Privacy Policy

1. Who we are

In plain English: Little Gems is a New Zealand business that supplies custom-branded merchandise. This policy explains what personal information we collect when you use littlegems.kiwi, why we collect it, and your rights over it.

1.1 This Privacy Policy describes how Little Gems Merch Limited (NZ company number 9398628, NZBN 9429053383297), trading as Little Gems ("Little Gems", "we", "us", "our"), handles personal information.

1.2 We are the agency responsible for the personal information we collect, and we comply with the New Zealand Privacy Act 2020 and its Information Privacy Principles (IPPs).

1.3 If anything here is unclear, email us before you submit an enquiry — see Section 9.

2. What we collect and why

In plain English: We collect the details you type into an enquiry (your name, email, phone, company, quantity, and any notes), the logo file you upload, and — if you accept a quote — your delivery address. We collect it to prepare your quote, fulfil your order, and stay in touch about it. We don't ask for anything we don't need for that.

2.1 Enquiry information you give us. When you submit a product enquiry, we collect your first name, email address, phone number, company or organisation name, the quantity you want, and your stated use-case, decoration preference, and timeframe. You may also add a free-text note and upload a logo image. All of these are used to prepare your quote and respond to you. (IPP1, IPP2 — collected directly from you, for that purpose.)

2.2 Account and order information. Submitting an enquiry creates a customer account for you, signed in by a one-time "magic link" emailed to you (we do not store a password). If you accept a quote, we collect the delivery address needed to ship your order and to raise a GST invoice.

2.3 Website analytics. As you browse the site we record anonymous usage events — pages and products viewed, and where you are in the enquiry flow — to understand how the site is used and improve it. These events include your browser type (user-agent), the page that referred you, and a one-way hashed (unreadable) form of your IP address. We do not store your raw IP address against these events.

2.4 Advertising attribution. If you arrive from one of our Google ads, we capture the ad-click identifier (gclid) and any campaign tags (UTM parameters) from the link and store them in your browser. If you then submit an enquiry, those tags are attached to your enquiry so we can tell which ad led to it. See Section 4.

2.5 We do not collect sensitive information (such as health, racial, or political information), and we don't ask for it. Please don't include it in your enquiry notes.

3. Cookies and browser storage

In plain English: We keep a couple of small identifiers in your browser: one to recognise your session for analytics, and one to remember which ad you came from. The Google advertising tag also sets its own cookies. You can clear these any time in your browser settings.

3.1 We store a randomly generated session identifier ("lg_session_id") in your browser's local storage so we can group your anonymous usage events into a single visit.

3.2 If you arrive from an ad, we store the ad-click and campaign tags ("lg_attribution") in your browser's local storage, so they can be attached to an enquiry if you submit one. The most recent ad click overwrites any earlier one.

3.3 The Google advertising tag (gtag.js) loads on our pages when our Google Ads account is active, and may set its own cookies for conversion measurement and advertising. You can opt out of personalised advertising at your Google account settings (see Section 4) and clear all of the above through your browser settings at any time.

4. Advertising and Google

In plain English: We run Google ads. To learn which ads actually lead to quote requests, we use Google's conversion tag. When you submit an enquiry, we send Google a scrambled (hashed) version of your email address that Google can match but cannot read back into your real address — and nothing else identifying. We never send your name, phone, company, or what you enquired about to any advertising platform.

4.1 We use Google Ads conversion tracking to measure which of our ads result in enquiries. This is the only advertising platform we share any data with.

4.2 When you submit an enquiry, your email address is converted locally in your browser into an irreversible SHA-256 hash before being passed to Google as part of the conversion event. The raw email address is never sent to Google from our site. This lets Google confirm a conversion without us disclosing your readable email to it.

4.3 We do not send your name, phone number, company name, delivery address, logo, or the contents of your enquiry to Google or any other advertising platform.

4.4 You can review and turn off personalised advertising in your Google account at Google My Ad Center.

5. Who we share it with

In plain English: We don't sell your personal information, ever. We share it only with the service providers we need to run the business — our database, hosting, email, invoicing, and courier providers — and only the parts each one needs. Our supplier (PromoBrands) receives the product and quantity for your order, but not your personal details.

