Privacy policy.
What we collect, where it lives, who gets to see it, and how to get it back. Plain English first, the legal version where it matters.
Last updated: 15 May 2026
1. Who we are
Mahi Time is a scheduling and booking platform operated by Mahi Time Limited, a company incorporated in New Zealand. We sell our service to businesses (our "Customers") in New Zealand and Australia. This policy applies to everyone whose data passes through Mahi Time: our Customers, their staff, and their own clients.
We are bound by the New Zealand Privacy Act 2020 and the Australian Privacy Act 1988. If anything in this policy reads more restrictively than the law requires, the stricter standard wins.
2. What we collect
To run a booking platform we need to hold three categories of data:
- Account data from the Customer signing up: business name, your name, email, mobile number, billing address, and the password you set. If you opt into the AI Voice Agent, we also hold the voice persona configuration you choose.
- Operational data generated as you use the product: appointments, customer profiles, service catalogues, staff rosters, payment records, SMS and email logs, voice agent transcripts, and usage events (which buttons get clicked, which features get used).
- Technical data captured automatically: IP address, browser type, device, time zone, and the URLs visited within the admin panel. Used for security, debugging, and product analytics.
We do not collect biometric data, health records beyond the free-text notes you choose to write on a customer profile, or any "special category" data unless you put it there yourself.
3. Why we collect it
- To provide the booking and scheduling service you signed up for.
- To send transactional messages (booking confirmations, reminders, password resets).
- To take payment for your Mahi Time subscription (and to pass on, but never hold, the payment data your own customers give you).
- To detect abuse, fraud, and security issues.
- To improve the product: fix bugs, optimise slow queries, find features people actually want.
- To meet legal obligations (tax records, regulatory disclosures).
We never sell your data. We never share it with advertisers. We will never email your customers to promote our own product, your competitors, or anyone else.
4. Who we share it with
To run the product we use sub-processors. Each handles a specific piece of the puzzle and is contractually limited to what they need.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Hosting and backups | Sydney, Australia |
| Stripe | Online card payments and Mahi Time subscription billing | Global, processed in AU/US |
| Windcave | Optional in-store EFTPOS terminal processing | New Zealand |
| SMSGlobal | SMS sending (reminders, confirmations, verification codes) | Australia |
| Postmark | Transactional email (confirmations, password resets, campaigns) | United States |
| | Optional two-way calendar sync, OAuth login on the admin panel | Global |
| ElevenLabs | Voice synthesis for the AI Voice Agent add-on | United States |
| OpenAI | Language model behind the AI Voice Agent add-on | United States |
For Stripe and Windcave: we never see or store full card numbers. They are handled by Stripe and Windcave under PCI-DSS compliance. We hold only the last four digits and a tokenised reference so receipts can be matched back to a payment.
5. Where it lives
Your live data sits in AWS Sydney (ap-southeast-2). Nightly backups stay in the same region. Some sub-processors (Postmark, ElevenLabs, OpenAI) are based in the United States; data sent to them is encrypted in transit and stays only as long as needed to do the job.
6. How long we keep it
- Account active: indefinitely, while you're using the product.
- Payment and booking records: 7 years after account closure, to satisfy NZ tax law (Inland Revenue Act requires this).
- Voice agent transcripts and recordings: 30 days, then permanently deleted.
- SMS and email message bodies: 6 months, then permanently deleted.
- Backup snapshots: rolling 30-day window.
If you close your account, you can request immediate deletion of everything except records we are legally required to keep.
7. Your rights
Under NZ and AU privacy law you can:
- Access the data we hold about you. Log in and you can already see most of it; email us for anything you can't see in the UI.
- Correct anything inaccurate.
- Export your data in CSV (built into the admin panel) or via our REST API at any time.
- Delete your account and the data attached to it.
- Complain to the NZ Privacy Commissioner (privacy.org.nz) or the OAIC (oaic.gov.au) if you think we've mishandled something.
8. Cookies
We use a single first-party session cookie to keep you signed in. That's it. No tracking pixels, no advertising cookies, no third-party analytics that follow you across the web. The admin panel uses a CSRF token cookie as a security measure, which is also first-party and required for the app to work.
9. Children
Mahi Time is a B2B product. We do not knowingly collect data from anyone under 16. If a customer profile in your account is for a minor, the legal basis for processing that data is the consent of their parent or guardian given to you, not to us.
10. Changes to this policy
If we change anything material, we'll email every active account at least 14 days before the change takes effect. The "last updated" date at the top of this page is the source of truth.
11. Contact
Questions, requests, or anything privacy-related:
- Email: privacy@mahitime.com
- Post: Mahi Time Limited, Auckland, New Zealand
We aim to respond to every privacy request within 5 business days.