AkoPlus

Privacy Policy

Last updated: 24 February 2026

1. Overview

AkoPlus is operated by Moana Digital Solutions ("we", "us", "our"), based in New Zealand. We are committed to protecting your privacy and handling your personal information in accordance with the New Zealand Privacy Act 2020 (Information Privacy Principles) and the Australian Privacy Act 1988 (Australian Privacy Principles).

This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights.

2. Information We Collect

2.1 Account Information

Email address — used as your username for login
Name — displayed in your profile and as author of campaigns, shops, and shared content
Password — stored securely using PBKDF2-SHA256 hashing (we never store or see your plaintext password)
Time zone — automatically detected from your browser for accurate scheduling
Preferences — time format, default view, notification settings

2.2 Content You Create

Feature	Data Collected
Tasks	Descriptions, dates, times, notes, checklists, categories, priorities, recurrence settings
Impact Campaigns	Campaign titles, descriptions, cover images, goal amounts, bank details, end dates
Shop	Store details, product listings (names, descriptions, prices, images, digital files), discount codes
Directory	Contact names, phone numbers, email addresses, physical addresses, notes, profile images, attached files
Notes	Titles, content, colour labels, pinned status
Vault	Upload link labels, uploaded files (original filenames, file sizes, MIME types)
Family Hub	Group names, descriptions, cover images, member lists, posts (text + media files), comments, reactions, events (titles, dates, locations, RSVPs), savings goals, contributions
Budget / Finance	Budget periods, uploaded bank statements (.xlsx/.xls/.csv/.pdf), parsed transactions (dates, descriptions, amounts, categories), financial goals, AI-generated insights, budget categories

2.3 Transaction Data (Impact & Shop)

Pledges & Donations: Supporter name, email, mobile (optional), amount, payment type, payment status, Stripe session IDs
Shop Orders: Customer name, email, phone, shipping address, order items, amounts, payment status, tracking numbers, discount codes used

                We do not store credit card numbers. Card payments are processed directly by Stripe. We only receive a Stripe session ID to verify payment status.
            

2.4 Google Calendar Integration

If you choose to connect your Google Calendar account:

OAuth tokens: We store a Google access token and refresh token (encrypted) to maintain the calendar connection. These allow AkoPlus to read and write calendar events on your behalf.
Calendar data synced: Task descriptions, dates, and times are synced as Google Calendar events. We also receive event IDs from Google to maintain the sync relationship.
Sync token: A Google sync token is stored to enable efficient incremental syncing (only fetching changes since the last sync).

Google data handling: Your Google Calendar data is accessed via Google's API under Google's Privacy Policy. We only access your primary calendar. We do not access your Gmail, Drive, or any other Google service. You can disconnect Google Calendar at any time via Settings, which removes all stored tokens.

Google API Services User Data Policy compliance: AkoPlus's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

We only use Google Calendar data to provide and improve the calendar sync feature within AkoPlus.
We do not transfer Google user data to third parties except as necessary to provide the service, as required by law, or with your explicit consent.
We do not use Google user data for serving advertisements.
We do not allow humans to read Google user data unless with your affirmative consent, for security purposes, to comply with law, or when data is aggregated and anonymised for internal operations.

2.5 Technical & Security Data

Login history: Date/time, IP address, and user agent (browser) of each login — retained for security purposes
Push notification subscriptions: Browser push endpoint and encryption keys
Session data: Session tokens for authentication and single-session enforcement
AI token usage: Cumulative count of AI tokens used (for usage tracking, no content stored)

2.6 AI Feature Data

When you use AI-powered features, the following data is sent to OpenAI's API for processing:

Feature	Data Sent to OpenAI
Voice AI	Audio recording (for transcription via Whisper), transcribed text + task context (for command processing)
Smart Chat	Your message text + conversation history (last 12 turns)
Task Parsing / Categorisation	Task description text + existing task context
OCR (Tasks / Contacts)	Image data (for text extraction via GPT-4o vision)
Briefing / Suggestions	Task summaries for the surrounding days
Campaign Generation	Your prompt text describing the campaign
Voice Notes	Audio recording (transcribed and structured into a note)
Family Post AI	Prompt text, audio recording, or photo (for AI-assisted post content generation)
Family Event AI	Natural language text describing the event
Budget Insights	Transaction summaries, category totals, and spending patterns for the budget period
Budget Adviser Chat	Your message text + conversation history + financial summary data
Affordability Calculator	Purchase details + financial summary for AI affordability analysis

OpenAI data handling: Data sent to OpenAI's API is processed under OpenAI's Privacy Policy. Per OpenAI's API data usage policy, API inputs and outputs are not used to train their models. We do not store your AI inputs or outputs beyond what is needed for the immediate request (except Smart Chat conversation history in your session, which is cleared when you reset the chat).

3. How We Use Your Information

We use your information for the following purposes:

Purpose	Legal Basis (NZ Privacy Act IPP 10)
Provide and operate AkoPlus features	Directly related to the purpose of collection
Process campaign pledges, donations, and shop orders	Directly related — facilitating transactions you initiate
Send transactional emails (receipts, reminders, shipping notifications)	Directly related — part of the service you are using
Send push notifications (task reminders, new pledges/orders)	With your consent (opt-in)
Send email task reminders	With your consent (opt-in via Settings)
Process AI requests via OpenAI	Directly related — providing the AI feature you activated
Maintain login history and session security	Necessary for security and fraud prevention
Track AI token usage	Necessary for platform operation and fair usage
Display public campaign/shop/contact pages	With your consent (you choose to make content public)

We do not use your information for:

Selling or renting to third parties
Targeted advertising or ad profiling
AI model training
Any purpose unrelated to operating AkoPlus

