Privacy Policy
Last updated: 13 February 2026
1. Introduction
This Privacy Policy explains how Homefree collects, uses, stores, and shares your personal information when you use the Homefree web platform at https://www.homefree.co.nz and the Homefree mobile application (collectively, the “Service”).
We are committed to complying with the New Zealand Privacy Act 2020 and its Information Privacy Principles. If you have questions or concerns, contact us at support@homefree.co.nz.
2. Information We Collect
2.1 Information You Provide
- Account registration: Email address and password.
- Profile information: First name, middle names, last name, preferred name, mobile phone number, and date of birth.
- Advisor business information: Business email, phone, website, company name, logo, and profile photo.
- Financial information: Loan details (account numbers, amounts, terms, interest rates, payment structures), loan balances, property addresses, property title numbers, property valuations, and related financial data.
- Property addresses: Entered via an address search feature powered by Mapbox and stored as structured location data.
2.2 Information Collected Automatically
- Authentication data: Session tokens, login timestamps, and authentication state.
- Usage analytics: Page views, session duration, feature usage, and user-linked events via Amplitude.
- Error and performance data: Error reports, stack traces, performance metrics, and browser/device information via Sentry. Personally identifiable information (such as email and IP address) may be included in error reports.
- Session recordings: We use Sentry Session Replay to visually record a sample of user sessions on the web platform. Approximately 10% of normal sessions and 100% of sessions where errors occur are recorded. These recordings may capture on-screen content, including financial data visible on the page.
- Cookies: Authentication session cookies, a UI preference cookie for sidebar state (7-day duration), and analytics cookies.
- Device information (mobile): Device type, operating system, and app version.
2.3 Information From Third Parties
- Mapbox: Geocoded address data returned when you search for a property address.
3. How We Use Your Information
| Purpose | Data Used |
|---|---|
| Provide the Service | All account and financial data |
| Authentication and security | Email, password, session tokens |
| Advisor–client data sharing | Financial data within your household |
| Mortgage calculations | Loan terms, interest rates |
| Error monitoring and debugging | Error data, session recordings, PII |
| Product analytics | Usage data, page views, user ID |
| Transactional emails | Email address |
| Audit trail | All data changes with before/after values |
| Address lookup | Address search queries |
4. How We Share Your Information
4.1 With Your Advisor (for Clients)
When you are a member of a household, your assigned advisor can access your profile information and all financial data within your household, including loans, properties, valuations, balances, and the audit trail of changes. This sharing is based on your household membership and the advisor authority consent you provide.
4.2 With Household Members
Other members of the same household can see your basic profile information and shared financial data within the household.
4.3 With Platform Administrators
Platform administrators have access to all data for operational and support purposes.
4.4 With Third-Party Service Providers
| Provider | Data Shared | Purpose | Location |
|---|---|---|---|
| Supabase | All data | Database, authentication, storage | Cloud |
| Sentry | Error data, PII, session recordings | Error monitoring | US |
| Amplitude | User ID, page views, events | Product analytics | US |
| Mapbox | Address search queries | Geocoding | US |
| Resend | Email addresses, content | Email delivery | US |
| Vercel | Web traffic, server logs | Hosting | Global |
| | Browser font requests | Web font delivery | Global |
4.5 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties.
5. Data Security
We implement appropriate technical and organisational measures to protect your information, including:
- Row-Level Security (RLS): All database tables enforce access controls so users can only access data they are authorised to see.
- Role-based access control: Granular permissions for admin, advisor, and client roles.
- Protected fields: Sensitive fields like admin status and user type are protected by database-level triggers to prevent unauthorised changes.
- Encrypted communications: All data transmitted between your device and our servers is encrypted using TLS (HTTPS).
- Session management: JWT-based authentication with secure session handling.
- Audit trail: An immutable log of all data changes is maintained for accountability and security.
6. Data Retention
- Account data: Retained while your account is active. When you delete your account, your personal and financial data is deleted. Related records are removed automatically.
- Audit trail: Audit records are retained indefinitely for regulatory compliance and security purposes. When a user account is deleted, audit entries are preserved with the user reference anonymised.
- Error monitoring data: Subject to Sentry's data retention policies (typically 30–90 days).
- Analytics data: Subject to Amplitude's data retention policies.
- Session recordings: Subject to Sentry's session replay retention policies.
7. Your Rights
Under the New Zealand Privacy Act 2020, you have the right to:
- Access the personal information we hold about you (Information Privacy Principle 6).
- Correct any inaccurate personal information (Information Privacy Principle 7).
- Know what information is held about you and why.
- Request deletion of your account and associated data.
- Withdraw consent for advisor authority at any time.
- Complain to the Office of the Privacy Commissioner if you are unsatisfied with our handling of your information.
To exercise any of these rights, contact us at support@homefree.co.nz.
8. International Users
Homefree primarily serves users in New Zealand. If you access the Service from outside New Zealand, please be aware that your data may be transferred to, stored, and processed in countries other than your own, including the United States, where several of our third-party service providers are located.
If you are located in the European Union or United Kingdom, we process your data on the basis of contractual necessity, consent, or legitimate interest. You may have additional rights under the General Data Protection Regulation (GDPR), including the right to erasure, data portability, and the right to object to processing.
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of the sale of personal information. We do not sell personal information.
9. Cookies and Tracking
Essential Cookies
| Cookie | Purpose | Duration |
|---|---|---|
| sb-* | Authentication session | Session |
| sidebar_state | UI sidebar preference | 7 days |
Analytics Cookies
We use Amplitude for product analytics on the web platform. Amplitude may set cookies to track usage patterns and session data. On the mobile app, analytics cookies are disabled; device-level identifiers are used instead.
Session Replay
We use Sentry Session Replay to record user sessions on the web platform for the purpose of debugging and improving the Service. Approximately 10% of sessions are recorded under normal conditions, and 100% of sessions are recorded when an error occurs. These recordings may capture content visible on screen, including financial data. Personally identifiable information may be included in the data sent to Sentry.
Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning correctly. Uninstalling the mobile app removes all locally stored data.
10. Children's Privacy
The Service is not directed at children under 16 years of age. You must be at least 18 to create an account. If we become aware that we have collected personal information from a child under 16, we will delete that information promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy. Previous versions are available upon request.
12. Contact
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
- Email: support@homefree.co.nz
- General enquiries: contact@homefree.co.nz