CNEX-Flow Privacy Policy
Introduction
IDL Creations Limited, trading as CNEX ("IDL Creations," "CNEX," "we," "us," or "our"), a New Zealand limited liability company, operates the CNEX-Flow platform ("Platform"). This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Platform.
We are committed to protecting your privacy and handling your data in accordance with the New Zealand Privacy Act 2020, the EU General Data Protection Regulation (GDPR) where applicable, and other relevant data protection laws.
This Privacy Policy describes how we handle your data. Our lawful bases for processing are set out in Section 8. If you do not agree with any part of this Privacy Policy, you must immediately stop using the Platform and delete your account. This Privacy Policy may be updated from time to time, and it is your responsibility to review it regularly.
1. Information We Collect
1.1 Information You Provide Directly
Account Information:
- Full name, email address, password (stored as a cryptographic hash, never in plain text)
- Organization name and details
- Profile information (phone number, address, avatar, timezone, preferences)
Financial & Business Data:
- Client and contact information you enter
- Invoice, quote, and bill details (amounts, line items, dates, recipient information)
- Bank account details (account numbers, bank names, transaction records)
- Tax identification numbers and tax-related information
- Payment information (processed directly by Stripe — we do not store full card numbers in our application database)
Employee & Payroll Data:
- Employee names, addresses, dates of birth, tax IDs
- Bank account details for salary payments
- Salary, wage, and compensation information
- Tax withholding and deduction details
- Employment contracts and documents
- Leave and attendance records
Content & Documents:
- Documents, files, and attachments you upload or create
- Task descriptions, comments, and project details
- Email content accessed through integrated email accounts (via the email providers you connect)
- Calendar events synced through integrated calendar accounts
Credentials & Secrets:
- API keys, access tokens, and other credentials stored in the Secret Vault (encrypted with AES-256-GCM)
- Third-party service credentials you configure for integrations
1.2 Information Collected Automatically
Usage Data:
- Pages visited, features used, actions taken within the Platform
- Time spent on pages and interaction patterns
- Search queries performed within the Platform
- Error logs and performance data
Device & Technical Data:
- IP address
- Browser type and version
- Operating system
- Device type and screen resolution
- Referring URLs
Authentication Data:
- Login timestamps and history
- Device fingerprints (hashed combination of browser and IP for device trust)
- Multi-factor authentication method and status
- Session information
1.3 Information from Third-Party Integrations
When you connect Third-Party Services, we may receive:
- Stripe: Payment status, subscription details, invoice payment confirmations (not full card numbers)
- Connected email & calendar accounts (Email/Calendar): Email messages, calendar events, contact information from connected email accounts — only as configured by you. When you connect your email or calendar account (e.g. Google, Microsoft, Yahoo, or your own IMAP/SMTP server), the content synced through the Platform is subject to that provider's security practices and data processing terms. WARNING: Syncing emails through the Platform may waive legal privilege, as email content is processed by the Platform and its service providers and may be accessed by AI Features. Consult your legal advisor before connecting accounts that contain privileged communications.
- Twilio: Call logs, SMS delivery status, phone number metadata
- AI Providers (Anthropic): Processed versions of prompts and responses generated during AI feature usage
1.4 Information from Other Sources
- Invitation details provided by the person who invited you to an Organization
- Publicly available business information used for address lookup features
2. How We Use Your Information
We use your information for the following purposes:
2.1 Service Delivery
- Providing, operating, and maintaining the Platform
- Processing transactions and managing subscriptions
- Generating invoices, reports, and financial documents
- Performing calculations (tax, payroll, project costs)
- Enabling AI-powered features (document drafting, automation, analysis)
- Synchronizing data with connected Third-Party Services
- Delivering notifications and alerts
2.2 Account Management
- Creating and managing your account and Organization
- Authenticating your identity and managing sessions
- Enforcing access controls and permissions
- Processing member invitations
2.3 Communication
- Sending transactional emails (account verification, password resets, billing receipts, security alerts)
- Sending service notifications (task assignments, deadline reminders, system alerts)
- Responding to support requests and inquiries
2.4 Security & Fraud Prevention
- Detecting, preventing, and responding to security incidents
- Monitoring for unauthorized access or abuse
- Enforcing our Terms of Service and Acceptable Use Policy
- Maintaining audit logs for security purposes
2.5 Product Improvement
- Analyzing usage patterns to improve features and user experience
- Identifying and fixing bugs and performance issues
- Developing new features based on aggregate usage trends
2.6 Legal Compliance
- Complying with applicable laws, regulations, and legal processes
- Responding to lawful requests from government authorities
- Establishing, exercising, or defending legal claims
3. AI Data Processing
3.1 AI Providers
The Platform uses multiple external AI providers to power different features:
| Provider | Uses | Data Sent |
|---|---|---|
| Anthropic (Claude) | Document drafting, Connekz AI assistant, analysis, code generation | Prompts, contextual data from your Organization relevant to the task |
| OpenAI | Embedding generation, content analysis, AI features | Text content for embedding/analysis |
| xAI (Grok) | Search, analysis, AI features | Search queries, contextual data |
We may add, change, or substitute AI providers at any time. The AI providers we currently use are listed above and in our list of sub-processors in Section 4.2; we will notify you of changes as described in Section 4.2.
