KaiMate Privacy Policy

When you use KaiMate, you trust us with your personal information. We are committed to maintaining that trust by protecting your privacy and being transparent about how we handle your data.

This Privacy Policy ("Policy") explains how KaiMate NZ Limited ("KaiMate", "we", "us", or "our") collects, uses, discloses, and protects your personal information when you use our websites, mobile applications, and related services (collectively, the "Services"). It also outlines your rights and choices regarding your personal information.

By using the Services, you agree to the practices described in this Policy. We comply with the New Zealand Privacy Act 2020.

Scope

This Policy applies to all users of KaiMate's Services, including customers who place pickup orders via our platform. It covers personal information collected from customers (including registered account holders) who browse restaurants, place orders, participate in our loyalty programme, or otherwise interact with our Services.

This Policy does not cover:

• The independent data practices of restaurants or other merchant partners. Those partners are separate data controllers responsible for their own compliance. We share your information with them only as necessary to fulfil your orders (see Section 5).
• Third-party websites or services linked from our platform. Each such service has its own privacy policy.

Our Services are intended for use by persons in New Zealand. If you are located outside New Zealand, please review this Policy carefully before using our Services.

We collect personal information that you provide directly, that is generated when you use our Services, or that we receive from third parties. "Personal information" means information that identifies you or can reasonably be linked to you.

2.1 Account and Profile Information

When you register or update your account, we collect your name, email address, phone number, login credentials, and other contact details. If you sign in via a third-party service (such as Google, Apple, etc.), we receive basic profile information as permitted by that service (typically your name and email). Guest users who order without creating a full account will still have their contact and payment details collected to process the order.

2.2 Order Information

When you place an order, in addition to the information referred to in 2.1 above, we collect the information needed to process it, including: items ordered, special instructions or dietary notes, selected restaurant, order time and pickup details, and transaction details such as order number and amounts. If your special instructions include health-related information (such as food allergies or dietary requirements), we treat that as provided with your consent and use it solely to fulfil your order.

2.3 Payment Information

When you place an order, payment is processed directly through Stripe, our third-party payment provider. Card details (such as your card number and expiry date) are entered directly into Stripe's secure interface and are never transmitted to or held by KaiMate. We receive only a payment token and transaction confirmation from Stripe. We may also collect your billing address where required for transaction verification. Stripe's handling of your payment data is governed by Stripe's own privacy policy.

2.4 Loyalty and Rewards Data

If you participate in our TohaKai loyalty programme or related promotions, we collect your points or rewards earned and redeemed, referral codes, and associated transaction details. Participation is voluntary. Opting out may mean you do not receive certain rewards.

2.5 Customer Communications

When you contact us for support or otherwise communicate with us (by email, in-app chat, or phone), we collect the information you provide, including your name, contact details, and the content of your messages. We may retain records of correspondence, including call recordings or chat transcripts, for quality assurance and service improvement purposes.

2.6 Reviews and Feedback

If you submit a review or rating, we collect your review text, rating, and any display name you provide. Published reviews may be visible to other users and the public. We recommend that you do not include sensitive personal information in reviews.

2.7 Device and Usage Information

We automatically collect certain technical information when you access our Services, including your device type, operating system, browser type, IP address, and unique device identifiers. We also collect usage data such as pages or screens viewed, navigation paths, features used, and access times. If you enable location services, we may collect your precise or general location to show nearby restaurants. This information helps us troubleshoot issues, secure the platform, and improve our Services.

2.8 Cookies and Similar Technologies

We use cookies, web beacons, and similar tracking technologies to personalise your experience and gather analytics. For full details, see Section 6 (Cookies and Tracking Technologies) below.

2.9 Information from Third Parties

We may receive information about you from third-party sources, such as social media platforms if you link your account, or referral partners who share your details with your permission. We ensure that any third-party data is lawfully collected and that we have the right to use it.

We collect only the personal information that is necessary for the purposes described in this Policy or as otherwise permitted by law. Some information is required to use certain features — for example, we must have payment details to process orders. If you choose not to provide required information, you may not be able to use that part of the Service.

