OffersFor merchants →
Draft — not yet in force. Under legal review; published for transparency while the pilot is being prepared.

DRAFT — NOT IN FORCE. COUNSEL REVIEW REQUIRED BEFORE PUBLICATION.

Offers — Privacy Policy (Pilot)

Version: 0.2-draft · Operator: [OPERATOR ENTITY — COUNSEL] · Governing framework: New Zealand Privacy Act 2020 · Last updated: [DATE — set at publication]

This policy also serves as the published privacy policy required for listing the Offers connector in AI-assistant tool directories (e.g. MCP connector directories).


At a glance

  • Browsing offers through your AI assistant requires no account and creates no profile of you. The only records that arise from anonymous browsing are a short-lived rate-limiting counter keyed to an IP address and short-lived security logs at our hosting provider's edge. We do not use either to identify or profile you.
  • We never see or store card numbers. Payment is collected by Stripe on behalf of the merchant and settles directly to the merchant at the moment of sale. We hold order records (amount, status, your name and email for voucher delivery), not payment credentials.
  • We never sell personal information and we run no advertising or cross-site tracking. The consumer surface is permanently unmonetized; we earn fees from merchants only.
  • The merchant is the seller. When you accept an offer we share your order details with the merchant, because the voucher is the merchant's obligation to you and your consumer-law rights sit with the merchant.
  • Your AI assistant sits between you and us. We receive only what your assistant's tool call sends; your conversation with the assistant is governed by the assistant provider's own privacy policy, not this one.
  • Nothing in this policy limits your statutory rights — see Section 17.4.

1. Who we are and what this policy covers

1.1 Offers is a verified-offers platform operated by [OPERATOR ENTITY — COUNSEL] ("we", "us", the "Platform"). Consumers discover offers through AI assistants using the Model Context Protocol (MCP) and, on acceptance, either purchase a single-use prepaid voucher directly from the merchant (a voucher-mode offer) or receive the merchant's offer code to use with the merchant (a code-mode offer).

1.2 We are not the seller. Each merchant is the merchant of record and seller of its own offers. For voucher-mode offers, payment settles directly from you to the merchant via Stripe at the moment of sale; the Platform never holds your money. This policy covers only the personal information the Platform collects and holds. It does not cover:

(a) the merchant's handling of your information once disclosed to it (the merchant is a separate agency under the Privacy Act 2020, responsible for its own compliance) [COUNSEL]; (b) your AI assistant provider's handling of your conversation and account (see Section 7); or (c) Stripe's handling of your payment details when it processes your payment for the merchant (see Sections 4.4 and 8). Stripe acts in two roles: as the merchant's payment processor for your purchase, and separately as our processor for merchant onboarding and merchant fee billing.

1.3 Offer verification ("Verified by AITWIRE") reflects independent measurement only. Measurement outcomes are never purchasable, and no personal information about consumers is used in, or sold for, verification, ranking, or placement.

1.4 Nothing in this policy excludes, restricts, or modifies any right you have under the Privacy Act 2020, the Consumer Guarantees Act 1993, or the Fair Trading Act 1986. Where this policy describes another party's responsibilities, that description does not reduce any responsibility we have under the Privacy Act for information held by our own processors on our behalf.

2. Definitions

  • "Acceptance" — the binding step where you confirm an offer on the consent page presented for it: for a voucher-mode offer, a purchase; for a code-mode offer, the issuance of the merchant's code to you.
  • "Agency", "personal information", "IPP" — as defined in the Privacy Act 2020; "IPP" means an Information Privacy Principle in section 22 of that Act.
  • "Code-mode offer" — an offer where Acceptance delivers the merchant's offer code to you; any payment happens later, directly between you and the merchant. The Platform collects no payment on a code-mode offer.
  • "Discovery surface" — the anonymous, read-only MCP endpoint your AI assistant queries to search and view offers (offers_find, offers_get).
  • "Merchant" — a business selling offers through the Platform as merchant of record.
  • "Processor" — a service provider that holds or handles personal information on our behalf and on our instructions.
  • "Redemption ledger" — our append-only record that a voucher or offer code was redeemed with the merchant.
  • "Voucher" — the single-use prepaid entitlement issued on a paid order under a voucher-mode offer, redeemable with the merchant. The voucher is the merchant's obligation.

