Privacy Policy

Last Updated: April 1, 2025

This Privacy Policy describes how OwlAI ("we," "us," or "our") collects, uses, and shares your personal information when you use our website, products, and services (collectively, the "Services").

By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.

If you have any questions about this Privacy Policy, please contact us at support@owlai.com.

1. Introduction

1.1 Who We Are

Utogi Ltd ("Company", "we", "us", or "our") operates the Owl AI Service. Our business is based in New Zealand, and we comply with the New Zealand Privacy Act 2020 ("Privacy Act") in respect of the personal information we collect and process. We act as an "agency" (data controller) for personal information that we collect about Users of our Service, and as a "service provider" (or data processor) for personal information that Users input about others (such as clients) insofar as we process it on the User's behalf.

1.2 Purpose of Policy:

This Privacy Policy explains: (a) what information we collect (and from whom); (b) how we use that information and the purposes of processing; (c) how we disclose or share information; (d) international data transfers, including transfer of data to servers or service providers located outside New Zealand (specifically including Singapore); (e) data retention practices; (f) your rights regarding your personal information (access, correction, deletion, etc.); and (g) our measures for security and privacy.

Scope

This Policy covers personal information we collect through the Owl AI web application, our related websites, and communications with Users (such as support emails). It applies to Users of Owl AI who may provide personal data about themselves or others. It does not cover information handled by third-party services that integrate with Owl AI (those services have their own privacy policies). If you are an individual whose data may be input by a User (for example, a client of a real estate agent who is using Owl AI), please note that we primarily process your data on behalf of that User or their agency, and they remain responsible for that data in their account.

2. Information We Collect

We may collect several types of information in the course of operating the Service:

2.1 Account and Contact Information

When you register for Owl AI, we collect personal information such as your name, email address, phone number (if provided), license number or agency details, and login credentials. If you register on behalf of an organization, we may also collect your company or office name and your role/title.

2.2 Profile and Professional Information

You may provide additional information in your profile, such as your job title (e.g., salesperson, branch manager), your region, and any preferences. In the course of using the Service, you might input data about your real estate license status or other accreditation relevant to compliance. This information helps tailor the Service to your needs.

2.3 Compliance Data (User-Provided Content):

The core of Owl AI is to assist with compliance tasks. Therefore, you (the User) may input or upload various data related to real estate transactions or compliance processes. This can include:

  • Property or transaction details (e.g., property addresses, listing information, dates).
  • Client or customer information (names of vendors, purchasers, etc.), which may include personal information about those individuals.
  • Documents or text related to agency agreements, disclosures, contracts, or correspondence (which might include personal or sensitive information).
  • Notes, checklists, or answers to compliance questionnaires (some of which may contain personal opinions or assessments).
  • Any other information you choose to submit to the AI assistant for analysis (e.g., asking a compliance question that includes scenario details).

Important: While you may input personal information about third parties (like clients) for legitimate purposes (e.g., to generate compliance forms), please do not upload excessive or unnecessary personal data that is not needed for the compliance task. We rely on you to ensure you have the right to use any personal information you input (see Terms & Conditions, User Data section).

2.4 Usage Data and Analytics:

We automatically collect certain information about how you access and use the Service:

  • Device and Technical Information: When you use Owl AI, our systems may log information such as your device type, operating system, browser type, IP address, and device identifiers. If you use a mobile device, we might see device model and OS version.
  • Usage Details: We record usage data like the pages or screens you visit, features you use, time spent, error logs, and other interaction information. For example, we may log that you clicked a particular button, or that you used the AI assistant at a certain time.
  • Cookies and Similar Tech: As a web app, Owl AI may use cookies or local storage to store session information, authentication tokens, or preferences on your device. We may also use cookies and third-party analytics tools (like Google Analytics or similar) to collect information about how our website is used, to help us improve the user experience. These cookies may collect anonymized information such as page response times, referral URLs, and aggregate usage patterns. You can set your browser to refuse some cookies, but note that essential cookies (e.g., for login) are necessary for the Service to function.

2.5 Communication Data:

If you communicate with us (e.g., through support emails, chat, or phone), we will collect and retain that correspondence, which may include your contact details and the content of your communications. This helps us address your inquiries and improve our support services.

2.6 Financial and Billing Information:

If you subscribe to a paid plan, our third-party payment processor will collect your payment card details or bank information. We do not store full credit card numbers or bank account numbers on our servers. We may keep records of your transactions: e.g., billing name and address, the last four digits of a card, the payment amounts, and dates. All payment transactions are processed via secure encryption by compliant providers.

