Privacy Policy

Quad Mobile Application

Last Updated: 4 March 2026

Effective Date: 4 March 2026

1. Introduction

1.1. This Privacy Policy (“Policy”) explains how Quad (“we”, “us”, “our”, or the “Company”) collects, uses, stores, discloses, and protects your personal information when you use the Quad mobile application (“App”) and all related services (collectively, the “Service”).

1.2. We are committed to protecting your privacy and handling your personal information in compliance with the Privacy Act 2020 (New Zealand) and the Information Privacy Principles (“IPPs”) contained therein.

1.3. This Policy should be read together with our Terms of Service. Terms defined in the Terms of Service have the same meaning in this Policy unless otherwise stated.

1.4. By creating an account or using the Service, you acknowledge that you have read and understood this Policy and consent to the collection, use, and disclosure of your personal information as described herein.

2. Who We Are

2.1. Quad is a mobile application designed primarily for university students in New Zealand. We provide timetable management, event discovery, community forums, course reviews, career boards, and social features.

2.2. Quad is a personal project and is not a registered company (no NZBN). For the purposes of the Privacy Act 2020, Quad is the “agency” responsible for the personal information collected through the Service.

2.3. Contact Details:

Email: privacy@quadapp.nz
General enquiries: support@quadapp.nz
Location: Auckland, New Zealand

3. Personal Information We Collect

We collect the following categories of personal information:

3.1. Information You Provide Directly

(a) Account Registration Information:

Data	When Collected	Required?
Email address	Sign-up	Yes
Username	Sign-up	Yes
Password	Sign-up (email registration)	Yes (email accounts)
Academic year	Sign-up	Yes
Study programme(s) / Faculty	Sign-up	Yes
Marketing consent preference	Sign-up	Yes (response required)
Account role	Automatically assigned	Automatic (user or administrator)
Authentication type	Sign-up	Automatic (email, Google, or Apple)

(b) Profile Information:

Data	When Collected	Required?
Profile image	User-initiated upload	No

(c) User-Generated Content:

Data	When Created
Community posts (title and content; we also track view counts)	When you create a post
Community group memberships	When you join a community
Comments on posts	When you comment
Course reviews (including overall score, ratings for quality, enjoyment, difficulty, workload, exam format, semester taken, and your anonymity preference)	When you submit a review
Career board posts (including optionally: your preferred name, company/employer name, job title, graduation year, area of study, LinkedIn profile URL, and an uploaded image; we also track view counts)	When you create a career post
Career board comments	When you comment on career posts
Likes on posts, comments, reviews, and career posts	When you interact
Content reports (the type and identity of the reported content, your user ID as the reporter, the reason you provided, and the date)	When you report content
In-app notification records (notification type, message content, read/unread status, and timestamps)	When notifications are generated
Timetable and class enrolment records (which classes you are enrolled in, enrolment status, and timestamps)	When you load or sync your timetable
Cookie (in-app reward) balance and detailed transaction history (amount, reason, associated reference, resulting balance, and timestamp)	When you earn or spend cookies
Club administration records (if you are designated as a club administrator)	When you are assigned an admin role

(d) Social and Preference Data:

Data	When Collected
Friend requests and connections	When you send/accept friend requests
Event reminder subscriptions	When you subscribe to event reminders
Timetable sharing consent	When you toggle timetable sharing
Timetable colour scheme preference	When you customise settings
Account deletion reason	When you delete your account (optional)

3.2. Information Collected Through Third-Party Authentication

(a) Google OAuth 2.0

When you sign in using Google OAuth 2.0, we receive the following from Google:

Email address (the only field we extract and store)

We send your Google access token to Google’s API endpoint (googleapis.com/oauth2/v2/userinfo) to retrieve your email address. Our Google OAuth integration requests both email and profile scopes from Google. Although Google transmits profile data (such as your name, profile picture URL, and locale) as part of the OAuth flow, we discard this data and only extract and store your email address.

(b) Apple Sign-In

When you sign in using Apple Sign-In, we receive the following from Apple:

Email address (extracted from Apple’s identity token)

Apple provides an identity token (JWT) which we verify and decode server-side to extract your email address. Apple Sign-In requests email and fullName scopes. Although Apple may transmit your full name as part of the sign-in flow, we discard this data and only extract and store your email address. Apple may provide a private relay email address if you choose to hide your email.