3.2 What Data AI Features Access
When you use AI Features, the following data may be sent to the applicable AI provider for processing:
- The specific prompt or instruction you provide
- Contextual data from your Organization required to generate a relevant response (e.g., task details, project context, document content)
- We do not send your full database, financial records, or employee personal data to AI providers unless specifically required by the feature you are using
3.3 How CNEX-Flow Automates AI Processing
CNEX-Flow automates the process of interacting with AI providers on your behalf. Instead of you manually crafting prompts, copying data into separate AI tools, and transferring outputs back into your workflow, the Platform handles this entire process seamlessly — constructing prompts with the right context, sending them securely to the appropriate AI provider, receiving the response, and presenting it within the Platform.
This automation means your data is transmitted to external AI services as part of normal Platform operation. You would need to share the same data if you used these AI services directly — CNEX-Flow simply removes the manual steps.
3.4 AI Provider Data Handling
We maintain contractual agreements with all AI providers that include:
- Contractual prohibition on training. These agreements are designed to prohibit the use of your data to train or improve their models. We use API-based access with data processing agreements that explicitly prohibit this. While we take reasonable steps to select providers who honor these commitments and to enforce our contractual rights, we cannot independently audit or guarantee the internal data practices of third-party AI providers at all times. If we become aware that an AI provider has breached its data processing obligations, we will take immediate steps to address the breach, including suspending data flows to that provider, notifying affected users, and pursuing contractual remedies.
- Encryption in transit. All data sent to AI providers is encrypted using TLS 1.2 or higher.
- Limited retention. AI interactions may be temporarily retained by providers for abuse monitoring and safety purposes (typically 30 days or less), after which they are automatically deleted.
- No human review by default. AI providers do not have their employees review your data unless required for safety incident investigation, and such review is subject to strict access controls.
3.5 AI Data Minimization
We apply data minimization principles to AI processing:
- Only data necessary for the specific AI task is included in prompts
- Personally identifiable information is excluded or anonymized where possible
- Sensitive data (tax IDs, bank account numbers) is never sent to AI providers unless explicitly part of the feature function and disclosed to you
- We select the most appropriate AI provider for each task to minimize unnecessary data exposure
3.6 Opting Out of AI Features
You may choose not to use AI Features. AI-powered functionality is clearly labeled within the Platform. The core Platform features (invoicing, project management, client management) function fully without AI. Disabling AI features does not affect your subscription or access to non-AI functionality.
4. Data Sharing & Third Parties
4.1 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes.
4.2 Service Providers (Sub-Processors)
We share data with third-party service providers who process data on our behalf to deliver the Platform:
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data hosting, storage, compute, backups | All Platform data (encrypted at rest and in transit) |
| Stripe | Payment processing, subscription billing | Billing contact, payment method, plan details |
| Twilio | Phone calls, SMS messaging | Phone numbers, call/SMS content as configured |
| LiveKit | Real-time video and voice meetings | Audio and video streams and meeting metadata for calls you make |
| Deepgram | Speech-to-text transcription | Audio from voice messages and meeting recordings you choose to transcribe |
| Email & calendar providers you connect (e.g. Google, Microsoft, Yahoo, or your own IMAP/SMTP server) | Email and calendar integration for accounts you connect | Email and calendar data from the accounts you connect |
| Anthropic (Claude) | AI-powered features: drafting, analysis, Connekz assistant | Prompts and contextual data for AI tasks |
| OpenAI | AI-powered features: embeddings, content analysis | Text content for processing |
| xAI (Grok) | AI-powered features: search, analysis | Search queries and contextual data |
The sub-processors we currently engage are listed in the table above. When we add or replace a sub-processor that processes personal data, we will provide at least 30 days' notice before the change takes effect. If you have a reasonable objection to a new sub-processor, you may notify us at admin@cnexflow.com within that 30-day period. We will work with you in good faith to address your concerns. If we cannot resolve your objection, you may terminate your subscription and receive a pro-rata refund for any pre-paid period.
