RapidCert

Privacy Policy

Last updated: 20 May 2026

1. Who we are

RapidCert is operated by M&L RYAN LIMITED trading as RapidCert, NZBN 9429052857768 ("we", "us", "our"). RapidCert is a contractor/supplier prequalification platform operated in New Zealand. Our website is rapidcert.co.nz. You can contact us at hello@rapidcert.co.nz.

2. Scope and programme administrator roles

This privacy policy explains how we collect, use, disclose, store, and protect personal information through our website and Platform. Programme administrators may also collect and use information through their own prequalification programmes and may have their own privacy obligations, notices, and retention requirements.

Where you submit information for a programme, the relevant programme administrator controls programme requirements, assessment decisions, access by assessors, and programme-specific retention or deletion instructions. RapidCert provides and operates the technology platform and related services, and is responsible for the platform, security, support, analytics, legal compliance, and service improvement purposes that we determine ourselves.

If you submit personal information about another person, such as an employee, subcontractor, insurer contact, referee, or other third party, you are responsible for ensuring you have authority to do so and, where required, that the person is informed that their information may be collected, used, disclosed, stored, retained, and processed as described in this policy, including by programme administrators, service providers, overseas recipients, and AI-assisted features.

3. Information we collect

We may collect the following types of information:

  • Information you provide: name, email address, company name, and message content when you submit our contact form.
  • Account information: name, email, company details, user roles, and other information provided during registration or account use on the RapidCert platform.
  • Prequalification data: evaluation responses, uploaded evidence documents, insurance policy details, payment-related information, assessor notes, renewal information, and communications submitted through the platform.
  • AI-assisted workflow data: information submitted through the platform that may be processed by AI-assisted features to support summarisation, classification, extraction, review, or operational workflow assistance.
  • Usage and analytics data: information about how you interact with our website and platform, including pages visited, features used, browser type, device information, IP address, identifiers, events, and approximate location derived from technical data.
  • Security and support data: information used for fraud prevention, bot protection, error monitoring, debugging, audit, security, support, and service improvement.

4. How we use your information

We use your information to:

  • Provide, operate, secure, maintain, and improve the RapidCert platform
  • Process prequalification evaluations, insurance tracking, renewals, and payments
  • Share programme submissions with the relevant programme administrator and assessors
  • Respond to enquiries submitted through our contact form
  • Send evaluation, renewal, insurance expiry, support, and service notifications
  • Analyse usage patterns to improve our website and platform
  • Provide AI-assisted features that support platform and programme workflows
  • Prevent misuse, investigate errors, maintain audit records, and protect security
  • Comply with legal obligations and enforce our agreements

5. AI-assisted processing

RapidCert may use AI-assisted features to help provide, operate, secure, and improve prequalification workflows using information submitted through the platform. These features may assist with tasks such as summarising information, extracting document details, classifying responses, highlighting potential issues, drafting operational suggestions, or supporting assessor and administrator review.

AI-assisted features are intended to support human users and programme administrators. They do not replace programme administrator review, judgement, or final decision-making. We currently use the paid Gemini API for AI-assisted processing. Under Google's published terms for paid Gemini API services, prompts, files, cached content, and responses are not used to improve Google's products, but may be logged, stored transiently, or cached for a limited period in countries where Google or its agents maintain facilities for abuse monitoring, safety, security, and required legal or regulatory purposes. Unless we expressly agree otherwise, we do not permit third-party AI providers to use customer or programme data submitted through the Platform to train their general-purpose models.

If you have concerns about AI-assisted processing of your data for a programme, contact the relevant programme administrator to discuss available options, including whether an alternative process or opt-out is available for that programme.

6. Analytics, cookies, monitoring, and bot protection

We use analytics services including PostHog and Google Analytics to understand how visitors and users interact with our website and platform. These services may use cookies, local storage, and similar technologies to collect information such as pages visited, time spent on pages, referring URLs, device information, events, and identifiers. Where you submit a form or use the platform, analytics data may be linked to your contact or account details.

We may also use session replay with sensitive inputs masked, error monitoring, logging, and bot-protection tools such as Cloudflare Turnstile to protect the service, diagnose issues, and improve reliability. You can control some cookie and storage preferences through your browser settings, but disabling them may affect service functionality.

7. How we share your information

We do not sell your personal information. We may share information with:

  • Prequalification programme administrators: evaluation data, evidence, insurance information, payment status, renewal information, and related records are shared with the client organisations that manage the prequalification programmes you participate in.
  • Authorised users and assessors: information may be visible to users who are authorised by the relevant programme administrator or your organisation.
  • Service providers: third-party services that help us operate our platform, such as cloud hosting, storage, payment processing, email delivery, analytics, error monitoring, bot protection, security, support, and AI-assisted workflow providers.
  • Legal and safety requirements: where required or permitted by law, regulation, court order, legal process, security incident response, or to protect rights, safety, and property.

8. Overseas disclosure and service providers

Our platform infrastructure is hosted on Amazon Web Services (AWS). We also use service providers that may process or store information in New Zealand, Australia, the United States, Europe, or other countries where they or their subprocessors operate.

Where Information Privacy Principle 12 applies, we disclose personal information overseas only where we reasonably believe the recipient is subject to the New Zealand Privacy Act, comparable privacy laws, prescribed safeguards, or contractual, technical, and organisational safeguards that provide comparable protection, or where another lawful basis applies, such as informed authorisation. Some overseas recipients may be subject to different privacy laws from New Zealand.

9. Data storage and security

We use reasonable technical and organisational measures to protect information, including access controls, encryption in transit, infrastructure security controls, monitoring, and operational safeguards. No method of electronic storage or transmission is 100% secure.

If we become aware of a privacy or security incident affecting personal information, we will assess it and take steps required by applicable law, which may include notifying affected people, programme administrators, or the Office of the Privacy Commissioner where required.

10. Your rights

Under the New Zealand Privacy Act 2020, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Ask us to delete or stop retaining information where it is no longer needed
  • Complain to the Office of the Privacy Commissioner if you believe your privacy has been breached

To exercise these rights, contact us at hello@rapidcert.co.nz. We may need to verify your identity and, for programme-specific records, coordinate with the relevant programme administrator. Deletion or retention requests are subject to legal, contractual, operational, backup, audit, security, and programme retention requirements.

11. Data retention

We retain information for as long as needed to provide our services, operate the Platform, support programme administrators, comply with legal obligations, resolve disputes, maintain security and audit records, and enforce our agreements. Prequalification records may be retained for the period required by the relevant programme administrator or applicable programme requirements.

Deleting or closing an account may not immediately remove all information, including records retained for programme administration, legal compliance, backups, audit logs, fraud prevention, security, dispute resolution, or legitimate business purposes.

12. Third-party links

Our website and Platform may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to read their privacy policies.

13. Changes to this policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated "last updated" date. Material changes may also be notified through the Platform or by email where practicable.

14. Contact us

If you have questions about this privacy policy or how we handle your information, contact us at hello@rapidcert.co.nz.