Privacy Policy
Common Ground (we / us) provides a community governance app for residents' associations, body corporates, and lifestyle villages in New Zealand. We take privacy seriously and comply with the New Zealand Privacy Act 2020.
This policy explains what personal information we collect, why, how we store it, and what rights you have.
If you only read one thing: we collect the minimum we need to run your community's governance, we never sell your data, and you can delete your account at any time.
1. Who we are
Common Ground is operated by Common Ground, based in New Zealand.
Contact: hello@thecommonground.nz
2. What we collect
When you sign up:
- Email address — to send you sign-in codes and notifications
- Name — to display your contributions in the app (issues you raise, comments, votes)
- Lot number / property reference — to scope your access to the right community
- Role within your association (owner, committee, chair, etc.) — to determine your permissions
- Phone number (optional) — only if you choose to provide it
When you use the app:
- Posts, comments, issues, votes, and other content you create — stored against your account
- Files you upload — meeting minutes, photos, documents
- Sign-in records and activity logs — for security and audit
- Device and browser information — IP address, browser type, operating system, captured automatically when you access the app
We do not collect:
- Your bank or credit card details (payments are processed by Stripe — see Section 7)
- Your physical location (other than what you tell us via your lot/property)
- Marketing or behavioural tracking data
- Information from any third-party data brokers
3. Why we collect it
Each item we collect serves a specific purpose:
| What | Why |
|---|---|
| Email | Sign in, send notifications you've opted into |
| Name | Attribute your contributions; display in member directory |
| Lot/property | Scope you to your community; calculate levies |
| Role | Apply correct permissions |
| Content (posts, votes, etc.) | The product itself wouldn't work without it |
| Files | Storage of community documents — constitutions, minutes |
| Logs | Security, audit trail for legal/governance purposes |
| Device info | Spam prevention, troubleshooting, security |
4. Who we share it with
We share your information only with:
- Other members of your association, per the access rules of your community (e.g. your name is visible to your committee but not to other communities)
- Google Firebase (sub-processor) — our database, authentication, file storage, and hosting are operated by Google's Firebase platform. Data is stored in Google's Australia region (australia-southeast1)
- Postmark (sub-processor) — handles transactional email delivery (sign-in codes, notifications)
- Stripe (sub-processor) — handles payment processing, when applicable
- Cloudflare (sub-processor) — manages our DNS
We do not sell or rent your personal information to any third party, ever.
We may disclose information if legally required — e.g. by court order or to comply with NZ law. We will tell you about any such request unless legally prohibited.
5. Where your data is stored
Your data is stored on Google's servers in Sydney, Australia (region: australia-southeast1). This is a cross-border transfer of personal information from New Zealand to Australia.
Australia is recognised by the New Zealand Office of the Privacy Commissioner as providing comparable privacy protection under the Privacy Act 2020. We have no current plans to move data to any other jurisdiction.
6. How long we keep it
| Data | Retention |
|---|---|
| Active account data | While your account exists |
| Deleted accounts (soft-delete window) | 180 days after deletion request, then permanently removed |
| Backups | Up to 90 days, then overwritten |
| Sign-in logs / security records | 12 months |
| Financial records (invoices, payments) | 7 years, as required by NZ tax law |
When you delete your account (see Section 9), your account is disabled immediately and permanently removed after 180 days. During those 180 days you can email support to restore it.
By default, content you created — notices, comments, issues raised, votes cast, meeting minutes you signed — stays attached to your name so your community keeps a complete governance history when members move on.
If you'd like your name removed from these records too, you can request that as part of your deletion (or any time after) by emailing us. Under the Privacy Act 2020, we'll process the request within 20 working days. Where governance integrity allows (e.g. for closed votes), we replace your name with "Former member" rather than deleting the content outright.
7. Payments
If your association subscribes to a paid plan, payments are handled by Stripe Inc. We never see or store your card details.
Stripe's privacy policy: https://stripe.com/privacy
8. Cookies and tracking
We use only the cookies necessary to make the app work — to keep you signed in and remember your settings. We don't use analytics, advertising, or behavioural tracking cookies.
9. Your rights
Under the Privacy Act 2020, you have the right to:
- Access the personal information we hold about you
- Correct it if it's wrong
- Delete your account and have your data removed
- Object to how we use your data
- Take your data with you (data portability)
- Complain to the Office of the Privacy Commissioner
To exercise any of these rights, email us at the address in Section 1. We'll respond within 20 working days.
To delete your account: go to Settings → Danger zone → Delete my account. After confirmation, your account is disabled immediately and permanently deleted after 180 days. During the 180-day window, you can email support to restore it.
10. Security
We use the following safeguards:
- All connections are encrypted (HTTPS) using TLS 1.2 or higher
- Email sign-in codes (no passwords stored)
- Multi-tenant isolation enforced at the database rule layer
- Service accounts follow the least-privilege principle
- Secrets stored in Google Secret Manager
- Regular internal security audits
No system is perfectly secure. If a data breach affecting your personal information occurs, we will notify you and the Privacy Commissioner within 72 hours, as required by NZ law.
11. Children
Common Ground is not designed for use by children under 16. We do not knowingly collect information from children under 16. If you believe we have, please contact us and we'll delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be announced via an in-app notice and a notification email at least 30 days before they take effect.
The "Effective date" at the top of this policy tells you when the current version took effect.
13. Complaints
If you're unhappy with how we handle your privacy:
- Email us first — we'll do our best to address it
- If unresolved, complain to the Office of the Privacy Commissioner:
  - Website: https://www.privacy.org.nz
  - Phone: 0800 803 909