Privacy Policy

Twio Technologies Ltd.  ·  Effective: 22 May 2026  ·  Last updated: 22 May 2026

This Privacy Policy describes how Twio Technologies Ltd. (NZBN 9429053587466), trading as Twio (“Twio”, “we”, “us”, or “our”), collects, uses, stores, and discloses personal information through the Twio platform (the “Platform”). It applies to financial and mortgage advisers who register and use the Platform (“Users” or “you”) and to the end consumers whose information Users upload (“Clients”).

Twio is an “agency” for the purposes of the New Zealand Privacy Act 2020. References to “personal information” have the meaning given in section 7 of that Act.

1. Information We Collect

We collect the following categories of personal information:

1.1. User Information. Name, contact details, business name, FAP / FSPR / adviser registration numbers, billing information, account credentials, IP address, device identifiers, usage logs, and configuration choices you make within the Platform.

1.2. Client Information. Personal and financial data you upload about your Clients, including identity details, income records, employment history, loan applications, credit information, banking information (account numbers, balances, repayment details), and supporting documentation (e.g., payslips, bank statements, identity documents).

1.3. Email Data (Optional Gmail Integration). If you elect to connect a Google account, we receive email messages, attachments, headers, and metadata as described in section 5.

1.4. Communications. Records of your communications with our support, sales, and operations teams.

1.5. Derived Data. Vector embeddings, extracted fields, summaries, classifications, and case records that we generate from the information you provide.

2. How We Collect Information

2.1. Direct Input. Through forms, chat, account settings, and other Platform interfaces.

2.2. Document Uploads. From files you upload (including PDFs, images, spreadsheets, and email attachments).

2.3. Connected Services. From Google APIs when you connect a Google account (section 5).

2.4. Automated Collection. Through cookies, server logs, and similar technologies recording your interaction with the Platform.

2.5. Third Parties. From sub-processors, identity verification providers, and other third parties acting at your direction.

3. Purposes of Use

We use personal information for the following purposes (and connected purposes):

3.1. To provide, operate, secure, maintain, and improve the Platform and its features (including case generation, document parsing, email processing, form-filling, and retrieval-augmented search).

3.2. To verify the identity and professional standing of Users and to confirm continued eligibility under section 2 of our Terms of Service.

3.3. To bill for services, manage subscriptions, and recover unpaid amounts.

3.4. To monitor performance, detect and prevent fraud, abuse, and security incidents, and to enforce our Terms of Service.

3.5. To process information through third-party Artificial Intelligence (AI) providers as described in section 4.

3.6. To comply with our legal obligations, including under the Privacy Act 2020, Fair Trading Act 1986, and Companies Act 1993, and to respond to lawful requests from regulators and law enforcement.

3.7. To communicate with you about the Platform, including service updates, security notices, and (where you have not opted out) commercial communications.

3.8. To develop, test, and operate the Platform (including internal evaluation of our own prompts, classifiers, and configurations on representative or synthetic data).

4. Artificial Intelligence Processing

4.1. AI is central to the Platform. The Platform uses AI and machine learning to parse documents, classify and extract email content, generate draft text, summarise case data, and assist with workflow automation. AI output is probabilistic and may contain errors; it is not a substitute for your professional judgement.

4.2. Third-party AI providers. We route AI tasks to one or more of the following providers, as configured by us from time to time:

  • Anthropic, PBC (United States) — Claude family models
  • OpenAI, Inc. (United States) — GPT family models
  • Google LLC / Google Ireland Limited (United States / European Union) — Gemini models and Vertex AI Search

4.3. No model training on your data. We do not use Client Information, Gmail data, or other Platform content to train, fine-tune, or otherwise develop foundation AI models that we operate or distribute. Our agreements with the AI providers in section 4.2 prohibit those providers from using Platform-submitted data to train or fine-tune their foundation models. We may, however, use Platform data for internal evaluation, debugging, and quality control of our own prompt configurations and classifiers, subject to access controls and the confidentiality obligations in this Policy.

