Privacy Policy

Effective date: 24 May 2026 · Last updated: 24 May 2026

This Privacy Policy describes how Gnosis Limited ('Gnosis', 'we') collects, uses, stores, and shares personal information when you visit gnosis.ltd, use the Gnosis web application at app.gnosis.ltd, or otherwise interact with our services. Written in plain English by design.

If you're in a hurry: we collect the minimum needed to run your account, we don't sell your data, we don't train AI on your contract content, and you can email us at info@gnosis.ltd any time to ask about or correct what we hold on you.

Section 1 — Who we are

Gnosis Limited is a New Zealand company. We build and operate Gnosis, a contract administration assistant for civil engineering and construction.

  • Registered name: Gnosis Limited
  • NZBN: 9429050876716
  • GST registration: 137044315
  • Registered office: 99 Victoria Street, Hamilton, New Zealand 3204
  • Primary contact: info@gnosis.ltd
  • Privacy enquiries: info@gnosis.ltd

Section 2 — What personal information we collect

We collect personal information that you provide directly and information generated automatically when you use Gnosis.

Information you provide directly

  • Account information when you sign up: your name, email address, password (stored as a salted hash — we never see the original), optional company name, optional role title.
  • Single Sign-On (SSO) information if you sign in with Google or Microsoft: your name and email address as returned by the identity provider. We do not access your Google or Microsoft account data beyond this.
  • Contract content you upload, type, or generate while using Gnosis: contracts, schedules of rates, variations, payment claims, RFIs, notices, NCRs, transmittals, attachments, comments, and any other content you produce in the app. This is treated as your data, not ours. See §4 below.
  • Communications you send us: emails, support tickets, contact form submissions, replies to our emails.
  • Payment information when you subscribe: payment is handled by Stripe (see §5 sub-processors). We never see your credit card details. We do see and store the Stripe Customer ID, Subscription ID, and metadata about your subscription (currency, price tier, quantity, status).

Information collected automatically

  • Usage data about how you use the app: login times, in-app actions, feature usage. Used to improve the product and diagnose bugs. Aggregated wherever possible.
  • Device and browser data: browser type, operating system, screen size, language preference, IP address (used for security and to detect unusual access).
  • Cookies and similar technologies: see our Cookie Policy for details.
  • Tracking pixels on the marketing site (gnosis.ltd) for advertising and analytics: Google Tag Manager, Google Analytics, Facebook Pixel, LinkedIn Insight Tag. Pixels are not active inside the app at app.gnosis.ltd.

Information we do NOT collect

  • We do not scrape or analyse the contents of your contracts beyond what you actively use Gnosis features for (e.g. AI extraction of a payment claim you uploaded).
  • We do not use your contract content to train AI models.
  • We do not collect government identification numbers, biometric data, health information, or other sensitive categories unless you upload them inside your contract documents (in which case they are treated as part of your contract content per §4).

Section 3 — How we use it

We use the personal information we collect to:

  • Provide the service — create and run your account, process subscriptions, dispatch notifications, generate PDFs, run AI extractions you initiate, route approval workflows, send password-reset and signup-verification emails.
  • Communicate with you — respond to support tickets, send transactional emails (signup, password reset, billing receipts, approval notifications), and reply to messages you send.
  • Improve the product — analyse aggregated usage to understand which features are working, where bugs occur, and what to prioritise next.
  • Bill you — process subscription payments via Stripe, send invoices and receipts, manage trial periods, sync subscription quantity with the number of active contracts in your workspace.
  • Detect and prevent abuse — investigate suspicious activity, prevent fraud, comply with legal obligations.
  • Send occasional product updates — only if you've opted in via a subscribe checkbox. You can unsubscribe at any time via the unsubscribe link in every such email.

We do not sell your personal information. We do not share it with advertisers. We do not use your contract content for any purpose beyond delivering the service to you.


Section 4 — Your contract content is yours

Anything you upload, create, or generate inside Gnosis — contracts, schedules of rates, variations, payment claims, RFIs, notices, NCRs, transmittals, attachments, comments, PDFs we generate for you — is your data, not ours.

You grant us a limited licence to process your contract content for the sole purpose of providing the service: storing it in our database, displaying it in the app, running AI extractions you initiate, generating PDFs you request, routing approval workflows you submit, dispatching notifications you've configured. We do not use your contract content for any other purpose. We do not train AI models on it. We do not share it with third parties except the sub-processors listed in §5 (and only as needed to deliver the service).

You can export your contract content as PDFs (via the Reports hub) before cancelling. You can request a full data export by emailing info@gnosis.ltd. On account cancellation, your contract content is retained for 30 days (in case you reactivate) then permanently deleted from production and backups within a further 90 days.