2.7 Third-Party Sources:

Generally, we collect personal information directly from you. In some cases, we might collect information from third-party sources: for example, if you integrate Owl AI with another system (like pulling client data from a CRM via API) or if a colleague (e.g., your Compliance Manager) inputs information about you (like adding a salesperson to an organization account). Also, we may obtain or verify certain professional information from public sources, such as verifying your real estate license status against publicly available registers (if needed for eligibility). If we do so, we will comply with any consent requirements.

2.8 Sensitive Information:

Owl AI is not designed to collect sensitive personal information (such as health data, racial/ethnic origin, religious beliefs, or sexual orientation) about individuals, except incidentally if such information appears in compliance records (which is uncommon). We do not require any such sensitive data for our Service. We ask that you avoid inputting highly sensitive personal data into Owl AI unless it is strictly necessary for a compliance matter. We also do not intentionally collect any information about children (individuals under 16) as the Service is for professional use.

3. How We Use Personal Information

We use the collected information for the following purposes, in accordance with the Privacy Act's principles of purpose and use limitation:

3.1 Providing the Service:

First and foremost, we use your information to operate, maintain, and provide you with the features and functionality of Owl AI. This includes:

  • Using your Account Information to create and manage your user account, authenticate you when you log in, and provide customer support.
  • Using Compliance Data and other User inputs to run the AI compliance assistant and generate responses, analysis, or documents as requested. For example, if you input details of a transaction to check compliance, our system processes that data (which may involve algorithmic analysis) and returns a result to you.
  • Remembering your settings and preferences (e.g., saved templates, notification choices) so we can personalize your experience.
  • Enabling internal features like giving your Compliance Manager access to supervise (as described in Terms and below in Section 4.1 of this Policy).
  • Processing transactions and Subscription management (billing, reminders, account status).

3.2 Service Improvement and Development:

We want to make Owl AI better. We may use usage data, feedback, and aggregated insights from user behaviour to:

  • Identify usage trends and popular features, to inform our product development.
  • Debug and troubleshoot errors or issues you encounter. For example, analyzing error logs or crash reports to fix bugs.
  • Conduct research and development on our AI algorithms. Your anonymized inputs and usage patterns help us train and refine our compliance AI models (we do not use identifiable personal information for public AI training, but we might use anonymized or aggregated data to improve our algorithm's accuracy).
  • Test new features or user interface changes (often using dummy data or volunteer users, but real usage stats might guide decisions).
  • Measure the effectiveness of our communications or onboarding (like whether tutorial screens are helpful, based on user completion rates).
  • Any research or analysis is generally done on aggregated or de-identified data when possible. If we generate Aggregated Data (as defined in Terms) for analytical purposes, it will not identify you personally.

3.3 Communications:

We use your contact information to communicate with you:

  • Service and Transactional Messages: Such as email verification, password reset emails, billing invoices or receipts, subscription renewal notices, trial expiration warnings, and important service notices (e.g., security alerts, or significant changes to the Service).
  • Support Responses: If you reach out with a question or issue, we will use your name and email/phone to respond.
  • Announcements and Updates: We may send emails to inform you of new features, maintenance downtime, or policy changes (like updates to this Privacy Policy or Terms). These are not marketing messages but are part of our service communications.
  • Feedback and Surveys: Occasionally, we may request feedback or send surveys to understand your satisfaction and gather suggestions. Responding is optional.
  • Marketing Communications: We may send newsletters or promotions about our Service or related products. However, these will only be sent in accordance with anti-spam laws. If you are in New Zealand, we will ensure compliance with the Unsolicited Electronic Messages Act. You will have the ability to opt out of marketing emails at any time by using the unsubscribe link or contacting us. Transactional or service emails (first bullet above) will still be sent as needed.

3.4 Compliance and Legal Obligations:

We may use (and retain) personal information as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, or protect our legal rights. Examples:

  • Keeping records required by tax laws or financial regulations (e.g., transaction records).
  • Using data to investigate or prevent fraudulent activities or misuse of our Service (security monitoring).
  • Where required, cooperating with lawful requests by government authorities or regulators (e.g., the Real Estate Authority, if they lawfully request information).
  • Enforcing our Terms and investigating potential violations thereof (which might involve reviewing certain user activity or data if we suspect misuse).