All sub-processors are bound by data processing agreements that require them to protect your data, use it only for the specified purpose, and not use your data for training AI models or any purpose other than providing the contracted service.
4.3 Orchestration & Data Flow
CNEX-Flow operates as an orchestration platform that automates data flow between multiple services on your behalf. During normal use, your data may pass through several Third-Party Services in sequence. For example:
- Creating an invoice may involve AI processing (Anthropic/OpenAI), payment link generation (Stripe), and email delivery (via your connected email provider)
- Making a phone call involves Twilio for telephony and AWS for call recording storage
- Using the Connekz AI assistant may route your query through one or more AI providers depending on the task
This is the same data you would need to share if you used each service independently — CNEX-Flow automates the connections so you do not have to. By using the Platform, you acknowledge that your data will be transmitted to the applicable Third-Party Services as necessary to deliver the features you use.
We may add new Third-Party Service integrations over time to expand Platform capabilities. When we add a new sub-processor that processes personal data, we will update the sub-processor list in Section 4.2 and notify you in accordance with that section.
4.4 Legal Disclosure
We may disclose your information if required to do so by law or if we believe in good faith that such disclosure is necessary to:
- Comply with a legal obligation, court order, or legal process
- Protect and defend the rights or property of CNEX
- Prevent fraud or other illegal activity
- Protect the personal safety of users or the public
4.5 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.
4.6 With Your Consent
We may share your data with third parties when you explicitly consent to such sharing (e.g., enabling a new integration).
5. Data Storage & Security
5.1 Data Location & Infrastructure
Your data is stored on Amazon Web Services (AWS) infrastructure. Backups are stored in geographically separate AWS regions for disaster recovery.
We implement multiple layers of protection following industry best practices and the AWS shared responsibility model:
- AWS responsibility: Physical security of data centers, hardware maintenance, network infrastructure, and hypervisor security
- CNEX responsibility: Application security, data encryption, access controls, configuration management, patching, and monitoring
5.2 Encryption
- Data at rest: Sensitive data (credentials, secrets, employee tax IDs, bank account numbers) is encrypted using AES-256-GCM. Database storage is encrypted using AWS-managed encryption
- Data in transit: All data transmitted between your browser and our servers, and between our servers and Third-Party Services, is encrypted using TLS 1.2 or higher
- Passwords: Stored as cryptographic hashes using industry-standard algorithms (never in plain text)
- AI data in transit: All data sent to AI providers (Anthropic, OpenAI, xAI) is encrypted using TLS 1.2 or higher
5.3 Backup & Recovery
We maintain multiple backup systems and disaster recovery mechanisms:
- Automated backup systems designed to perform regular backups of Platform data
- Point-in-time recovery capability
- Geographically distributed backup storage
- Periodic backup restoration testing
Despite these measures, no backup system is infallible. Data loss, corruption, or delayed recovery may occur in exceptional circumstances. We recommend maintaining your own backups of critical business data using the Platform's export features.
5.4 Organization Data Isolation
Each Organization on the Platform operates within a logically isolated environment using dedicated containerized workspaces. Under normal operation, data belonging to one Organization is not accessible by other Organizations, though no isolation mechanism is infallible. This isolation extends to computing resources, file storage, and database access.
5.5 Access Controls
- Role-based access controls within Organizations (Owner, Admin, Member, Client)
- Internal access to customer data is restricted to authorized CNEX personnel on a need-to-know basis
- All internal access is logged and auditable
- Multi-factor authentication is available for all user accounts
5.6 Incident Response
We maintain an incident response plan for data security incidents. In the event of a data breach that affects your personal information, we will:
- Notify the New Zealand Privacy Commissioner as soon as practicable, and in any event within 72 hours, of becoming aware of a notifiable privacy breach
- Notify affected individuals as soon as practicable
- Notify relevant EU supervisory authorities within 72 hours where GDPR applies
- Provide details of the breach, potential impact, and remediation steps
5.7 Security Limitations
While we implement industry-standard security measures and invest significantly in protecting your data, no system is completely immune to security threats. Cloud infrastructure, software, and networking technologies inherently carry risks including but not limited to:
- Zero-day vulnerabilities in underlying infrastructure or dependencies
- Sophisticated cyberattacks that circumvent existing protections
- Hardware failures or data center incidents affecting AWS infrastructure
- Human error in configuration or operations
- Vulnerabilities in Third-Party Services that process your data
We cannot guarantee the absolute security of your data. You acknowledge these inherent risks and accept that your use of the Platform is subject to them. You are responsible for maintaining the security of your account credentials, enabling multi-factor authentication, and promptly reporting any suspected unauthorized access to admin@cnexflow.com.
