SpendGuard™ Privacy Policy

Operated by: Constant Control Limited

Effective Date: 24 March 2026

Reviewed: 24 March 2026  |  Next Review Due: April 2027

Contact: privacy@constantcontrol.co.nz

1. Introduction

Constant Control Limited ("we", "us", "our") is committed to protecting the privacy of individuals who use the SpendGuard™ platform and who interact with Constant Control Limited. We comply with the New Zealand Privacy Act 2020 (the Act) when dealing with personal information.

This Privacy Policy explains how we collect, use, store, disclose, and protect personal information in connection with the SpendGuard™ platform and associated services. It does not limit or exclude any of your rights under the Act.

For further information on the Act, visit www.privacy.org.nz.

2. What Personal Information We Collect

2.1 Account and Identity Information

  • Full name and email address
  • Job title and organisational role
  • Account credentials (passwords are stored as one-way cryptographic hashes — we never store or have access to plaintext passwords)
  • Organisation name and domain

2.2 Platform Usage Information

  • Actions performed within the platform (e.g. creating, editing, or approving contracts and CSOs)
  • Access logs including IP addresses, browser/device type, and session timestamps
  • Audit trail records of data changes within your organisation's workspace

2.3 Communications

  • Email communications with our support team
  • Support tickets and associated correspondence

2.4 Information You Upload

  • Contract data, spend data, vendor information, and other materials uploaded to SpendGuard™ in the course of using the platform

We collect personal information directly from you wherever possible. We may also collect information from your organisation's administrators who configure your account.

3. How We Use Personal Information

  • To provide, operate, and improve the SpendGuard™ platform
  • To verify your identity and manage your account
  • To send transactional communications (e.g. account invitations, password resets, security notifications)
  • To provide customer support and respond to enquiries
  • To detect and investigate security incidents and fraud
  • To meet our legal and contractual obligations
  • To conduct anonymised, aggregated analytics to improve platform performance

We do not use your personal information for advertising, nor do we sell it to third parties. We do not use your personal information to train AI or machine learning models without your explicit written consent.

4. Data Jurisdiction and Storage Locations

SpendGuard™ is a cloud-based platform. Your data is stored and processed across the following jurisdictions:

  • New Zealand — Constant Control Limited's business operations and customer support
  • Australia — Primary database and authentication infrastructure (Supabase on AWS ap-southeast-2, Sydney)
  • United States — Application hosting and edge compute (Vercel); transactional email (Resend)
  • Additional jurisdictions — If your organisation enables optional AI features or third-party integrations (see Sections 11 and 12), data may be transmitted to additional jurisdictions depending on the provider you configure

We take steps to ensure all sub-processors handling your data outside New Zealand are subject to contractual obligations providing equivalent or greater privacy protections to those required by the New Zealand Privacy Act 2020.

Government and enterprise customers with specific data residency requirements should contact us at privacy@constantcontrol.co.nz to discuss available options.

5. Sub-Processors

We rely on the following core third-party sub-processors to deliver SpendGuard™. Each core sub-processor is subject to a Data Processing Agreement (DPA) or equivalent contractual obligations. The optional BYOK AI providers are listed alongside them so that every possible recipient of your data is visible in one place; those providers are contracted by your organisation, not by us.

  • Vercel Inc.
    Location: United States
    Purpose: Edge compute and application hosting
    Data access: Encrypted request processing only; no access to plaintext customer data

  • Supabase Inc.
    Location: Australia (AWS ap-southeast-2, Sydney)
    Purpose: Database, authentication, and file storage
    Data access: Database infrastructure access; subject to SOC 2 Type II controls and DPA

  • Anthropic PBC
    Location: United States
    Purpose: Default AI provider (Constant Control shared key)
    Data access: Anonymised, de-identified data only; used when organisations enable AI via the shared key

  • Optional AI providers (BYOK: your organisation configures its own API key)
    OpenAI Inc.: United States
    Microsoft (Azure OpenAI): Australia / United States (configurable)
    Google (Gemini): United States
    xAI (Grok): United States
    Data access: Anonymised data only. Data flows directly from SpendGuard™ to the organisation's chosen provider. Constant Control does not control or have visibility into these providers' data handling when BYOK is used.

  • Resend Inc.
    Location: United States / EU
    Purpose: Transactional email (invitations, password resets)
    Data access: Email address and notification content only; no access to contract or spend data

We maintain a current sub-processor list and will notify customers of any material changes with reasonable advance notice. The full up-to-date list is available on request.

Note: If your organisation configures optional AI features with a custom AI provider or third-party integrations (see Sections 11 and 12), additional sub-processors may apply based on the providers you select. Constant Control is not responsible for the privacy practices of third-party providers configured directly by your organisation.

6. Disclosure of Personal Information

We may disclose personal information to:

  • Sub-processors listed in Section 5, solely for the purpose of delivering the SpendGuard™ service
  • Our professional advisers (lawyers, auditors, insurers) where necessary
  • Regulatory authorities or law enforcement where we are legally required to do so (e.g. in response to a valid court order or statutory requirement)
  • Any other person authorised by you or by the Privacy Act 2020

We will not voluntarily disclose your personal information to any government agency or law enforcement authority without a valid legal basis. All requests for disclosure are reviewed by our legal counsel before any information is provided.

Where we receive a legal demand for disclosure, we will notify you as promptly as legally permitted. In some jurisdictions, non-disclosure orders may prevent us from providing notification; where this applies, we will note the occurrence in our annual transparency report.

7. Data Security

  • Transport Layer Security (TLS 1.2/1.3) for all data in transit
  • AES-256-GCM encryption for sensitive fields (e.g. API keys) at rest
  • bcrypt hashing (cost factor 12) for all passwords — we never store or have access to plaintext passwords
  • Supabase transparent database encryption (AES-256) for all data at rest
  • Role-Based Access Control (RBAC) with five permission levels
  • Multi-Factor Authentication (MFA) available for all users; enforceable at the organisation level
  • Row-Level Security (RLS) enforced at the database layer ensuring strict tenant data isolation
  • Immutable audit logs for all user actions and data access events
  • Independent penetration testing conducted annually; most recent test completed Q1 2026 (all findings remediated)

While we take all reasonable steps to protect your personal information, no internet-based service can guarantee absolute security. Report security concerns immediately to security@constantcontrol.co.nz.

8. Privacy Breach Notification

In the event of a privacy breach likely to cause serious harm, we will:

  • Notify affected customers within 72 hours of becoming aware of the breach
  • Notify the Office of the Privacy Commissioner (OPC) where required by the Privacy Act 2020
  • Provide a description of the breach, the categories of data affected, containment steps taken, and recommendations for affected individuals
  • Provide a full post-incident report within 30 days of resolution

To report a suspected privacy breach: security@constantcontrol.co.nz (monitored 24/7).

9. Data Retention and Deletion

  • Active accounts: data is retained for the duration of the subscription
  • On contract termination: all customer data is deleted within 30 days, unless otherwise required by law; audit log records are the exception and are retained as described below
  • Backup copies: purged within the applicable backup retention window (7 days standard; 30 days enterprise) following account deletion
  • Audit logs: retained for 7 years from the date of creation, in accordance with our Data Retention Policy and NZ Public Records Act 2005 requirements
  • A deletion certificate is available on request following account closure

10. Your Privacy Rights

Under the Privacy Act 2020, you have the right to:

  • Request access to the personal information we hold about you
  • Request correction of any personal information that is inaccurate, incomplete, or misleading
  • Complain to us if you believe we have breached the Privacy Act 2020

Contact our Privacy Officer at privacy@constantcontrol.co.nz. We will respond within 20 working days. We may require evidence of your identity before processing a request.

11. Artificial Intelligence Features

SpendGuard™ includes AI-powered features that are optional and require explicit activation by your organisation's administrator. All AI features are disabled by default. Before any AI feature is enabled, your organisation's administrator must grant explicit consent, which is recorded in the platform's audit log.

11.1 How AI Features Work

SpendGuard™ supports two AI activation models:

  • Constant Control shared AI — Data is processed via Constant Control's Anthropic API integration. Only anonymised, de-identified data is transmitted; no personally identifiable information (names, email addresses, user IDs) is included in AI requests.
  • Bring Your Own Key (BYOK) — Your organisation may configure its own AI provider API key and endpoint (e.g. Anthropic, Azure OpenAI, or another compatible provider). In this model, data flows directly from SpendGuard™ to your chosen provider. Constant Control does not have visibility into or control over that provider's data handling practices.

Important: When using the BYOK model, your organisation is responsible for ensuring your chosen AI provider meets your privacy, security, and data sovereignty requirements. Constant Control's privacy commitments apply to data processed within our infrastructure only.

11.2 AI Insights

The AI Insights feature generates automated analysis of contract spend, CSO performance, and budget variance. When enabled using Constant Control's shared AI key, only anonymised spend metrics and structural data are transmitted to the AI provider. No vendor names, user names, or personally identifiable information are included.
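The data-minimisation rule above (spend metrics and structural data out; names, email addresses and user IDs never) is the kind of commitment a customer's security reviewer will want to see enforced in code rather than asserted in prose. The following is an added illustration written for this page, not SpendGuard™'s own code: it projects a contract record through an allow-list of permitted fields, derives a variance metric the model can reason about, and then scans the serialised payload for email addresses and identifiers before anything leaves the platform. The field names, the allow-list and the sample record are assumptions constructed for the example.

```python
"""Allow-list projection of a contract record for an AI request.

Added example, not SpendGuard's own code. The schema, the allow-list and the
sample record are assumptions constructed for this illustration.
"""
import json
import re
from typing import Iterable

# Assumed schema: the only fields permitted to leave the platform in an AI
# request. An allow-list is deliberate: a column added to the contract table
# later is excluded by default instead of leaking until someone remembers to
# add it to a deny-list.
AI_ALLOWED_FIELDS = frozenset({
    "category", "status", "currency", "annual_value", "spent_to_date",
    "budget", "term_months", "months_elapsed", "cso_count",
})

# Fields whose values identify a person or a vendor (assumed names).
IDENTITY_FIELDS = ("vendor_name", "owner_name", "owner_email", "owner_user_id")

EMAIL_RE = re.compile(r'[^@\s"]+@[^@\s"]+\.[a-z]{2,}', re.IGNORECASE)


def project_for_ai(record: dict) -> dict:
    """Return only the allow-listed, structural fields of a contract record,
    plus a derived budget variance the model can analyse without knowing
    who the vendor or the contract owner is."""
    payload = {k: v for k, v in record.items() if k in AI_ALLOWED_FIELDS}
    if payload.get("budget"):
        variance = payload["spent_to_date"] - payload["budget"]
        payload["budget_variance_pct"] = round(100.0 * variance / payload["budget"], 1)
    return payload


def check_egress(payload: dict, blocked_values: Iterable[str]) -> None:
    """Second line of defence: refuse to send if an email address or any of
    the record's identifying values still appears in the serialised payload,
    for example because a free-text field crept into the allow-list."""
    blob = json.dumps(payload).lower()
    if EMAIL_RE.search(blob):
        raise ValueError("AI payload contains an email address")
    for value in blocked_values:
        if value and str(value).lower() in blob:
            raise ValueError(f"AI payload contains identifier {value!r}")


def build_ai_request(record: dict) -> str:
    """Project, verify and serialise a record for transmission to the AI provider."""
    payload = project_for_ai(record)
    check_egress(payload, (record.get(field) for field in IDENTITY_FIELDS))
    return json.dumps(payload, sort_keys=True)


# Constructed sample record; not real customer data.
SAMPLE_CONTRACT = {
    "contract_id": "C-1042",
    "vendor_name": "Acme Facilities Ltd",
    "owner_name": "Jane Example",
    "owner_email": "jane.example@example.org",
    "owner_user_id": "u_8f2c",
    "category": "Facilities",
    "status": "active",
    "currency": "NZD",
    "annual_value": 120000,
    "spent_to_date": 135000,
    "budget": 120000,
    "term_months": 36,
    "months_elapsed": 14,
    "cso_count": 3,
}

if __name__ == "__main__":
    print(build_ai_request(SAMPLE_CONTRACT))
```

The egress check is worth keeping even though the allow-list already removes identity fields: it is what catches the day someone adds a free-text "notes" column to the allow-list, and it gives the audit log a concrete refusal to record rather than a silent leak.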

11.3 AI Query (Ask Your Data)

The Ask Your Data feature allows authorised users to submit natural language queries about their organisation's contract data. Queries and relevant anonymised context are transmitted to the configured AI provider. Query text is sent as entered, so users should not include personal information (for example, a colleague's name or email address) in a query. Query content and responses are logged in the platform audit trail.

11.4 News and Market Intelligence

Organisations may configure a news search query to surface relevant news and market intelligence within the platform. This feature transmits a configurable search query (organisation name, keywords) to an external search service to retrieve publicly available news articles. No personal information is included in these queries. Organisations should ensure their configured search query does not contain personal information.

We will not process personal data through any AI system without explicit agreement per our AI Usage and Customer Protection Policy.

12. Third-Party Integrations

SpendGuard™ supports optional integrations with third-party platforms to enable workflow automation and notifications. These integrations are disabled by default and must be configured by your organisation's administrator.

12.1 Microsoft Teams

When the Microsoft Teams integration is enabled, SpendGuard™ will transmit notification data (e.g. contract alerts, approval requests) to your organisation's configured Teams webhook. Data transmitted is limited to the notification content configured by your administrator. This data is processed by Microsoft in accordance with Microsoft's privacy policy and your organisation's Microsoft 365 agreement.

12.2 Ticketing Systems

SpendGuard™ supports integration with third-party ticketing systems (e.g. Jira, ServiceNow). When enabled, relevant contract and workflow data may be transmitted to your configured ticketing platform. Your organisation is responsible for ensuring the ticketing system integration meets your privacy and data handling requirements.

Constant Control is not responsible for the data handling practices of third-party integration providers configured by your organisation. We recommend reviewing the privacy policies of any integration you enable.

13. Cookies and Tracking

SpendGuard™ uses session cookies and authentication tokens to maintain your logged-in session and ensure platform security. We do not use advertising cookies or third-party tracking cookies within the platform.

Our public website (constantcontrol.co.nz) may use analytics cookies to monitor site usage. You may disable cookies via your browser settings; note that blocking session cookies will prevent you from staying logged in to the platform.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify customers of material changes via email or in-platform notification at least 30 days before changes take effect. The current version is always available at https://www.spendguard.co.nz/legal/privacy.

15. Complaints

If you believe we have breached the Privacy Act 2020, contact our Privacy Officer at privacy@constantcontrol.co.nz. We will acknowledge your complaint within 5 working days and respond substantively within 20 working days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner (www.privacy.org.nz).

16. Contact

Privacy Officer (access and correction requests, complaints): privacy@constantcontrol.co.nz
Security team (security concerns and suspected privacy breaches, monitored 24/7): security@constantcontrol.co.nz

Constant Control Limited — Licensed for business in New Zealand. Servicing a global market for our clients.