Privacy Policy — Fullstack Forge

1. Introduction

Fullstack Forge ("we", "us", "our") is a New Zealand-based digital services business. We build websites, deliver search-engine optimisation (SEO), and create AI-powered lead-generation systems for tradies and small businesses across New Zealand.

We understand that your personal information matters. This privacy policy explains, in plain English, what information we collect, why we collect it, how we look after it, and what rights you have under the New Zealand Privacy Act 2020. It applies whenever you visit our website at https://fullstack-forge.netlify.app, use any of our free online tools, submit a form, or engage us for services.

By using our website or services you acknowledge that you have read and understood this policy. If anything is unclear, please get in touch — our contact details are at the bottom of this page.

2. Information We Collect

We only collect information that is reasonably necessary to operate our business and provide you with the services you have asked for. The types of personal information we may hold include:

Contact & business details — your name, email address, phone number, business name, and business type, collected when you fill in a contact form, request a quote, or book a consultation.
Website URL — the address of your existing website, provided when you request a free website audit or use one of our analysis tools.
Account credentials — your email address and name if you register for a client dashboard or log in via a social provider (e.g. Google).
Tool inputs & results — data you enter into our free online tools (for example, a URL submitted to a site-speed checker or SEO analyser) and the results those tools generate.
AI-processed data — information you provide that is sent to AI services (such as OpenAI) for processing. This may include business descriptions, website content, or enquiry details used to generate automated reports, recommendations, or lead-qualification insights.
Payment information — billing details processed securely by our payment provider, Stripe. We never see or store your full card number on our servers.
Device & usage data — technical information collected automatically when you browse our site, including IP address, browser type, operating system, pages viewed, time on page, and referring URL.

3. How We Collect Information

We collect personal information in the following ways:

Directly from you — when you complete a contact form, request a free audit, use an online tool, register an account, place an order, or communicate with us by email, phone, or social media.
Automatically via our website — through cookies, server logs, and analytics tools when you browse our pages (see Section 8 below).
From third-party platforms — for example, Google or Facebook if you choose to log in with a social account, or from publicly available business directories when we perform research on your behalf as part of a paid service engagement.

Where possible, we collect information directly from you and will let you know at the point of collection what is required and what is optional.

4. Purpose of Collection

We use the personal information we hold to:

Respond to your enquiries and provide consultations.
Deliver the services you have purchased — including website design, SEO, and AI-powered lead-generation systems.
Process data through AI services to generate automated reports, content drafts, competitor analyses, or lead-qualification scoring on your behalf.
Run our free online tools and return results to you (e.g. website audits, SEO checks, speed tests).
Process payments and issue invoices.
Send project updates, account notifications, and service-related communications.
Send marketing emails where you have opted in (see Section 9).
Monitor and improve our website performance, security, and user experience.
Comply with our legal obligations under New Zealand law.

We will not use your personal information for a purpose that is materially different from the purpose for which it was collected, unless you give us permission or the law allows it.

5. Sharing of Information

We do not sell, rent, or trade your personal information. We may share limited data with the following trusted third-party service providers who help us deliver our services:

Netlify — website hosting, serverless functions, and form submissions (United States).
Stripe — secure payment processing (United States).
Google Analytics — anonymised website usage statistics (United States).
Mailchimp (Intuit) — email marketing and newsletters, only if you have opted in (United States).
OpenAI — AI-powered processing for automated reports, content generation, and lead-qualification analysis (United States). Inputs you provide (such as business descriptions or website content) may be sent to OpenAI's API for processing. We use their API tier, which means your data is not used to train their models.

Each provider only receives the minimum data needed to perform its function and is bound by its own privacy policy and contractual obligations. We also require that our providers maintain appropriate security safeguards.

We may also disclose personal information where required or permitted by New Zealand law — for example, in response to a lawful request from a government agency.

6. Overseas Data Transfers

Some of the third-party services listed above are based in the United States. This means your personal information may be transferred to, and processed in, countries outside New Zealand.

In accordance with Information Privacy Principle 12 of the Privacy Act 2020, we take reasonable steps to ensure that overseas recipients protect your information in a way that is comparable to New Zealand privacy standards. This includes choosing providers that offer robust privacy and security commitments and, where available, using data processing agreements.

7. Data Security

We take the security of your information seriously and apply reasonable safeguards to protect it from unauthorised access, loss, misuse, or disclosure. Our measures include:

HTTPS (TLS) encryption across the entire website.
Secure, hashed authentication for user accounts.
Restricted access — only authorised personnel can view personal data.
Regular software updates and security monitoring.
Use of environment variables and secrets management for API keys.

No method of electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If we become aware of a privacy breach that poses a risk of serious harm, we will notify the Office of the Privacy Commissioner and affected individuals as required by the Privacy Act 2020.

8. Cookies and Analytics

Our website uses cookies — small text files stored on your device — to help the site function properly and to understand how visitors use it.

Types of cookies we use

Essential cookies — required for authentication, session management, and core site functionality. These cannot be disabled without breaking the experience.
Analytics cookies — set by Google Analytics to collect anonymised usage data such as pages visited, time on site, and referral source. This helps us understand what content is useful and where we can improve.

You can control or delete cookies through your browser settings. Blocking analytics cookies will not affect your ability to use the site, but some features that rely on essential cookies (such as the client dashboard) may not work correctly if those are disabled.

9. Marketing Communications

We may send you marketing emails — such as tips, guides, or service updates — only if you have explicitly opted in (for example, by ticking a checkbox on a form or subscribing to our mailing list).

Every marketing email includes a clear unsubscribe link. You can opt out at any time and we will remove you from the mailing list promptly.

Transactional communications — such as project updates, invoices, or account notifications — are not marketing and will be sent as needed to fulfil our service obligations.

10. Access and Correction Rights

Under Information Privacy Principles 6 and 7 of the Privacy Act 2020, you have the right to:

Access the personal information we hold about you.
Request correction if any information is inaccurate, incomplete, or misleading.
Request deletion of your personal information where there is no lawful reason for us to retain it.

To make a request, email us at the address below. We will respond within 20 working days, as required by law. If we refuse a request, we will explain why and inform you of your right to complain to the Office of the Privacy Commissioner.

11. Data Retention

We keep your personal information only for as long as we need it for the purposes described in this policy, or as required by law. As a general guide:

Enquiry & contact form data — retained for up to 24 months after your last interaction, then deleted.
Client project data — retained for the duration of the engagement plus 7 years to meet tax and accounting obligations.
Account data — retained while your account is active. You may request deletion at any time.
Analytics data — anonymised and retained in accordance with Google Analytics' data-retention settings (currently set to 14 months).
AI processing data — inputs sent to AI APIs are processed in real time. We do not store AI-generated outputs beyond what is needed to deliver results to you, unless you request otherwise as part of a paid engagement.

When personal information is no longer required, we securely delete or de-identify it.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our services, technology, or legal requirements. When we make material changes, we will update the "Effective date" at the top of this page.

We encourage you to review this policy periodically. Continued use of our website or services after changes are published constitutes acceptance of the updated policy.

13. Contact Information

If you have any questions about this privacy policy, want to make an access or correction request, or wish to raise a concern about how we have handled your personal information, please contact us:

Email: hello@fullstackforge.co.nz
Website: Contact form

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Privacy Commissioner (Te Mana Mātāpono Matatapu).