When you sign up via Google OAuth or Apple Sign-In, a system-generated credential is created internally for account management. You do not need to use or remember this credential.

3.3. Information Collected Automatically

(a) Device and Technical Data:

Data	Purpose
Push notification token (Expo)	Delivering event reminder notifications
Device type (iOS, Android, or web)	Ensuring correct notification delivery
Authentication tokens (JWT)	Session management; tokens contain your email address as an encoded (but not encrypted) claim — while signed to prevent tampering, the email within a token can be read by decoding it
Email verification codes	Account verification (temporary)
Event interaction data (aggregated impression and click counts per event)	Service improvement and analytics

(b) On-Device Storage:

The App stores the following data locally on your device:

Data	Storage Method	Storage Key	Sensitive?
Access token (JWT, contains your email address)	expo-secure-store (encrypted device storage)	`munchys_access_token`	Yes
Refresh token (JWT, contains your email address)	expo-secure-store (encrypted device storage)	`munchys_refresh_token`	Yes
Timetable data (your enrolled classes for the current week, including class names, times, locations, course codes, and cache validity metadata)	AsyncStorage (unencrypted)	`@munchys:timetable-store`	No
Timetable loaded flag	AsyncStorage (unencrypted)	`@munchys:me-store`	No

Note: The storage key prefix @munchys / munchys_ is an internal identifier and refers to the Quad application.

Important: Authentication tokens are stored using expo-secure-store, which uses the device’s native secure storage (Keychain on iOS, EncryptedSharedPreferences on Android). Non-sensitive cached data (timetable) is stored using AsyncStorage, which is unencrypted. On Android devices, AsyncStorage data is stored within the app’s sandboxed directory. On iOS, data is stored in the app’s Documents directory, which is sandboxed but may be included in device backups. We recommend that you enable device-level encryption and secure your device with a passcode.

3.4. Information We Do Not Collect

We do not collect:

precise geolocation data;
contacts or address book data;
biometric data;
financial or payment card information;
date of birth (we rely on self-declaration of age); or
health or medical information.

4. How We Collect Your Information (IPP 3 and IPP 4)

4.1. Directly from you. We collect most personal information directly from you when you:

create an account;
update your profile;
post content, reviews, or comments;
interact with other users (friend requests, likes);
subscribe to event reminders;
contact us for support; or
delete your account.

4.2. From third parties. We collect your email address from Google when you authenticate using Google OAuth 2.0, or from Apple when you authenticate using Apple Sign-In.

4.3. Automatically. We automatically collect device push notification tokens when you grant notification permissions, and authentication tokens are generated automatically during sign-in.

4.4. Manner of collection. We collect personal information by lawful and fair means, and in a manner that is not unreasonably intrusive. We only collect information that is necessary for the purposes described in Section 5.

5. Why We Collect and Use Your Information (IPP 1 and IPP 10)

5.1. We collect and use your personal information for the following purposes:

Purpose	Legal Basis	Data Used
(a) Account creation and management	Necessary for providing the Service	Email, username, password, year, studies
(b) Authentication and security	Necessary for providing the Service	Email, password, tokens, Google OAuth data, Apple Sign-In data
(c) Providing core features	Necessary for providing the Service	Posts, reviews, comments, likes, friend connections, timetable data, event reminders
(d) Push notifications	Your consent (opt-in)	Push token, device type, event details
(e) Email communications	Necessary for providing the Service	Email address, verification codes
(f) Content moderation	Legitimate interest in maintaining safe environment	Review text content (sent to OpenAI for automated moderation)
(g) Service improvement and analytics	Legitimate interest	Account deletion reasons, usage patterns, aggregated event interaction data (impression and click counts)
(h) Marketing communications	Your consent (opt-in at sign-up)	Email address
(i) Legal compliance	Required by law	Account data as needed

5.2. Automated Content Moderation. When you submit a course review, the text of your review may be sent to OpenAI’s API for automated content moderation. This processing checks your review text against our acceptable use standards (e.g., detecting profanity or harmful content). Only the review text is sent to OpenAI; no other personal information (such as your email, username, or user ID) is included in the request. We currently use the gpt-3.5-turbo model for review content moderation and the gpt-4o model for event data extraction from publicly sourced event posters. Per OpenAI’s API data usage policy, data sent via the API is not used to train OpenAI’s models.