3. The anonymous discovery surface: what we collect (and don't)

3.1 No account, no profile, no tracking. Browsing and searching offers requires no consumer account. We set no cookies on the discovery surface, use no advertising or analytics trackers, and assign no persistent identifiers to you. We do not build any history of what you searched or viewed for the purpose of identifying or profiling you, and we do not use the operational records described in 3.2 and 3.3 for that purpose.

3.2 IP addresses for rate limiting. To keep the endpoint available, we record a request counter keyed to the connecting IP address, evaluated over a rolling 60-second window. These counters exist solely for abuse prevention. Counter entries are overwritten in operation and stale entries are purged on a scheduled cycle of no more than [30 days]. [OPS: purge implemented — stale rate-limit rows older than 24 hours and usage events older than 30 days are deleted opportunistically from the admin metrics path.] Note that when your assistant provider relays the request from its own servers, the IP address we see is typically the provider's, not your device's.

3.3 Tool-call contents are processed transiently. The contents of a discovery tool call (e.g. a search category, city, or offer ID) are processed only to answer that call and are not stored as a record about you. Short-lived operational logs at our hosting provider's edge (Cloudflare) may transiently include request metadata (including IP address) for security and debugging; these are retained for [OPS: state edge log retention period] and are not used to profile consumers. [COUNSEL]

3.4 Aggregate usage statistics. We keep aggregate connector-usage events so we can operate the service: the type of request made (e.g. a connection, a search, an offer-details view) and, for offer-details views, which offer was viewed. These events are statistics about the service and its listings — they carry no identifier linking them to you: search and view events store no visitor identifier at all, and connection events store only a truncated hash of the connecting IP address salted with the calendar date, which cannot be linked across days. No search text is ever stored. These events are deleted within 30 days.

4. When you accept an offer: what we collect

4.1 Consent page. Binding assent happens at the Acceptance step, on a consent page that identifies the merchant as seller. That page uses only strictly necessary session state to complete the Acceptance — no advertising or analytics trackers. [OPS: confirm at build time]

4.2 What we collect at Acceptance (both modes):

Information Why
Name and email address To deliver your voucher or offer code, send your receipt or confirmation, and enable the merchant to honour the offer and your consumer-law rights
Delivery/contact details reasonably needed for the specific offer (if any) Fulfilment of that offer by the merchant
Acceptance/order record: offer, amount and currency (voucher-mode), status, timestamps, Stripe transaction references (voucher-mode) Recording the transaction and the Platform's merchant-side fees, support, and dispute handling
Voucher or code record: token/code reference, status (issued/redeemed/expired), expiry date Operating the single-use entitlement and its lawful expiry

4.3 Code-mode offers: no payment through us. On a code-mode offer we collect no payment and no payment information at all; we record the Acceptance, deliver the merchant's code, and bill the merchant a per-acceptance service charge. Any later payment is made by you directly to the merchant and is outside Platform systems entirely.

4.4 Voucher-mode payment is processed by Stripe for the merchant, not us. Your payment is collected by Stripe, Inc. and its affiliates as payment processor and settles directly to the merchant's own Stripe account; the merchant is the merchant of record for the charge. Card numbers and full payment credentials never pass through or rest on Platform systems — the payment fields on the consent page are served by Stripe. [OPS: confirm the chosen Stripe surface (Checkout/Elements) keeps all card data off Platform-rendered pages before publication.] We store only non-sensitive references (e.g. a Stripe payment/charge identifier).