6. Data Retention
6.1 Active Accounts
While your account is active, we retain your data as necessary to provide the Service.
6.2 After Account Termination
- 30-day export period: After account closure, you have 30 days to export your data
- Data deletion: After the export period, your data is scheduled for permanent deletion from our primary systems, except for data retained under Section 6.3 (Legal Retention Requirements) and aggregated anonymized data as described in Section 6.4 (which cannot be used to identify you)
- Backup purge: Data in backups is purged within 90 days of deletion from primary systems
6.3 Legal Retention Requirements
Certain data may be retained beyond the standard deletion period where required by law. Where CNEX acts as a data processor (e.g., for employee data), retention periods are determined by the data controller (your Organization) in accordance with their legal obligations. Where CNEX acts as a data controller, retention periods are as follows:
- Tax and financial records: Up to 7 years as required by the New Zealand Tax Administration Act 1994 and equivalent laws in other jurisdictions
- Employment records: As required by applicable employment legislation
- Billing records: As required for accounting and tax purposes
- Security logs: Retained for a reasonable period for security audit purposes
6.4 Anonymized Data
Aggregated, anonymized data that cannot be used to identify any individual or Organization may be retained indefinitely for analytical and product improvement purposes. Anonymization is performed using industry-standard techniques designed to prevent re-identification of any individual or Organization. While these techniques significantly reduce re-identification risk, no anonymization method can guarantee absolute impossibility of re-identification. Truly anonymized data is not considered personal data under applicable privacy laws.
7. Your Rights
7.1 Under the New Zealand Privacy Act 2020
As a data subject under New Zealand law, you have the right to:
- Access: Request access to the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete personal information
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Complaint: Lodge a complaint with the New Zealand Privacy Commissioner if you believe your privacy rights have been breached
7.2 Under the GDPR (for EU/EEA Users)
If you are located in the European Union or European Economic Area, you additionally have the right to:
- Data portability: Receive your data in a structured, commonly used, machine-readable format
- Restriction: Request restriction of processing of your personal data
- Objection: Object to processing of your personal data
- Withdraw consent: Withdraw consent at any time where processing is based on consent
- Automated decision-making: Not be subject to decisions based solely on automated processing (our AI Features provide suggestions, not automated decisions)
7.3 Exercising Your Rights
To exercise any of these rights, contact us at admin@cnexflow.com. We will respond to your request within 20 working days (NZ Privacy Act) or 30 days (GDPR), unless an extension is permitted by law. We may need to verify your identity before processing your request.
7.4 Data Export
You can export your data through the Platform's export features where available. We are progressively expanding export capabilities across all data types. For data types where automated export is not yet available, you may request a data export by contacting admin@cnexflow.com and we will provide your data in a structured, commonly used, machine-readable format within a reasonable timeframe.
8. Lawful Basis for Processing (GDPR)
Where GDPR applies, we process personal data on the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Service delivery | Performance of a contract (Article 6(1)(b)) |
| Account management | Performance of a contract |
| Billing and payments | Performance of a contract |
| Security and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Device fingerprinting (browser + IP hash for security) | Legitimate interests (security and fraud prevention) |
| Product improvement (aggregated analytics) | Legitimate interests |
| Legal compliance | Legal obligation (Article 6(1)(c)) |
| Marketing communications | Consent (Article 6(1)(a)) |
| AI feature processing | Legitimate interests where AI enhances requested functionality; Consent where AI processes special categories of data. You may withdraw consent for AI processing at any time by disabling AI features without affecting the core functionality of the Platform |
For employee/payroll data processed on behalf of your Organization, CNEX acts as a data processor and your Organization is the data controller. The lawful basis for processing employee data is determined by your Organization.
9. Multi-Tenancy & Data Isolation
9.1 Organizational Boundaries
Each Organization on the Platform is a separate data boundary. Data entered by one Organization is not accessible by, shared with, or visible to any other Organization.
