Kizuly
Privacy Policy
Effective date: 12 April 2026 | Last updated: 12 April 2026
This Privacy Policy explains how Kizuly (“Kizuly”, “we”, “us”, or “our”) collects, uses, and protects information when you use the Kizuly analytics platform (“Platform”). Kizuly is a business-to-business (B2B) service. We do not collect or process data from end consumers. The data we handle relates to retailers and their business operations only.
By connecting your store to Kizuly, you agree to this Privacy Policy. If you have questions, contact us at privacy@kizuly.com.
1. Who We Are
Kizuly is operated by Kizuly, registered in New Zealand. We provide an AI-powered sales analytics platform for independent hobby and tabletop game retailers.
Kizuly acts as a data processor on your behalf. You, the retailer, remain the data controller and owner of your store data at all times. We process your data only for the purposes described in this policy and in our Terms of Service.
Privacy contact: privacy@kizuly.com
2. What Data We Collect
We collect the minimum data necessary to provide the Platform.
| Data Type | What We Collect | What We Do NOT Collect |
|---|---|---|
| Order data | Product name, quantity, revenue, order date, product category | Customer names, email addresses, shipping addresses, payment details, IP addresses |
| Product data | Product title, product type, price, inventory level | Supplier invoices, cost prices, supplier names, margin data |
| Account data | Retailer name, email address, store URL, subscription plan tier | Tax file numbers, bank account details, identity documents, payment card numbers |
| Usage data | Chat questions asked, AI responses, insight card feedback (thumbs up/down), page views | End-customer behaviour, browser fingerprints, individual session tracking beyond what is necessary |
We do not collect personal information about your end customers. We specifically exclude customer names, contact details, and payment information from all data we ingest from your Shopify store.
3. How We Use Your Data
3.1 AI-powered insights and chat
We use aggregated summaries of your sales data to generate AI-powered insight cards and to answer questions you ask through the chat interface. We send aggregated sales summaries to the Anthropic API (Claude) to generate these insights. We never send raw order records, customer data, or personally identifiable information to any AI service.
Specifically, the data sent to the Anthropic API includes: total revenue figures, product category breakdowns, top product lists, order counts, and time-period comparisons. Individual order records are never transmitted.
3.2 Anonymised network benchmarking
With your agreement (set out in our Terms of Service), we include anonymised data from your store in an aggregate network pool. This pool is used to generate industry benchmarks — for example, average category revenue across all connected stores. Your store is never individually identifiable from this data.
Benchmarks are only displayed when data from at least 5 stores contributes to that data point. Your individual store's figures are never exposed to other retailers.
3.3 Platform operation and improvement
We use your account data to authenticate you, manage your subscription, and send transactional emails (such as account invitations and service notifications). We use aggregated, de-identified usage patterns — such as frequently asked chat questions — to improve the Platform and develop new insight types.
3.4 Legal compliance
We may use or retain data where required by applicable law, or to comply with a valid legal process. We will notify you of any such request where permitted by law.
4. Data Sharing and Third Parties
We do not sell your data. We do not share your data with third parties for advertising purposes. We share data only with the sub-processors listed below, and only to the extent necessary to provide the Platform.
| Sub-processor | Purpose | Location | Data Shared |
|---|---|---|---|
| Anthropic, Inc. | AI insight generation and chat responses | United States | Aggregated sales summaries only — no raw records or PII |
| Railway Technologies | Database hosting, application hosting, and storage | United States | All application data (encrypted at rest), Shopify session tokens |
| Vercel, Inc. | Platform hosting (dashboard) | United States / global CDN | Application code only — no user data stored |
| Resend, Inc. | Transactional email delivery | United States | Retailer email address and invite content only |
| Cloudflare, Inc. | DNS and network infrastructure | Global | Network traffic metadata only |
We will update this list if we add or change sub-processors. We apply contractual obligations to all sub-processors to ensure they protect your data to at least the standard set out in this policy.
5. International Data Transfers
Kizuly is operated from New Zealand. Some of our sub-processors, including Anthropic and Railway, store and process data in the United States. By using the Platform, you acknowledge that your data may be transferred to and processed in countries outside your own, including the United States.
We take steps to ensure that international transfers are subject to appropriate safeguards. For EU/UK retailers, we can provide a Data Processing Agreement (DPA) on request that addresses GDPR transfer requirements — contact privacy@kizuly.com.