3.5 Analytics and AI Processing:

As noted, we use analytics tools to understand how the Service is used (e.g., Google Analytics or our own internal analytics). These tools process usage data to help us with performance monitoring and user experience optimization. We also perform AI processing on the data you input to generate results - this is a core function of Owl AI. In some cases, our AI processing might involve sending data to a secure AI engine or service. For instance, if we utilize a third-party AI platform to power our compliance assistant, your query and relevant context might be sent to that AI service, which then returns a result. We ensure that any third-party AI providers are under appropriate confidentiality and data protection obligations (see section 4 on disclosure). The AI processing is automated, but note that we do not use AI to make final decisions that produce legal effects for you; the outputs are suggestions for you to consider, not binding decisions.

3.6 Aggregated Insights:

We may use information across many users to produce aggregate statistics or insights that do not identify any individual user. For example, "X% of Owl AI users completed an anti-money laundering checklist for each listing" or "The most common compliance query this quarter was about trust account obligations." These help us and the community understand trends. We may publish such insights in marketing or research materials, but they will be anonymized and aggregated.

3.7 Retention of Data (Use Duration):

We will use and retain personal information only for as long as necessary to fulfill the purposes for which it was collected (as described above) or as required by law. More details on retention are provided in Section 6 below. We will not use personal information for any additional purposes that are incompatible with the above, unless we obtain your consent or have a legal basis to do so (for example, a legal requirement or vital interest).

4. Disclosure of Personal Information

We understand the importance of keeping your personal and professional data confidential. We will not sell your personal information to third-party marketers. However, we do need to share certain information with others in the following circumstances:

4.1 Within Your Organization (Compliance Manager Access):

If your Owl AI account is part of an organization account (for example, your agency or brokerage has multiple users on Owl AI), certain data will be shared among the authorized users within that organization:

  • Compliance Manager/Branch Manager: As detailed in the Terms, a Compliance Manager or admin user at your organization may have the right to access data from the accounts of the salespersons they supervise. This includes your compliance activities, entries, and documents on the Service. We facilitate this internal data sharing as part of the Service's functionality. It is up to your organization to manage which personnel have such access. If you are a salesperson, assume that your branch manager or compliance officer can see your work in Owl AI. This is done to meet legal supervision requirements.
  • Team Collaboration: If the Service offers features for collaboration (e.g., sending a compliance task to another team member, or jointly managing a file), the necessary data will be visible to those team members as you direct.
  • We do not disclose your personal information to any other Users of Owl AI outside of your own organization without your direction or consent.

4.2 Service Providers:

We use trusted third-party companies to help us provide and improve the Service. These third parties perform services on our behalf and may need access to personal information to do so. Categories of service providers include:

  • Cloud Hosting and Infrastructure: We may host data (including personal information and User Data) on cloud platforms (such as Amazon Web Services or Microsoft Azure, possibly with servers located in Singapore or other countries). They store and process data under our instructions and implement security.
  • AI and Data Processing Services: We might integrate third-party AI engines or natural language processing services to power the compliance assistant's capabilities. If so, some of your queries or data might be sent to such a service for processing. For instance, if we use an AI API hosted in another country, the content of your question and relevant context data will be transmitted to that AI service and a result returned. We will ensure any such provider is under contract to only use the data for providing the result and not for their own purposes.
  • Analytics Providers: Third-party analytics tools (like Google Analytics) that collect usage data as described. They may set cookies or receive certain usage info (usually IP address and activity info).
  • Email and Communication Tools: Services that facilitate sending emails, in-app messages, or support chats (e.g., an email delivery service, or a customer support ticketing system). They process contact info and message content as needed.
  • Payment Processors: If you pay by credit card or direct debit, a certified payment processor (e.g., Stripe, PayPal, or a bank) will handle the transaction and process your payment details. We only share necessary billing info and receive confirmations.
  • Backup and Storage Providers: We might use secure backup storage or document storage services for redundancy and file handling.
  • Professional Advisors: On occasion, we might need to disclose information to our auditors, attorneys, accountants, or insurers on a confidential basis for advice or compliance (for example, reviewing our practices or in handling a legal dispute).

All our service providers are contractually required to protect personal information and use it only for the purposes of performing services for us, consistent with this Policy and applicable law. We take steps to ensure our providers are compliant with the Privacy Act 2020 (or, where applicable, meet comparable privacy safeguards such as under EU GDPR or Singapore's PDPA if data is transferred there).

