Legal
Privacy Policy
Effective date: 4 March 2026 · Last updated: 4 March 2026
1. Who we are
MortgageReady ("we", "us", "our") operates the website at mortgageready.co.nz (the "Service"). We are based in New Zealand and comply with the Privacy Act 2020 (NZ).
2. What information we collect
We collect information you provide directly when using the Service:
- Account information – email address and password when you register.
- Financial profile data – income, KiwiSaver balances, savings, living expenses, existing debts, and target property details you enter to build your mortgage-readiness profile.
- Uploaded documents – bank statements, payslips, identification documents, and employment contracts you choose to attach to your profile.
- Broker and lender contacts – names, companies, and contact details of mortgage brokers or lenders you add to your profile.
- Saved properties – property listing URLs and associated metadata you save to your properties tracker.
- Usage data – anonymised analytics including page views, feature usage, and device type, collected via Vercel Analytics.
3. How we use your information
We use the information we collect to:
- Provide, maintain, and improve the Service – including calculating your borrowing power, affordability score, and generating reports.
- Process uploaded bank statements to extract and categorise transactions for spending insights.
- Generate AI-assisted engagement letters addressed to your nominated brokers or lenders.
- Sync your profile securely across devices via cloud storage.
- Send transactional emails such as account verification and password resets.
- Understand aggregate usage patterns to improve the product (anonymised data only).
4. AI processing
Certain features use AI (large language models) to generate content on your behalf, such as engagement letters and bank statement spending insights. Your financial data is sent to the AI provider solely for the purpose of generating that content. We do not use your data to train AI models, and the AI provider is contractually prohibited from retaining your data beyond the processing request.
5. How we store and protect your data
- Profile data is stored in a PostgreSQL database hosted by Supabase with row-level security – each user can only access their own data.
- Uploaded documents are stored in Supabase Storage with access restricted to the owning user.
- All data is transmitted over HTTPS/TLS encryption.
- Passwords are hashed using bcrypt via Supabase Auth – we never store or see your plaintext password.
- We use Supabase's infrastructure, which hosts data in AWS data centres. While we prefer data sovereignty, Supabase does not currently offer an NZ-hosted region.
6. Who we share your data with
We do not sell, rent, or trade your personal information. We share data only with:
- Supabase – database hosting and authentication.
- Vercel – application hosting and anonymised analytics.
- AI provider (OpenAI) – engagement letter and bank statement analysis processing only, with no data retention.
- Polar – payment processing for premium features. Polar handles payment information directly; we do not store credit card details.
We may also disclose information if required by New Zealand law or to protect the rights and safety of our users.
7. Cookies and tracking
We use minimal cookies required for authentication (session tokens) and theme preference. We use Vercel Analytics for anonymised, aggregate usage metrics – this does not use third-party tracking cookies and does not track individual users across other websites.
8. Your rights under the Privacy Act 2020
As a New Zealand user, you have the right to:
- Access – request a copy of all personal information we hold about you.
- Correction – ask us to correct any inaccurate information.
- Deletion – ask us to delete your account and all associated data. You can also export your profile as JSON before deleting.
To exercise any of these rights, email us at privacy@mortgageready.co.nz. We will respond within 20 working days as required by the Act.
9. Data retention
We retain your profile data for as long as your account is active. If you delete your account, all personal data – including uploaded documents, saved properties, and financial profile information – is permanently deleted within 30 days. Anonymised, aggregate analytics data may be retained indefinitely.
10. Children
The Service is not directed at anyone under the age of 16. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 16, we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact us
If you have questions or concerns about this Privacy Policy or our data practices, contact us at: privacy@mortgageready.co.nz
You may also lodge a complaint with the Office of the Privacy Commissioner if you are unsatisfied with our response.