5.3. We will not use your personal information for purposes other than those described in this Policy, unless we obtain your consent or are otherwise permitted or required to do so under the Privacy Act 2020 (IPP 10).

6. Disclosure of Your Information (IPP 11)

6.1. Other Users. When you use the Service, certain information is visible to other users:

Data	Visibility
Username	All users (on posts, comments, reviews, friend lists)
Profile image	All users
Posts and comments	Members of the relevant community; or all users for public communities
Course reviews	All users (or anonymised if posted anonymously)
Career posts and comments	All users
Friend status	Mutual friends
Timetable	Only friends (if you have enabled timetable sharing consent)

6.2. Third-Party Service Providers. We share personal information with the following third-party service providers who assist us in operating the Service:

Provider	Data Shared	Purpose	Location
Amazon Web Services (AWS) S3	Profile images, event poster images, career post images	Cloud file storage	ap-southeast-2 (Sydney, Australia)
Google OAuth 2.0	Google access token (from you to Google); email address (from Google to us)	Account authentication	United States
Apple Sign-In	Apple identity token (from you to Apple); email address (from Apple to us via identity token)	Account authentication	United States
Google Cloud Vision API	Publicly available event poster images	Optical character recognition (OCR) for event data extraction	United States
OpenAI API	Review text content only (no personal identifiers); publicly available event poster text and captions	Automated content moderation (reviews); event data extraction (events)	United States
Expo Push Notification Service	Push tokens, notification title, body, and event ID	Delivering push notifications	United States
Google Gmail SMTP	Recipient email address, verification code	Sending email verification and password reset emails	United States
Rork SDK (build-time tool)	Project identifier (no user personal data)	Development tooling; includes PostHog analytics relay that is not active in production builds	United States

6.3. No Sale of Personal Information. We do not sell, rent, or trade your personal information to third parties for their marketing or commercial purposes.

6.4. Law Enforcement and Legal Requirements. We may disclose your personal information if required or permitted to do so by law, regulation, legal process, or governmental request. We may also disclose information where we believe in good faith that disclosure is necessary to:

(a) comply with applicable law or a court order;
(b) protect the safety of any person;
(c) prevent fraud or other illegal activity; or
(d) protect our rights or property.

6.5. Business Transfers. If Quad is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

6.6. Anonymous and Aggregated Data. We may create anonymous or aggregated data from your personal information by removing information that identifies you. We may use and disclose such anonymous or aggregated data for any purpose, as it is no longer personal information under the Privacy Act 2020.

7. Cross-Border Disclosure of Personal Information (IPP 12)

7.1. Some of your personal information is transferred to, and processed in, countries outside New Zealand by our third-party service providers:

Destination	Provider	Data Transferred
Australia (ap-southeast-2, Sydney)	AWS S3	Profile images, event poster images, career post images
United States	Google (OAuth, Gmail SMTP, Cloud Vision)	Email address, verification codes, event poster images
United States	Apple (Sign-In)	Email address (via identity token)
United States	OpenAI	Review text content, event poster text and captions
United States	Expo	Push tokens, notification content

7.2. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient:

(a) is subject to privacy laws that provide comparable safeguards to the Privacy Act 2020;
(b) is subject to binding contractual obligations that protect your personal information; or
(c) has consented to handling the information in accordance with the Privacy Act 2020.

7.3. The countries to which we transfer data (Australia and the United States) have privacy frameworks that we consider to provide adequate protections. Australia has the Privacy Act 1988 (Cth), and the United States has sector-specific privacy laws along with contractual protections provided by our service providers.

7.4. By using the Service, you acknowledge and consent to the transfer of your personal information outside New Zealand as described in this Section. You have the right to withdraw this consent at any time by deleting your account, but this will result in the termination of the Service.

