What This Policy Covers: This Privacy Policy explains how Kaha Create collects, uses, protects, and shares your personal information when you use our platform. We're committed to transparency about your data and your rights.
Your Information, Your Control: You decide what you share with us. You can access and correct your information at any time. We never sell your personal data to anyone.
What We Collect: We collect information you give us (like your name and email), content you create (videos and courses), and information about how you use our platform. We also collect payment information through Stripe when you make or receive payments.
How We Use It: We use your information to run the platform, process payments, improve our services, keep your account secure, and communicate with you. Your content remains yours - we only use it to provide the services you've asked for.
Cultural Data Protection: We take extra care with cultural knowledge and mātauranga Māori. You control who sees culturally sensitive content and how it's used. Our cultural protections are built into every level of our platform.
Data Sovereignty: We prioritise keeping data in the Pacific region. Currently, all data is stored in AWS Sydney, Australia. We're developing New Zealand-only hosting options for organisations requiring data sovereignty (coming 2025).
Who We Share With: We share information only with:
Payment processors (Stripe) to handle transactions
Service providers (AWS, Google Analytics, Neon, Gleap) to run the platform - sharing only the minimum needed
Law enforcement when legally required (warrant or court order)
We never sell your information or use it for advertising.
Your Privacy Rights: Under New Zealand's Privacy Act 2020, you can request access to and correction of personal information we hold. We also provide tools to export your data on account deletion and delete your account (subject to legal retention requirements). We respond to privacy requests within 20 working days.
Cookies & Tracking: We use essential cookies to make the platform work and optional analytics cookies to improve our services. You can control cookie settings in your browser.
Security: We protect your information with encryption, secure servers, access controls, and regular security testing. No system is 100% secure, but we use industry-leading practices and services.
Children's Privacy: Learners must be at least 13 years old (with parental consent if under 16). Creators who monetise content must be at least 18 years old. We provide special protections for children's data.
Questions? Contact us at privacy@kahacreate.co.nz anytime.
At Kaha Create, we believe your personal information is taonga (treasure) that deserves protection, respect, and care. Just as we apply principles of kaitiakitanga (guardianship) to the knowledge shared on our platform, we apply these same values to your privacy.
What This Means:
Transparency with Integrity:
We tell you clearly what data we collect and why
We map exactly where your information travels
We explain the trade-offs when using different services
We never hide how we use your information
Control and Rangatiratanga:
You maintain authority over your personal information
You decide what you share and with whom
You can access, change, or delete your data at any time
Your choices about cultural protocols are honoured
Manaakitanga in Data Protection:
We handle your information with the same care we'd want for our own
We protect cultural data with additional safeguards
We respond to your concerns with respect and urgency
We design for your wellbeing, not just our convenience
Collective Responsibility:
We recognise that some data relates to communities, not just individuals
We support iwi and hapū data sovereignty
We contribute to stronger data protection for all New Zealanders
We stand for privacy rights as fundamental human rights
Kaha Create Limited is a New Zealand company registered for GST (GST Number: 146-184-065). Our registered office is at 8 Kereru Bend, Tawa, Wellington, New Zealand.
This Privacy Policy applies to:
Our website and platform at kahacreate.com and all subdomains
Our mobile and desktop applications
All services we provide through the platform
Information collected before, during, and after you use our services
We comply with:
Privacy Act 2020 (this policy focuses on privacy protections)
Consumer Guarantees Act 1993 and Fair Trading Act 1986 (covered in our Terms of Service)
Electronic Transactions Act 2002 (digital transactions)
Te Tiriti o Waitangi principles regarding Māori data
Privacy Officer: Email: privacy@kahacreate.co.nz Physical address: 8 Kereru Bend, Tawa, Wellington, New Zealand Support email: support@kahacreate.co.nz Cultural data enquiries: tikanga@kahacreate.co.nz
Account Information:
Full name
Email address
Password (hashed - we never see your actual password)
Organisation name and details (if applicable)
Profile photo and bio (optional)
Communication preferences
Content You Create:
Videos (uploaded or recorded through our platform)
Audio recordings
Scripts and text content
Images and presentation materials
Quiz questions and answers
Reflection prompts and exercises
Learning outcomes and behavioural change goals
Course titles, descriptions, and metadata
Course structure and curriculum design
Organisation branding and visual customisation
Member lists and role assignments (for organisation accounts)
Note: This list is not exhaustive; any content created or uploaded as a learning resource is collected so we can share it with your learners.
