Privacy Policy

Overview

This Privacy Policy explains how Kavinex Limited (“Kavinex”, “we”, “us”, or “our”) collects, uses, discloses, and protects information in connection with our business-to-business software-as-a-service platform for automotive and mechanical workshops (the “Services”). We operate from New Zealand and may serve customers in Australia and other locations.

We are committed to complying with New Zealand’s Privacy Act 2020 and the Australian Privacy Act 1988 (Cth), as applicable, and to implementing appropriate safeguards for cross-border data transfers.

Who we are

Controller: Kavinex Limited (New Zealand). Kavinex Limited may be supported by our parent company DEVPOP PTY LTD (ABN: 54 680 990 158), Suite 436, 585 Little Collins St, Melbourne VIC 3000, Australia. Operational addresses may vary depending on the service being delivered.

Scope

This Policy covers information we handle in providing the Services to customers who use Kavinex in the course of trade (business customers). If you are an end-customer of one of our business customers, Kavinex processes your information as a processor/service provider on behalf of that customer.

Information we collect

• Account and organisation information: contact details, user names, role/permissions, authentication data, billing details, subscription history.
• Service content and uploads: job data, invoices, vehicle/customer records, messages, images, audio/video, and other files you upload. Unlimited uploads are subject to fair use and content restrictions described below.
• Technical data: device, browser, IP address, timestamps, usage logs, telemetry, crash reports, and cookies or similar technologies to operate and secure the Services.
• AI interaction data: prompts, inputs, and outputs generated when using AI features.

Cookies and analytics

We use cookies and similar technologies (such as local storage, pixels, and device identifiers) to operate the Services, remember preferences, maintain sessions, and understand usage. We may also use privacy‑respecting analytics to help improve reliability and performance. You can control cookies through your browser settings; disabling certain cookies may affect functionality.

How we use information

• Provide, operate, maintain, and improve the Services.
• Authenticate users, administer permissions, and secure accounts.
• Process transactions, subscriptions, and customer support requests.
• Provide AI-assisted functionality (e.g., summarisation, suggestions, automation).
• Monitor, prevent, and detect fraud, abuse, or security incidents.
• Comply with legal obligations and enforce our Terms.
• Communicate important service notices, changes, and updates.

Marketing communications and spam compliance

We may send service and transactional communications (which are necessary to provide the Services). With your consent, we may also send optional marketing communications that you can opt out of at any time using unsubscribe links or by contacting us. We comply with the New Zealand Unsolicited Electronic Messages Act 2007 and the Australian Spam Act 2003.

AI features and model improvement

By default, your Service Content is not used to train Kavinex models. You may choose to opt in to allow Kavinex to use your prompts, inputs, and outputs to improve our AI models and features. If you opt in, we may aggregate, anonymise, and/or pseudonymise data where feasible, and implement technical and organisational controls to protect confidentiality. You can change your opt-in preference at any time in your account settings or by contacting us. Opting out does not affect your ability to use AI features, but it may limit some personalised improvements.

AI outputs may be inaccurate or incomplete. You are responsible for reviewing outputs and for how you use them in your business. Do not rely on AI outputs as professional advice.

Legal bases for processing (NZ/EU-style)

We process personal information on one or more of the following bases: performance of a contract with you; our legitimate interests in operating, improving, and securing the Services; your consent (for example, for AI training opt-in or certain analytics/marketing); and compliance with legal obligations.

Storage, security, and location

We use reputable third-party infrastructure providers including Cloudflare to host, store, and secure information. We employ safeguards such as encryption in transit, encryption at rest (where supported), access controls, auditing, and layered security practices.

Data may be stored or processed in multiple regions and may be transferred internationally, including to countries outside New Zealand and Australia. For cross‑border disclosures, we take steps consistent with Information Privacy Principle 12/13 under New Zealand’s Privacy Act 2020 and Australian Privacy Principle 8 (APP 8), including contractual safeguards and due diligence on overseas recipients where applicable.

Notifiable privacy/data breaches

We assess suspected privacy incidents promptly. Where a breach is likely to cause serious harm, we will notify affected customers and the relevant regulator as required by law, including the Office of the Privacy Commissioner (NZ) under the Notifiable Privacy Breaches scheme and the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme. We will also take reasonable steps to mitigate harm and prevent recurrence.

Sharing of information

• Service providers and subprocessors (e.g., hosting, analytics, communications, security).
• Professional advisers (e.g., legal, accounting) under confidentiality obligations.
• Business transfers (e.g., merger, acquisition), subject to continued protections.
• Legal and compliance disclosures where required by law or to protect rights and safety.

Subprocessors: We maintain a current list of key subprocessors used to deliver the Services. A copy is available on request.

Retention

We retain information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. This may include retaining certain records for tax, accounting, or regulatory purposes under New Zealand and Australian law. You can request deletion of your content, subject to legal and operational constraints. Backups and logs may persist for a limited time after deletion.

Your privacy rights

Subject to applicable law (including the New Zealand Privacy Act 2020 and the Australian Privacy Act 1988), you may have rights to request access to, correction of, or deletion of personal information we hold about you; to object to or restrict certain processing; and to withdraw consent where processing is based on consent. We will respond within a reasonable time. We may require identity verification and may deny requests where permitted by law.

Children

The Services are designed for business use and are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact us so we can take appropriate steps to delete the information.

Data export and portability

We provide self-service and/or assisted export of your data in standard formats and can support migration into or out of Kavinex. Export and migration may be subject to reasonable technical limits and service fees where extensive assistance is requested.

Content rules and fair use

You must not upload illegal, infringing, harmful, or irrelevant content. While we currently offer “unlimited” uploads in an early-stage revision, this is subject to fair use and operational limits. We may investigate and take action (including suspension or termination) where uploads are abusive, excessive, or unrelated to your legitimate business use of the Services.

Third-party services

The Services may integrate with third-party products. Your use of those products is governed by their terms and privacy policies. We are not responsible for third-party practices.

Changes to this Policy

We may update this Policy from time to time. We will post the updated version and update the effective date above. Material changes will be notified through the Services or by other reasonable means.

Contact

For privacy questions or concerns, contact us at [email protected] or by post at: Suite 436, 585 Little Collins St, Melbourne VIC 3000, Australia. If you are a New Zealand resident, you may also contact the Office of the Privacy Commissioner under the Privacy Act 2020.

Complaints: If you have a privacy complaint, please contact us first so we can help. If you are not satisfied, you may lodge a complaint with the Office of the Privacy Commissioner (New Zealand) or the Office of the Australian Information Commissioner (Australia).