4.4. No automated decision-making for credit. The Platform does not make automated credit, lending, or financial-advice decisions. You remain the decision-maker, adviser, and submitter of record for every Client interaction.

4.5. Sub-processor list. A current list of AI and infrastructure sub-processors (including processing regions and links to their data-handling policies) is available on request at privacy@twio.ai.

5. Google Account and Gmail Data

5.1. Optional integration. Users may, but are not required to, connect a Google account to the Platform using OAuth 2.0.

5.2. OAuth scopes requested. When you connect Google, we may request the following scopes. We request each only to the extent necessary for the corresponding Platform feature, and you can review the exact scopes presented on the Google consent screen at the time of authorisation:

  • gmail.readonly — read email messages, attachments, headers, and metadata, so the Platform can identify and extract Client mortgage information from your inbox and sent items.
  • gmail.send — send messages on your behalf, exclusively when you click “Send” on a draft within the Platform. The Platform does not send automated emails from your account.
  • gmail.metadata or equivalent push-notification scope (when enabled) — receive real-time mailbox change notifications from Google to keep your case workspace current.
  • userinfo.email and userinfo.profile — confirm the identity of the connected account.

5.3. What we do with Gmail data. Gmail data is used to:

  • identify, classify, and extract mortgage-related content into Client cases on your behalf;
  • generate retrieval-augmented search indexes (vector embeddings) so you can search across past Client correspondence within the Platform;
  • compose, draft, and send emails initiated by you through the Platform; and
  • operate, secure, and maintain the foregoing features.

5.4. No use for advertising; no sale of Gmail data. We do not use Gmail data for advertising, behavioural profiling, or marketing purposes. We do not sell, rent, or license Gmail data, and we do not permit any third party to do so.

5.5. No use for AI training. Gmail data is not used to train, fine-tune, or develop foundation AI models. See section 4.3 for the limited internal-evaluation uses that apply to all Platform data.

5.6. Limited disclosure. Gmail data is disclosed only to (a) the sub-processors listed in section 6 acting on our behalf; (b) you and persons authorised by you; (c) regulators and law-enforcement bodies where required by law or in response to valid legal process; and (d) any party with your explicit prior consent.

5.7. No staff access without legitimate reason. Twio staff do not read the content of your Gmail messages except (a) with your consent (e.g., support ticket), (b) for security or fraud investigation, (c) to comply with applicable law, or (d) for limited internal operations (debugging or quality control) under access controls, logging, and confidentiality obligations.

5.8. Storage and retention. Email messages and attachments imported via the Gmail integration are stored persistently within your Platform account as part of your case workspace, including: message headers, plain-text body, HTML body, attachment metadata, retained attachment binaries, and derived vector embeddings used for search. This data is retained for as long as your subscription is active and your underlying case / Client records are retained, subject to section 9 (Retention). You may delete imported emails at any time through Platform tools, which removes the source record and the corresponding vector embedding from active systems within a reasonable period (typically 30 days, allowing for backup cycles).

5.9. Google API Services User Data Policy. Our use and transfer to any other application of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5.10. Revocation. You can disconnect your Google account at any time from within the Platform or from your Google Account permissions page. Revocation stops further retrieval of Gmail data; data already imported into your Platform workspace remains subject to section 9 unless you delete it.

5.11. Your responsibility for consent. By connecting Gmail, you confirm that you are entitled to grant the access requested and that you will obtain and maintain any consents from your Clients (and other third parties) that are required by the Privacy Act 2020 or your professional obligations.

6. Disclosure to Third Parties (Sub-processors)

6.1. We do not sell personal information. We do not sell, rent, or trade personal information to advertisers, marketers, or data brokers.