9.2 Multi-Organization Users
If a User is a member of multiple Organizations, their personal account data (name, email, preferences) is shared across Organizations. However, Organization-specific data (projects, clients, invoices, etc.) remains isolated within each Organization.
9.3 Administrator Visibility
Organization Administrators can view all data within their Organization, including content created by Members. Members should be aware that their activity and content within an Organization is visible to Administrators.
9.4 Client Role Limitations
Users with the Client role have restricted access and can only view data that has been explicitly shared with them by the Organization.
10. Cookies & Tracking
10.1 Essential Browser Storage
The Platform uses browser localStorage (not traditional HTTP cookies) for essential functionality:
- Authentication tokens: To keep you logged in during your session
- Theme preferences: To remember your dark/light mode selection (stored as a cookie for SSR compatibility)
- Session management: To maintain your session state and active organization context
A theme preference cookie (`cnex-theme`) is set for server-side rendering compatibility. No other cookies are set by the Platform. These storage mechanisms are essential for the Platform to operate and cannot be disabled.
10.2 Analytics
We may use analytics tools to understand how the Platform is used. Analytics data is aggregated and anonymized. We do not use third-party advertising cookies or tracking pixels.
10.3 No Third-Party Advertising
We do not use cookies for targeted advertising. We do not allow third-party advertisers to place cookies on the Platform.
11. Children's Privacy
The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at admin@cnexflow.com.
12. International Data Transfers
12.1 Transfer Mechanisms
Your data may be transferred to, stored in, and processed in countries other than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place:
- New Zealand: New Zealand is recognized by the European Commission as providing an adequate level of data protection
- Standard Contractual Clauses: For transfers to countries without an adequacy determination, we use EU Standard Contractual Clauses
- Data Processing Agreements: All sub-processors are bound by contractual obligations to protect your data
12.2 AI Processing
AI prompts may be processed by providers located in the United States. These providers are bound by data processing agreements designed to prohibit the use of your data for model training (see Section 3.4 for details and limitations).
13. NZ Privacy Act 2020 — Information Privacy Principles
We are committed to compliance with all 13 Information Privacy Principles (IPPs) under the New Zealand Privacy Act 2020:
- IPP 1 (Purpose): We collect personal information only for lawful purposes directly connected with providing the Platform.
- IPP 2-3 (Source & Collection from subject): We collect personal information directly from you where practicable. Where we collect employee data from your Organization rather than from employees directly, this is because direct collection from employees is not practicable in a business software context — your Organization as the employer has the direct relationship with its employees.
- IPP 4 (Manner of collection): We collect information only by lawful and fair means, and not by means that are unfair or unreasonably intrusive.
- IPP 5 (Storage & security): We take reasonable steps to protect personal information from loss, unauthorized access, use, modification, or disclosure (see Section 5).
- IPP 6-7 (Access & correction): You have the right to access and correct your personal information (see Section 7).
- IPP 8 (Accuracy): We take reasonable steps to ensure personal information is accurate, up to date, complete, relevant, and not misleading before we use it.
- IPP 9 (Retention): We do not keep personal information for longer than necessary (see Section 6).
- IPP 10-11 (Use & disclosure): We only use or disclose personal information for the purposes described in this Privacy Policy or a directly related purpose.
- IPP 12 (Cross-border disclosure): We ensure comparable protections for all cross-border data transfers (see Section 12).
- IPP 13 (Unique identifiers): We do not assign unique identifiers to individuals except as necessary for account management. We do not use government-issued identifiers (e.g., IRD numbers) as general identifiers within the Platform.
Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) where our processing activities are likely to result in a high risk to the rights and freedoms of individuals, including for our AI-powered features, payroll processing functionality, and any new processing involving sensitive data categories.
14. Employee & Payroll Data (Special Category)
14.1 Data Processor Role
When your Organization uses CNEX-Flow's payroll and employee management features, CNEX acts as a data processor processing employee data on behalf of your Organization (the data controller).
14.2 Enhanced Protection
Employee and payroll data receives enhanced protection:
- Encrypted at rest using AES-256-GCM
- Access restricted to Organization Administrators with appropriate roles
- Not included in aggregated analytics or product improvement datasets
- Not sent to AI providers unless the Organization explicitly uses AI features on employee data
- Subject to strict retention policies aligned with employment and tax law requirements
14.3 Employee Rights
Employees whose data is processed through the Platform have the right to request access to and correction of their personal data. These requests should be directed to their employer (your Organization), who can fulfill them through the Platform. If an employee contacts us directly, we will direct them to their employer.