4.3 Legal Requirements and Safety:

We may disclose personal information if we, in good faith, believe that such action is necessary to:

  • Comply with the law or legal process: including responding to court orders, warrants, or other requests by government or regulatory authorities (such as the New Zealand Real Estate Authority or the Office of the Privacy Commissioner). If a Compliance Manager or the Real Estate Authority requests access to data under a lawful authority (for instance, exercising powers under the Real Estate Agents Act or for an investigation), we may be legally obligated to provide certain data.
  • Enforce our Terms and Agreements: including investigation of potential violations of our Terms of Service, or to detect, prevent, or address fraud, security, or technical issues.
  • Protect rights, property, and safety: of the Company, our users, or the public as required or permitted by law. For example, disclosing information to prevent harm or in the context of urgent cybersecurity incidents.
  • We will endeavor, to the extent allowed, to notify you if we are compelled to disclose your data to a government or third-party (for instance via subpoena) so that you may have an opportunity to object, unless we are legally prohibited from doing so or if the matter is urgent.

4.4 Business Transfers:

If the Company is involved in a merger, acquisition, reorganization, or sale of all or some of our assets, personal information may be transferred to the acquiring entity or merged with the information of the successor entity. For example, if another company acquires Owl AI or Utogi Ltd, your information will likely be one of the assets transferred. In such an event:

  • We will ensure that the new owner has privacy measures at least as protective as those described in this Policy.
  • We will provide notice on our website or to registered users of the change in ownership and any new privacy policy or changes thereof.
  • If you have an active account, you will have the opportunity to delete your account prior to the transfer if you do not wish your data to be transferred.

4.5 Aggregated or De-Identified Data:

We may share aggregated, anonymized data that cannot reasonably identify any individual or organization. For instance, we might publish reports or share with partners statistical information like "X% of users complete compliance checks in under 1 hour". This data does not contain personal information and is used for industry analysis, academic research, marketing, or other business purposes. This type of data may be shared freely since it poses no privacy risk.

4.6 Outside New Zealand – Cross-Border Transfer:

As outlined further below (Section 5), if we transfer personal information to another country (for example, to a server or provider in Singapore or the United States), we will do so in compliance with Principle 12 of the Privacy Act 2020. Recipients outside New Zealand will either be in jurisdictions with comparable privacy safeguards or will be bound by contractual terms that ensure comparable protection of the personal information. By using the Service, you consent to the transfer of your personal information to countries outside New Zealand as necessary for the purposes described (subject to compliance with the above measures). Except as described in this Policy, we do not share personal information with third parties without your consent.

5. International Data Transfers

5.1 Data Storage Locations:

The personal information we collect may be stored and processed on servers in New Zealand or in other countries. Specifically, we currently utilize reputable cloud infrastructure providers including Amazon Web Services (AWS) in the Australia Region for hosting and core application services, and Cleark, located in the United States, for certain operational and data processing functions. These platforms are selected based on their reliability, security, and alignment with privacy best practices. In addition, some of our other third-party service providers (such as analytics, email, and AI processing tools) may also be located outside of New Zealand, including in the United States, Australia, and potentially the European Union.

5.2 Risks of Overseas Storage:

When personal information is stored or processed outside New Zealand, it may be subject to the legal jurisdiction of those foreign countries. This means that, in rare cases, foreign courts, law enforcement, or national security authorities could potentially obtain access to personal information through their local laws. However, we only transfer information overseas in accordance with this Policy and where we are satisfied that the recipient will protect the information in a manner comparable to the protections under New Zealand law.

5.3 Adequacy and Safeguards (Principle 12 Compliance):

New Zealand's Privacy Act Principle 12 requires that before sending personal information overseas, we take reasonable steps to ensure the recipient is required to protect it in a way that is comparable to New Zealand's privacy protections, unless an exception applies. Our approach includes:

  • Relying on the fact that some jurisdictions (e.g., the European Union) are deemed to offer comparable privacy safeguards.
  • For jurisdictions like the United States and Australia, we apply additional contractual protections, such as standard contractual clauses or data protection agreements, to ensure equivalent safeguards are in place.
  • Where appropriate, we will obtain your consent for an overseas transfer (e.g., if no other legal safeguard applies).
  • We continuously monitor our data flows and ensure encryption is applied to data in transit and at rest.

5.4 By Using the Service:

You consent to your personal information being transferred to and stored in other countries as described in this section, including but not limited to Australia and the United States, with the understanding that we will take all reasonable steps to ensure your data is treated securely and in accordance with this Policy and applicable law. If you have concerns about a particular overseas transfer, please contact us (see Section 11) and we can provide more detail or explore alternatives if available.

5.5 Specific Notes on AWS and Cleark:

Our primary infrastructure is hosted via AWS in the Australia Region, a platform with robust security and privacy controls. We encrypt data in transit and at rest, and AWS is contractually bound to follow our instructions and maintain appropriate safeguards. Additionally, we use Cleark, a third-party provider based in the United States, for specific storage and processing tasks. Cleark is also subject to contractual obligations to protect data under standards comparable to New Zealand's privacy requirements.