4.5 Disclosure to the merchant (IPP 11). Because the merchant is the seller and the voucher (or honoured code) is the merchant's obligation, we disclose your Acceptance, order, and voucher/code details (including your name and contact details) to the merchant. Your rights under the Consumer Guarantees Act 1993 and Fair Trading Act 1986 sit with the merchant and are never excluded; the merchant needs this information to honour them. [COUNSEL]

4.6 Redemption records. When you redeem, we record the redemption in an append-only ledger: voucher/offer reference, time, channel (e.g. QR scan, merchant dashboard), the merchant-side credential that performed it, and optionally a merchant-entered reference. We instruct merchants not to enter unnecessary personal information in free-text redemption fields. Redemption records exist to prove single use, prevent fraud, and evidence delivery — including as transactional evidence in our independent measurement of merchant performance (see Section 8.3 for what the measurement engine does and does not receive).

5. Merchant personal information we hold

5.1 For merchants (including sole traders, whose business information can be personal information) and their staff, we hold:

(a) Profile and vetting records — business name, contact details, address, domain-verified email, licence or inventory evidence supplied during pre-listing vetting, and vetting status; (b) Offer records — offers created, including the merchant's compliance attestation at creation (the lawful basis declared for the chosen expiry, the identity of the individual who attested, and when) — kept as a durable record because the attestation allocates legal responsibility; (c) Stripe connection records — the merchant's Stripe account ID, capability flags (charges/payouts enabled), country and currency, and a tokenised reference to the merchant's card on file for fee billing (the card number itself is held by Stripe, not us); (d) Risk, status, and moderation records — exposure caps, freeze status and reason, arrears status, and records of offer takedown or moderation decisions, including complaints or reports we received about an offer; (e) Staff/actor identifiers — the merchant-side credential or named individual that created or attested an offer or performed a redemption; (f) Ledgers — redemption ledgers and fee ledgers (commissions, per-acceptance service charges, and breakage fees with tax invoices).

5.2 Wind-down portability (merchant exit). If a merchant exits the Platform, we provide the merchant with complete copies of its voucher and redemption ledgers so outstanding vouchers remain honoured merchant-direct. Those ledgers include consumer order details already disclosed to the merchant at Acceptance under Section 4.5; the wind-down copy is principally a re-provision of that information, and it is necessary for the merchant, as seller, to continue honouring your voucher. The exiting merchant remains a separate agency under the Privacy Act 2020 and is contractually required to use the ledgers only to honour vouchers, meet its legal obligations, and handle your consumer-law claims. [COUNSEL]

5.3 Merchant insolvency. If a merchant enters liquidation, receivership, or a comparable process while vouchers are outstanding, we may disclose that merchant's voucher and redemption ledgers (including the consumer order details within them) to the appointed insolvency practitioner so that outstanding vouchers can be honoured or consumer claims recognised. You may also request copies of your own order, voucher, and redemption records (Section 11) to support a claim in such a process. [COUNSEL]

5.4 Platform wind-down. If the Platform itself winds down the pilot, the same portability applies: each merchant receives its complete voucher and redemption ledgers so outstanding vouchers remain honoured merchant-direct, and records we retain remain governed by this policy and the retention periods in Section 10. [COUNSEL]

6. Purposes and lawful basis (IPPs 1–4, 10)

6.1 We collect personal information only where necessary for Platform functions: operating the discovery surface securely; forming and recording contracts of sale between you and merchants; issuing, delivering, and redeeming vouchers and codes; billing merchants (including commissions, per-acceptance service charges, and breakage fees); operating our merchant risk controls (pre-listing vetting, redemption-based exposure caps, arrears or fraud freezes, and offer takedown/moderation); preventing fraud and abuse; handling disputes, chargebacks, and complaints; meeting tax, accounting, and legal obligations; independent measurement and verification of merchant performance (which uses transactional and redemption records, not consumer profiles); and responding to support requests and legal process.

6.2 We collect information directly from you (via your assistant's tool call and the consent page) or from your authorised agent — your AI assistant acting on your instruction [COUNSEL — IPP 2 agent-collection framing]. We do not use personal information for purposes materially different from those above, and we do not use consumer personal information to train AI models.

