Privacy Policy

How Roleworks Limited handles personal data, and the rights you have under the EU/UK GDPR, the California CCPA/CPRA, and the New Zealand Privacy Act 2020.

Last updated · 3 June 2026

Role · The Record Keeper

What we collect

We collect only what we need to run the service and produce your reports.

Responsibilities
  • Account data: name, email, authentication identifiers.
  • Billing data: handled by Stripe; we store plan status and customer references, not full card numbers.
  • Brief & report data: the text you submit and the reports generated from it.
  • Usage data: basic analytics and logs to keep the service reliable and secure.

Role · The Lawful Processor

Why we process it (lawful basis)

Under the GDPR we rely on specific lawful bases; equivalent principles apply under the NZ Privacy Act and CCPA.

Responsibilities
  • Contract: to provide the account, studio and reports you ask for.
  • Legitimate interests: to secure, improve and support the service.
  • Consent: for optional communications, withdrawable at any time.
  • Legal obligation: to meet tax, accounting and compliance duties.

Role · The Rights Desk

Your rights

You can exercise the following rights by emailing our privacy contact. We respond within the timeframes required by applicable law.

Responsibilities
  • GDPR: access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.
  • CCPA/CPRA: know, delete, correct, and opt out of sale/sharing — we do not sell personal information.
  • NZ Privacy Act 2020: access and correction, with complaints to the Office of the Privacy Commissioner.
  • Contact: support@roleworksnz.com

Role · The Vendor Manager

Sub-processors & transfers

We use a small number of trusted processors to operate Roleworks. Data may be processed outside New Zealand under appropriate safeguards (e.g. Standard Contractual Clauses).

Responsibilities
  • Stripe — payments and subscription billing.
  • Supabase — authentication and database storage.
  • Resend — transactional and report-delivery email.
  • Vercel — application hosting and delivery.

Role · The Custodian

Retention & security

We keep personal data only as long as needed for the purposes above, then delete or anonymise it.

Responsibilities
  • Briefs and reports are retained for the life of your account unless you delete them.
  • We apply encryption in transit and access controls appropriate to the data.
  • On account closure, personal data is deleted or anonymised within a reasonable period, subject to legal retention duties.

Role · The Cookie Steward

Cookies & analytics

We keep tracking to a minimum. We use only the cookies needed to run the service and privacy-friendly, aggregate analytics — we do not sell your data or run advertising trackers.

Responsibilities
  • Strictly-necessary cookies: keep you signed in and secure your session.
  • Analytics: we use privacy-friendly, cookieless aggregate analytics (Vercel Analytics) to understand traffic — no cross-site advertising profiles.
  • Payment provider cookies may be set during checkout to process your payment securely.
  • You can block cookies in your browser; strictly-necessary cookies are required for the app to work.