6.2. Sub-processors. We share personal information with the following categories of sub-processors strictly to provide the Platform:

  • Cloud infrastructure: Amazon Web Services (AWS S3), Google Cloud (Cloud Run, Pub/Sub, Vertex AI), and managed PostgreSQL providers (e.g., Neon).
  • AI providers: Anthropic, OpenAI, and Google (see section 4.2).
  • Email and notifications: SMTP / transactional email providers used to send service messages and outbound mail you initiate.
  • Observability and analytics: Logging, monitoring, and LLM-observability providers (e.g., Langfuse) used to operate the Platform.
  • Identity and authentication: Google (OAuth) and similar providers you elect to connect.

6.3. Sub-processor obligations. We require each sub-processor under written contract to: (a) process personal information only to provide their service to us; (b) maintain appropriate technical and organisational security measures; (c) not use the information for their own purposes (including AI training); and (d) notify us of any security incident affecting our data.

6.4. Legal disclosure. We may disclose personal information where required by law, court order, or formal request from a regulator, or where we believe in good faith that disclosure is necessary to investigate fraud, protect the rights, property, or safety of Twio, our Users, or others, or to enforce our Terms of Service.

6.5. Business transfers. If Twio is involved in a merger, acquisition, restructuring, or sale of assets, personal information may be transferred as part of that transaction, subject to confidentiality protections and continued compliance with this Policy.

7. Cross-Border Disclosure (IPP 12)

7.1. Countries where your data may be processed. To provide the Platform, your personal information is transferred to and processed in the following jurisdictions, depending on the sub-processor and feature:

  • United States (Anthropic, OpenAI, AWS, Google Cloud, observability vendors)
  • European Union / Ireland (Google Cloud, certain observability vendors)
  • Australia / Singapore (regional AWS and Google Cloud storage, where elected)
  • New Zealand

7.2. Basis for cross-border disclosure. We rely on the following bases under Information Privacy Principle 12 of the Privacy Act 2020 for each cross-border transfer:

  • Contractual safeguards: We have entered into binding written agreements with each sub-processor requiring data protection on terms comparable to the Privacy Act 2020 (including, where applicable, Standard Contractual Clauses or equivalent).
  • Your authorisation: By accepting this Policy and by initiating sub-processor-dependent features (for example, connecting a Google account), you authorise the cross-border transfer that is necessary to provide that feature.

7.3. Note on equivalence. The United States and some other recipient jurisdictions are not prescribed by the New Zealand Government as having comparable privacy law to New Zealand. We rely on contractual safeguards and your authorisation, not on prescribed equivalence.

8. Data Security

8.1. We use technical and organisational measures intended to protect personal information against unauthorised access, loss, alteration, or disclosure, including encryption in transit (TLS), encryption at rest for storage of structured data, access controls, logging, and segregation of tenant data.

8.2. No method of electronic transmission or digital storage is completely secure. We do not guarantee that our security measures will prevent every unauthorised access, and you acknowledge that you transmit information to the Platform at your own risk.

8.3. You are responsible for the security of your account credentials, devices, and connected Google account. You must notify us promptly at security@twio.ai of any actual or suspected unauthorised access to your account or to any Client Information held on the Platform.

9. Retention

9.1. We retain personal information for as long as is necessary to provide the Platform, comply with our legal obligations, resolve disputes, and enforce our agreements.

9.2. User Information is retained for the duration of your account and for a reasonable period thereafter (typically seven (7) years from termination, aligned with our and your statutory record-keeping obligations).

9.3. Client Information (including imported Gmail content, attachments, case records, and derived embeddings) is retained for the duration of your subscription. Following termination, we will retain Client Information for a period reasonably necessary to allow you to export it (see section 10) and for any longer period required by law.

9.4. Statutory retention. Where personal information forms part of records you are required to retain under the Financial Markets Conduct Act 2013 (s454), the Financial Markets Conduct Regulations 2014, or the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (s49), we may retain that information for the statutory minimum period (typically seven (7) years) notwithstanding any earlier request for deletion.