14.4 Organization Responsibilities
If you enter employee data into the Platform, you are responsible for:
- Providing employees with a clear privacy notice that discloses their data will be processed through CNEX-Flow, including a link to this Privacy Policy (available at https://cnexflow.com/legal/privacy)
- Obtaining any necessary consents
- Responding to employee data access and correction requests
- Ensuring compliance with applicable employment and privacy laws
14.5 Direct Employee Rights
Employees whose data is processed through the Platform may have direct rights against CNEX under applicable data protection laws, including the right to lodge complaints under the NZ Privacy Act 2020 (IPP 5) and the right to compensation under GDPR Article 82 for data security incidents. CNEX acknowledges these rights and will cooperate with employees exercising them. CNEX's liability to employees for data security incidents is limited to the extent caused by CNEX's failure to implement the security measures described in Section 5 of this Privacy Policy, and is subject to the limitations that cannot be excluded by applicable law.
15. Communication Preferences
15.1 Transactional Communications
We send transactional emails necessary for the operation of your account (verification codes, password resets, billing receipts, security alerts). These cannot be opted out of while you maintain an active account.
15.2 Service Notifications
Notifications related to your use of the Platform (task assignments, deadline reminders, system alerts) can be configured through your notification preferences in the Platform settings.
15.3 Marketing Communications
We will only send marketing communications with your explicit opt-in consent. You can unsubscribe from marketing communications at any time by clicking the unsubscribe link in the email or updating your preferences in your account settings.
15.4 SMS & Phone
SMS and phone communications through Twilio integration are initiated by your Organization. CNEX does not send unsolicited SMS or phone calls. Your Organization is responsible for obtaining appropriate consent from recipients.
16. Third-Party Links & Services
The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices, content, or security of third-party websites or services. We encourage you to review the privacy policies of any third-party services you access through the Platform.
17. Legal Process & Government Data Requests
We may be required to disclose customer data in response to valid legal process, including subpoenas, court orders, search warrants, or regulatory demands. Where permitted by law, we will:
- Notify the affected Organization before disclosing their data
- Limit disclosure to the data specifically required by the legal process
- Challenge requests we believe are overly broad, vague, or legally deficient
- Maintain a record of all government and law enforcement data requests received
Where we are legally prohibited from notifying the affected Organization (e.g., under a non-disclosure order or suppression order), we will comply with the restriction and seek to have it lifted at the earliest opportunity.
We intend to publish a transparency report summarizing the volume and nature of government data requests received, beginning after our first full year of operation.
18. Changes to This Privacy Policy
18.1 Right to Update
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
18.2 Notification
For material changes, we will notify you at least 30 days before the changes take effect via:
- Email to the address associated with your account
- A prominent notice within the Platform
18.3 Acceptance
Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Privacy Policy. If you do not agree with any changes, you must stop using the Platform before the changes take effect and close your account.
18.4 Review Responsibility
It is your responsibility to review this Privacy Policy periodically. We recommend reviewing it at least once every three months.
19. Data Breach Notification
19.1 Our Commitment
In the event of a data breach that compromises your personal information, we will:
- Assess the nature, scope, and severity of the breach
- Take immediate steps to contain and remediate the breach
- Notify the New Zealand Privacy Commissioner as required by the Privacy Act 2020
- Notify relevant EU/EEA supervisory authorities within 72 hours where GDPR applies
- Notify affected individuals as soon as practicable with:
  - A description of the breach
  - The types of data affected
  - Likely consequences
  - Steps we are taking to address the breach
  - Recommendations for actions you can take to protect yourself
19.2 Your Responsibilities
If you become aware of any unauthorized access to your account or data, please notify us immediately at admin@cnexflow.com.
20. Data Protection Officer
For privacy-related inquiries, requests, or complaints, contact our privacy team:
IDL Creations Limited (trading as CNEX)
- Email: admin@cnexflow.com
- Website: https://cnexflow.com
New Zealand Privacy Commissioner
If you are not satisfied with our response to a privacy concern, you may lodge a complaint with the New Zealand Privacy Commissioner:
- Website: https://www.privacy.org.nz
- Phone: 0800 803 909
EU/EEA Supervisory Authorities
If you are located in the EU/EEA, you have the right to lodge a complaint with your local data protection supervisory authority.
By using CNEX-Flow, you acknowledge that you have read this Privacy Policy in its entirety, understand how your data is collected, used, and protected, and consent to the data practices described herein. If you do not agree, do not use the Service.