5.1 We do not sell, rent, or trade your personal information.

5.2 We share personal information with the third-party service providers ("processors") listed below, each only to the extent it needs to perform its function. Several of these providers are located overseas, which means your information may be stored or processed outside New Zealand. We take reasonable steps to ensure each provider protects your information to a standard comparable to the New Zealand Privacy Act (IPP12).

Neon (PostgreSQL database)

Stores your enquiry, account, organisation, quote, and order records — the core of the information you give us.

Processes data in: Sydney, Australia (ap-southeast-2 region)

Vercel

Hosts the littlegems.kiwi website and stores logo files you upload during an enquiry (Vercel Blob storage).

Processes data in: United States / global edge network

Resend

Sends our transactional emails to you — quotes, order updates, and notifications.

Processes data in: United States

Google (Google Ads / Google tag)

Advertising measurement only. Receives cookies, ad-click identifiers (such as gclid), and — when you submit an enquiry — a hashed (unreadable) version of your email address, used to confirm an ad led to a quote request. We do not send your name, phone number, company, or enquiry details to Google.

Processes data in: United States / global

Shopify

Generates GST invoices and processes orders you place. When you accept a quote, your name, email, phone number, and delivery address are shared with Shopify to raise the invoice and order.

Processes data in: Canada / United States / global

Shippit

Books courier delivery of your order. Receives the recipient name, delivery address, postcode, phone number, and email so the carrier can deliver and provide tracking.

Processes data in: Australia / New Zealand

Our merchandise supplier (PromoBrands, Australia) receives the product and quantity needed to fulfil an order, but does not receive your name, contact details, or any other personal information from us.

6. How long we keep it

In plain English: We keep your enquiry and order records for as long as we have a business relationship with you and as long as we're legally required to keep them — tax and company records in New Zealand generally have to be kept for seven years. Anonymous analytics events are kept to understand site trends. If you'd like us to delete what we can, just ask.

6.1 We retain enquiry, account, and order records for the duration of our relationship with you, and afterwards for as long as we are required to by New Zealand law. Business and tax records (including GST invoices) are generally required to be retained for seven (7) years.

6.2 Anonymous website analytics events are retained to understand usage trends over time.

6.3 When personal information is no longer needed for any lawful purpose, we take reasonable steps to delete or de-identify it (IPP9). You can ask us to delete information we are not legally required to keep — see Section 7.

7. Your rights

In plain English: Under the Privacy Act 2020 you can ask to see the personal information we hold about you, and ask us to correct it if it's wrong. Just email us. We'll respond as soon as we can, and within 20 working days as the Act requires. It's free to ask.

7.1 Access (IPP6). You have the right to ask whether we hold personal information about you, and to be given access to it. Email the address in Section 9 and we will confirm your identity and respond within 20 working days, as required by the Privacy Act 2020.

7.2 Correction (IPP7). If any information we hold about you is wrong, you can ask us to correct it. If we can't agree on a correction, you can ask us to attach a statement of the correction you sought to the information we hold.

7.3 There is no charge for making an access or correction request.

7.4 Complaints. If you're not satisfied with how we've handled your information or your request, you can complain to us first (Section 9), and you have the right to complain to the Office of the Privacy Commissioner at privacy.org.nz.

8. How we protect it

In plain English: We store your information in a secure, access-controlled database, send email over encrypted connections, and keep only what we need. No system is perfectly secure, but we take reasonable steps to protect your information from loss, misuse, and unauthorised access.

8.1 We take reasonable security safeguards to protect personal information against loss, unauthorised access, use, modification, or disclosure (IPP5). These include access controls on our database, encrypted connections (HTTPS) for the website and email transmission, and limiting access to the people and providers who need it.

8.2 Logo files you upload are stored to enable us to prepare your mockup and order. They are held at unguessable storage addresses, and the website only serves them to your signed-in account and to us — they are not browsable or discoverable by anyone else.

9. Contact