Cultural Information (when you choose to provide it):
Cultural sensitivity flags
Traditional Knowledge Label selections
Community access restrictions
Attribution requirements
Whakapapa of knowledge as provided in the pre-creation survey
Data sovereignty preferences
Payment and Financial Information:
Bank account details for Creator payouts (processed through Stripe)
Billing address
Tax information (IRD number if you're GST registered)
Payment preferences (koha, fixed price, free)
Transaction history
Communications:
Support enquiries and help tickets
Feedback and feature requests
Survey responses
Email correspondence with our team
Technical Information:
IP address
Device type and operating system
Browser type and version
Screen resolution
Time zone setting
Device identifiers
Account IDs and unique identifiers
Stripe customer IDs
Cookie identifiers
These are collected so we can help with support tickets and technical issues only.
Usage Information:
Pages visited and features used
Time spent on different sections
Click patterns and navigation paths
Search queries within the platform
Content viewing and completion rates
Tool usage (AI features, video editing, etc.)
These are collected so we can help with support tickets and technical issues, and improve the performance of the platform for you and others.
Performance Data:
Page load times
Error messages and bugs encountered
Feature performance metrics
Video streaming quality data
Payment Processors (Stripe):
Payment success/failure status
Transaction IDs
Dispute or chargeback information
Fraud detection signals
Social Media (if you choose to connect):
Public profile information (name, profile picture)
Only when you explicitly authorise connection
Analytics Providers:
Aggregated usage patterns
Anonymous demographic data
Performance benchmarks
We may collect information that reveals:
Cultural or ethnic origin (when you share Cultural Content)
Philosophical beliefs (through content you create)
This information is collected only when you choose to provide it and is protected with additional safeguards under our cultural integrity framework.
When you:
Create an account
Upload or record content
Configure your privacy settings
Make or receive payments
Contact our support team
Complete forms or surveys
Update your profile
Through:
Cookies and similar technologies
Log files and server records
Analytics tools (Google Analytics)
Error reporting systems
Video streaming analytics
We tell you what we're collecting and why:
At account creation
When you upload content
Before using AI features
When setting up payments
Through in-platform notifications
In feature-specific consent dialogues
To Provide Our Services:
Create and manage your account
Host and deliver your content
Process videos and generate learning resources
Enable AI-powered features (transcription, quiz generation, editing)
Facilitate content sharing according to your settings
Process payments and payouts
Provide customer support
To Improve Our Services:
Analyse usage patterns to improve features
Test new functionality
Optimise platform performance
Identify and fix bugs
Develop new features based on user needs
To Communicate With You:
Send service updates and notifications
Respond to your enquiries and support requests
Provide technical notices and security alerts
Share product updates (if you've opted in)
Send billing and payment information
To Ensure Security:
Detect and prevent fraud
Monitor for suspicious activity
Protect against security threats
Enforce our Terms of Service
Verify identity for account recovery
To Comply With Legal Obligations:
Meet tax reporting requirements (IRD)
Respond to lawful requests from authorities
Enforce our legal rights
Comply with court orders or regulatory requirements
When you use our AI features:
Transcribe audio from your videos
Generate quiz questions from your content
Create reflection prompts and exercises
Suggest content improvements
Generate learning outcomes
Optimise scripts for readability
Important: We configure AWS Bedrock to prohibit data retention and training use. Your content is processed in isolated sessions and is not used to improve AI models or train AI systems.
For mātauranga Māori and other Cultural Content:
Apply culturally appropriate access restrictions
Enable Traditional Knowledge Label functionality
Support community consent processes
Facilitate data sovereignty choices
Honour tikanga-based sharing protocols
Enable whakapapa-linked access controls
For our complete framework on how we handle cultural data, including classification systems, decision-making frameworks, and technical safeguards, see our Māori Data Sovereignty and Data Use document.
We never:
Sell your personal information to third parties
Use your content for advertising
Share your information with data brokers
Train AI models on your content
Use your data for purposes you haven't agreed to
Share learner information with creators beyond what's necessary for course delivery
Access your content without authorisation
We share information only with trusted service providers who help us run the platform, and only the minimum information needed to deliver our services. All service providers are contractually obligated to protect your information and use it only for the purposes we specify.
