Anchor & Co AnchorOS v1.0

Privacy Policy

Anchor & Co Limited, trading as AnchorOS (“Anchor & Co”, “we”, “us”, “our”) is committed to protecting the privacy of the people who use our platform. This Privacy Policy explains what personal information we collect, how we use and store it, who we share it with, and what rights you have.

Anchor & Co operates the AnchorOS platform, a governance and performance operating system used by organisations to connect strategy to delivery, link risks to decisions, and provide a real-time view of organisational health and performance. We also operate related websites and services at anchorand.co.

This policy applies to: organisation administrators, executives, governance members, programme and function leads, team members, and any other authorised users who access or use the AnchorOS platform or related services.

1. Our legal framework

Anchor & Co complies with the New Zealand Privacy Act 2020 and the 13 Information Privacy Principles (IPPs) it contains. Where we handle personal information about people in jurisdictions with comparable privacy regimes (including the Australian Privacy Principles and the GDPR), we also comply with applicable requirements under those frameworks.

Anchor & Co operates as a data processor for the organisations that use our platform. This means each organisation is the data controller for information about its people, decisions, programmes, and operating data. Each organisation determines the purposes for which that information is collected and used. Anchor & Co processes it on their behalf and in accordance with their instructions.

2. Information we collect

2.1 Information about organisation administrators and users

When an organisation sets up an AnchorOS account for a user, we collect:

  • Name and job title
  • Work email address
  • Organisational role and assigned tenant permissions
  • Login credentials (passwords are stored using one-way cryptographic hashing and are not accessible to Anchor & Co staff)
  • Access logs and usage activity within the platform

2.2 Information held within the platform

AnchorOS is a system of record for governance and performance data. The information held within a tenant is determined by the organisation that operates that tenant, and may include:

  • Outcomes, OKRs, and benefits
  • Decisions, governance forums, and decision rationale
  • Initiatives, milestones, activities, and roadmaps (covering both BAU and change work)
  • Risks, issues, assumptions, and dependencies (RAID)
  • Budget and financial data attributable to initiatives or programmes
  • Reports, dashboards, and exports generated from the above
  • Documents and attachments uploaded by authorised users
  • Names, contact details, and organisational role of the people associated with these records

2.3 Configurable identifiers and te reo Māori labels

AnchorOS supports configurable terminology, including te reo Māori labels for entity names, hierarchy levels, status values, module navigation, and report copy. Where an organisation applies these labels, they are stored as tenant configuration. The underlying data handling rules in this policy apply regardless of the language label used.

2.4 Technical information

When you use the platform, we automatically collect:

  • Device type, browser, and operating system
  • IP address and approximate location
  • Pages visited, features used, and session duration
  • Log files and error reports (with personal data scrubbed)

This technical information is used for security monitoring, platform improvement, and troubleshooting. It is not used to profile individual users for commercial purposes.

3. How we use personal information

We use personal information to:

  • Provide the AnchorOS platform and its features to organisations and their users
  • Enable organisations to manage outcomes, decisions, delivery, risks, and reporting
  • Enable governance forums to record decisions and link them to actions and outcomes
  • Communicate with users about their accounts, updates, and support
  • Improve the platform through aggregated, anonymised usage analysis
  • Comply with our legal obligations

We do not use personal information for advertising or marketing to third parties. We do not sell personal information.

4. Sensitive information

Some of the information held in an AnchorOS tenant can be sensitive, including:

  • Strategic priorities and confidential decision papers
  • Risk registers and post-incident records
  • Financial and budget data attributable to programmes
  • Records of governance processes (including iwi and hapū governance kōrero, where the platform is operated by an organisation that uses it for that purpose)

We apply appropriate care to this information. Access within the platform is restricted on a need-to-know basis. Each organisation controls who has access to sensitive information within its own tenant via per-user, per-module permissions. Every permission change is recorded in the audit trail.

5. Information sharing and disclosure

We share personal information only in the following circumstances:

  • With users authorised by the relevant organisation to access the relevant information through the platform
  • With third-party service providers who assist us in operating the platform (including hosting, AI processing, application hosting, email delivery, and error monitoring), under appropriate data processing agreements
  • With the user, where the organisation directs us to share information with them
  • Where required by New Zealand law or a court order
  • In the event of a business transfer, see section 14

We do not share personal information with government agencies except where required by law. We do not share personal information with third parties for marketing or commercial purposes.

6. Artificial intelligence (AI) features

AnchorOS uses artificial intelligence to assist users with operational tasks, including decision drafting, report ingest, and strategy document parsing. AI features are optional and supplementary. They do not make decisions for the organisation or its governance forums. All material decisions remain with the human user, governance body, or accountable owner.

6.1 AI provider

AI features are powered by Anthropic for in-platform assistance, decision drafting, report ingest, and document parsing.

6.2 What data AI features can access

AI features process only the operational context provided by the authenticated user within their own tenant:

  • Prompts, questions, and instructions typed by the user
  • Excerpts from records the user is authorised to view
  • Tenant-level metadata such as organisation name and configured terminology, where required for the AI to produce on-context output

6.3 What AI features cannot do

AI features operate within the same tenant boundary as the requesting user. They cannot access data across organisation boundaries. AI requests are scoped to the authenticated user’s session and tenant, and every AI-assisted action is individually recorded in the audit trail.

6.4 Provider commitments

  • No model training: Anthropic does not use data sent via its API to train its AI models. This is contractually guaranteed under Anthropic’s published API terms.
  • Data retention: Anthropic retains API data for a maximum of 30 days for trust and safety purposes, then permanently deletes it. No client data is retained beyond that window.
  • Data Processing Agreement: Anchor & Co has executed a Data Processing Agreement with Anthropic.

