Legal

Privacy Policy

Last updated: April 3, 2026

Who we are

GoPal is a procurement tracking tool built by N&M Enterprise Ltd, based in Auckland, New Zealand. This policy covers the GoPal web application (app.getgopal.co.nz) and the GoPal Chrome extension.

What data we collect

GoPal collects only the data necessary to provide procurement tracking:

Account information: Email address, display name, and role within your organisation.
Order data: Order details you enter or capture, including item names, quantities, prices, vendor names, and staff names.
Inventory data: Item names, quantities, and stock movement records.
Page content (Chrome extension only): When you click "Capture" on a vendor website, the extension reads the visible page text and sends it to our AI service to extract order details. This data is processed in real time and not stored beyond the extraction.

We do not collect browsing history, personal files, keystrokes, or any data from websites where you have not explicitly triggered a capture.

How we use your data

To provide and maintain the GoPal procurement tracking service.
To process AI-powered order extraction when you use the Chrome extension's capture feature.
To send account-related emails (invitations, password resets).

We do not sell, rent, or share your data with third parties for advertising or marketing purposes.

Where data is stored

Database: Supabase (hosted in AWS ap-southeast-2, Sydney, Australia). All data is encrypted at rest and in transit.
Authentication tokens: Stored locally in your browser via chrome.storage.local (extension) or localStorage (web app). Never transmitted to third parties.
AI processing: Page text sent to Anthropic's Claude API for order extraction. Anthropic does not store or train on this data.

Data isolation

GoPal is a multi-tenant application. Each organisation's data is strictly isolated using Row-Level Security (RLS) at the database level. Users from one organisation cannot access another organisation's data under any circumstances.

Chrome extension permissions

https://*/*: Required because procurement vendors can be on any domain. The extension only activates on vendor websites configured by your organisation.
file://*/*: Enables capturing order data from locally saved PDF invoices.
storage: Stores your authentication token and configuration cache locally.
activeTab, scripting, tabs: Required to inject the capture interface on vendor websites when you activate the extension.

Data retention & deletion

Your data is retained for as long as your account is active. If you wish to delete your account and all associated data, contact us at the email below. We will process deletion requests within 30 days.

Contact

If you have questions about this privacy policy or your data:

hello@getgopal.co.nz

N&M Enterprise Ltd · Auckland, New Zealand