Infrastructure and Hosting:
AWS Services Used:
S3: File storage
Cognito: User authentication
Bedrock: AI processing and safety
MediaConvert: Video processing
Transcribe: English language transcription
CloudFront: Content delivery
RDS: Database backup
EventBridge: Workflow automation
Neon (Database Service)
What we share: Structured data including accounts, content metadata, quiz questions, learning outcomes
Why: Database hosting and management
Location: US-based service with data stored on AWS infrastructure in ap-southeast-2 (Sydney, Australia)
Protection: SSL-encrypted connections, automated backups
Payment Processing:
What we DON'T share: Your payment card details never touch our servers - they go directly to Stripe.
Content Processing:
Note: Te Hiku Media is used only when you specifically request te reo Māori transcription.
Analytics and Monitoring:
If you access Kaha Create through an organisational account:
Organisation administrators can view:
Your learning progress and completion status
Content you've accessed
Organisation administrators CANNOT view:
Your password
Personal messages to creators
Content you access outside the organisation
Your payment information
Quiz scores and assessment results
Time spent on content
This visibility enables organisations to:
Track professional development
Meet compliance requirements
Assess learning outcomes
Support your learning journey
For Privacy Act purposes:
The school/organisation is the "agency" responsible for student/member privacy
Schools and organisations must obtain appropriate parental consent for minors
Privacy requests (access/correction) should be directed to the school or organisation first
Kaha Create assists schools and organisations in responding to privacy requests
We require schools and organisations to have privacy policies covering their use of Kaha Create
We only disclose information to law enforcement when legally required (warrant, court order, or subpoena). Specific circumstances include:
Required by law: Court orders, warrants, subpoenas
Protecting rights: Enforcing our Terms of Service, investigating policy violations
Safety concerns: Preventing harm to individuals or communities
Fraud prevention: Detecting and preventing fraudulent activity
Tax compliance: Reporting to Inland Revenue as required
Notice: We will notify affected users of legal requests for information unless we're prohibited by law or if notification could compromise an investigation. If you have specific concerns about data access by authorities, contact us at privacy@kahacreate.co.nz to discuss additional protections.
If Kaha Create is involved in a merger, acquisition, or sale of assets:
We will provide 45 days' notice before any transfer of your information
You will have the opportunity to delete your account and content before the transfer
The acquiring company must honour this Privacy Policy until they provide notice of changes
We may share information with other parties when you give explicit consent:
Sharing content with specific learners or organisations as you direct
Featuring your success story in our marketing (only with written permission)
Academic research projects (only with explicit opt-in)
Integration with third-party tools you choose to connect
Payment card details (we never see them)
Your password (it's hashed)
Learner personal information with other learners
Content marked as culturally sensitive without proper protocols
Personal information for advertising purposes
Any information to data brokers or marketing companies
Encryption:
At rest: All data encrypted using AES-256 encryption
In transit: All connections use TLS 1.2+ encryption
Database: SSL-encrypted database connections
Passwords: Hashed using industry-standard algorithms (bcrypt/Argon2) - we can never see your actual password
Access Controls:
Role-based permissions limiting who can access what
Multi-factor authentication available for accounts
Regular access audits and reviews
Principle of least privilege (staff can only access what they need)
Staff Access to Your Content: Kaha Create staff may access your content only when:
You request support and grant permission
Required to investigate security incidents
Legally compelled (with notice to you unless prohibited)
Necessary to prevent harm
All staff access is logged and audited. Staff sign confidentiality agreements.
Infrastructure Security:
24/7 intrusion detection and monitoring
Automated vulnerability scanning
Regular security audits and penetration testing
DDoS protection on all services
Firewall protection and network segmentation
Automated backup systems with point-in-time recovery
API rate limiting to prevent abuse and data scraping
Row-level security ensuring users only access authorised content
Application Security:
Secure coding practices
Regular security updates and patches
Input validation to prevent injection attacks
CSRF and XSS protection
Rate limiting to prevent abuse
If a privacy breach occurs:
Detection: Automated systems monitor for unusual activity
Assessment: We immediately assess scope and impact within 24 hours
Notification: We notify affected users and the Privacy Commissioner as soon as practicable after becoming aware of a notifiable breach
Remediation: We take immediate steps to contain and remedy the breach
Transparency: We publish incident reports on our status page
What we tell you in a breach notification:
What information was affected
When the breach occurred
What we're doing to fix it
Steps you should take (e.g., password reset)
How to contact us with questions
To protect your account:
Choose a strong, unique password
Enable two-factor authentication
Keep your login credentials confidential
Log out from shared devices
Report suspicious activity immediately
Keep your email account secure
No system is 100% secure. While we use industry best practices for security, we cannot guarantee absolute security. We continuously improve our security practices and respond quickly to emerging threats.
