Privacy

1. Who we are

Cloverbase Limited (NZBN 9429051598744) is a New Zealand company based at Whangārei Heads, Northland. We are the data controller for any personal information collected through cloverbase.com, the Cloverbase Diagnostic, our proposals, and our client engagements.

You can reach us through the contact page for any privacy question or request.

2. What we collect

We collect personal information in three contexts.

• When you contact us. Your name, email, organisation, role, and whatever you tell us in your message.
• When you take the Cloverbase Diagnostic. Your answers to the diagnostic questions and (only if you ask us to send your result) your name and email. The diagnostic does not require an account or login.
• When you become a client.The information needed to deliver, invoice, and document the engagement: the principals’ contact details inside your organisation, scope and timeline, and the artefacts produced during the work.

We do not collect special-category personal information (health, ethnicity, political views, biometrics, etc.) and we do not ask for it.

3. Cookies and analytics

cloverbase.com sets one essential cookie for session continuity. We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking.

We use a privacy-preserving analytics service (Plausible Analytics, hosted in the EU) to count page views and referrers in aggregate. Plausible does not set cookies, does not collect personal data, and does not retain IP addresses. You do not need to accept anything to use cloverbase.com.

4. Why we collect what we collect

To answer your question, deliver an engagement, send you something you asked for, produce an aggregate picture of how the site and the diagnostic are being used so we can improve them, and meet our New Zealand legal obligations (tax, financial records, the Privacy Act 2020).

We do not collect, retain, or process personal information for any other purpose without your consent.

5. AI training and automated decision-making

We do not train, fine-tune, or otherwise use AI models on your personal information, your diagnostic answers, your engagement materials, or any content you share with us. This is a categorical commitment, not a configurable setting.

Where Cloverbase uses AI tools internally (for example, to draft a summary of a public meeting note, or to translate between languages), the inputs come from public sources or from our own work product. Client material is not put into third-party AI services without your explicit written agreement, and is never used to train external models.

The Cloverbase Diagnostic uses a static rules engine to score your answers. There is no machine-learning model evaluating you and no automated decision is made about you that has legal or similarly significant effects. The result is a structured output you control.

6. Who we share data with

We use a small set of third-party services to run the business. Each is named below with what they do and where they store data.

• Vercel (United States) · hosts cloverbase.com.
• Microsoft 365 (Australia, New Zealand) · email, calendar, documents, and Microsoft Bookings.
• Calendly (United States) · Mark’s discovery booking link.
• Plausible Analytics (Germany) · privacy-preserving analytics, no personal data.
• Xero (New Zealand) · invoicing and accounting records for paid engagements.

We do not sell, rent, or trade your personal information. We do not share your information with marketers, data brokers, or AI training providers under any circumstances.

7. International transfers

Some of the providers listed above store data outside New Zealand (the United States, the European Union, or Australia). Where this happens, we rely on the reasonable-protection assessment in section 22 of the Privacy Act 2020, including the equivalent-protection schedules issued by the Office of the Privacy Commissioner in 2024 and updated in 2025. For visitors in the European Union or the United Kingdom, we rely on the Standard Contractual Clauses (UK addendum where applicable) adopted by the relevant provider.

8. How we keep your information safe

We use the providers named above precisely because they meet enterprise-grade security standards (SOC 2, ISO 27001, or equivalent). Access inside Cloverbase is limited to the principals. We use multi-factor authentication on every account that holds client data. We retain personal information only as long as we need it for the purpose it was collected, or as required by New Zealand law (financial records, for example, must be retained for seven years).

If we ever experience a notifiable privacy breach as defined by Part 6 of the Privacy Act 2020, we will notify the Office of the Privacy Commissioner and any affected individuals as soon as practicable.

9. Your rights

Under the Privacy Act 2020, you have the right to ask us:

• What personal information we hold about you.
• To correct any personal information that is wrong.
• To delete personal information we no longer have a lawful basis to keep.
• To stop using your personal information for any purpose you have not agreed to.

If you are a resident of the European Union or the United Kingdom, the General Data Protection Regulation gives you equivalent rights, plus the right to data portability and to object to processing on legitimate-interest grounds.

Send any of these requests through the contact page and we will respond within ten working days. There is no fee unless your request is manifestly unfounded or excessive (which we have not seen happen).

10. Children

Cloverbase is not directed at children under sixteen and we do not knowingly collect personal information from anyone under sixteen. If you believe a child has provided us with personal information, contact us and we will remove it.

11. Changes to this policy

This policy is versioned with the brand. Material changes are dated at the top of the page and announced on cloverbase.com. The previous version is archived and available on request.

12. If you are not happy

If you are not satisfied with how we have handled your personal information, you can complain directly to us through the contact page, or you can complain to the New Zealand Office of the Privacy Commissioner at privacy.org.nz. If you are in Australia, the equivalent body is the Office of the Australian Information Commissioner. If you are in the European Union or United Kingdom, your supervisory authority is listed at the European Data Protection Board’s website.

Document control. Cloverbase Privacy Policy v1.0. Last updated 10 May 2026. Owned by Mark Smith and Meg Smith.