7. Your AI assistant sits in the middle

7.1 Requests reach us through the AI assistant you use (e.g. via an MCP connector). We receive only what the tool call carries. We do not receive your conversation history, your assistant account details, or anything the assistant provider holds about you.

7.2 Your assistant provider independently processes your conversation, including what you tell it about offers, under its own privacy policy. The assistant provider is a separate agency; it is not our processor or agent, and this policy does not govern its conduct. This paragraph describes responsibility under the Privacy Act; it does not exclude any liability we have for our own acts or omissions.

8. Processors and cross-border disclosure (IPP 12)

8.1 We use these processors, which hold information on our behalf under contractual safeguards:

Processor Role Where
Cloudflare, Inc. Edge network, application hosting, and primary database (Workers/D1) Global edge network; primary data storage location [OPS/COUNSEL: confirm and state honestly — no fixed region is currently configured]
Stripe, Inc. and affiliates (including Stripe New Zealand) In its role as our processor: merchant onboarding/KYC and merchant fee billing (including the card-on-file for breakage fees) United States and global infrastructure
[EMAIL DELIVERY PROVIDER — OPS: name before publication] Delivery of vouchers, codes, receipts, and confirmations by email [state jurisdiction]

For your voucher-mode purchase itself, Stripe processes your payment as the merchant's payment processor (Section 4.4), not as our processor; your payment credentials are held by Stripe under Stripe's own privacy policy.

8.2 Some of this storage and processing occurs outside New Zealand. Where we disclose personal information to an overseas agency, we rely on contractual and other safeguards intended to provide comparable protection to the Privacy Act 2020 [COUNSEL — confirm the IPP 12 basis for each processor before publication].

8.3 The AITWIRE measurement engine, which provides merchant identity resolution and independent verification, is operated by [RELATED ENTITY / SAME ENTITY — COUNSEL]. It processes merchant business information and transaction-level redemption evidence; it does not receive consumer names, email addresses, or other consumer contact details, and it builds no consumer profiles. [OPS: confirm the engine contract excludes consumer identifiers before publication.]

9. Disclosures we may make

Beyond the disclosures described in Sections 4.5, 5.2–5.4, and 8, we disclose personal information only:

(a) For disputes and chargebacks — order, voucher/code, and redemption records may be shared with the merchant, Stripe, and the relevant card issuer or financial institution to evidence whether a purchase was made and delivered, when you or your bank dispute a charge, or to prevent or investigate payment fraud; (b) For legal claims — where reasonably necessary to establish, exercise, or defend legal claims arising from a sale, redemption, or offer, including consumer-law claims involving the merchant [COUNSEL]; (c) Where required or authorised by law — to courts, law enforcement, Inland Revenue, the Commerce Commission, the Office of the Privacy Commissioner, or other regulators, in response to lawful requirements or as an IPP 11 exception permits [COUNSEL]; (d) To our advisers — professional advisers (legal, accounting, audit) bound by confidentiality, where needed for the purposes in Section 6.1.

We do not make any other routine disclosures, and Section 12 (what we never do) applies to every disclosure above.

10. Retention (IPP 9)

We keep personal information only as long as needed for the purpose collected, then delete or de-identify it:

Data class Retention
Discovery-surface rate-limit counters (IP-keyed) Operational window (60 seconds active); stale entries purged within [24 hours — purge implemented, see 3.2]
Discovery tool-call contents Transient processing only; not retained as records about you (edge logs: [OPS — state period])
Aggregate connector-usage events (no visitor linkage on content events; day-salted connection hash only) Deleted within [30 days]
Acceptance/order records, vouchers/codes, receipts, fee ledgers, tax invoices (including breakage-fee invoices) [7 years] from the transaction, per NZ tax record-keeping obligations [COUNSEL — Tax Administration Act 1994]
Redemption ledgers [7 years], aligned to the order records they evidence [COUNSEL]
Consumer name/contact details held within an order record Retained while the voucher is live (up to the 3-year maximum expiry) and for the dispute and claims window after that; where feasible, de-identified within the retained order record before the end of the full [7-year] period [COUNSEL — confirm whether tax records require identity to persist for the full period]
Merchant vetting, attestation, risk, and takedown/moderation records Duration of the merchant relationship plus [7 years]; attestation records retained for the full period the underlying offer could be challenged [COUNSEL]
Support and complaint correspondence [2 years] after resolution, unless connected to a live dispute or claim [OPS/COUNSEL]

A merchant's account (and the records supporting it) remains open while any voucher it sold is outstanding, so vouchers stay honourable.

