Version 1.0 | Effective Date: [DATE]
Last reviewed: [DATE]
Note to legal review: This policy is written to satisfy the NZ Privacy Act 2020 (primary), the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), and the UK GDPR / Data Protection Act 2018. Before publishing, have a NZ-qualified solicitor review the lawful-basis table, cross-border transfer provisions, and the UK/EU adequacy status.
Blazor Forge Ltd. ("Blazor Forge", "we", "us") is a New Zealand company (NZBN: [INSERT]) that develops and operates the Sales2Paid™ CRM and project-delivery platform ("Service"). Sales2Paid™ is our trading name and a pending trade mark in New Zealand and Australia.
We are the data controller for information we collect from visitors to our website and from users of the Service.
For customers on an Enterprise-Managed or Enterprise-Self-Hosted Plan, a separate data processing arrangement may apply — contact privacy@sales2paid.com.
Privacy contact:
Blazor Forge Ltd. — Privacy Officer (Sales2Paid™)
Email: privacy@sales2paid.com
Address: [INSERT physical address, NZ]
This policy covers:
/apply sign-up form.It does not cover third-party websites or services linked from ours. Those are governed by their own privacy policies.
| Information | How collected | Why |
|---|---|---|
| IP address, browser type, pages visited, referrer URL | Server logs and analytics | Security, diagnosing errors, understanding usage patterns |
| Name, email, message | Contact form (/contact) | Responding to your enquiry |
| Name, company, email, phone, team size, region, website | Application form (/apply) | Assessing suitability for a Sales2Paid™ account |
We do not use third-party advertising trackers or sell data from website visitors.
| Information | How collected | Why |
|---|---|---|
| Name, email address | Registration or invite | Account creation, authentication, communications |
| Password (hashed) | Registration | Authentication |
| Company name, billing address | Account setup | Invoicing, contract administration |
| Payment card details | Via Stripe (not stored by us) | Billing |
| IP address, login timestamps | Security logs | Security, fraud detection, audit |
| Profile information (role, handle, language preference) | Account settings | Personalisation |
| Usage data (features accessed, actions taken) | Application telemetry | Product improvement, support |
Your Customer Data (the contacts, companies, projects, invoices, messages, and other records you store in Sales2Paid) belongs to you. We process it only to operate the Service on your behalf.
Customer Data may contain Personal Information about third parties (e.g., your prospects' phone numbers, your clients' email addresses). You are responsible for ensuring you have the lawful basis to store and process that data, and for providing those third parties with any required privacy notices.
When you submit an application, our automated qualification scorer may conduct a DNS lookup on your domain and a website reachability check. No Personal Information is sent to third parties in this process — we query publicly available DNS records and HTTP endpoints.
We use Personal Information for the following purposes and on the following bases:
| Purpose | Legal Basis (NZ PA 2020) | Legal Basis (UK GDPR / AU APPs) |
|---|---|---|
| Providing and operating the Service | Necessary to perform the contract (Principle 10) | Performance of contract (Art. 6(1)(b)) |
| Billing and payment processing | Necessary to perform the contract | Performance of contract |
| Sending service-related notifications (e.g., trial expiry, payment failure, security alerts) | Necessary to perform the contract | Performance of contract / Legitimate interest |
| Sending product updates and marketing emails | With your consent (opt-in) or legitimate interest where permitted | Consent (Art. 6(1)(a)) / Legitimate interest (Art. 6(1)(f)) |
| Improving the Service | Legitimate interest | Legitimate interest |
| Security monitoring and fraud detection | Legitimate interest / legal obligation | Legitimate interest / Legal obligation |
| Complying with legal and regulatory obligations | Legal obligation | Legal obligation (Art. 6(1)(c)) |
| Responding to support requests | Legitimate interest | Legitimate interest |
We do not use your information for automated decision-making that has legal or similarly significant effects on you without giving you the opportunity to request human review.
We do not sell your Personal Information.
