Privacy Policy

Last updated: March 29, 2026

1. Who We Are

Juravie is a product of Highmark Forge Limited, a company incorporated in New Zealand (Company Number: 9405255, NZBN: 9429053443816), with its registered office at 74 Chedworth Avenue, Chedworth, Hamilton 3210, New Zealand.

For the purposes of applicable data protection laws, Highmark Forge Limited is the data controller of your personal data (information that identifies you as an individual, such as your name, email, and account details). When we process documents and content you upload to the Service on your behalf, we act as a data processor on your instructions.

This Privacy Policy explains how we collect, use, store, and protect your information when you use juravie.com and the Juravie platform (the "Service"). It applies to all users in New Zealand, Australia, and the United States.

2. Scope

This Privacy Policy covers two categories of information:

  • Personal Data: Information that identifies you as an individual (name, email, IP address, payment details). This is governed by this Privacy Policy.
  • Customer Content: Documents, templates, and other files you upload to or create within the Service. Customer Content is processed solely to provide the Service under your instructions and is governed by our Terms of Service. We do not use Customer Content for any purpose other than providing the Service to you.

3. Information We Collect

3.1 Information You Provide

  • Account information: Name, email address, professional role, company name, subdomain, and data region preference when you register
  • Payment information: Billing details processed securely by Stripe, Inc. We do not store your credit card numbers on our servers
  • Customer Content: Documents, templates, and files you upload or create
  • Chat interactions: Commands and messages you send to the AI assistant
  • Support communications: Messages you send to our support team

3.2 Information Collected Automatically

  • Marketing website analytics: Pages visited on our public marketing website (juravie.com) are collected via Google Analytics. Google Analytics is not used within the application itself, the dashboard, or any authenticated areas of the Service.
  • Application audit logs: Within the Service, we log actions such as document access, edits, and commands executed for security and audit purposes. These logs are stored in your isolated tenant environment and are not shared with third parties.
  • Device information: Browser type, operating system, screen resolution
  • IP address: Used for security, fraud prevention, approximate geographic location, and data sovereignty enforcement (geo-verification of access requests)
  • Cookies: Session cookies for authentication; analytics cookies on the marketing website only (see Section 10)

4. How We Use Your Information

We use your information for the following purposes:

Purpose | Legal Basis
Providing and operating the Service | Performance of contract
Processing your documents with AI assistance | Performance of contract
Processing payments | Performance of contract
Sending account-related communications (billing, security alerts, service updates) | Performance of contract / Legitimate interest
Sending relevant product updates, feature announcements, and marketing communications (you may opt out at any time) | Legitimate interest / Consent
Improving and analyzing Service performance | Legitimate interest
Preventing fraud and ensuring security | Legitimate interest
Complying with legal obligations | Legal obligation

We do not use your information to:

  • Train artificial intelligence or machine learning models
  • Sell or rent your personal data to third parties
  • Send marketing communications without providing a clear opt-out mechanism
  • Profile you for automated decision-making that produces legal effects

5. AI Processing and Your Data

Juravie uses artificial intelligence to assist with document creation, editing, search, and compliance checking. This section explains how your data interacts with AI systems.

  • No training on your data: Your documents, chat messages, and AI interactions are never used to train, fine-tune, or improve AI models — by us or by our AI infrastructure providers.
  • Zero data retention by AI providers: We use Amazon Web Services (AWS) Bedrock as our AI infrastructure. Under our enterprise agreement, AWS Bedrock does not store, log, or retain your prompts or AI-generated outputs.
  • Isolated processing: Each customer's data is processed in an isolated environment. Your documents are never accessible to or commingled with other customers' data during AI processing.
  • Human oversight required: AI-generated outputs are suggestions only. The Service is designed so that you review and approve all AI-generated content before it is finalized.

For more detail on our AI practices, see our AI Policy.

6. Data Sharing and Sub-Processors

We share your information only with the following categories of recipients, and only to the extent necessary to provide the Service:

Sub-Processor | Purpose | Data Location
Amazon Web Services (AWS) | Cloud infrastructure, AI processing (Bedrock), data storage (S3, RDS, DynamoDB) | Your selected region (ap-southeast-2 or us-east-1)
Stripe, Inc. | Payment processing | United States
Microsoft (Entra ID) | Authentication and identity management | Australia / United States

We will notify you at least 30 days in advance before adding a new sub-processor. If you object to a new sub-processor, you may terminate your subscription without penalty.

We may also disclose your information if required by law, regulation, legal process, or enforceable governmental request.

7. International Data Transfers

Depending on your selected data region, your data may be stored and processed in:

  • Australia (ap-southeast-2): For users who select the Australia / New Zealand region
  • United States (us-east-1): For users who select the United States region

Your Customer Content is stored exclusively in your selected region and is not transferred to other regions unless you request it.

