AcervasAcervas
How it worksFeaturesPricingFAQAboutContact
Log inStart my 90-day free pilot

Acervas — Privacy Policy

Last updated: 18 May 2026

Acervas Limited (NZBN 9416841) (Acervas, we, us, our) is committed to protecting personal information in accordance with the Privacy Act 2020 (New Zealand) and other applicable privacy laws.

This Privacy Policy explains what personal information we collect, how we use and share it, how we protect it, and the choices you have. It applies to our website at acervas.com and our software platform (the Service).

If you have questions about this Privacy Policy or your personal information, contact us at info@acervas.com.

1. About the personal information we handle

Acervas's Service is designed primarily to handle industrial maintenance data — information about machines, equipment, fixes, procedures, and operational events. Most of the data flowing through the Service is not personal information.

However, we do collect and process some personal information, particularly about:

  • the people who set up and administer customer accounts;
  • the engineers and operators who use the Service on behalf of our customers;
  • visitors to our website; and
  • prospective customers we communicate with.

This Privacy Policy explains how we handle that personal information.

2. The personal information we collect

2.1 Information you give us

We collect personal information you provide directly, including:

  • Account information — name, email address, job title, phone number, and the name of the company or plant you represent
  • Authentication information — login credentials, including hashed passwords
  • Communications — the content of emails, support requests, and other communications you send us
  • Marketing and sales information — information you provide when you request a demo, sign up for our newsletter, or interact with our sales team
  • Recordings of your voice — when you use the voice input feature, we capture and process audio recordings of you and your personnel speaking. These recordings are transcribed using automated speech recognition technology

2.2 Information generated through your use of the Service

  • Usage data — records of your interactions with the Service, including features used, queries submitted, and entries created
  • Device and technical information — IP address, browser type and version, operating system, device identifiers, and approximate location derived from your IP address
  • Diagnostic and log information — error logs, performance data, and similar technical information

2.3 Information from third parties

We may receive limited information about you from:

  • Your employer or plant operator — when they create an account for you on the Service
  • Our analytics provider (PostHog) — anonymised usage analytics about how people interact with the Service
  • Public sources — for example, LinkedIn profiles when we research prospective customers

2.4 Information we do not seek

We do not knowingly collect personal information from children. The Service is intended for use by adult professionals in industrial workplaces. We do not deliberately collect sensitive personal information (for example, health information, racial or ethnic origin, religious beliefs, or political opinions). If such information is included in customer-uploaded content, we treat it as customer data and process it only as a service provider to the customer.

3. How we use personal information

We use personal information for the following purposes.

3.1 To provide the Service

  • Authenticate users and provide access to the Service
  • Process voice, text, and photo inputs and return AI-generated outputs
  • Display knowledge entries to authorised users within your plant and (subject to anonymisation) across the cross-plant network
  • Provide customer support

3.2 To operate and improve Acervas's business

  • Communicate with you about your account, billing, and changes to the Service
  • Respond to your enquiries
  • Send transactional emails (for example, password resets, billing notices)
  • Send marketing communications, where you have consented or where permitted by law (you can opt out at any time)
  • Monitor and improve the performance, security, and reliability of the Service
  • Train and evaluate machine learning models using anonymised and aggregated data, in accordance with our Terms of Service. We do not use identifiable personal information for model training without explicit consent.

3.3 To comply with law and protect rights

  • Comply with legal obligations, including responding to lawful requests from public authorities
  • Enforce our Terms of Service
  • Detect, prevent, and respond to fraud, security incidents, or unlawful activity
  • Protect the rights, property, or safety of Acervas, our customers, or others

3.4 Lawful basis

Under New Zealand law (Information Privacy Principle 1, Privacy Act 2020), we collect personal information for the purposes set out above and only where collection is necessary for those purposes. Where the EU General Data Protection Regulation (GDPR) applies to processing of your personal information, our lawful bases are:

  • Performance of a contract with you (or steps prior to entering a contract);
  • Legitimate interests — our legitimate interests in operating, improving, and securing the Service, where these are not overridden by your fundamental rights;
  • Consent — where we have asked for and received your consent (for example, marketing communications);
  • Legal obligation — where processing is required to comply with applicable law.

4. How we share personal information

We do not sell personal information. We share personal information only as described below.

4.1 With our service providers (sub-processors)

We use trusted third-party service providers to operate the Service. These providers process personal information on our behalf, subject to written agreements requiring them to protect the information and use it only for the purposes we authorise.

Our current sub-processors include:

| Provider | Purpose | Location of processing | |---|---|---| | Supabase | Database, authentication, file storage | United States (with EU data residency option) | | Vercel | Application hosting, content delivery | Global edge network, primary processing in United States | | OpenAI | Speech-to-text (Whisper), text embeddings, AI text generation (GPT-4o) | United States | | Upstash (Redis) | Caching, rate limiting | United States | | Resend | Transactional email delivery | United States | | PostHog | Product analytics | United States or EU (configurable) |

We may update this list from time to time. Material changes to our sub-processor list will be communicated through this Privacy Policy or by direct notice.

4.2 With other customers (cross-network knowledge sharing)

The Service enables anonymised cross-plant knowledge sharing as described in our Terms of Service. Knowledge shared cross-network is stripped of organisational identifiers, plant names, personnel names, and other content that could reasonably identify you before being made available to other customers. Photographs are not shared cross-network unless the customer opts in to photo sharing.

4.3 In connection with business transactions

If Acervas is involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will require the recipient to honour this Privacy Policy or notify you of any material changes.

