Privacy policy.
What we collect, where it lives, who gets to see it, and how to get it back. Plain English first, the legal version where it matters.
Last updated: 27 May 2026
1. Who we are
Mahi Time is a scheduling and booking platform operated by Mahi Time Limited, a company incorporated in New Zealand. We sell our service to businesses (our "Customers") in New Zealand and Australia. This policy applies to everyone whose data passes through Mahi Time: our Customers, their staff, and their own clients.
We are bound by the New Zealand Privacy Act 2020 and the Australian Privacy Act 1988. If anything in this policy reads more restrictively than the law requires, the stricter standard wins.
2. What we collect
To run a booking platform we need to hold three categories of data:
- Account data from the Customer signing up: business name, your name, email, mobile number, billing address, and the password you set. If you opt into the AI Voice Agent, we also hold the voice persona configuration you choose.
- Operational data generated as you use the product: appointments, customer profiles, service catalogues, staff rosters, payment records, SMS and email logs, voice agent transcripts, and usage events (which buttons get clicked, which features get used).
- Technical data captured automatically: IP address, browser type, device, time zone, and the URLs visited within the admin panel. Used for security, debugging, and product analytics.
We do not collect biometric data, health records beyond the free-text notes you choose to write on a customer profile, or any "special category" data unless you put it there yourself.
3. Why we collect it
- To provide the booking and scheduling service you signed up for.
- To send transactional messages (booking confirmations, reminders, password resets).
- To take payment for your Mahi Time subscription (and to pass on, but never hold, the payment data your own customers give you).
- To detect abuse, fraud, and security issues.
- To improve the product: fix bugs, optimise slow queries, find features people actually want.
- To meet legal obligations (tax records, regulatory disclosures).
We never sell your data. We never share it with advertisers. We will never email your customers to promote our own product, your competitors, or anyone else.
4. Who we share it with
To run the product we use sub-processors. Each handles a specific piece of the puzzle and is contractually limited to what they need.
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloud hosting provider | Application hosting and encrypted backups | Australia and New Zealand |
| Stripe | Online card payments and Mahi Time subscription billing | Global, processed in AU/US |
| Windcave | Optional in-store EFTPOS terminal processing | New Zealand |
| SMSGlobal | SMS sending (reminders, confirmations, verification codes) | Australia |
| Postmark | Transactional email (confirmations, password resets, campaigns) | United States |
| Google | Optional two-way calendar sync, OAuth login on the admin panel | Global |
| ElevenLabs | Voice synthesis for the AI Voice Agent add-on | United States |
| OpenAI | Language model behind the AI Voice Agent add-on | United States |
For Stripe and Windcave: we never see or store full card numbers. Card data is entered into and processed by Stripe and Windcave under PCI DSS. We hold only the last four digits and a tokenised payment reference so receipts can be matched back to a payment.
5. Where it lives
Your live data is hosted locally within Australia and New Zealand. Nightly backups stay in the same region. Some sub-processors (Postmark, ElevenLabs, OpenAI) are based in the United States; data sent to them is encrypted in transit and stays only as long as needed to do the job.
6. How we protect your data
We treat everything you trust us with as sensitive, and the measures below apply with extra force to credentials, payment references, and any data we receive from a connected account such as Google Calendar.
- Encryption in transit. All traffic to and from Mahi Time, and every call we make to a sub-processor's API, runs over TLS 1.2 or higher. We do not transmit data over unencrypted connections.
- Encryption at rest. Databases and nightly backups are encrypted on disk. The most sensitive secrets, including the OAuth refresh and access tokens we hold for Google Calendar sync, are additionally encrypted at the application layer (AES-256 via a key held separately from the data), so they stay unreadable even with direct database access.
- Least-privilege access. Access to production systems is limited to the few engineers who need it, each with an individual account and strong authentication. Inside the product, role-based permissions control what each user can see, and each Customer's data is kept isolated from every other Customer's.
- Minimal Google scopes. When you connect Google Calendar we request only the narrow permissions the feature needs: read and write calendar events, read your list of calendars, and your email address (so we can show which account is connected). We never request access to Gmail, Drive, Contacts, or any other Google data.
- Revocable at any time. You can disconnect Google Calendar from inside Mahi Time, or revoke our access directly at myaccount.google.com/permissions. Either way we delete the stored tokens.
- Breach response. If a breach affecting your data ever occurs, we will notify you and the relevant regulator (the NZ Privacy Commissioner or the OAIC) as the law requires.
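To make the at-rest claim concrete, here is an added illustration (not Mahi Time's own code) of what "application-layer encryption with a key held separately from the data" looks like for a stored OAuth refresh token. It assumes Go, AES-256-GCM, a 32-byte key supplied from outside the database (in practice a KMS or secrets manager; here a hard-coded placeholder), and a hypothetical row layout in which the customer ID and column name are bound to the ciphertext as associated data, so a token copied from one Customer's row into another's will not decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// keyVersion is stored in front of each ciphertext so the key can be
// rotated without re-encrypting every row in one go.
const keyVersion = "v1"

// aadFor binds a ciphertext to the row and column it was written for.
// GCM authenticates this value, so moving the blob elsewhere fails.
func aadFor(customerID, column string) []byte {
	return []byte("customer:" + customerID + ";column:" + column)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealToken encrypts a token under a key that never lives in the database.
// Stored form: "<version>:" + base64(nonce || ciphertext || tag).
func SealToken(key []byte, customerID, column, token string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh per call
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(token), aadFor(customerID, column))
	blob := append(nonce, ct...)
	return keyVersion + ":" + base64.StdEncoding.EncodeToString(blob), nil
}

// OpenToken reverses SealToken. A bit flip, truncation, wrong key, or an
// attempt to read the blob under another customer/column all fail closed.
func OpenToken(key []byte, customerID, column, stored string) (string, error) {
	version, payload, ok := strings.Cut(stored, ":")
	if !ok || version != keyVersion {
		return "", fmt.Errorf("unknown key version %q", version)
	}
	raw, err := base64.StdEncoding.DecodeString(payload)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aadFor(customerID, column))
	if err != nil {
		return "", errors.New("token failed authentication")
	}
	return string(pt), nil
}

func main() {
	// Placeholder key: in production this comes from a KMS/secrets manager.
	key := []byte("0123456789abcdef0123456789abcdef")
	stored, _ := SealToken(key, "cust_123", "google_refresh_token", "1//refresh-xyz")
	fmt.Println("stored in DB:", stored) // unreadable with DB access alone
	tok, err := OpenToken(key, "cust_123", "google_refresh_token", stored)
	fmt.Println("decrypted:", tok, err)
	_, err = OpenToken(key, "cust_999", "google_refresh_token", stored)
	fmt.Println("moved to another customer's row:", err)
}
```

The check a practitioner would want: because the mode is authenticated (GCM), a database dump or a swapped row yields an error rather than a wrong-but-plausible token, and the version prefix lets the separately held key be rotated row by row. The one operational rule this design depends on is that a nonce never repeats under the same key; a random 96-bit nonce per encryption is fine at the volumes a booking platform sees.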
7. Google user data and Limited Use
If you choose to connect a Google account for two-way calendar sync, Mahi Time accesses your Google Calendar through Google's APIs using the minimal scopes listed in section 6. We use that access for one purpose only: to show your existing Google Calendar events as busy time inside Mahi Time, and to write the bookings you make in Mahi Time back to your Google Calendar.
Mahi Time's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In plain terms:
- We only use Google user data to provide and improve the calendar-sync feature you switched on.
- We do not transfer Google user data to anyone else, except as needed to provide or improve that feature, to comply with applicable law, or in connection with a merger or acquisition (with notice to you).
- We do not use Google user data for advertising, and we never sell it.
- We do not let humans read Google user data unless you give specific consent, it is necessary for security or to comply with the law, or the data has been aggregated and anonymised for internal operations.
8. How long we keep it
- Account active: indefinitely, while you're using the product.
- Payment and booking records: 7 years after account closure, to satisfy NZ tax law (the Tax Administration Act 1994 requires business records to be kept for seven years).
- Voice agent transcripts and recordings: 30 days, then permanently deleted.
- SMS and email message bodies: 6 months, then permanently deleted.
- Backup snapshots: rolling 30-day window, so a record deleted from the live database can persist in a backup for up to 30 days before it ages out.
If you close your account, you can request immediate deletion of everything except records we are legally required to keep.
9. Your rights
Under NZ and AU privacy law you can:
- Access the data we hold about you. Log in and you can already see most of it; email us for anything you can't see in the UI.
- Correct anything inaccurate.
- Export your data in CSV (built into the admin panel) or via our REST API at any time.
- Delete your account and the data attached to it.
- Complain to the NZ Privacy Commissioner (privacy.org.nz) or the OAIC (oaic.gov.au) if you think we've mishandled something.
10. Cookies
We set two first-party cookies and nothing else: a session cookie that keeps you signed in, and, in the admin panel, a CSRF token cookie that is a security measure required for the app to work. No tracking pixels, no advertising cookies, no third-party analytics that follow you across the web.
11. Children
Mahi Time is a B2B product. We do not knowingly collect data from anyone under 16. If a customer profile in your account is for a minor, the legal basis for processing that data is the consent of their parent or guardian given to you, not to us.
12. Changes to this policy
If we change anything material, we'll email every active account at least 14 days before the change takes effect. The "last updated" date at the top of this page is the source of truth.
13. Contact
Questions, requests, or anything privacy-related:
- Email: [email protected]
- Post: Mahi Time Limited, Auckland, New Zealand
We aim to respond to every privacy request within 5 business days.