Kaha Create is built on principles of data sovereignty - particularly for Māori data and Cultural Content. We believe you have the right to know where your data is stored and to make informed decisions about data location.
Primary Data Storage:
Database: Hosted by Neon on AWS infrastructure in ap-southeast-2 (Sydney, Australia)
Files (videos, images): AWS S3 in Sydney, Australia (ap-southeast-2)
Backups: AWS Sydney, Australia
Processing Services (temporary):
AI Processing: AWS Bedrock (processes data temporarily in Sydney region, no retention)
Payment Processing: Stripe (global infrastructure)
Video Transcoding: AWS MediaConvert (Sydney region)
Transcription: AWS Transcribe (Sydney region) and Te Hiku Media (for te reo Māori)
Analytics:
Google Analytics: Data processed in multiple locations, anonymised
Coming in 2025: We are developing New Zealand-only data storage options:
AWS Auckland region for file storage
Local database hosting options
Available for organisations requiring data to remain in Aotearoa
Trade-offs: Aotearoa-only hosting may impact:
Service costs (reflected in pricing)
Performance for international learners
Available features (some services not yet available in NZ)
Environmental impact (data centre energy and water use)
We provide guidance in the platform to help you make informed decisions about these trade-offs.
Why Transfers Occur: Some services we use are headquartered overseas (USA, EU) even when data is stored in the Pacific:
Stripe for payment processing
Anthropic for AI services
Google for analytics
How We Protect Transferred Data:
When we transfer personal information overseas, we ensure:
Comparable privacy protections through Standard Contractual Clauses (EU-approved contracts)
Contractual obligations requiring service providers to protect your data
You are informed of overseas disclosure and can make informed choices
Encryption and security measures remain in place throughout transfer and storage
No training usage: AI providers contractually prohibited from using your data to train models
Regular audits: We review service provider compliance regularly
This approach satisfies Information Privacy Principle 12 (Disclosure of personal information outside New Zealand).
AWS and other US-based providers are subject to US law, including the Cloud Act, which could allow US government access to data under certain circumstances.
Our risk mitigation:
All data is encrypted at rest and in transit
Access would require legal process and would likely be disclosed publicly
We use Pacific region data centres (Australia) to minimise risk
We monitor for any legal requests and will notify users unless prohibited
High-Sensitivity Content: If you believe your content might be targeted by government surveillance, consider:
Waiting for Aotearoa-only hosting options (coming 2025)
Discussing additional protections with our team at tikanga@kahacreate.co.nz
Evaluating whether any cloud platform is appropriate for your needs
For mātauranga Māori and Cultural Content:
Regional priority: Pacific region storage prioritised for cultural data
Cultural flagging: Content can be flagged to prevent AI processing
Community control: Iwi and hapū can specify data location requirements
Traditional Knowledge Labels: Metadata-level attribution and restrictions (coming soon)
Collective governance: Community access controls supersede individual settings
Under New Zealand's Privacy Act 2020, you have the following rights:
Right to Access:
Request copies of all personal information we hold about you
Understand how we collected your information
Know who we've shared your information with
How to exercise: Contact privacy@kahacreate.co.nz
Response time: Within 20 working days
Format: We provide information in accessible format (PDF, CSV, JSON)
Right to Correction:
Request correction of inaccurate information
Update incomplete information
Challenge information you believe is wrong
How to exercise: Update in Account Settings or contact privacy@kahacreate.co.nz
Response time: Within 20 working days
Process: We'll either correct the information or note your disagreement
Right to Complain:
Complain to us about privacy concerns
Lodge a complaint with the Privacy Commissioner
Our commitment: We take all complaints seriously and investigate thoroughly
Beyond your legal rights under the Privacy Act 2020, Kaha Create offers:
Account Deletion:
Request deletion of your account and personal information
