Privacy Policy

Latch NZ Ltd (“Latch”, “we”, “us”, or “our”) operates the Latch platform at latchapp.co.nz. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our service, and your rights under the New Zealand Privacy Act 2020.

By using Latch, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our service.

1. Who we are

Latch NZ Ltd is a New Zealand company providing automated gym door access and membership payment software. Our contact email is support@latchapp.co.nz.

2. Information we collect

Account information

When you create a Latch account, we collect:

• Your name and email address
• A password (stored as a secure hash — we never store your plain-text password)
• Your role (gym owner or member)

Gym owner information

If you set up a gym on Latch, we also collect:

• Your gym name and membership price
• Stripe account connection details (managed by Stripe — we do not store full payment credentials)
• Configuration settings for your doors

Usage data

When the platform is used, we collect:

• Door unlock events (member ID, timestamp, door ID)
• Payment events (sourced from Stripe webhooks)
• Access grant and revocation events
• Server logs (IP address, browser type, pages visited)

Analytics

We use Google Analytics (GA4) to understand how visitors use our website. GA4 collects anonymised data about your visit including pages viewed, session duration, and approximate location. This data is processed by Google and governed by Google's Privacy Policy. We do not use analytics data to identify individuals.

3. How we use your information

We use the information we collect to:

• Create and maintain your account
• Provide and operate the Latch service
• Process and manage gym membership payments via Stripe
• Grant and revoke door access based on payment status
• Send transactional emails (payment confirmations, renewal reminders, access notifications)
• Provide customer support
• Maintain security and audit logs
• Comply with legal obligations
• Improve our service

We do not sell your personal information to third parties. We do not use your personal information for unsolicited marketing without your consent.

4. How we store your information

Your data is stored in Supabase (a managed PostgreSQL service). Latch uses the Supabase region ap-southeast-2 (Sydney, Australia), which means your personal information is stored in Australia. We have selected this region for proximity to New Zealand and to comply with the spirit of the NZ Privacy Act 2020's requirements around cross-border disclosures.

Payment information is handled by Stripe and is subject to Stripe's privacy policy. We do not store full card numbers or CVV codes — Stripe handles all payment processing.

5. Third parties we share data with

We share data with the following third-party services to operate Latch:

• Supabase — database and authentication provider. Data stored in Sydney, Australia.
• Stripe — payment processing. Subject to Stripe's Privacy Policy.
• Vercel — hosting and serverless functions. Processes request data to serve the application.
• Google Analytics — anonymised website analytics.

We do not sell, rent, or trade your personal information with any other parties.

6. Data retention

We retain personal information for as long as:

• Your account is active
• Required to provide the service you have subscribed to
• Required by law or for legitimate business purposes

If you close your account, we will delete or anonymise your personal data within 30 days, unless we are required to retain it for legal or compliance reasons. Unlock audit logs may be retained in anonymised form.

7. Your rights under the NZ Privacy Act 2020

Under the Privacy Act 2020, you have the right to:

• Request access to the personal information we hold about you
• Request correction of any inaccurate information
• Ask us to delete your personal information (subject to any legal retention requirements)
• Complain to the Office of the Privacy Commissioner if you believe we have breached the Act

To exercise any of these rights, email us at support@latchapp.co.nz. We will respond within 20 working days.

8. Cookies

We use cookies and similar technologies to operate the service. These include:

• Session cookies — required to keep you signed in. These expire when you close your browser.
• Authentication cookies — managed by Supabase to maintain your authenticated session.
• Analytics cookies — set by Google Analytics to measure website usage. These are anonymised.

Essential cookies are required for the service to function. You can block analytics cookies via your browser settings or a browser extension without affecting your ability to use Latch.

9. Security

We take reasonable steps to protect your personal information from unauthorised access, use, or disclosure. These include:

• TLS encryption for all data in transit
• Encrypted password storage (bcrypt hashing via Supabase Auth)
• Row-level security policies on all database tables
• Server-side validation of all unlock commands
• Unlock commands that expire in 10 seconds

No method of electronic transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at support@latchapp.co.nz.

10. Children

Latch is not intended for use by children under 16. We do not knowingly collect personal information from anyone under 16. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For material changes, we will notify you by email. Continued use of Latch after changes take effect constitutes your acceptance of the revised policy.

12. Contact us

For privacy enquiries, requests, or complaints:

• Email: support@latchapp.co.nz
• Company: Latch NZ Ltd
• Country: New Zealand

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner (privacy.org.nz).