5.6 Access from NZ:

Regardless of where data is stored, Utogi Ltd remains based in New Zealand. Our authorized staff in New Zealand (and in any other approved locations) may access and manage the data remotely. All such access is controlled and governed by our internal confidentiality and security protocols.

6. Data Retention and Deletion

6.1 Retention Periods:

We will retain your personal information and User Data only for as long as necessary to fulfill the purposes for which it was collected (as outlined in this Policy) or as required by law. In general:

  • Account Data: We keep your account registration information for as long as your account is active. If you close your account, we will delete or anonymize this information within a reasonable time after closure, except as noted below for legal or business needs.
  • Compliance Data / User-Provided Content: Data that you have entered into the Service (e.g., compliance records, notes, documents) is retained while your account is active so that you can access your historical records. If you delete specific items (e.g., delete a particular report or entry), we will remove it from active databases, though it may remain in backups for a short period. If you or your organization deletes your account or your Subscription lapses, we typically hold onto your data for a grace period (e.g., 30-60 days) in case you reactivate or need a copy. After that, we will begin the process of deleting or anonymizing the data.
  • Communication Data: Emails and support correspondence might be retained for a longer period (even after account deletion) to maintain records of our communications and any support resolutions. These are often stored in our support system or email archives, subject to secure access.
  • Analytics Data: Usage analytics may be retained in aggregated form indefinitely, as it does not identify users. Raw log data with IP addresses may be kept for a shorter period (often a few months) for debugging and then either deleted or anonymized.
  • Financial Records: We retain billing records, invoices, and payment history as long as required for tax and accounting purposes (often at least 7 years under NZ tax law). However, these records contain minimal personal info (e.g., name, company, amount, date).
  • Backup Copies: Our system likely performs regular backups. These backups are retained for disaster recovery for a limited time (e.g., backups might be kept for 30-90 days). Thus, even after data is deleted from live systems, it might persist in encrypted backups until those backups cycle out.

6.2 Legal Hold and Obligations:

We may need to retain certain information longer if required by law or if needed for legal proceedings. For example:

  • If we receive a legal hold notice or are party to a litigation or investigation, we will retain relevant information until the matter is resolved and the hold lifted.
  • If a complaint or dispute is unresolved, we may retain necessary information until it is resolved (e.g., a complaint to the Privacy Commissioner or a disciplinary investigation by the REA related to a user).
  • Certain transaction info will be kept to comply with financial regulations or anti-money laundering laws if applicable.

6.3 Destruction of Personal Information:

When we no longer need personal information and are not required to keep it, we will take steps to securely delete, destroy, or anonymize it. Secure deletion may include erasing electronic files using tools that prevent recovery, and shredding physical documents if any.

6.4 User Requests:

You have the right to request deletion of your personal information (see Section 7.3). Upon such a request, if we cannot find a lawful basis to continue holding the data, we will delete it. Note: if your request pertains to data needed for providing the Service (like your account info) and you still want to use the Service, deletion might not be feasible without closing your account.

6.5 Residual Anonymous Data:

Even after deletion of personal information, some residual data may remain in our systems (for example, in audit logs or backup files) but this data is disassociated from personal identifiers or is in a form that cannot readily be used to identify you.

6.6 Retention Summary:

In summary, we aim not to hold personal data longer than necessary. Our retention schedules are designed to meet business needs and legal requirements while respecting privacy. If you have specific questions about how long certain data is kept, you can contact us (Section 11) for more detail relevant to your case.

7. Your Rights and Choices

As a user of Owl AI and as a data subject under New Zealand law, you have certain rights regarding your personal information. We strive to facilitate the exercise of these rights. This section outlines those rights and how you can exercise them:

7.1 Right to Access:

You have the right to request access to the personal information we hold about you. This is sometimes called a Privacy Act "information request". You can ask us to confirm whether we are processing your personal data, and you can request a copy of that data.

How to Request: To exercise this right, please contact us using the details in Section 11. To help us process your request, please specify what information you would like to access (for example, "all my personal data" or a specific data type like "profile information" or "activity logs from June 2025"). We may need to verify your identity before releasing data to ensure we don't give it to an unauthorized person.

Our Response: We will respond to your access request as soon as reasonably practicable, and in any case within the timeframe required by law (which is usually within 20 working days under the Privacy Act 2020). We will provide you the information in a suitable form (likely electronically). If we lawfully refuse your request (for example, if it would involve disclosing another individual's personal data or is vexatious), we will give you reasons for the refusal and outline how you can complain if you're not satisfied.