6. Data Retention
We retain your data for as long as your account is active and for a period afterwards as set out below:
| Data Type | Retention Period | Notes |
|---|---|---|
| Order and product data | Duration of subscription + 90 days | Permanently deleted 90 days after account cancellation |
| Account data (email, store URL) | Duration of subscription + 90 days | Deleted with account |
| Chat logs and AI responses | Duration of subscription + 90 days | Deleted or anonymised with account |
| Aggregated/anonymised network data | Indefinitely | Cannot be reverse-engineered to your store — retained for platform integrity |
| Billing and transaction records | 7 years | Required by law in most jurisdictions |
When you request account deletion, we will permanently delete all raw data associated with your store within 90 days and confirm deletion by email.
7. Security
We take the security of your data seriously and implement appropriate technical and organisational measures, including:
- Encryption in transit: all data transferred between your browser, our applications, and our databases uses HTTPS/TLS encryption
- Encryption at rest: all database storage is encrypted at rest via our database provider (Railway)
- Data siloing: your raw store data is logically isolated — no other retailer can access your data, even accidentally
- Access controls: role-based access controls limit who within Kizuly can access retailer data. Admin access to raw retailer data is logged
- Secrets management: API keys and credentials are stored in environment variables and never committed to version control
- Authentication: accounts are protected by hashed passwords and invite-only registration with time-limited, single-use tokens
No system is perfectly secure. If you discover a security vulnerability, please report it to privacy@kizuly.com.
8. Your Rights
Depending on your location, you have the following rights regarding your data:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of all data Kizuly holds about your store | Email privacy@kizuly.com — fulfilled within 20 working days (NZ) or 30 days (GDPR) |
| Correction | Request correction of inaccurate data we hold about you | Email privacy@kizuly.com |
| Deletion / Erasure | Request permanent deletion of all your store data | Email privacy@kizuly.com or use Settings > Privacy in the platform (coming soon) |
| Data portability (GDPR) | Receive your data in a machine-readable format (CSV/JSON) | Email privacy@kizuly.com |
| Object to automated processing | Opt out of your anonymised data being included in the aggregate network pool | Email privacy@kizuly.com — note this may limit access to benchmarking features |
| Withdraw consent | Withdraw consent to data processing at any time by closing your account | Settings > Account > Close Account |
We will not discriminate against you for exercising any of these rights.
9. Cookies and Analytics
Kizuly uses only the cookies and local storage necessary to operate the Platform, including:
- Authentication session cookies: required to keep you logged in
- localStorage for chat session continuity: stores a session identifier so your chat history persists across page loads — this data remains on your device
- localStorage for dashboard filter preferences: stores your toggle settings (e.g. show/hide singles) so they persist between sessions
We do not use third-party advertising cookies. We do not use analytics services that track individual user behaviour across sessions. If we add analytics in future, this policy will be updated and a cookie consent banner will be displayed.
10. Legal Frameworks That Apply
Kizuly's retailer base spans multiple jurisdictions. We comply with the following frameworks:
- New Zealand Privacy Act 2020: applies to all NZ-based retailers and their data
- Australian Privacy Act 1988: applies to AU-based retailers
- UK GDPR / EU GDPR: applies to any retailer in the UK or EU, or whose end customers include EU/UK residents. EU/UK retailers may request a Data Processing Agreement (DPA)
- California Consumer Privacy Act (CCPA): applies where relevant for retailers with California customers
GDPR is the most demanding framework we apply. Where GDPR applies to your account, all of its rights and protections apply in full, regardless of your location.
11. Data Breach Notification
In the event of a data breach affecting your store's data, we will:
- Contain the breach and assess its severity as quickly as possible
- Notify affected retailers as soon as practicable once the nature of the breach is understood
- Notify the relevant regulatory authority within 72 hours where required (GDPR) or as soon as practicable (NZ Privacy Act)
- Provide you with information about what data was affected, what we are doing about it, and what steps you should take
Our designated privacy contact for breach notifications is: privacy@kizuly.com
12. Children
Kizuly is a business-to-business service intended solely for use by adults operating retail businesses. We do not knowingly collect any data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, contact privacy@kizuly.com immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email to the address associated with your account, and by updating the “Last updated” date at the top of this document. Continued use of the Platform after a change takes effect constitutes acceptance of the updated policy.
The current version of this policy is always available at kizuly.com/privacy.
14. Contact Us
For all privacy-related questions, requests, or concerns:
| Contact Method | Details |
|---|---|
| privacy@kizuly.com | |
| Response time | Within 5 business days for general enquiries; within 20 working days for formal access requests |
| Legal entity | Kizuly, Blenheim, New Zealand |
| EU/UK representative | Contact privacy@kizuly.com — we will provide representative details on request |