11. Access and correction (IPPs 6 and 7)

11.1 You may request access to, and correction of, personal information we hold about you. Contact: [PRIVACY OFFICER EMAIL — OPERATOR ENTITY — COUNSEL]. We will respond within 20 working days as required by the Privacy Act 2020. If we decline correction, you may request that a statement of the correction sought be attached to the information.

11.2 Because the discovery surface is anonymous, we hold nothing that identifies you unless you accepted an offer; access requests about browsing alone will usually return no information because none exists. Requests about purchases are answered from Acceptance, order, voucher/code, and redemption records matched by the email address on your order.

11.3 We will take reasonable steps to verify that an access or correction request comes from the individual concerned (or their authorised agent) before releasing information, so that the access right cannot be used to obtain someone else's order details.

12. What we never do

12.1 We do not sell personal information. This is an unconditional commitment, not a pilot-period one.

12.2 We run no advertising, ad targeting, or cross-site tracking, on any surface.

12.3 Verification neutrality: measurement and verification outcomes are never purchasable. No merchant can pay for rank, placement, or a verification result, and no consumer data is monetised — the consumer surface is permanently unmonetized. Platform revenue comes only from merchant-side fees (a commission on paid offers, a per-acceptance service charge on code-mode offers, and a breakage fee on expired-unredeemed vouchers, billed direct to the merchant and never taken from, or netted against, consumers).

13. Security (IPP 5)

We protect personal information with safeguards appropriate to its sensitivity: encryption in transit, access controls scoped to role, tokenised payment references (never raw card data), single-use voucher tokens, append-only ledgers for redemption and fee events, and merchant risk controls (vetting, redemption-based exposure caps, freezes) that limit the blast radius of a compromised merchant account. [OPS: keep this list synchronised with what is actually deployed; do not publish capabilities that are not live.]

14. Privacy breach notification

If a privacy breach occurs that has caused, or is likely to cause, serious harm, we will notify the Office of the Privacy Commissioner and affected individuals (consumers and merchant personnel alike) as soon as practicable, as required by Part 6 of the Privacy Act 2020, and we will tell you plainly what happened, what information was involved, and what we are doing about it.

15. Children

The Platform is not directed at children, and offers are contracts of sale intended for adults. We do not knowingly collect children's personal information. [COUNSEL — confirm whether an age statement or gate is required for any offer class (e.g. alcohol, adult experiences)]

16. Changes to this policy

16.1 We may update this policy as the pilot evolves. The current version is always published at [URL]; material changes will be dated and, where they affect information already collected, notified to affected merchants and (where we hold contact details) consumers before taking effect.

16.2 No change will retroactively weaken the commitments in Section 12, and no change will apply information already collected to a materially new purpose without the notice or authorisation the Privacy Act requires.

17. Complaints, contact, and your statutory rights

17.1 Privacy questions or complaints: [PRIVACY OFFICER — OPERATOR ENTITY — COUNSEL], [address], [email].

17.2 If you are unsatisfied with our response, you may complain to the Office of the Privacy Commissioner (Te Mana Mātāpono Matatapu): www.privacy.org.nz.

17.3 This policy is governed by New Zealand law.

17.4 Nothing in this policy excludes, restricts, or modifies your rights under the Privacy Act 2020, the Consumer Guarantees Act 1993, the Fair Trading Act 1986, or any other law that cannot be contracted out of.

OffersFor customersFor merchantsConsumer termsMerchant termsPrivacymatt@mattherbert.ca