individuals as soon as reasonably practicable, and no later than 72 hours after becoming aware of the breach, in accordance with Part 7 of the Privacy Act 2020.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page with an updated effective date. For material changes, we will notify existing clients by email at least 14 days before the changes take effect.

14. Contact & Complaints

For privacy enquiries, access requests, or to raise a concern, contact our Privacy Officer:

Forge & Field — Privacy Officer

Matamata, Waikato, New Zealand

Email: [email protected]

If you are not satisfied with our response, you may make a complaint to the Office of the Privacy Commissioner:

Phone: 0800 803 909

Website: www.privacy.org.nz

Email: [email protected]