Section 5 — Who we share it with (sub-processors)

Gnosis uses third-party service providers ("sub-processors") to deliver parts of the service. Each one processes specific data on our behalf under contract, and only as needed to deliver the function listed.

| Sub-processor | What they do for Gnosis | What data they process | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription management, Customer Portal | Customer ID, subscription metadata, payment method (stored by Stripe, not us) | United States (Stripe global infrastructure) |
| Google LLC (Firebase Authentication) | Sign-up, sign-in, SSO with Google + Microsoft | Email, name, password hash (never the password), SSO tokens | United States (Firebase global infrastructure) |
| Twilio, Inc. (SendGrid) | Transactional email + notifications | Email address, name, subject + body of emails sent on your behalf | United States |
| Railway Corporation | Application hosting (API + App + MySQL database) | All Gnosis data | United States (US West region) |
| Hostinger International Ltd. | Marketing site hosting (gnosis.ltd) | Marketing site visitor data only — not app data | European Union |
| Google LLC (Google Tag Manager, Google Analytics) | Marketing site analytics + advertising | Page views, click events, browser/device fingerprint (no contract data) | United States |
| Meta Platforms, Inc. (Facebook Pixel) | Marketing site advertising attribution | Page views from gnosis.ltd visitors (no contract data) | United States |
| LinkedIn Corporation (Insight Tag) | LinkedIn advertising attribution | Page views from gnosis.ltd visitors (no contract data) | United States |

Each sub-processor is bound by contract to use your data only for the function listed. We review this list periodically and update it here when sub-processors are added or removed.

Sub-processors NOT used:

  • We do not use any AI / LLM service (OpenAI, Anthropic, Google Gemini) outside the strict context of features you actively use (e.g. AI extraction of an Excel file you uploaded — these requests are processed and the prompts/responses are not retained outside your contract content). We do not feed your contract content into general-purpose AI for product improvement.
  • We do not use behavioural ad networks, retargeting platforms, or data brokers.

If a customer requires a written sub-processor list for procurement or DPA purposes, email info@gnosis.ltd and we'll provide it.


Section 6 — Where your data is stored

Gnosis production infrastructure (API, App, MySQL database) runs on Railway, hosted in their US West region. Backups are stored in the same region.

The Gnosis marketing site at gnosis.ltd is hosted on Hostinger, with infrastructure in the European Union.

Payment data is held by Stripe under their own data-residency rules (United States, with EU and other regional infrastructure for non-US customers per Stripe's policy).

When you sign up from outside the United States, your personal information is transferred to and processed in the United States. We rely on standard contractual safeguards with our US-based sub-processors. If you're in the European Union, the United Kingdom, Australia, or New Zealand and want to know more about the specific safeguards in place, email info@gnosis.ltd.


Section 7 — How long we keep it

  • Account information (name, email, password hash, etc.): retained while your account is active. On cancellation, retained for 30 days, then deleted.
  • Contract content: retained while your account is active. On cancellation, retained for 30 days (in case you reactivate), then deleted from production. Backups containing your data are pruned within a further 90 days.
  • Payment records: retained per New Zealand tax and accounting requirements — generally 7 years.
  • Communications you send us (emails, support tickets): retained for 3 years for service-quality and audit purposes, then deleted.
  • Usage and analytics data: retained for 26 months in aggregate; raw event data trimmed within 14 months.
  • Marketing site analytics (Google Analytics, Facebook Pixel data): retained per the respective provider's policy.

Section 8 — Your rights under New Zealand Privacy Act 2020

If you're in New Zealand, the Privacy Act 2020 gives you several rights regarding personal information that Gnosis holds about you:

  • Right to access — you can request a copy of the personal information we hold about you. Email info@gnosis.ltd and we'll respond within 20 working days as required by the Act.
  • Right to correction — if any information we hold about you is inaccurate, incomplete, or out-of-date, you can ask us to correct it. We will correct it or, if we disagree, attach a statement of correction to the record.
  • Right to know what is collected, how it's used, and who it's shared with — this Privacy Policy is intended to satisfy that obligation. If anything is unclear, ask.
  • Right to complain — if you believe Gnosis has breached the Privacy Act 2020, you can complain to us first (we'd appreciate the chance to fix it), and if you're not satisfied, you can complain to the Office of the Privacy Commissioner at privacy.org.nz.

Gnosis treats the Information Privacy Principles (IPPs) of the Privacy Act 2020 as a default minimum standard for all customers regardless of location.