8. How We Store and Protect Your Information (IPP 5)

8.1. Storage Locations

Data	Storage Location	Details
Account and activity data	MySQL database	Hosted server infrastructure
Cached data	Redis (in-memory cache)	Hosted within our server infrastructure; temporary and not persisted to disk
Profile images	AWS S3 (ap-southeast-2)	Sydney, Australia region
Authentication tokens (JWT)	Server-side (refresh tokens in database); client-side (access and refresh tokens on device)	Encrypted in transit
Push notification tokens	MySQL database	Server-side
Email verification codes	MySQL database	Temporary; deleted after registration

8.2. Security Measures

We implement the following technical and organisational measures to protect your personal information:

(a) Encryption and Hashing:

For email-based accounts, passwords are hashed using BCrypt (industry-standard one-way hashing algorithm) before storage.
For Google OAuth and Apple Sign-In accounts, a system-generated credential is created for internal account management. This credential is hashed using BCrypt and cannot be used for authentication by the user.
Authentication tokens are signed using HMAC-SHA256 with a secret key.
Data in transit between the App and our servers is encrypted using HTTPS/TLS.

(b) Access Controls:

JWT (JSON Web Token) authentication with 1-hour access token expiry.
Refresh tokens with 30-day expiry, stored server-side.
HttpOnly cookies for access tokens (preventing JavaScript-based token theft).
Secure cookie flag enabled in production (HTTPS-only).
CORS (Cross-Origin Resource Sharing) restrictions to authorised domains only.

(c) Account Security:

Password requirements: 8 to 13 alphanumeric characters, must contain at least one letter and at least one number.
Email verification required for new accounts.
Deleted accounts are blocked from authentication.

(d) Notification Security:

Push notification tokens are deactivated automatically when delivery fails (e.g., invalid or expired tokens).
Push token prefixes are logged for debugging; full tokens are not logged.

8.3. Security Limitations

While we take reasonable steps to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data. In particular:

Authentication tokens are stored in encrypted device storage (expo-secure-store), which uses Keychain (iOS) and EncryptedSharedPreferences (Android).
Non-sensitive cached data (timetable) is stored in unencrypted AsyncStorage within the App’s sandboxed directory. We recommend enabling device-level encryption.
Cached data may persist on your device until the App is uninstalled or the cache is cleared.

9. How Long We Keep Your Information (IPP 9)

9.1. We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

9.2. Retention Periods

Data	Retention Period	Trigger for Deletion
Active account data (email, username, year, studies)	Duration of account	Account deletion
Password hash	Duration of account	Account deletion (retained in soft-deleted record)
Profile image (AWS S3)	Indefinite (see note below)	Profile images are not currently automatically deleted from cloud storage when reset, replaced, or when your account is deleted; we are working to implement automated deletion
Access tokens (JWT)	1 hour	Automatic expiry
Refresh tokens	30 days	Automatic expiry; replaced on token refresh
Email verification codes	Until registration completes	Deleted upon successful completion of account registration; if registration is not completed, the code may persist
Push notification tokens	While active	Deactivated on delivery failure; removed on token unregistration
Posts, comments, reviews	Indefinite	User deletion (individual) or account deletion (anonymised)
Likes and interactions	Indefinite	Preserved after account deletion
Friend connections	Duration of connection	When either party unfriends or deletes their account
Event reminder subscriptions	Until event passes or user unsubscribes	User action or event completion
Cookie (reward) transaction logs	Indefinite	Not currently subject to automated purge
Account deletion reasons	Indefinite	Retained for service improvement

9.3. Account Deletion

When you delete your account:

(a) Data that is anonymised:

Your username is replaced with “DeletedUser_[ID]”

(b) Data that is deactivated:

Your account is marked with a deletion timestamp and you can no longer sign in

(c) Data that remains (with retention periods):

Your email address remains in our database for up to 90 days after deletion, after which it is purged
Your posts, comments, reviews, and likes remain on the Service but are attributed to the anonymised username
Your account deletion reason (if provided) is retained
Profile images on AWS S3 are scheduled for deletion within 30 days of account deletion
Push notification tokens may remain until they expire or are deactivated by delivery failure
Friend connections remain (displaying your anonymised username)
Community memberships, event reminder subscriptions, and in-app notification history are retained
Cookie (reward) transaction logs are retained

(d) Data that expires naturally:

Access tokens expire after 1 hour
Refresh tokens expire after 30 days

9.4. We will take reasonable steps to destroy or de-identify personal information that is no longer needed for any purpose for which it may lawfully be used, in accordance with IPP 9.