We use your personal information to provide, maintain, and improve our Services, and to keep you and other users safe. Specifically, we use your information for the following purposes:

• Processing Orders and Providing Services. Your information is used to process and confirm orders, communicate order updates, send receipts and notifications, and handle payments and refunds. We share order details with the relevant restaurant so they can prepare and fulfil your order.
• Restaurant Communication. We provide the restaurant with your first name, order details, and contact information (if needed) so they can fulfil and communicate with you about your order. The restaurant is independently responsible for the personal information it receives for this purpose.
• Account Management and Authentication. We use your information to create and maintain your account, authenticate you at sign-in, manage your preferences, and send verification codes, two-factor authentication prompts, or password reset links when requested.
• Loyalty Programme Administration. We use your order and account data to operate the TohaKai loyalty programme, including allocating reward points, tracking redemptions, communicating your reward status, and supporting the community charity component of the programme.
• Customer Service and Support. We use your information to investigate and resolve your support requests, monitor service quality, and improve our policies and procedures.
• Personalisation and Recommendations. We may use your location, order history, and preferences to personalise content, suggest relevant restaurants or menu items, and highlight deals in your area. We do this only where permitted by law or with your consent.
• Marketing and Promotional Communications. With your consent, we may send you newsletters, special offers, app updates, and other promotions. You can opt out at any time (see Section 7). Transactional and service-related communications are not affected by a marketing opt-out.
• Analytics and Service Improvement. We analyse usage patterns to identify trends, improve features, and optimise the user experience. Aggregated, non-identifying analytics may be shared with partners or potential investors, but such reports do not contain personal details.
• Fraud Prevention and Security. We use personal information to detect, investigate, and prevent fraudulent transactions, abuse, security incidents, and other harmful activity. Where necessary, this may involve automated decision-making designed to protect the platform.
• Legal and Compliance. We use and retain personal information to comply with legal obligations (including tax, audit, and record-keeping requirements), respond to legal processes, enforce our Terms of Service, and protect the rights, property, or safety of our users, partners, or the public.

We will not use your personal information for purposes that are incompatible with those described above without your consent, unless otherwise permitted by law. Where we rely on consent, you may withdraw it at any time (see Section 7).

KaiMate processes your personal information in accordance with the New Zealand Privacy Act 2020 and, where applicable, other relevant privacy laws. We rely on the following legal bases:

• Performance of a contract: Processing is necessary to provide the Services you have requested, including processing orders, managing your account, and operating the loyalty programme.
• Legitimate interests: We process certain information (such as for analytics, fraud prevention, and service improvement) where doing so serves our legitimate business interests and does not override your privacy rights.
• Legal obligation: We retain and process some information to comply with applicable laws, including tax and financial record-keeping requirements.
• Consent: Where required by law, we obtain your consent before processing — for example, for marketing communications, targeted advertising cookies, or sensitive personal information such as dietary or health-related data. You may withdraw consent at any time without affecting the lawfulness of prior processing.

KaiMate does not sell or rent your personal information to third parties. We share your information only in the following circumstances, and always with appropriate protections in place:

• Restaurant Partners: When you place an order, we share your first name, order details, and relevant contact information with the restaurant you are ordering from, so they can fulfil and communicate with you about your order. Restaurants are independently responsible for the personal information they receive.
• Service Providers: We work with trusted third parties that perform functions on our behalf, such as payment processing, data hosting, analytics, marketing support, and customer service tooling. These providers receive only the information necessary to perform their specific function and are contractually required to protect your data and use it solely for services provided to KaiMate.
• Affiliated Companies: We may share information with current or future KaiMate affiliated entities (such as subsidiaries operating in other regions) to support the delivery and improvement of our Services. Any affiliate accessing personal information is bound by practices consistent with this Policy.
• Marketing and Advertising Partners: With your consent (where required), we may share certain information — such as a hashed email or device identifier — with digital advertising platforms to deliver or measure KaiMate advertising. You can opt out of this at any time (see Section 7). We do not permit these partners to use your data for their own independent marketing.
• Business Transfers: If KaiMate undergoes a merger, acquisition, reorganisation, or sale of assets, your personal information may be disclosed to a prospective or actual acquirer, subject to confidentiality protections. We will notify you if your information becomes subject to a new or materially different privacy policy.
• Legal Requirements: We may disclose your information where required or permitted by law, including to comply with a court order, subpoena, or regulatory request; to establish, exercise, or defend legal claims; or to investigate, prevent, or act on suspected fraud, illegal activity, or threats to safety.
• With Your Consent: We will share your personal information with third parties in any other circumstances only with your explicit consent.

