Privacy Policy
GoPal is a procurement tracking tool operated by Gopal Limited (company number 9422116), based in Auckland, New Zealand. This policy covers the GoPal web application (orders.getgopal.co.nz), the GoPal Chrome extension, and the marketing site (getgopal.co.nz).
GoPal collects only the data necessary to provide procurement tracking:
- Account information: Email address, display name, and role within your organisation.
- Order data: Order details you enter or capture, including item names, quantities, prices, vendor names, and staff names.
- Inventory data: Item names, quantities, and stock movement records.
- Audit logs: Records of who made changes to orders and when, for accountability purposes.
- Page content (Chrome extension only): When you click "Capture" on a vendor website, the extension reads the visible page text and sends it to our AI service to extract order details. This data is processed in real time and not stored beyond the extraction.
We do not collect browsing history, personal files, keystrokes, or any data from websites where you have not explicitly triggered a capture.
- To provide and maintain the GoPal procurement tracking service.
- To process AI-powered order extraction when you use the Chrome extension's capture feature.
- To send account-related emails (invitations, password resets).
- To maintain audit trails for accountability and compliance within your organisation.
We do not sell, rent, or share your data with third parties for advertising or marketing purposes.
GoPal uses the following third-party services to operate. Each processes data only as necessary to provide its service:
- Supabase (AWS ap-southeast-2, Sydney): Database hosting, authentication, and Edge Function execution. All data encrypted at rest and in transit.
- Anthropic (Claude API): AI-powered order extraction from vendor websites. Page text is sent for real-time processing only — Anthropic does not store or train on this data per their commercial API terms.
- Cloudflare: Website hosting, CDN, and security headers for the web application and marketing site.
- Database: Supabase (hosted in AWS ap-southeast-2, Sydney, Australia). All data is encrypted at rest and in transit.
- Authentication tokens: Stored locally in your browser via chrome.storage.local (extension) or localStorage (web app). Never transmitted to third parties.
GoPal is a multi-tenant application. Each organisation's data is strictly isolated using Row-Level Security (RLS) at the database level. Users from one organisation cannot access another organisation's data under any circumstances. Within an organisation, department-level access controls ensure staff can only view data relevant to their role.
- https://*/*: Required because procurement vendors can be on any domain. The extension only activates on vendor websites configured by your organisation.
- file://*/*: Enables capturing order data from locally saved PDF invoices.
- storage: Stores your authentication token and configuration cache locally.
- activeTab, scripting, tabs: Required to inject the capture interface on vendor websites when you activate the extension.
Under the New Zealand Privacy Act 2020, you have the right to:
- Access your data (IPP 6): You may request a copy of all personal information we hold about you. We will respond within 20 working days.
- Request corrections (IPP 7): If any personal information we hold about you is inaccurate, you may request that we correct it.
- Request deletion: You may request deletion of your account and all associated personal data at any time.
To exercise any of these rights, email us at hello@getgopal.co.nz. We will verify your identity before processing any request.
Your data is retained for as long as your organisation's account is active. Order and inventory records are kept for your organisation's compliance and reporting needs. If you wish to delete your account and all associated data, contact us at the email below. We will process deletion requests within 20 working days.
When an organisation's account is terminated, all associated data (orders, inventory, staff directory, audit logs) is permanently deleted within 90 days.
In accordance with the NZ Privacy Act 2020 (Part 6A), if we become aware of a notifiable privacy breach — one that has caused or is likely to cause serious harm — we will:
- Notify the Office of the Privacy Commissioner as soon as practicable.
- Notify all affected individuals, describing the breach, what data was involved, and the steps we are taking in response.
- Take immediate steps to contain the breach and prevent further unauthorised access.
We maintain internal breach response procedures and conduct regular security reviews to minimise risk.
We may update this privacy policy from time to time. If we make material changes, we will notify affected users by email or through the GoPal application. The "Last updated" date at the top of this page reflects the most recent revision.
For any questions about this privacy policy, your data, or to make a privacy request:
hello@getgopal.co.nz
Privacy Officer: Aashish Verma
Gopal Limited · Auckland, New Zealand