Remove content you've created
Withdraw from the platform entirely
How to exercise: Account Settings > Delete Account or contact privacy@kahacreate.co.nz
Timeline: 30-day soft deletion (recoverable), then permanent deletion
Exceptions: We may retain some information for legal obligations (tax records for 7 years)
Data Export:
On account deletion, you can download your content and data
Receive information in a machine-readable format
Transfer your content to another platform
How to exercise: Account Settings > Export Data or request via privacy@kahacreate.co.nz
Format: JSON, CSV, or native video files
Response time: Within 20 working days
Marketing Opt-Out:
Opt out of marketing communications (if any)
Unsubscribe from promotional emails
How to exercise: Click "unsubscribe" in any marketing email or contact privacy@kahacreate.co.nz
Processing Restrictions:
Object to processing of your information for certain purposes
Restrict use of your data
How to exercise: Contact privacy@kahacreate.co.nz
Response time: Within 20 working days
How to Contact Us:
Email: privacy@kahacreate.co.nz
Subject line: "Privacy Rights Request - [Type of Request]"
Include: Your name, account email, specific request, any relevant details
What We Need From You:
Verification of your identity (to prevent fraud)
Specific information you're seeking (for access requests)
Clear description of corrections needed (for correction requests)
Our Response Process:
Acknowledge your request within 5 working days
Verify your identity
Process your request
Respond within 20 working days (may extend to 40 days for complex requests with notice)
Explain any limitations or reasons for refusing requests
When We Might Refuse a Request:
Identity cannot be verified
Request is clearly frivolous or vexatious
Complying would interfere with law enforcement
Information relates to ongoing legal proceedings
Request violates others' privacy rights
If we refuse a request, we'll explain why and inform you of your right to complain to the Privacy Commissioner.
If you're not satisfied with our response:
Office of the Privacy Commissioner
Website: privacy.org.nz
Email: enquiries@privacy.org.nz
Phone: 0800 803 909
Address: PO Box 10094, Wellington 6143
For mātauranga Māori and Cultural Content, you also have:
Right to flag content for cultural sensitivity review
Right to specify community access restrictions
Right to request iwi or hapū governance involvement
Right to apply Traditional Knowledge Labels
Right to designate future beneficiaries for content control
Cookies are small text files stored on your device when you visit our website. They help us remember your preferences, keep you logged in, and understand how you use our platform.
Essential Cookies (Required):
Authentication: Keep you logged into your account
Security: Protect against fraud and suspicious activity
Session management: Remember your actions as you navigate
Load balancing: Ensure optimal performance
You cannot disable these cookies as they're necessary for the platform to function.
Functional Cookies (Optional):
Preferences: Remember your language, timezone, display settings
Features: Enable specific functionality you've chosen
Video playback: Remember playback position and quality settings
You can disable these, but some features may not work properly.
Analytics Cookies (Optional):
Usage patterns: Understand which features are used most
Performance: Monitor page load times and errors
Improvement: Help us make the platform better
We use Google Analytics with IP anonymisation. You can disable these cookies.
Browser Settings:
Most browsers allow you to view, manage, and delete cookies
You can block third-party cookies while allowing first-party cookies
Browser help pages explain how to manage cookies
Opt-Out Tools:
Google Analytics opt-out: tools.google.com/dlpage/gaoptout
Browser extensions for cookie management
Local Storage:
We use browser local storage to save your preferences
Cleared when you clear browser data
Used for video playback progress and draft content
Pixels and Web Beacons:
Used in support emails to know if you've opened them
Help us understand email effectiveness
Can be disabled through email client settings
We currently don't respond to browser "Do Not Track" signals because there's no industry standard for how to respond. However, you can control cookies and tracking through the methods described above.