Geographic access controls are enforced at the infrastructure level using WAF geo-restriction. Access to the Service is limited to users physically located within the countries associated with your data region (Australia and New Zealand for the ap-southeast-2 region; United States for the us-east-1 region). IP addresses are geo-verified to enforce these data sovereignty requirements, ensuring that your data is not transmitted outside your selected region during normal use of the Service.

Payment processing (Stripe) and marketing website analytics (Google Analytics on public pages only) may process data in the United States. No application usage data or Customer Content is transferred to the United States for analytics purposes. Where personal data is transferred to the United States, we rely on contractual protections consistent with the requirements of applicable data protection laws in New Zealand and Australia.

8. Data Retention

  • Active accounts: We retain your data for as long as your account is active and as necessary to provide the Service.
  • After termination: Upon account closure, we automatically create a backup export of your data. Your account remains accessible for 25 days to allow you to export data manually. After 30 days from the closure request, your Customer Content and personal data are permanently deleted from our systems, including your dedicated database and file storage. The backup export remains available for download for an additional 30 days after deletion, after which it is also permanently removed.
  • Backups: Encrypted backups may retain data for up to 90 days after deletion, after which they are permanently destroyed.
  • Audit logs: Audit logs are retained for 7 years in compliance with applicable record-keeping requirements.
  • Payment records: Retained for 7 years as required by New Zealand tax law (Tax Administration Act 1994) and equivalent obligations in other jurisdictions.

9. Data Security

We implement technical and organizational measures designed to protect your data, including:

  • AES-256 encryption for data at rest
  • TLS 1.2+ encryption for data in transit
  • Per-tenant database isolation — each customer's data is stored in a dedicated, isolated database that is not shared with any other customer
  • Role-based access controls with least-privilege principles
  • Comprehensive audit logging of all data access and modifications
  • Regular security assessments and vulnerability scanning

Our security practices are aligned with industry frameworks including SOC 2 and ISO 27001 principles. We do not currently hold formal SOC 2 or ISO 27001 certifications. For more detail, see our Security page.

10. Cookies and Tracking

We use the following categories of cookies:

  • Strictly necessary cookies: Required for authentication and session management within the Service. These cannot be disabled.
  • Analytics cookies (marketing website only): We use Google Analytics on our public marketing website (juravie.com) to understand how visitors find and use the website. Google Analytics is not present within the application, dashboard, or any authenticated area. You may opt out by using browser-based opt-out tools or by disabling cookies in your browser settings.

We do not use advertising cookies or third-party tracking for marketing purposes. No analytics or tracking cookies are used within the Service itself.

11. Your Rights

11.1 All Users

Regardless of your location, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete personal data
  • Delete your personal data (subject to legal retention obligations)
  • Export your data in a portable format
  • Object to processing based on legitimate interests
  • Withdraw consent where processing is based on consent

11.2 New Zealand Users

Under the Privacy Act 2020 (New Zealand), you have the right to:

  • Request access to your personal information (Information Privacy Principle 6)
  • Request correction of your personal information (Information Privacy Principle 7)
  • Complain to the Office of the Privacy Commissioner if you believe we have breached the Privacy Act: www.privacy.org.nz

We comply with the Information Privacy Principles (IPPs) set out in the Privacy Act 2020, including principles relating to collection (IPP 1-4), storage and security (IPP 5), access and correction (IPP 6-7), accuracy (IPP 8), retention (IPP 9), use (IPP 10), and disclosure (IPP 11-12).

11.3 Australian Users

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), you have the right to:

  • Access your personal information (APP 12)
  • Request correction of your personal information (APP 13)
  • Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs: www.oaic.gov.au

We comply with the APPs, including APP 1 (open and transparent management), APP 3 (collection of solicited personal information), APP 6 (use or disclosure), APP 8 (cross-border disclosure), APP 11 (security), and APP 13 (correction).

11.4 United States Users

If you are a resident of a US state with comprehensive privacy legislation (including California, Virginia, Colorado, Connecticut, and others), you may have additional rights including:

  • The right to know what personal information we collect and how it is used
  • The right to delete your personal information
  • The right to opt out of the sale or sharing of personal information — we do not sell or share your personal information
  • The right to non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at the address below.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice within the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.

14. Contact Us

For privacy-related inquiries, data access requests, or complaints, contact us at:

Highmark Forge Limited

74 Chedworth Avenue, Chedworth, Hamilton 3210, New Zealand

Email: support@juravie.com

We aim to respond to all privacy inquiries within 20 business days, as required under the New Zealand Privacy Act 2020.