We share Personal Information only in the following circumstances:
We engage trusted third-party providers who process Personal Information on our behalf under written data processing agreements:
| Provider | Purpose | Data transferred | Location |
|---|---|---|---|
| SiteHost Ltd. | Primary web and database hosting (default tier) | All Customer Data | NZ, AU, SG (NZ-headquartered, CLOUD Act immune) |
| SiteHost Ltd. | Outbound and inbound mail server hosting | Email message content, sender/recipient addresses | NZ (NZ-headquartered, CLOUD Act immune) |
| UpCloud Ltd. | Web and database hosting — Level 2/3 privacy tiers | All Customer Data (Level 2/3 tenants only) | AU (Sydney), SG, Helsinki, Frankfurt (Finnish-headquartered, CLOUD Act immune) |
| OVHcloud SAS | Web and database hosting — Level 2/3 privacy tiers | All Customer Data (Level 2/3 tenants only) | AU (Sydney), SG, Strasbourg, Frankfurt (French-headquartered, CLOUD Act immune) |
| SmarterASP.NET | Supplementary web and database hosting | All Customer Data (tenants on this hosting) | USA — Level 0 only; not used for sovereign or CLOUD Act immune tiers |
| Stripe, Inc. | Payment processing (SaaS subscription billing) | Account holder name, email, billing address, card data | USA |
| SMSEveryone | SMS notifications (event reminders, OTP) | Mobile number, message content | NZ/AU |
| Apollo.io | Company enrichment (opt-in feature) | Company name, domain | USA |
| Serper | Web search enrichment (opt-in feature) | Search queries (no personal data) | USA |
| Xero | Accounting integration (only if you connect Xero) | Invoice data, contact names and email addresses | Xero's infrastructure (AU/NZ) |
We will update this table when we add or change sub-processors and will notify you if required by applicable law.
Note on SmarterASP: SmarterASP is a US-based provider used only for Level 0 (Standard) hosting. Customers who have selected Level 1 (Data Sovereign), Level 2 (CLOUD Act Immune), or Level 3 (Maximum Privacy) tiers are not hosted on SmarterASP infrastructure. See Section 6A for hosting tier details.
If Blazor Forge Ltd. is acquired, merged, or undergoes a change of control, Personal Information may be transferred to the successor entity. We will notify you and, where required, seek your consent.
We may disclose Personal Information where required by law, court order, or regulatory demand. Where we are not prohibited, we will notify you before disclosing.
We may disclose information where reasonably necessary to prevent fraud, enforce our Terms, or protect the safety of others.
Sales2Paid is based in New Zealand. Where your Customer Data is transferred to or hosted in another country, the transfer is governed by your selected hosting tier and the safeguards described below.
New Zealand: New Zealand has been granted an adequacy decision by the European Commission. We transfer data internationally only to countries with adequate protections or under appropriate safeguards (SCCs where required).
Australia: Australian customers' data is hosted in Australia by default (SiteHost AU or UpCloud/OVHcloud Sydney where applicable). Australia is recognised by NZ as having comparable privacy protections.
United Kingdom: For UK customers, we rely on the adequacy decision covering New Zealand under UK GDPR. Transfers to the USA (e.g., Stripe) rely on Standard Contractual Clauses (SCCs) or equivalent UK mechanisms. We do not host UK customer data in UK datacentres — see Section 6A for the reason.
European Union: Level 3 (Maximum Privacy) customers have their data hosted exclusively within the EU (UpCloud Helsinki/Frankfurt or OVHcloud Strasbourg/Frankfurt). Data never leaves the EU. This tier provides full GDPR compliance with no cross-border data transfer. For all other tiers, EU customers should contact us for applicable SCCs.
Sales2Paid offers four hosting tiers. Your tier is chosen at application time and cannot be changed without a migration (which may incur cost and downtime).
| Tier | Infrastructure | Data location | CLOUD Act exposure | Five Eyes reach | Best for |
|---|---|---|---|---|---|
| Level 0 Standard |
Best-available provider (may include SmarterASP or equivalent) | Not guaranteed | Possible if US-DC provider used | Possible | Small businesses with no compliance requirements |
| Level 1 Data Sovereign |
SiteHost (NZ-headquartered) | Contractually in your country (NZ, AU, SG) | None — SiteHost is NZ-HQ | Possible if NZ, AU DC (Five Eyes members) | NZ/AU businesses needing local data residency |
| Level 2 CLOUD Act Immune |
SiteHost NZ/AU · OVHcloud AU/SG · UpCloud AU/SG | Contractually in your chosen region (NZ, AU, SG) | None — NZ, French, or Finnish HQ providers | Possible — NZ/AU are Five Eyes; SG has bilateral treaties | Businesses needing CLOUD Act immunity in Pacific region |
| Level 3 Maximum Privacy |
UpCloud Helsinki/Frankfurt · OVHcloud Strasbourg/Frankfurt | EU only — contractually guaranteed, no cross-border transfer | None — Finnish and French HQ, outside US jurisdiction entirely | None — Finland and France are not Five Eyes members | EU tenants, regulated industries, enterprise compliance requirements |
Why not UK datacentres? We do not use UK datacentres at any tier. The UK Investigatory Powers Act 2016 (IPA) gives UK intelligence agencies broad interception and compelled-modification powers with limited judicial oversight. Post-Brexit, UK data has no GDPR backstop. No commercial SaaS arrangement can adequately mitigate this risk at the infrastructure level.