Active Accounts:
Account information: While your account is active
Content: As long as you choose to keep it on the platform
Published shareables: Retained as long as your account is active
Archived shareables: Retained but not publicly accessible
Draft shareables: Auto-deleted after 90 days of inactivity (with warning notification)
Usage data: Up to 2 years, then anonymised or deleted
After Account Closure:
Soft deletion: 30 days (content recoverable if you change your mind)
Permanent deletion: After 30 days, all content and personal information deleted
Backups: Removed from backups within 90 days as backup rotation completes
Legal and Financial Records:
Transaction records: 7 years (IRD requirement for tax purposes)
Payment information: 7 years for GST and income tax compliance
Contracts and agreements: 7 years after termination
Legal disputes: Until dispute is fully resolved plus 7 years
Support and Communications:
Support tickets: 2 years after resolution
Email correspondence: 2 years
Survey responses: 2 years, then anonymised
Analytics Data:
Anonymised usage data: May be retained indefinitely for platform improvement
Personal analytics: 12 months, then anonymised or deleted
Legal compliance: Tax law requires 7-year retention of financial records
Service improvement: Historical data helps us understand trends and improve features
Dispute resolution: Records help resolve payment disputes or account issues
Security: Historical data helps detect and prevent fraud
When we delete your data:
Database deletion: Records permanently removed from all databases
File deletion: Videos and media files deleted from all storage locations
Backup removal: Deleted from backup systems within 90 days
Third-party notification: We instruct service providers to delete your data
Verification: We verify deletion has occurred across all systems
Kaha Create has different age requirements depending on how you use the platform:
For Learners (Accessing Content):
13-15 years old: Can create accounts with parental/guardian consent
16+ years old: Can create accounts independently
Under 13: Cannot create personal accounts (but can access through school/organisational accounts)
For Creators (Making & Monetising Content):
18+ years old required for:
Creating and publishing content
Monetising content (receiving payments)
Setting pricing and managing revenue
All creator features and tools
Why These Requirements:
Legal capacity: 18+ can enter binding contracts and handle financial obligations
Tax responsibilities: Creators must manage IRD reporting and potential GST obligations
Payment processing: Stripe requires users to be 18+ to receive payments
Educational access: Rangatahi (13+) can access valuable mātauranga and learning content
Cultural learning: Young people can learn from kaumātua and iwi knowledge while stewardship responsibility remains with adults
For Learners Aged 13-15:
When creating an account, you must provide a parent or guardian's email address. We will:
Send a verification email to your parent/guardian
Explain what information we collect and how we use it
Obtain explicit consent before activating your account
Provide parents/guardians with access to review and manage your account
Parents/Guardians Can:
Review all personal information we hold about their child
Request corrections or deletion of information
Withdraw consent and close the account at any time
Access their child's learning activity (if enabled by the child)
Contact us with concerns at privacy@kahacreate.co.nz
For Learners 16-17:
Can create accounts independently (no parental consent required under Privacy Act 2020)
Cannot monetise content or receive payments until 18
Cannot access creator features until 18
For Children Under 13:
Children under 13 cannot create personal accounts but can access Kaha Create through:
School or kura accounts: Managed by the educational institution
Marae or iwi accounts: Managed by the organisation
Community organisation accounts: Managed by the entity
Institutional Responsibilities: The institution is responsible for:
Obtaining appropriate parental consent
Managing student/member access
Supervising content access
Ensuring appropriate use
Data protection for children
We Provide:
Bulk account management tools
Age-appropriate content filtering (when requested)
Privacy controls for institutional accounts
Support for New Zealand schools and organisations
We do not knowingly collect personal information from children under 13 without parental consent or institutional authorisation.
If we become aware that we've collected information from a child under 13 without proper consent, we will:
Contact the parent/guardian or institution immediately
Delete the information within 48 hours
Close the account
Prevent future account creation
If your child under 13 has created an account without authorisation:
Contact us immediately at privacy@kahacreate.co.nz
Subject line: "Child Account Removal"
Include: Child's name, email address (if known), date you discovered the account
We'll delete the account and all information within 48 hours
If your child is 13-15 and you want to review their account:
Contact privacy@kahacreate.co.nz with:
Your relationship to the child
Child's account email
Your contact information
We'll verify your relationship and provide account access
To Withdraw Consent:
Email privacy@kahacreate.co.nz stating you withdraw consent
Account will be closed within 5 working days
All personal information will be deleted within 30 days
If you create content featuring children:
Ensure you have appropriate consent from parents/guardians
Consider carefully what information about children you include
Apply appropriate access restrictions to protect children's privacy
Follow our Community Standards regarding content about minors
Remember that children have privacy rights even in educational contexts
For Cultural Content Involving Rangatahi:
Respect tikanga regarding children and young people
Consider collective and whānau consent requirements
Apply culturally appropriate access restrictions
Honour the whakapapa and protection needs of young people in your content
For all users under 18, we provide enhanced protections:
No marketing: We never send marketing communications to under-18 accounts
No profiling: We don't use children's data for behavioural profiling or targeted content
Minimal collection: We collect only essential information for service provision
Enhanced security: Additional monitoring for accounts of users under 18
Easy deletion: Simplified process for parents/guardians to delete children's accounts
Transparency: Clear, age-appropriate privacy information for young users
When You Turn 18:
If you've been a learner and want to become a creator:
Verify your age (date of birth confirmation)
Accept updated Terms of Service (creator provisions)
Provide additional information required for creators (IRD number if monetising, bank details)
Complete creator onboarding
Your learning history and account remain intact - you simply gain access to creator features.