10. Your Rights Under the Privacy Act 2020

10.1. Right of Access (IPP 6)

You have the right to request access to the personal information we hold about you. To make an access request:

Email us at: privacy@quadapp.nz
We will respond within 20 working days of receiving your request, as required by the Privacy Act 2020.
We may ask you to verify your identity before processing your request.

We may refuse access in limited circumstances as permitted by the Privacy Act 2020, including where:

(a) disclosure would endanger the safety of any person;
(b) disclosure would involve the unwarranted disclosure of the affairs of another person; or
(c) the information is subject to legal privilege.

If we refuse access, we will provide you with the reasons and inform you of your right to complain to the Privacy Commissioner.

10.2. Right of Correction (IPP 7)

You have the right to request correction of any personal information we hold about you that is inaccurate, incomplete, or misleading.

Self-service corrections: You can update the following information directly through the App:

Username (Profile > Edit Profile > Username)
Academic year (Profile > Edit Profile > Year)
Study programmes (Profile > Edit Profile > Studies)
Profile image (Profile > change photo)

Corrections requiring our assistance: For other corrections (e.g., email address), please contact us at privacy@quadapp.nz.

We will respond to correction requests within 20 working days. If we decline to correct information, we will give you our reasons and attach a statement of the correction you requested to the information.

10.3. Right to Complain

If you believe we have breached the Privacy Act 2020 or mishandled your personal information, you may:

(a) contact us directly at privacy@quadapp.nz to resolve the issue;
(b) lodge a complaint with the Office of the Privacy Commissioner of New Zealand:
- Website: https://privacy.org.nz
- Phone: 0800 803 909
- Email: enquiries@privacy.org.nz

10.4. Right to Withdraw Consent

Where we process your personal information based on your consent, you may withdraw that consent at any time:

Push notifications: Disable via your device settings or the App
Marketing communications: Contact us at privacy@quadapp.nz
Timetable sharing: Toggle off timetable consent in the App
Account and all data processing: Delete your account via Profile > Delete Account

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

11. Children’s Privacy

11.1. The Service is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. During account registration, users are required to confirm that they are at least 16 years of age.

11.2. If you are between 16 and 18 years of age, you must have the consent of a parent or legal guardian to use the Service.

11.3. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information as soon as reasonably practicable.

11.4. If you are a parent or guardian and believe your child under 16 has provided personal information to us, please contact us at privacy@quadapp.nz.

12. Cookies and Tracking Technologies

Note: This section refers to browser cookies (small data files stored by your web browser) and device-local storage. The in-app “cookies” that you earn and spend as rewards are a gamification feature unrelated to browser cookie technology.

12.1. Browser Cookies

When accessing the Service through a web browser (if applicable), we use the following cookie:

Cookie Name	Purpose	Type	Duration	Attributes
`accessToken`	Session authentication	Functional (essential)	1 hour	HttpOnly, Secure (production), SameSite=None (production) / Lax (development), Path=/, Domain=quadnz.com (production)

This cookie is essential for the operation of the Service and cannot be disabled while using the Service. It does not track you across third-party websites.

12.2. No Third-Party Tracking

We do not use:

third-party analytics cookies (e.g., Google Analytics);
advertising or targeting cookies;
social media tracking pixels; or
any other third-party tracking technologies.

12.3. Local Storage on Your Device

The App uses expo-secure-store (encrypted device storage) for authentication tokens and AsyncStorage for non-sensitive cached data, as described in Section 3.3(b). This data is stored within the App’s sandboxed environment and is not accessible to other applications on your device (subject to the security limitations noted in Section 8.3).

13. Automated Decision-Making

13.1. Automated Content Moderation. We use automated systems, including third-party artificial intelligence services (OpenAI), to assist with content moderation of course reviews. When you submit a review, the text may be automatically analysed for compliance with our acceptable use standards.

13.2. How It Works. Your review text is sent to OpenAI’s API, which returns a determination of whether the content meets our standards. No personal identifiers are included in the request to OpenAI.

13.3. Human Oversight. Automated moderation decisions are subject to human review. If your review is flagged or rejected by the automated system, you may contact us at support@quadapp.nz for a manual review.