Why not AWS, Azure, or Google Cloud? These providers are all US-headquartered. Even when data is stored in a non-US datacentre, the US CLOUD Act allows US authorities to compel the parent company to produce that data without going through normal Mutual Legal Assistance Treaty (MLAT) procedures. We do not use these providers for Customer Data at any tier.
No absolute immunity: No hosting tier provides complete immunity from government access. Every country has national security law that can compel access in extreme circumstances. Level 3 (EU) provides the strongest commercially available protection by requiring cross-border requests to proceed via MLAT — a slow, transparent, and legally contestable process subject to CJEU oversight.
Signals intelligence: No hosting tier protects against state-level signals intelligence (bulk cable interception, NSA/GCHQ collection). These operate outside normal legal process. Level 3 eliminates legal compulsion risk; it does not eliminate intelligence agency risk. No commercial arrangement can.
We use a minimal set of cookies necessary to operate the Service.
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie (.ASPXAUTH / ASP.NET Core auth) | Maintaining your login session | Session / until logout |
| CSRF protection token | Preventing cross-site request forgery | Session |
| Tenant context cookie | Identifying your tenant subdomain | Session |
We do not use:
Our website may display a cookie consent notice to meet legal requirements in certain jurisdictions. We default to privacy-preserving settings.
| Category | Retention period |
|---|---|
| Active Customer Data | Retained while your account is active |
| Customer Data after cancellation | 30 days post-cancellation, then deleted |
| Trial Customer Data (not upgraded) | 7 days after trial expiry notice, then deleted |
| Billing records | 7 years (financial record-keeping obligation) |
| Security and access logs | 12 months |
| Support correspondence | 3 years from closure |
| Marketing enquiries | 2 years from last contact |
| Application form submissions (declined) | 12 months |
After retention periods, data is securely deleted or anonymised. Backups are purged on a rolling cycle aligned with the above periods.
We take reasonable steps to protect Personal Information from loss, misuse, and unauthorised access, including:
No system is perfectly secure. If you suspect your account has been compromised, contact security@sales2paid.com immediately.
You have the right to:
You have the right to:
You have the right to:
To exercise any of these rights, email privacy@sales2paid.com. We will respond within:
We may ask you to verify your identity before acting on a request.
We may send you product updates, feature announcements, and tips by email. You can unsubscribe at any time via the unsubscribe link in any marketing email or by emailing privacy@sales2paid.com. Transactional and service-related emails (e.g., invoices, security alerts, trial expiry notices) are not marketing and cannot be opted out of while your account is active.
The Service is not intended for children under 18. We do not knowingly collect Personal Information from children. If you believe a child has provided us with information, contact privacy@sales2paid.com and we will delete it.
Where you are an enterprise customer using Sales2Paid™ to process Personal Information about your own customers or contacts, Blazor Forge Ltd. acts as a data processor and you act as the data controller.
For Enterprise-Self-Hosted/Reseller customers: you are the data controller for your End Customers' data, which is processed entirely on your own infrastructure. Sales2Paid has no access to that data unless you grant it for support purposes.
We may update this policy to reflect changes in our practices, the Service, or the law. We will notify you by email and by posting the updated policy at https://sales2paid.com/privacy with the new effective date. Material changes will be notified at least 30 days in advance.
For privacy enquiries or to exercise your rights:
Blazor Forge Ltd. — Privacy Officer (Sales2Paid™)
Email: privacy@sales2paid.com
Address: [INSERT physical address, NZ]
Response time: 3 business days (acknowledgement); 20 working days (full response)
Complaints:
| Jurisdiction | Regulator |
|---|---|
| New Zealand | Office of the Privacy Commissioner — www.privacy.org.nz |
| Australia | Office of the Australian Information Commissioner — www.oaic.gov.au |
| United Kingdom | Information Commissioner's Office — www.ico.org.uk |
We encourage you to contact us first — we would like the opportunity to resolve any concern directly.
Blazor Forge Ltd. (trading as Sales2Paid™) | privacy@sales2paid.com
Registered in New Zealand | NZBN: [INSERT]
Sales2Paid™ is a trade mark of Blazor Forge Ltd., with applications pending in New Zealand and Australia.