4. Information Sharing & Disclosure

4.1 What We Share

Recipient	Data Shared	Purpose
Google (Calendar API)	Task descriptions, dates, times (synced as calendar events)	Two-way calendar sync (only if you connect your Google account)
OpenAI (API)	AI feature inputs (text, audio, images) as described in Section 2.6	AI processing
Stripe (via campaign/shop/family owner's account)	Donor/customer/contributor email, payment amount	Payment processing
Campaign supporters (public page)	Supporter first name, donation amount, payment status	Public supporters list (donor chose to contribute)
Shop customers (order tracking)	Order status, tracking number	Order fulfilment
Family members	Posts, comments, reactions, events, savings within a group	Shared family group functionality
Public visitors (public pages)	Campaign/shop/contact/family info you made public	Content you chose to publish

4.2 What We Do Not Share

We do not share your personal data with data brokers, advertisers, or marketing platforms.
We do not share your tasks, notes, or private content with anyone.
Campaign/shop/family Stripe API keys are encrypted at rest and never exposed in API responses or to other users.
Google Calendar tokens are stored securely and only used for calendar sync. They are deleted when you disconnect.

4.3 Legal Disclosure

We may disclose information if required by law, court order, or to comply with a lawful request by New Zealand or Australian authorities.

5. Data Storage & Security

Database: SQLite database stored on the server. Your data is not replicated to third-party databases.
Passwords: Hashed with PBKDF2-SHA256 — we never store plaintext passwords.
Stripe keys: Encrypted at rest using Fernet symmetric encryption (derived from the application secret key).
Files: Uploaded files (Vault, Shop, Directory, Campaign images) are stored on the server filesystem with UUID-based filenames to prevent path traversal.
HTTPS: All data in transit is encrypted via TLS/HTTPS.
Session security: Single-session enforcement, CSRF protection, rate limiting, Content Security Policy headers.
Access control: All API endpoints require authentication. Admin functions are restricted to admin users only.

6. Data Retention

Data Type	Retention
Account data	Until you delete your account
Tasks, notes, contacts	Until you delete them or your account
Campaigns, pledges	Until you delete the campaign or your account
Shop orders	Until you delete the shop or your account
Family Hub data	Until you delete the group or your account (leaving a group removes your membership but preserves your posts)
Vault files	Until you delete the link/file or your account
Google Calendar tokens	Until you disconnect Google Calendar or delete your account
Login history	Until your account is deleted
Smart Chat history	Session-only (cleared on chat reset or session expiry)
AI audio/image inputs	Temporarily during processing only — deleted immediately after

When you delete your account, all associated data is permanently removed from our database and filesystem, including tasks, campaigns, shops, contacts, notes, files, images, and login history.

7. Cookies & Local Storage

Session cookie: A session cookie is used for authentication. It is essential for the platform to function and is not used for tracking.
Remember me: A persistent cookie may be set for auto-login if you choose "remember me" during login.
localStorage: Used client-side for: TTS voice preferences, PWA install state, shop cart data (per shop), and offline task queue. No personal data is sent to third parties via localStorage.
Service Worker cache: Task data and static assets are cached locally for offline functionality. Cleared when you clear browser data or when the app updates.

We do not use analytics cookies, tracking pixels, or third-party advertising cookies.

8. Your Rights

Under the NZ Privacy Act 2020 (IPP 6 & 7) and the Australian Privacy Act 1988 (APP 12 & 13), you have the right to:

8.1 Access Your Data

You can export all your task data at any time via Settings → Export (JSON or CSV format). You can view your account information, login history, and all content through the app interface.

8.2 Correct Your Data

You can update your name, email, password, and preferences via Settings. You can edit or delete any tasks, campaigns, shops, contacts, notes, and files at any time.

8.3 Delete Your Data

You can delete individual items (tasks, campaigns, contacts, etc.) at any time. You can delete your entire account via Settings → Delete Account, which permanently removes all your data.

8.4 Withdraw Consent

Disable push notifications in Settings at any time
Disable email notifications in Settings at any time
Disconnect Google Calendar at any time (removes all stored tokens and stops syncing)
Make campaigns/shops/contacts/family groups private at any time
Stop using AI features at any time (no ongoing data processing)

8.5 Complain

If you believe we have breached your privacy, you may:

Contact us directly (see Section 12)
Lodge a complaint with the NZ Office of the Privacy Commissioner: privacy.org.nz
Lodge a complaint with the Office of the Australian Information Commissioner: oaic.gov.au

9. Children's Privacy

AkoPlus is not intended for children under 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided personal information, we will take steps to delete it promptly.

Users aged 16–17 may use AkoPlus with parental or guardian consent.

10. International Data

AkoPlus is hosted and primarily operates in New Zealand. If you access the platform from outside New Zealand:

Your data may be stored on servers in New Zealand or the hosting provider's location.
AI processing via OpenAI may occur on servers in the United States, subject to OpenAI's data processing practices.
Google Calendar sync communicates with Google's servers (primarily United States), subject to Google's data processing practices.
Stripe payment processing occurs in the jurisdiction of the campaign/shop/family owner's Stripe account.

We ensure that any cross-border data handling meets the requirements of the NZ Privacy Act 2020 (IPP 12) regarding disclosure to overseas recipients.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via the platform. The "Last updated" date at the top indicates when the policy was last revised.

12. Contact Us

For privacy enquiries, data access requests, or complaints:

Email: [email protected]
Platform: akoplus.co.nz
Operator: Moana Digital Solutions, New Zealand

We will respond to privacy requests within 20 working days, as required by the NZ Privacy Act 2020.