7.2 Right to Correction:

You have the right to request correction of personal information that you believe is inaccurate, incomplete, outdated, or misleading.

Scope: This applies to factual personal data we hold about you (e.g., your name, contact details, or records of your interactions). If you find any inaccuracies, you can ask us to correct them.

How to Request: Contact us with the details of what information is incorrect and what the correct information should be. In many cases, you can correct some information yourself by logging into your account (for example, updating your email or profile info). Where self-service is not possible, we will handle it.

Our Response: We will correct the information if we agree it is wrong. If we don't agree that a correction is necessary, we will at your request take reasonable steps to attach a statement of correction sought but not made, so that future readers see your point of view. We will notify you of the action taken on your request.

7.3 Right to Deletion ("Right to be Forgotten"):

Under the Privacy Act, individuals have a right to request deletion of personal information as part of correction if the information is not needed or if retaining it is a breach of the Act. While NZ law doesn't provide an absolute "right to be forgotten" as in some jurisdictions, we honour deletion requests in many cases.

How to Request: You may request that we delete personal information we hold about you, especially if: (a) you have closed your account and want all data removed, (b) the data is no longer necessary for the purpose it was collected, or (c) you initially consented and now wish to withdraw consent (if no other legal ground for keeping it applies).

Conditions: We will delete upon request unless we have a legitimate reason to retain the data (for example, a legal obligation or a compelling business need like an unresolved issue). We'll communicate with you about any such reason. Deletion of certain data may mean you can no longer use the Service (since basic account data is necessary to provide it).

Process: When we delete data, we will remove it from active databases. Backup copies will be removed in the ordinary course of our backup rotation. We will confirm to you when deletion is completed (or, if deletion is only partial due to exceptions, we'll inform you what was not deleted).

7.4 Right to Object or Restrict Processing:

In certain situations, you may have the right to object to or request we restrict certain processing of your data. For example, if we were using your data for direct marketing (which we do minimally), you can opt-out. If you have a dispute over the accuracy of data or our use of it, you can ask us to pause processing (aside from storage) until resolved. While NZ's Privacy Act doesn't explicitly enumerate "object" or "restrict" as separate rights like GDPR, we will as a matter of good practice consider and comply with reasonable requests to cease or limit processing of your personal information if you have a valid objection.

7.5 Withdrawal of Consent:

Where we rely on your consent to process personal data (for instance, if you agreed to a particular optional feature or to receive marketing communications), you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal. To withdraw consent for emails, you can use the "unsubscribe" link in marketing emails or update preferences in your account. For other consents, contact us. Note that if you withdraw consent for core data usage necessary to provide the Service, we may need to deactivate your account.

7.6 Opt-Out of Communications:

You can control certain communications:

Marketing Emails: As mentioned, you can unsubscribe from promotional emails. We will honor such opt-outs promptly.

In-app Notifications: If the PWA sends notifications (like push notifications for tasks), you can typically control these via your device or browser settings.

Cookies: You can manage cookie preferences through your browser settings (to refuse cookies or clear them). Some parts of the Service might not function optimally without certain cookies (especially login/session cookies).

7.7 Non-Discrimination:

We will not discriminate against you for exercising any of these rights. The Service accessible to you will remain the same, except insofar as needed to implement the request (e.g., if you delete data or restrict processing, certain features relying on that data may not work).

7.8 Complaints:

If you believe we have not handled your personal information in accordance with the Privacy Act or this Policy, you have the right to make a complaint. We encourage you to contact us first (Section 11) so we can try to resolve it. If you are not satisfied with our response, you can lodge a complaint with the Office of the Privacy Commissioner in New Zealand. (Website: privacy.org.nz). We will cooperate fully with any inquiries.

7.9 Access by Agents:

If you are a client or third party whose data is input by a User (e.g., an agent), and you come to us to exercise rights, we might need to redirect you to that User (the data controller). For example, if a home seller found out their agent put their info into Owl AI and they want it deleted, we will likely confirm if the agent (our User) agrees, because they control that content. But we will help facilitate such requests in line with our legal obligations.

To exercise any of your rights or for questions about them, please use the contact information in Section 11. We will need to verify identity for potentially sensitive requests to ensure we are dealing with the correct individual (for instance, by asking you to email from your registered address or asking for some identifying info).