13.4. Your Rights. If you believe an automated decision has been made incorrectly, you have the right to:

(a) request a human review of the decision;
(b) express your point of view; and
(c) challenge the decision.

14. Event Data Collection

14.1. The Service displays event information curated from publicly available posts by university clubs and organisations, with the knowledge and permission of those clubs.

14.2. Event Data Processing:

(a) Event poster images and captions are sourced from publicly available profiles of university clubs that have given us permission to feature their events.
(b) Images are processed using Google Cloud Vision API (OCR) to extract text from event posters.
(c) Extracted text and captions are analysed using OpenAI (gpt-4o model) to classify posts as events and extract event details (dates, times, fees, etc.).
(d) All events are reviewed and approved by the Quad team before being published in the App.
(e) Processed event poster images are stored on AWS S3.

14.3. This process handles publicly available information from club and organisation accounts and does not involve the processing of personal information of our users. If you are a club or organisation representative and have concerns about how your event information is displayed, please contact us at support@quadapp.nz.

15. Marketing Communications

15.1. During registration, you may opt in to receive marketing communications from us.

15.2. Marketing consent is optional and is not a condition of using the Service.

15.3. You may withdraw your marketing consent at any time by contacting support@quadapp.nz.

15.4. Withdrawal of marketing consent does not affect your access to or use of the Service.

16. Email Communications

16.1. We send the following types of emails:

Type	Purpose	Can You Opt Out?
Email verification	Confirm your email during registration	No (required for account creation)
Password reset	Send verification code for password recovery	No (security-related)
Marketing	Promotional communications (if opted in)	Yes (contact privacy@quadapp.nz)

16.2. Emails are sent through Google Gmail SMTP services. Your email address and the email content (verification codes) are transmitted to Google’s servers in the United States for delivery.

16.3. We do not share your email address with any third parties for their marketing purposes.

17. Data Breach Notification

17.1. In the event of a notifiable privacy breach — that is, a breach that it is reasonable to believe has caused, or is likely to cause, serious harm to affected individuals — we will:

(a) notify the Office of the Privacy Commissioner as soon as practicable in accordance with the Privacy Act 2020;
(b) notify affected individuals as soon as practicable, providing details of the breach and the steps they can take to protect themselves; and
(c) take immediate steps to contain the breach and mitigate any harm.

17.2. We maintain incident response procedures to detect, investigate, and respond to data breaches promptly.

18. Changes to This Privacy Policy

18.1. We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable law.

18.2. When we make material changes, we will:

(a) update the “Last Updated” date at the top of this Policy;
(b) notify you through the App (via in-app notification or prompt) at least 14 days before the changes take effect; and
(c) where required by law, obtain your consent to the updated Policy.

18.3. We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy.

19. How to Contact Us

General Privacy Enquiries

Email: privacy@quadapp.nz
Location: Auckland, New Zealand

Access and Correction Requests

Email: privacy@quadapp.nz
Response time: Within 20 working days

Complaints

Email: privacy@quadapp.nz (we will acknowledge your complaint within 5 working days)

Office of the Privacy Commissioner (New Zealand)

Website: https://privacy.org.nz
Phone: 0800 803 909
Email: enquiries@privacy.org.nz
Post: PO Box 10094, The Terrace, Wellington 6143, New Zealand

Harmful Digital Communications

Netsafe: https://netsafe.org.nz
Phone: 0508 NETSAFE (0508 638 723)

20. Information Privacy Principles (IPP) Reference

For your reference, this Policy addresses the following Information Privacy Principles under the Privacy Act 2020:

IPP	Principle	Where Addressed
IPP 1	Purpose of collection	Section 5
IPP 2	Source of personal information	Sections 3, 4
IPP 3	Collection of information from individual	Section 4
IPP 4	Manner of collection	Section 4.4
IPP 5	Storage and security	Section 8
IPP 6	Access to personal information	Section 10.1
IPP 7	Correction of personal information	Section 10.2
IPP 8	Accuracy of personal information	Sections 10.2, Terms of Service 3.3
IPP 9	Retention of personal information	Section 9
IPP 10	Limits on use of personal information	Section 5.3
IPP 11	Limits on disclosure	Section 6
IPP 12	Disclosure outside New Zealand	Section 7
IPP 13	Unique identifiers	Not applicable (we do not assign government-issued unique identifiers)