When sharing information, we disclose only the minimum necessary for the intended purpose and seek to anonymise or aggregate data wherever feasible.

KaiMate uses cookies and similar tracking technologies (such as web beacons and local storage objects) to make our website and app function effectively, personalise your experience, and gather analytics.

Types of Cookies We Use

• Essential Cookies: Required for core functionality such as staying logged in, maintaining items in your cart, and completing orders. These cannot be disabled without affecting core Service functionality.
• Functional Cookies: Remember your preferences (such as language or region) to enhance your experience.
• Analytics Cookies: Help us understand how users interact with our Services, including popular pages and navigation patterns. Data is typically aggregated and does not directly identify you. We may use tools such as Google Analytics for this purpose.
• Personalisation Cookies: Allow us to tailor content to your interests based on your activity on our Services.
• Advertising Cookies: Used by us and our advertising partners to deliver relevant ads and measure campaign performance. These are only placed with your consent where required by law.

Your Cookie Choices

We provide a cookie consent banner on our website where you can accept or decline non-essential cookie categories. You can also manage cookies through your browser settings or use our cookie management tool. For mobile users, your device's operating system may offer options to limit ad tracking.

Please note that disabling certain cookies may affect the availability of some features, such as staying logged in or completing an order. We do not currently respond to browser "Do Not Track" signals, as there is no industry-wide standard for interpreting them.

You have rights regarding your personal information. The specific rights available to you may depend on your jurisdiction. KaiMate is committed to honouring these rights and providing you with meaningful control over your data.

• Right to Access: You may request a copy of the personal information we hold about you. We may need to verify your identity before providing this information.
• Right to Correction: If the personal information we hold about you is inaccurate or incomplete, you have the right to request that we correct it. You can also update many details directly in your account settings.
• Right to Deletion: You may request deletion of your personal information in certain circumstances. We will evaluate deletion requests in accordance with applicable law. Some information may be retained for legal, compliance, or fraud prevention purposes (see Section 8).
• Withdrawal of Consent: Where we rely on consent to process your information, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
• Marketing Opt-Out:You can unsubscribe from marketing emails via the unsubscribe link in any marketing message. For SMS, follow the instructions provided (e.g. reply "STOP"). Opting out of marketing does not affect transactional or service communications.
• Cookie and Advertising Opt-Out: See Section 6 for your options to manage cookies and targeted advertising.
• Complaints: If you believe we have not handled your personal information in accordance with applicable law, you may lodge a complaint with the relevant authority:
  • New Zealand: Office of the Privacy Commissioner — privacy.org.nz

We ask that you contact us first so we can try to resolve your concern directly.

To exercise any of these rights, please contact us using the details in Section 11. We will respond within any timeframe required by law. We do not generally charge a fee for handling requests, but may do so for requests that are manifestly unfounded or excessive. We may also request additional information to verify your identity.

We retain personal information only for as long as necessary to fulfil the purposes described in this Policy, or as required by law. Key retention guidelines:

• Account Information: Retained while your account is active. Upon account deletion, we initiate deletion or anonymisation of your personal data, except where retention is required for legal, compliance, or dispute resolution purposes.
• Order and Transaction Records: Retained for as long as required by applicable financial and tax regulations (typically seven years in New Zealand).
• Customer Support Communications: Retained for a reasonable period following resolution of your inquiry (generally one to two years), unless earlier deletion is requested and no overriding purpose applies.
• Marketing Data: Contact details on our marketing list are retained until you unsubscribe. We may retain a record of your opt-out to honour your preference.
• Analytics Data: Aggregated, non-identifying analytics data may be retained indefinitely. Raw usage data linked to an identifiable user is typically retained for a short period only.
• Legal Hold: Where we are involved in litigation or receive a legal preservation request, relevant information may be retained beyond standard periods until the matter is resolved.