Why We Wait Until 18:
Legal capacity to enter contracts
Ability to handle tax obligations independently
Financial institution requirements (bank accounts, Stripe)
Liability and responsibility for published content
Cultural stewardship responsibilities
For the purposes of this policy, "Cultural Content" includes:
Mātauranga Māori (Māori knowledge, practices, and traditions)
Te reo Māori language content
Content featuring tikanga, whakapapa, or cultural protocols
Indigenous knowledge from other cultures
Content flagged by creators as culturally sensitive
Content using Traditional Knowledge Labels (when available)
Cultural Content receives additional protections and governance as described below.
Our approach to Māori data sovereignty is grounded in:
Tino rangatiratanga: Māori maintain authority over their data and knowledge
Kaitiakitanga: We act as guardians, not owners, of mātauranga Māori
Manaakitanga: We handle cultural data with care and respect
Whakapapa: We honour the origins and connections of knowledge
Kōtahitanga: Collective benefit guides our decisions
Our approach to Māori data sovereignty and data use is comprehensive and tikanga-based. For our complete framework, including:
How we classify different types of mātauranga
Decision-making frameworks for cultural data
Technical implementation of cultural safeguards
Community consent and governance models
AI and data processing protocols for cultural content
Read our full Māori Data Sovereignty and Data Use document: https://docs.kahacreate.com/en/articles/2-kaha-create-maori-data-sovereignty-and-data-use
This Privacy Policy summarises key protections, while the full framework explains the cultural and technical foundations of our approach.
For Individual Māori Creators:
Choose where your data is stored (Pacific region priority)
Flag content as culturally sensitive
Apply access restrictions based on tikanga
Opt out of AI processing for sensitive content
Control who accesses mātauranga
Specify future beneficiaries for content
For Iwi and Hapū:
Organisational accounts with collective governance
Community-level access controls
Data residency choices for all community content
Traditional Knowledge Label integration (coming soon)
Revenue sharing to support collective goals
Priority support and personalised onboarding
For All Cultural Content:
Additional safeguards against misuse
Human review options for sensitive material
Cultural context preserved in metadata
Appropriate attribution and acknowledgment
Protection of sacred and restricted knowledge
For te reo Māori content, we partner with Te Hiku Media's Kaituhi service:
Māori-owned: Supporting Māori technology ecosystem
Cultural alignment: Service designed with tikanga embedded
Quality: Superior transcription of te reo Māori
Sovereignty: Data processed by Māori, for Māori
We're implementing Local Contexts Traditional Knowledge Labels:
Metadata-level attribution: Cultural protocols encoded in the platform
Automatic restrictions: Access controls applied based on label type
Community consent: Tools for managing collective permissions
Visual indicators: Labels visible to learners to indicate cultural protocols
For disputes involving mātauranga Māori:
Cultural advisors may be consulted
Iwi or hapū representatives can participate
Traditional dispute resolution processes may be incorporated
Collective rights take precedence over individual claims
We commit to:
Continuous improvement of cultural protections
Regular consultation with Māori advisors
Supporting Māori-owned technology providers
Transparency about data flows and protections
Contributing to wider Māori data sovereignty movement
If you're accessing Kaha Create from outside New Zealand:
New Zealand law governs our Privacy Policy
Privacy Act 2020 protections apply to your information
Data is primarily stored in Australia (AWS Sydney)
You may have additional rights under your local laws
If you're in the EU, you have additional rights under GDPR:
Right to data portability
Right to restrict processing
Right to object to automated decision-making
Right to lodge complaints with your local data protection authority
We use Standard Contractual Clauses for data transfers to/from the EU.
Australian Privacy Principles apply similarly to New Zealand's Privacy Act. We comply with both frameworks.