Section 9 — Your rights under Australian Privacy Act 1988 (APPs)

If you're in Australia, the Privacy Act 1988 and the Australian Privacy Principles (APPs) give you the following rights regarding personal information that Gnosis holds about you:

  • Right to access — you can request access to the personal information we hold about you. Email info@gnosis.ltd and we'll respond within 30 days.
  • Right to correction — you can ask us to correct inaccurate information.
  • Right to anonymity / pseudonymity — where practicable; note that running a Gnosis account requires at least a verifiable email address.
  • Notification of overseas disclosure — your personal information is disclosed to sub-processors in the United States (see §5 and §6). We take reasonable steps to ensure those sub-processors comply with the APPs.
  • Right to complain — first to us, then to the Office of the Australian Information Commissioner at oaic.gov.au if not satisfied.

Section 10 — Your rights under US California Consumer Privacy Act (CCPA)

If you're a California resident, the California Consumer Privacy Act gives you the following rights:

  • Right to know what personal information we collect about you, how it's used, and with whom it's shared. This Privacy Policy provides that.
  • Right to delete — you can request deletion of your personal information, subject to specified exceptions (e.g. completing a transaction, complying with legal obligations, ongoing security purposes).
  • Right to opt-out of sale — Gnosis does not sell personal information as defined by the CCPA, so there is nothing to opt out of, but we acknowledge the right.
  • Right to non-discrimination — exercising any of these rights will not result in different service or pricing.

To exercise any CCPA right, email info@gnosis.ltd with "CCPA Request" in the subject. We may need to verify your identity before responding.

The CCPA is the most prominent US privacy law that applies to Gnosis customers. Other US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, etc.) confer similar rights and we honour them where applicable. Email us to ask about your specific state's rights.


Section 11 — Cookies and tracking

Gnosis uses cookies and similar technologies. See our Cookie Policy for full details. Briefly:

  • Strictly necessary cookies on app.gnosis.ltd: session token, CSRF protection, workspace context. Cannot be disabled without breaking the app.
  • Analytics cookies on the marketing site (gnosis.ltd): Google Analytics. You can opt out via Google's opt-out tool.
  • Advertising cookies on the marketing site (gnosis.ltd): Facebook Pixel, LinkedIn Insight Tag. You can opt out via your browser's cookie controls or the respective network's preferences page.

No advertising cookies fire inside the app at app.gnosis.ltd. The app is ad-free.


Section 12 — Children's privacy

Gnosis is not intended for and is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided personal information to us, please contact info@gnosis.ltd and we will delete it promptly.


Section 13 — Security

We take reasonable steps to protect personal information from unauthorised access, modification, disclosure, and loss:

  • SSL / TLS encryption for all data in transit between your browser and Gnosis
  • Internal-only networking for the MySQL database (not exposed to the public internet)
  • Salted password hashes — we never see plaintext passwords
  • SSO via Google and Microsoft, handled through Firebase Authentication (industry-standard OAuth flows)
  • Role-based access control inside the app — workspace scoping ensures teammates only see their workspace's data
  • Audit logs on permission mutations
  • Regular backups
  • Stripe handles all payment card data — Gnosis is not exposed to card details and inherits Stripe's PCI DSS compliance for the payment surface

We are not currently SOC 2 or ISO 27001 certified. SOC 2 Type 1 is planned. Despite the lack of certification, the security building blocks above are in place. For procurement-side security reviews, email info@gnosis.ltd and we'll send the security overview document.

No method of transmission or storage is 100% secure. If a data breach affecting your personal information occurs, we will notify you and the relevant privacy authority as required by applicable law (within 72 hours under NZ Privacy Act 2020 for notifiable breaches, within 30 days for serious breaches under the Australian Notifiable Data Breaches scheme).


Section 14 — Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will:

  • Update the "Last updated" date at the top of this page
  • Post the updated policy at this URL (https://gnosis.ltd/privacy-policy/)
  • Notify active customers by email if the changes are material (i.e. involve new categories of data collection, new sub-processors, new sharing arrangements, or new rights)

We recommend reviewing this policy periodically. Continued use of Gnosis after a material change to this policy constitutes acceptance of the updated policy.


Section 15 — How to contact us

For any privacy enquiry, request, or complaint:

Email: info@gnosis.ltd (subject line: "Privacy request" speeds routing)

Post: Gnosis Limited, 99 Victoria Street, Hamilton, New Zealand 3204

If you're not satisfied with our response:

  • New Zealand: Office of the Privacy Commissioner — privacy.org.nz — 0800 803 909
  • Australia: Office of the Australian Information Commissioner — oaic.gov.au — 1300 363 992
  • United States (California): California Attorney General's Office — oag.ca.gov/privacy