9.5. Backups. Routine system backups may retain copies of deleted personal information for a limited additional period (typically up to 90 days) before being overwritten.

9.6. Deletion on request. You can delete most Client records and email imports through Platform tools; these are removed from active systems within a reasonable period.

10. Your Rights — Access, Correction, and Complaints

10.1. Access (IPP 6). You may request a copy of the personal information we hold about you by emailing privacy@twio.ai with the subject “Access Request”. We will respond within 20 working days as required by section 40 of the Privacy Act 2020.

10.2. Correction (IPP 7). You may ask us to correct personal information that is inaccurate, incomplete, or out of date. If we do not agree to make the requested correction, we will, on your request, attach a statement of correction to the record.

10.3. Verification. Before releasing personal information, we will verify your identity by reasonable means (e.g., authenticated Platform login).

10.4. Charges. We do not normally charge for access or correction. Where a request is repeated, voluminous, or requires substantial processing, we may charge a reasonable fee under section 66 of the Privacy Act 2020 after notifying you.

10.5. Refusal. We may refuse a request only on grounds permitted by the Privacy Act 2020 (sections 49–54). If we refuse, we will explain why.

10.6. Client requests. Because Users (advisers) collect Client data from Clients directly, end-Clients should initially direct access and correction requests to their adviser. We will reasonably assist Users to fulfil such requests.

10.7. Complaints. If you have a privacy concern, contact our Privacy Officer at privacy@twio.ai. If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner at www.privacy.org.nz.

11. Notifiable Privacy Breaches

11.1. We comply with the mandatory privacy breach notification regime in Part 6, Subpart 1 of the Privacy Act 2020 (sections 112–118).

11.2. Where we become aware of a privacy breach that has caused or is likely to cause serious harm to one or more individuals, we will:

  • notify the Office of the Privacy Commissioner as soon as practicable after becoming aware of the breach;
  • notify affected Users without unreasonable delay, except where the Privacy Act 2020 permits delayed or substitute notification; and
  • cooperate reasonably with affected Users in any consequential notifications they (as collecting agencies) must make to their Clients.

11.3. Your obligation. You must notify us promptly at security@twio.ai of any actual or suspected privacy breach involving the Platform (including credential compromise or unauthorised access by your staff or contractors).

12. Cookies and Tracking

12.1. The Platform uses cookies and similar technologies to maintain session state, authenticate logins, remember preferences, prevent fraud, and analyse Platform performance.

12.2. You can control cookies through your browser settings. Disabling essential cookies may impair Platform functionality.

13. Children

13.1. The Platform is not intended for, and we do not knowingly collect information about, individuals under the age of 18. You must not upload information about a person you know or suspect to be a minor.

14. Your Responsibility for Client Consent

14.1. As the financial adviser, you collect personal information from your Clients directly and remain the agency responsible for Client-facing collection notices, consents, and disclosures under the Privacy Act 2020.

14.2. You warrant that you have obtained and will maintain all informed consents required for: (a) uploading Client Information to a third-party SaaS platform; (b) processing Client Information through AI providers in the United States and other jurisdictions listed in section 7; and (c) cross-border disclosure as described in section 7.

14.3. You must ensure your own Client-facing privacy disclosures accurately reflect your use of the Platform, including the Gmail integration if you use it.

15. Changes to this Policy

15.1. We may update this Policy from time to time. Material changes will be communicated through the Platform or by email at least 14 days before they take effect, except where shorter notice is required for legal or security reasons.

15.2. Your continued use of the Platform after the effective date of an update constitutes acceptance of the updated Policy. If you do not agree, your remedy is to discontinue use.

16. Contact

For any questions about this Policy or our handling of personal information, please contact our Privacy Officer:

Privacy Officer, Twio Technologies Ltd.
Email: privacy@twio.ai
Security incidents: security@twio.ai
General enquiries: support@twio.ai
Or via our contact form.

External escalation: Office of the Privacy Commissioner (www.privacy.org.nz).