We aim to comply with privacy laws in all jurisdictions where our users are located. If you have questions about how your local laws apply, contact privacy@kahacreate.co.nz.
We may update this Privacy Policy to reflect:
Changes to our practices
New features or services
Legal or regulatory changes
Feedback from our community
For Minor Changes:
Updated policy posted on our website
"Last Updated" date at bottom of policy changes
No additional notification required
For Material Changes:
Email notification to all users at least 30 days before changes take effect
In-platform notification when you next log in
Prominent notice on our website
Summary of key changes provided
Material changes include:
New ways of using your information
Sharing with new categories of third parties
Significant changes to your rights
Changes to data retention periods
New data collection practices
If you disagree with policy changes:
You can delete your account before changes take effect
Export your data first using data export tools
Contact us to discuss concerns
Continued use of Kaha Create after changes take effect means you accept the updated Privacy Policy.
We maintain a version history of this Privacy Policy:
Previous versions available on request
Change log shows what was modified
Contact privacy@kahacreate.co.nz for historical versions
General Privacy Questions:
Email: privacy@kahacreate.co.nz
Response time: Within 5 working days
Cultural Data Questions:
Email: tikanga@kahacreate.co.nz
For questions about mātauranga Māori, Traditional Knowledge Labels, and cultural protocols
Support Questions:
Email: support@kahacreate.co.nz
In-platform: Gleap widget (bottom-right corner)
Data Protection Officer:
Name: Pera Barrett
Email: privacy@kahacreate.co.nz
Physical address: 8 Kereru Bend, Tawa, Wellington, New Zealand
To Kaha Create:
Email privacy@kahacreate.co.nz with:
Clear description of your concern
Relevant dates and details
What resolution you're seeking
We'll acknowledge within 5 working days
We'll investigate and respond within 20 working days
If complex, we may extend to 40 working days with notice
To the Privacy Commissioner: If you're not satisfied with our response:
Office of the Privacy Commissioner
Website: privacy.org.nz
Email: enquiries@privacy.org.nz
Phone: 0800 803 909
Address: PO Box 10094, Wellington 6143
If you notice suspicious activity or a potential security issue:
Email: security@kahacreate.co.nz immediately
Subject line: "URGENT: Security Concern"
Include: Details of the issue, when you noticed it, what you were doing
We treat security concerns with highest priority and respond urgently.
Anonymised Data: Information that can no longer be linked to you as an individual
Cloud Act: US law allowing government access to data held by US companies regardless of data location
Encryption: Converting data into code to prevent unauthorised access
GST: Goods and Services Tax (New Zealand's value-added tax)
Hashing: One-way mathematical transformation of data (e.g., passwords) that cannot be reversed
Kaitiakitanga: Guardianship and stewardship (te reo Māori)
Manaakitanga: Hospitality, kindness, and care for others (te reo Māori)
Mātauranga Māori: Māori knowledge, wisdom, and understanding
Metadata: Information about information (e.g., when a file was created, who created it)
Personal Information: Information about an identifiable individual
PII (Personally Identifiable Information): Information that can identify you specifically
SSL/TLS: Security protocols for encrypting internet connections
Tangata Whenua: People of the land, indigenous people (te reo Māori)
Te Tiriti o Waitangi: The Treaty of Waitangi
Tikanga: Māori customary practices and protocols
Tino Rangatiratanga: Self-determination and sovereignty (te reo Māori)
Traditional Knowledge Labels: A system for Indigenous communities to add information about cultural protocols
Whakapapa: Genealogy, lineage, and connections (te reo Māori)
Access - Request copies of your information (Privacy Act right) Correction - Fix inaccurate information (Privacy Act right) Complain - Lodge complaints with us or Privacy Commissioner (Privacy Act right) Deletion - Delete your account and data (Kaha Create feature, subject to legal retention) Export - Download your data on account deletion (Kaha Create feature) Opt-out - Unsubscribe from marketing (Kaha Create feature)
Contact: privacy@kahacreate.co.nz 
Response time: 20 working days 
Your data location: Primarily AWS Sydney, Australia 
Security: Encrypted, monitored, protected 
Selling data: We never sell your personal information 
AI training: We never use your content to train AI models
Version: 2.0 Effective Date: [DATE TO BE SET] Last Updated: 31 January 2025 Next Scheduled Review: 31 July 2025