8. Analytics and AI Processing Details

8.1 Use of Analytics Tools:

As part of improving our Service, we utilize third-party analytics services (such as Google Analytics or similar) to gather information about how users interact with our platform. These services use cookies or similar technologies to collect usage data (as described in Section 2.4). This data helps us understand website traffic, page usage, and user behavior on the Service. For example, analytics can tell us which guides are most frequently accessed or how users navigate through a compliance workflow.

Data Shared: Typically, anonymized data such as truncated IP address, device type, and usage events. We do not intentionally send personal content from your compliance records to analytics services.

Opt-Out: If you do not want analytics cookies, you can disable cookies in your browser or use Google's opt-out browser add-on (if using Google Analytics). Note that core functionality won't be affected if analytics is disabled.

No Personal Profiling for Ads: We do not use these analytics to serve targeted advertisements to you, nor do we share usage profiles with advertisers. The analytics are purely for our internal understanding and improvement of the Service.

8.2 AI Processing in Service:

The Owl AI PWA uses artificial intelligence algorithms to analyze user-provided information and generate outputs (like compliance tips or document checks). Here's how we handle the data in AI processing:

Input Data: When you submit a query or run a compliance check through the AI assistant, the relevant data (which could include personal info if you included any in the query) is fed into our AI model or an integrated third-party AI service.

Processing: The AI processes this data, which may involve natural language understanding and referencing compliance rules coded into the system. If a third-party AI engine is used (for example, an OpenAI, Microsoft, or other AI API), the data is transmitted securely to that engine. The AI service will return a result (text, analysis, classification, etc.).

Temporary Use: The data transmitted to an AI API might be processed and not retained by the third-party, depending on their policies. We choose providers that contractually commit not to use customers' data to train their general models (unless they've been certified with adequate privacy). For instance, if using OpenAI's API, we would utilize settings that opt out of data being used for their model improvements (per their policy).

Storage of Results: The results returned (which may include summary of input and advice) are stored in your account as part of your records. Both the input and output might be logged for your reference. These logs are protected as any other User Data.

AI Limitations: No automated decision from the AI is binding – it's always up to you to interpret and use it (see Terms disclaimers). Also, we do not do any automated decision-making that has legal or significant effects on individuals without human involvement. The AI might classify a risk as "high" or "low" but that's a tool, not a final decision about you or any person.

8.3 Continuous Learning:

We may use past anonymized user queries and outcomes to refine our AI's knowledge base. For example, if many users ask about a new regulation, we might update the AI to include that. We may review some interactions (anonymously) to improve system responses. Any such review is done by authorized personnel under confidentiality obligations, and primarily we rely on aggregated metrics to improve the AI. We do not individually profile users via the AI or share their query contents outside the company (except via the AI processing as described).

8.4 Automated Emails or Alerts:

Analytics might trigger automated alerts in the product (like "You have not completed X step, please consider doing so"). These are meant to enhance user experience or compliance thoroughness. You can often configure or dismiss these within the app.

8.5 Cookies and Local Storage:

Our use of local storage (including cookies) is minimal and intended for session management (keeping you logged in) and storing preferences (e.g., theme, language). We do not use tracking cookies that follow you outside our site, and we do not engage in cross-site tracking of your activities.

8.6 AI Ethics and Privacy:

We are committed to ensuring our AI's usage aligns with privacy principles:

It will only use your data to assist you and not for unrelated purposes.

We seek to minimize personal data in AI inputs. For instance, instead of inputting a client's full name, you might just say "the client" in queries; where possible, our interface might guide you to avoid unnecessary identifiers.

The AI's outputs should not reveal personal data you didn't provide. It doesn't have an external knowledge of individuals beyond what's input.

If you have concerns about how our AI processes your data, please contact us. We can provide more technical details or adjust how your data is handled, where feasible.

9. Data Security

9.1 Our Commitment:

We take reasonable security safeguards to protect personal information from loss, unauthorized access, use, modification, disclosure, or other misuse, in compliance with Privacy Principle 5 of the Privacy Act and industry best practices.

9.2 Encryption:

All communications with the Owl AI Service are protected by TLS/SSL encryption in transit (HTTPS). This means data you send us via the web app is encrypted while traveling over the internet. We also encrypt sensitive data at rest in our databases (for example, passwords are hashed and never stored in plain text; any sensitive personal identifiers can be encrypted at rest).

Access Control: We employ access controls to restrict who within our organization can access personal data. Staff access is on a need-to-know basis, and only authorized personnel (for example, a support engineer addressing an issue) will access user data, and even then, only what is necessary. Our team accounts are protected with strong authentication (including multi-factor authentication where possible).

