RB Alliance Limited (“RB Alliance”, “we”) is a New Zealand company. We are committed to handling personal information in accordance with the New Zealand Privacy Act 2020 and, where relevant, the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act.
Who we are
RB Alliance Limited, registered in New Zealand, with its place of business in Auckland. Privacy enquiries: privacy@rballiance.co.nz.
What we collect
We collect different information depending on how you interact with us:
- Public site visitors: pageviews, scroll depth, engagement time, device class, browser, country (derived from IP, never stored raw), referring URL. Visitor identifiers are daily-rotating hashes of your user agent and the day — they reset every 24 hours.
- Contact form submissions: name, email address, optional company name, message content, IP address (kept for 30 days for anti-spam), user agent.
- Client portal users: name, email address, organisation, role, and any data you choose to upload (project files, invoices). Authentication state.
- Admin users: name, email address, hashed password (bcrypt), browser session cookies, push subscription endpoints if you enable desktop notifications.
How we use it
- To respond to enquiries you send via the contact form.
- To provide and improve our services, including hosting your project files in the client portal.
- To produce invoices and statements (via Xero, see below).
- To understand which content is useful and where to invest, via first-party analytics.
- To send transactional email (replies to enquiries, invoice notifications) and, with your consent, occasional newsletters.
Cookies and tracking
We use cookies sparingly. The only cookies set by this site are:
auth.session — your authentication cookie (only set if you log in).rba_cookie_consent — remembers your cookie preference.
Our analytics is cookie-less. We do not use Google Analytics, Facebook Pixel, or any third-party tracker. We respect the DNT (Do Not Track) browser header — if it's set we collect nothing.
Third-party processors
- Vercel — hosts the website and processes requests on our behalf.
- Neon — hosts our PostgreSQL database (region: ap-southeast-2 / Sydney).
- Resend — sends transactional emails (enquiry replies, invoice sends).
- Xero — accounting platform. If you become a client, we may sync your organisation details to Xero so we can issue invoices.
- Google Workspace — used by our team for email and calendar. Personal replies from a team member may originate from a Google-hosted mailbox.
- GitHub — we use the GitHub App to surface repository activity on your project page if you choose to link a repo.
- Railway — hosts our background worker.
How long we keep your data
- Contact form submissions: indefinitely, unless you ask us to delete.
- IP address attached to enquiry: 30 days, then anonymised.
- Analytics events: 24 months, then aggregated into rollups.
- Activity log: 90 days hot, then archived to cold storage.
- Client billing records: 7 years (NZ statutory requirement).
Your rights
You can request access to, correction of, or deletion of your personal information at any time. We aim to respond within 20 working days. The fastest way is to submit a request via our data subject request form or email privacy@rballiance.co.nz.
Security
Data in transit is encrypted with TLS 1.3. Data at rest is encrypted in the Neon database (AES-256). Authentication tokens for connected integrations (Xero, Google, GitHub) are encrypted at the application layer before storage. Passwords are hashed with bcrypt.
International transfers
Your data is hosted on infrastructure in the Sydney, Australia region (Neon Postgres ap-southeast-2, Vercel APAC POPs). Some processors (Resend, GitHub, Google Workspace) operate globally; transfers to these processors are governed by their published terms.
Children
This site is not directed at children under 16 and we do not knowingly collect their data.
Changes to this policy
We update this policy as needed. Material changes are flagged at the top of the page for at least 14 days.