4.4 To comply with law or protect rights

We may disclose personal information when we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation, court order, or lawful request from a public authority
  • Enforce our Terms of Service
  • Protect the rights, property, or safety of Acervas, our customers, or others
  • Investigate fraud or security incidents

4.5 With your consent

We may share personal information for other purposes with your explicit consent.

5. International data transfers

Because we use service providers based in the United States and elsewhere, personal information may be transferred to and processed in countries outside New Zealand. These countries may have data protection laws different from those of New Zealand or your country of residence.

When we transfer personal information internationally:

  • For transfers from New Zealand, we ensure the receiving party is subject to privacy safeguards comparable to those in the Privacy Act 2020, in accordance with Information Privacy Principle 12.
  • For transfers subject to GDPR, we rely on Standard Contractual Clauses or other approved transfer mechanisms.

6. How long we keep personal information

We keep personal information only for as long as needed for the purposes set out in this Privacy Policy, and in any event:

| Category | Retention period | |---|---| | Account and authentication information | For the duration of your account, plus 7 years for tax and legal compliance | | Customer content (knowledge entries, voice recordings, photos) | For the duration of your account. On termination, exportable for 30 days, then deleted in accordance with our Terms of Service | | Anonymised and aggregated data | Indefinitely, as set out in our Terms of Service | | Sales and marketing communications | Until you opt out, plus 12 months | | Website analytics | Up to 13 months | | Diagnostic and log information | Up to 12 months | | Billing and financial records | 7 years (NZ tax law requirement) |

We may retain information for longer where required by law, where needed to defend legal claims, or where the information has been irreversibly anonymised.

7. How we protect personal information

We take reasonable steps to protect personal information against loss, unauthorised access, disclosure, alteration, and misuse. These include:

  • Encryption in transit using TLS for all connections to the Service
  • Encryption at rest for data stored in our database and file storage
  • Access controls — role-based access, with administrative access restricted to authorised personnel
  • Row-level security in our database to enforce strict separation between customer data
  • Cross-network query architecture designed so that cross-plant queries are structurally incapable of identifying source plants
  • Hashed passwords — we never store passwords in clear text
  • Regular security review of our systems, dependencies, and sub-processors
  • Incident response procedures to detect and respond to security events

No system is completely secure. If you believe your account or any personal information has been compromised, contact us immediately at info@acervas.com.

8. Your privacy rights

Under the Privacy Act 2020 (NZ) and other applicable laws, you have certain rights in relation to your personal information.

8.1 Rights under New Zealand law

  • Access — you can request a copy of the personal information we hold about you
  • Correction — you can request that we correct personal information that is inaccurate, incomplete, or out of date
  • Complaint — you can complain to us or to the Office of the Privacy Commissioner (privacy.org.nz) if you believe we have breached your privacy

8.2 Additional rights under GDPR (if applicable)

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction where GDPR or equivalent law applies, you also have the right to:

  • Erasure ("right to be forgotten") — request deletion of your personal information, subject to legal and contractual exceptions
  • Restriction — request that we limit processing of your personal information
  • Data portability — request a copy of your personal information in a structured, machine-readable format
  • Object — object to processing based on legitimate interests or for direct marketing
  • Withdraw consent — where processing is based on consent, withdraw your consent at any time
  • Lodge a complaint with your local data protection authority

8.3 How to exercise your rights

To exercise any of these rights, contact us at info@acervas.com. We will respond within the timeframes required by applicable law (in New Zealand, within 20 working days of receiving your request).

We may need to verify your identity before responding. In some cases, applicable law allows or requires us to refuse a request or charge a reasonable fee. We will explain if this is the case.

8.4 Note on customer data

If you are an end user of the Service (for example, an engineer using the Service on behalf of your employer), Acervas processes most of your personal information on behalf of your employer, who is the controller of that information. To exercise rights in relation to that information, please contact your employer in the first instance.

9. Cookies and similar technologies

Our website and Service use cookies and similar technologies to:

  • Keep you logged in to your account (essential cookies)
  • Remember your preferences (preference cookies)
  • Understand how the Service is used (analytics cookies — PostHog)

Essential cookies are required for the Service to function. You can disable other cookies through your browser settings, though some features may not work correctly.

We do not use third-party advertising cookies.

10. Marketing communications

We may send you marketing communications about Acervas products and services, where you have consented or where permitted by law.

You can opt out of marketing communications at any time by:

  • Clicking the unsubscribe link in any marketing email
  • Emailing info@acervas.com

Opting out of marketing communications does not affect transactional communications relating to your account or use of the Service.

11. Children

The Service is not directed to children under 18 and we do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us at info@acervas.com and we will delete it.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you in advance by email (where we have your email address) or by prominent notice on the Service or our website.

The "Last updated" date at the top of this Privacy Policy shows when it was last revised. Your continued use of the Service after the effective date of a change constitutes your acceptance of the change.

13. Contact us

For all enquiries — including privacy, security, and general matters — contact us at info@acervas.com.

Acervas Limited 23 Wilding Avenue, Epsom, Auckland 1023, New Zealand NZBN: 9416841

If you are not satisfied with our response to a privacy enquiry or complaint, you can contact the Office of the Privacy Commissioner (New Zealand):

  • Website: privacy.org.nz
  • Phone: 0800 803 909
  • Email: enquiries@privacy.org.nz
AcervasAcervas

Fix it once. Know it everywhere. The cross-plant knowledge network for maintenance teams.

Product

How it worksNetworkFeaturesIntegrationsPricing

Company

AboutFAQContactPrivacy PolicyTerms of Service

© 2026 Acervas. All rights reserved.