Privacy Policy

1. Introduction & scope

• This policy applies to all users of Fidella (Customers, Staff, Site Admins, Super Admins) and visitors of fidella.app.
• Fidella is a product of Kiwana Labs. Where this policy refers to "we" or "us", it refers to Kiwana Labs acting as the controller of personal data processed through the Fidella platform.

2. Data we collect

• Account data: name, email, Auth0 identifier, profile preferences, messaging preferences, analytics consent choices, and country/region.
• Usage data: device info, app interactions, and crash/diagnostic events, with PII scrubbing applied per our internal logging policy.
• Loyalty activity: site memberships, stamps/points/balances, rewards earned and redeemed, and Fidella Credit loads or transfers.
• Payment data: payment intent references and tokens processed by Stripe. We do not store card numbers.
• Support & communications: messages sent to support, contact requests, and interest registrations for unsupported regions.
• Optional profile fields: gender (for self-identification and aggregate, non-identifying reporting) and coarse location (for "nearest site" sorting on the Discover map). Both are optional, never used for advertising, never shared with merchants at the individual level, and can be cleared at any time.
• Age band: we capture a coarse age band at signup (under 16 / 16–18 / adult) to enforce minimum-age requirements. We deliberately do not collect a date of birth.

3. How we use data

• Service delivery (contract): authenticating users, operating loyalty programs, issuing and redeeming Fidella Credits, wallet passes, and vouchers.
• Security and fraud prevention (legitimate interests): abuse prevention, rate limiting, transfer limits informed by anti-money-laundering controls, and incident response.
• Analytics and product improvement (consent): non-essential analytics run only when you give explicit consent. Your consent choice is stored on your account and returned in account exports.
• Marketing (consent): optional communications and offers, unsubscribable at any time.

4. Data sharing

• Identity & auth: Auth0 for authentication and profile claims.
• Payment processing: Stripe for Fidella Credit purchases and related settlements.
• Infrastructure: hosting, storage, CDN, and email providers as subprocessors.
• Analytics & observability: tools such as Sentry, Mixpanel, and Google Analytics, with PII scrubbing and consent respected where applicable.
• Business operators (merchants): participating merchants receive only the customer data necessary to fulfil loyalty interactions, under a limited licence.

5. International data transfers

Personal data may be processed outside New Zealand. Where transfers occur, safeguards such as standard contractual clauses or equivalent mechanisms are applied where required by law.

6. Data retention

• Account/profile and server-side consent records: 24 months after deactivation or last verified activity.
• Loyalty, voucher, transfer, and stored-value ledger records: 7 years after the transaction or completion date, and longer where a dispute or legal hold applies.
• Support records: 24 months after ticket closure. Compliance, fraud, and legal-hold records: 7 years after case closure or release.
• Raw logs with identifiers: 30 days. Aggregated telemetry: 13 months.
• Backups: 35-day rolling retention, with masked-restore controls applied before any restored data is reintroduced to production access paths.

7. Legal basis for 7-year ledger retention

When you deactivate or delete your Fidella account we anonymise your profile data after 24 months. We retain the financial and loyalty ledger for 7 years from the deactivation date because we are legally required to keep accurate records of stored-value, refund, and tax-relevant transactions.

The retained tables include transactions, vouchers, promotion_applications, offer_inventory_ledger, settlements, refund-request tables, Stripe payment records, and wallet-pass identifiers (push tokens are cleared).

After profile anonymisation, the only personal-data fields that remain on these ledger rows are an opaque user identifier (used as a join key), Stripe payment-intent IDs (required by Stripe's own reconciliation), and non-personal data such as amounts, timestamps, site IDs, and offer/voucher IDs.

If you want ledger entries deleted before the 7-year window expires, contact us at privacy@fidella.app. We will assess whether a tax or anti-money-laundering hold applies. If it does, we will tell you the earliest date the record can be removed.

8. Your rights

• Access, correction, portability (export), and deactivation requests can be submitted via privacy@fidella.app or the in-app account tools. Exports include persisted messaging and analytics consent metadata; raw push subscription endpoints and other device secrets are excluded.
• Deactivation disables access immediately, clears active sessions and device/pass artefacts, and schedules profile anonymisation after 24 months unless a legal hold applies.
• Object to or withdraw consent for non-essential analytics or marketing at any time.
• Complaints may be directed to the relevant supervisory authority in New Zealand.

9. Fidella Credits & stored value

• Fidella Credits are closed-loop stored value usable only within the Fidella network. They are not e-money.
• Credits do not expire unless required by law, and are not redeemable for cash except where mandated by law.

10. Regional compliance

Fidella is designed to be compatible with GDPR-style rights and the New Zealand Privacy Act. Cross-border transfer assessments and Data Processing Addenda are completed for each merchant and region as required.

11. Contact

Privacy requests: privacy@fidella.app

12. Updates to this policy

We may update this policy from time to time. Material changes will be communicated through the Fidella app or by email. Continued use of Fidella after the effective date constitutes acceptance of the updated policy.