Network Security: Our servers are protected by firewalls, and we regularly update systems to patch vulnerabilities. We monitor for suspicious activities on our systems. We use intrusion detection and prevention systems as appropriate.

Backups and Recovery: We maintain routine backups stored securely to prevent data loss. Backup data is encrypted and protected. In case of any data incidents, we have a disaster recovery plan.

Testing and Audits: We periodically test our infrastructure and applications for security weaknesses (including conducting vulnerability scans and perhaps third-party penetration tests). We also review our security policies regularly. If required by clients (especially enterprise customers), we can provide information about our security measures.

9.3 Organizational Measures:

Privacy Training: Our staff are trained on privacy and data security practices. We ensure that those handling personal data understand the importance of protecting it and the procedures to do so.

Privacy Officer: We have designated a privacy officer or responsible person who oversees compliance with privacy obligations within our company.

Confidentiality Agreements: All employees and contractors with access to personal data sign confidentiality agreements and are legally obligated to maintain the privacy of data.

Data Minimization: We only collect data that we need. By reducing unnecessary personal data in our system, we inherently reduce risk.

9.4 User Responsibilities:

Despite our efforts, the security of data also depends on Users:

Account Security: You must keep your login credentials secure. Do not share your password and use a strong, unique password for our Service. We encourage you to enable any additional security features we provide (like 2-factor authentication if offered).

Physical Access: Be aware of who can access your devices. If you leave a computer or device unattended while logged into Owl AI, someone could access your data. Always log out or lock your device.

Phishing Awareness: The Company will never ask you for your password via email or phone. Beware of phishing emails pretending to be Owl AI. Always log in directly via our app or site, not via emailed links unless you trust the source.

Data You Input: Avoid inputting highly sensitive personal data into the Service unless needed. While we secure everything, things like personal ID numbers, financial account details of clients, or health information seldom need to be in a real estate compliance tool. By limiting what you put in, you control what could potentially be exposed in an unlikely breach.

9.5 Data Breach Response:

In the unlikely event of a security breach that leads to unauthorized access, disclosure, or loss of personal information, we have an incident response plan. We will:

Contain and investigate the incident immediately.

Assess the risk and impact, particularly any potential harm to individuals.

Notify affected users and authorities as required by law. Under the Privacy Act 2020, if a breach is likely to cause serious harm, we are required to notify the Office of the Privacy Commissioner and affected individuals as soon as practicable. We will provide details of the breach, what information was involved, and recommendations for users (such as resetting passwords or monitoring accounts).

Take steps to remediate and prevent future incidents (e.g., patching vulnerabilities, enhancing controls).

9.6 No Guarantee:

While we are dedicated to protecting your information, no security measure is 100% infallible. The internet by its nature has risks. Therefore, we cannot guarantee absolute security of your data. However, we will use all reasonable means to protect it and will be transparent with you if any issues arise. If you become aware of any security vulnerability or incident relating to the Service or your account, please notify us immediately via the contact info in Section 11. We appreciate Users helping us in maintaining security.

10. Changes to this Privacy Policy

10.1 Policy Updates:

  • We may modify or update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons.
  • When we make material changes, we will notify users in an appropriate manner:
  • We may post a prominent notice on our website or within the app (for example, a banner or notification).
  • We may also send an email to registered users summarizing the changes if the changes are significant.
  • The "Last Updated" date at the top of this Policy will always indicate when the latest changes were made.

10.2 Your Acceptance:

By continuing to use the Service after any changes to this Policy become effective, you signify acceptance of the updated terms (to the extent permitted by law). If you do not agree to any aspect of a revised Policy, you should discontinue use of the Service and may request deletion of your data.

10.3 Review Frequency:

We undertake periodic reviews of our privacy practices and this Policy. Even if not prompted by a particular change, we might update wording for clarity or comprehensiveness. We encourage you to review this Privacy Policy occasionally to stay informed about how we are protecting your information.

10.4 Historical Versions:

For transparency, we can provide prior versions of our Privacy Policy upon request, or maintain an archive on our site, so you can see how the Policy has evolved.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us. We are here to help and will respond as promptly as possible.

Utogi Ltd (Owl AI) – Privacy Officer

Email: hello@owlai.com

When contacting us about your personal data, please provide sufficient detail so we can assist you (e.g., the email associated with your account, and the specific request). For security, we may need to verify your identity before executing certain requests, as noted. We value your privacy and trust. Any feedback on our privacy practices is welcome. Thank you for entrusting Owl AI with your compliance needs—we are committed to protecting the information you share with us.