← Short summary

RANZ Hub — Privacy Policy

Effective date: 20 April 2026
Version: 2026.05

1. Who we are

The RANZ Hub ("the Hub", "we", "our", "us") is operated by the Roofing Association of New Zealand Incorporated ("RANZ"), a registered incorporated society (NZ registration: [TBC]). You can contact our Privacy Officer at any time:

  • Privacy Officer: Luke Boustridge, CEO
  • Email: privacy@ranz.co.nz
  • Postal: 13/9 Lovell Court, Rosedale, Auckland 0632, New Zealand

2. What this policy covers

This policy explains how we collect, use, store, and share personal information when you use the RANZ Hub. It is governed by the NZ Privacy Act 2020 and the 13 Information Privacy Principles.

3. What information we collect

Directly: name, email, roofing role, region, years of experience, primary sectors, company name, brands you install, your consent preferences.

Automatically: learning activity (questions, answers, scores, badges, streaks, certificates), device and technical data (browser, device, IP, session, push subscription tokens), usage patterns within the Hub.

We do NOT collect: payment information, third-party advertising or analytics tracking cookies, Google account data beyond name and email.

4. Why we collect it (IPP 1)

  1. Providing the service.
  2. Tailoring learning pathways to your sector and role.
  3. RANZ industry reporting (aggregated, de-identified).
  4. Supplier reporting (aggregated, de-identified — see §5).
  5. Safety, security, fraud prevention.
  6. Communications (service notifications, and marketing if you opt in).

5. Supplier reporting

Suppliers may sponsor extra learning content. Sponsored content is clearly labelled and reviewed by RANZ's Technical Committee. Suppliers receive aggregatedreports only — they never see names, emails, company names, or anything identifying. We apply a minimum cohort of 10 installers to every reported statistic to prevent re-identification. You can opt out of supplier reporting at any time in your account settings.

5b. AI features (Ask, photo classifier, admin AI-assist)

The Hub uses AI (large language models) to answer questions in "Ask", classify photos you attach, and help admins draft corrections to learning content. To do this, we send the following to our AI provider (Ollama Cloud, hosted in the United States) on a per-request basis:

  • the question text or admin prompt you submit;
  • any photo you attach (for vision-based answers / classification);
  • retrieved excerpts from indexed source documents (the Building Code, MRM Code of Practice, etc.);
  • if you flag an AI answer as wrong: the original question, the AI's answer, your reason, and the source IDs the AI used.

We do not send your name, email, or contact details to the AI provider. We do not use your AI interactions to train third-party models, and we do not sell this data. We retain AI interaction logs for up to 90 days for safety, abuse prevention, and quality improvement, then anonymise them.

Important: AI output can be wrong. The Hub is provided as an information aid only and you must verify any answer against the cited source before relying on it. See our Terms of Use for the full disclaimer and limitation of liability.

6. Who we share information with (IPP 11)

Google (sign-in), SwiftFox CRM (email and typed company name, at sign-in and profile setup, to verify membership and match your company), Neon (database hosting, US), Vercel (application hosting), Cloudflare (file storage, edge network), Ollama Cloud (AI inference for Ask and photo classification — see §5b), Resend (transactional email), web push services (FCM, APNS, Mozilla), supplier partners (aggregated only), and government / law enforcement where required by NZ law. We do not sell your personal information.

Overseas disclosure (IPP 12). Some service providers process data in the United States. We only disclose personal information to overseas recipients where they are subject to comparable privacy laws or have contractual safeguards in place.

7. How long we keep it (IPP 9)

  • Active accounts — kept while the account is active.
  • Closed accounts — identifiers anonymised immediately; aggregated activity kept 12 months then hard-deleted.
  • Consent records — 7 years.
  • Invoicing / legal records — as required by Companies Act / IRD rules (typically 7 years).

8. How we keep it safe (IPP 5)

TLS 1.2+ in transit, AES-256 at rest. Google OAuth — we never see your password. Least- privilege production access; access is logged. OWASP Top 10 is part of our change review. In the event of a notifiable privacy breach (one causing or likely to cause serious harm), we will notify the Office of the Privacy Commissioner and affected individuals as soon as practicable after becoming aware, as required by the Privacy Act 2020.

9. Your rights (IPP 6 & 7)

  • Access — "Export my data" in your account.
  • Correct — most fields are editable; otherwise email us.
  • Withdraw consent — in your account settings.
  • Delete — from your account settings.
  • Complain — to us first, then privacy.org.nz / 0800 803 909.

We respond to access or correction requests within 20 working days.

10. Children

The Hub is for people in the roofing trade. We do not knowingly collect information from anyone under 16. If you believe we have, contact us and we will delete it.

11. Cookies and local storage

We use only essential cookies: session, CSRF protection, service worker cache, and preference storage. No advertising or tracking cookies.

12. Changes to this policy

Material changes trigger a version bump, in-app banner, and re-consent where the change affects how your data is used.

13. Contact

Privacy Officer — Luke Boustridge, CEO
Email: privacy@ranz.co.nz
Post: 13/9 Lovell Court, Rosedale, Auckland 0632, New Zealand

Office of the Privacy Commissioner — privacy.org.nz — 0800 803 909 — enquiries@privacy.org.nz — PO Box 10 094, Wellington 6143.