6.5 Organisation control over AI features

Each organisation administrator can disable AI features for their tenant at any time. The platform continues to function fully without AI. These features are additive, not essential. AI features are also rate-limited per user. For full technical detail, see the AnchorOS Technical and Security Summary, available on request from privacy@anchorand.co.

7. Data storage and security

Personal information held in AnchorOS is stored in cloud infrastructure hosted on Amazon Web Services (AWS) in the ap-southeast-2 region (Sydney, Australia). All core organisational data is stored in the Australasian region. The infrastructure is configured so that client data does not route through United States, European, or other offshore regions under normal operation. This is an architectural constraint, not a policy.

We use the following technical and organisational security measures:

  • Encrypted data transmission (HTTPS / TLS 1.2 or higher)
  • Encrypted storage at rest (AES-256)
  • One-way cryptographic hashing of passwords
  • Zero-trust, multi-tenant architecture with row-level security enforced at the database layer
  • Server-side role-based access controls and per-user, per-module permission overrides
  • Session token rotation on every request
  • Immutable, field-level audit trail of every data mutation
  • Rate limiting on AI and integration endpoints
  • Server-side validation of file uploads (MIME type, extension, size, sanitised file names)
  • Regular security review and incident response process

8. Cross-border data transfers

AnchorOS’s primary database and core operational data are hosted in Sydney, Australia. Some third-party services we use to operate the platform involve transferring limited data to the United States or globally distributed regions for processing:

  • Anthropic (AI text processing): United States. Receives only operational context within the authenticated user’s tenant scope. No client data is used for model training.
  • Vercel (application hosting and edge network): Globally distributed edge network with primary compute in the United States. Handles request routing and TLS termination, not the storage of organisational data.
  • Email delivery and error monitoring providers: United States. Receive email addresses, email content for delivery, and error logs with personal data scrubbed.

All providers that process data outside Australasia have executed Data Processing Agreements (DPAs) with contractual safeguards, and each provider holds industry-standard security certifications (such as SOC 2 Type II and ISO 27001). These transfers comply with Information Privacy Principle 12 of the New Zealand Privacy Act 2020.

9. Sub-processors

Anchor & Co uses the following third-party service providers to operate the platform. Data Processing Agreements are in place with all providers.

Provider | Purpose | Region
Amazon Web Services (AWS) | Core hosting and managed PostgreSQL database, including organisational data, decisions, programmes, and audit trail | Sydney, Australia
Anthropic | AI text generation for decision drafting, report ingest, and document parsing | United States
Vercel | Application hosting and edge network | Globally distributed
Atlassian (Jira integration) | OAuth-authenticated, tenant-scoped integration (where enabled by the organisation) | Australia / United States
Email delivery provider | Transactional email for account, support, and notification messages | United States
Error monitoring provider | Error logs (with personal data scrubbed) | United States

For detailed information about each provider, contact privacy@anchorand.co.

10. Data breach notification

Anchor & Co maintains a documented privacy breach response process. If we become aware of a privacy breach, we will:

  • Contain the breach immediately and assess its severity
  • Notify the affected organisation(s) within 24 hours of confirmation for a P1 (critical) incident, and within 48 hours for a P2 (high) incident affecting data
  • Assess whether the breach is likely to cause serious harm to affected individuals
  • If serious harm is likely, notify the Office of the Privacy Commissioner and affected individuals as required under section 114 of the Privacy Act 2020

We treat all breaches seriously, including near-misses, and conduct post-incident reviews to prevent recurrence. All P1 and P2 incidents result in a written post-incident review, shared with affected organisations on request.

11. Retention and deletion

We retain personal information for as long as it is needed for the purposes described in this policy, and as required by law or the agreement we have with the organisation operating the relevant tenant.

Default audit retention is 7 years. This is consistent with standard New Zealand record-keeping obligations for governance and decision-making, and is configurable by tenant administrators. When an organisation’s relationship with Anchor & Co ends, we will retain tenant data for the period agreed in writing, after which it will be deleted unless the organisation requests earlier deletion or extended retention.

Data sent to AI providers is retained by those providers for a maximum of 30 days for trust and safety purposes, then permanently deleted.

Individual users can request deletion of their own personal information by contacting us or their organisation administrator. Organisations can request a full data export or complete deletion of their tenant at any time.

12. Your privacy rights

Under the New Zealand Privacy Act 2020, you have the right to:

  • Access: request access to personal information we hold about you
  • Correction: request correction of personal information that is inaccurate or outdated
  • Complaint: make a complaint if you believe your privacy rights have been breached

To exercise these rights, please contact us at privacy@anchorand.co. We will acknowledge your request within 5 working days and respond substantively within 20 working days, as required by the Privacy Act 2020.

If you are a user whose information is held within an organisation’s AnchorOS tenant, your organisation is the primary point of contact for access and correction requests. We will work with the organisation to fulfil your request.

13. Cookies and tracking

The AnchorOS platform uses cookies and similar technologies to keep you logged in during a session, remember your preferences, and analyse how the platform is being used. For full details, see our Cookie Policy.

14. Business transfers

If Anchor & Co is involved in a merger, acquisition, or sale of assets, personal information held by Anchor & Co may be transferred to the acquiring entity. We will ensure that personal information continues to be protected in accordance with this policy following any such transfer, and we will notify affected organisations of any material change to how their information is handled.

15. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or the law. The current version will always be available at anchorand.co/privacy. We will notify organisation administrators of material changes. Continued use of the platform after a change is published constitutes acceptance of the updated policy.

16. Contact us

If you are not satisfied with our response to a privacy concern, you can contact the Office of the Privacy Commissioner at www.privacy.org.nz or 0800 803 909.