When personal information is no longer required, we delete it securely or anonymise it. Where immediate deletion is not feasible (for example, data in archived backups), we ensure the information remains securely stored and is not used for any active purpose pending deletion.

KaiMate hosts and processes your personal information within New Zealand. We endeavour to keep your personal data within New Zealand where possible. Where third-party service providers (such as our payment processor) operate infrastructure outside New Zealand, we ensure appropriate protections are in place in accordance with the Privacy Act 2020. We will not voluntarily disclose your personal information to any foreign government or authority unless required to do so by applicable law. If you have any questions about how your data is stored or protected, please contact us.

KaiMate takes the security of your personal information seriously. We implement appropriate technical, administrative, and physical safeguards to protect your data from loss, misuse, unauthorised access, disclosure, or alteration. Our measures include:

• Encryption: We use HTTPS/TLS to protect data in transit and encrypt sensitive data at rest, including financial information.
• Access Controls: Access to personal information is restricted to staff and contractors who need it to perform their duties. We enforce a need-to-know policy and require internal use of multi-factor authentication.
• Secure Infrastructure: We host our platform on reputable cloud services with advanced security measures, including firewalls and intrusion detection. Systems are kept current with security patches.
• Monitoring and Testing: We monitor systems for suspicious activity and conduct regular security audits and penetration testing.
• Data Minimisation: We collect only what we need and retain it only as long as necessary, reducing risk in the event of a security incident.
• Payment Security: All payment transactions are processed directly through Stripe, a PCI-DSS-certified payment provider. KaiMate never receives, transmits, or stores your card number or full payment details. We hold only the payment token and transaction record returned by Stripe.
• Third-Party Standards: We contractually require service providers to protect your data to standards consistent with this Policy.

No method of electronic transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify you and the relevant authorities as required by law.

We encourage you to use a strong, unique password for your KaiMate account, not share your credentials, and log out after using a shared device. KaiMate will never contact you unexpectedly requesting your password or full payment card details. If you suspect unauthorised access to your account, please contact us immediately.

Our Services are not intended for use by persons under the age of 18. We do not knowingly collect personal information from minors. If you are a parent or guardian and believe your child has created a KaiMate account or provided us with personal information without your consent, please contact us immediately. We will take steps to delete the account and associated information as soon as practicable, unless we are required by law to retain it.

If we inadvertently collect personal information from a child under the applicable minimum age, we will delete that information promptly upon becoming aware of it.

We may update this Policy from time to time to reflect changes in our business, legal obligations, or Services. When we make changes, we will revise the "Last Updated" date at the top of this document. If the changes are significant, we will provide a more prominent notice — such as an email notification or an in-app alert.

Your continued use of the Services after any update indicates your acceptance of the revised Policy, to the extent permitted by law. If you do not agree with the updated terms, you should stop using the Services and deactivate your account. The current version of this Policy is always available in the app and on our website.

If you have any questions, concerns, or requests regarding this Policy or our privacy practices, please contact our Privacy Officer:

• Email: privacy@kaimate.co.nz
• Subject line:"Privacy Inquiry"
• Mail: Privacy Officer, KaiMate NZ Limited, Wellington, New Zealand
• In-App: Help / Support → Contact Support, and indicate your query is a privacy matter.

We will aim to respond to all legitimate requests within 30 days, or within any shorter timeframe required by applicable law. If your request is complex, we will inform you if additional time is needed.

To protect your data, we may ask you to verify your identity before we respond to certain requests.

Thank you for trusting KaiMate with your personal information. We are committed to keeping it safe.