Privacy Policy
Last updated: 24 March 2026
About This Policy
This Privacy Policy explains how Instilligent Limited (NZBN 9429051796498), trading as Mastering MOSS ("we", "us", "our"), collects, uses, stores, and discloses personal information through the Mastering MOSS platform ("Platform").
We are committed to protecting your privacy in accordance with the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs) set out in that Act.
Privacy Contact: privacy@instilligent.com
1. Information We Collect IPP 1–4
Under IPP 1 (Purpose of Collection) and IPP 3 (Collection from Subject), we only collect personal information that is necessary for providing our services, and we collect it directly from you wherever possible.
- Account Information: Name, email address, organisation or vessel operator name, phone number, and billing details (processed via Stripe — we do not store full card numbers).
- Maritime Operator Information: Vessel details, operator certifications, crew information, and organisational structure relevant to MOSS compliance.
- Safety Records: Safety management system records, hazard registers, incident reports, maintenance logs, audit findings, corrective actions, and evidence documents.
- MOSS Compliance Data: Progress against MOSS elements, self-assessment results, audit preparation records, and regulatory correspondence notes.
- Payment Information: Subscription and payment data is processed by Stripe. We store only transaction references and subscription status.
- Usage Data: Pages visited, features used, timestamps, IP addresses, and device/browser information.
- Communications: Support enquiries and email communications.
2. How We Use Your Information IPP 10
Under IPP 10 (Limits on Use), we use personal information only for the purpose for which it was collected or a directly related purpose:
- Provide, maintain, and improve the Platform and MOSS compliance tracking features
- Enable you to create and manage safety records, hazard registers, and compliance documentation
- Process payments and manage your subscription via Stripe
- Generate compliance reports and audit readiness assessments
- Communicate with you about your account, updates, and support requests
- Monitor and analyse usage patterns to improve our services
- Comply with legal and regulatory obligations
3. Sensitive Safety and Regulatory Data
We recognise that maritime safety records, incident reports, and MOSS compliance data are sensitive. We apply enhanced protections:
- All safety data is encrypted at rest and in transit
- Access is restricted on a per-organisation basis
- Audit logs record all access to safety records
- We do not share your safety data with Maritime New Zealand or any regulatory body unless you direct us to or we are compelled by law
- Incident reports and hazard data remain under your control at all times
4. Data Sharing and Third Parties IPP 11
Under IPP 11 (Limits on Disclosure), we do not sell, rent, or trade your personal information. We share data only with:
| Provider | Purpose | Location |
|---|---|---|
| Railway | Application hosting and infrastructure | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional emails | United States |
All service providers are contractually obligated to protect your information.
We may disclose information if required by law, regulation, or governmental request. In a maritime safety context, this could include lawful requests from Maritime New Zealand under the Maritime Transport Act 1994.
5. Overseas Disclosure of Personal Information IPP 12
Under IPP 12 of the Privacy Act 2020, before disclosing personal information to a foreign person or entity, we must either believe on reasonable grounds that the recipient is subject to comparable privacy protections, or obtain your express authorisation.
Your personal information is hosted in the United States by Railway (infrastructure), Stripe (payments), and Resend (email). The United States does not have privacy legislation that provides comparable protections to the New Zealand Privacy Act 2020 at the federal level.
We mitigate this through:
- Contractual data processing agreements with all overseas providers
- Minimising the personal information transferred overseas
- Encrypting all data in transit (TLS 1.2+) and at rest
- Selecting providers with robust security certifications (PCI DSS for Stripe)
By using the Platform, you acknowledge and consent to the transfer of your personal information to the United States for the purposes described in this policy. You may withdraw this consent by closing your account.
6. Data Security IPP 5
Under IPP 5 (Storage and Security), we implement appropriate technical and organisational measures:
- TLS 1.2+ encryption for all data in transit
- Encryption for data at rest
- Role-based access controls
- Regular security monitoring
- Secure software development practices
- Incident response procedures
While we take reasonable steps to protect your information, no method of transmission or storage is completely secure.
7. Data Retention IPP 9
Under IPP 9 (Retention), we do not keep personal information for longer than is necessary.
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of subscription + 90 days |
| Safety management records | 7 years (regulatory best practice) |
| Incident reports | 7 years (maritime safety requirement) |
| MOSS compliance / audit records | 7 years |
| Payment records | 7 years (Tax Administration Act 1994) |
| Support communications | 2 years after resolution |
| Usage/analytics data | 12 months |
After account closure, we retain your data for 90 days to allow for export, then securely delete it (except records legally required to be retained).
8. Your Rights IPP 6–7
Under the Privacy Act 2020, you have the following rights:
- Right of Access (IPP 6): You may request access to the personal information we hold about you. We will respond within 20 working days.
- Right of Correction (IPP 7): You may request correction of any inaccurate, incomplete, or misleading personal information.
- Right to Deletion: You may request deletion of your personal information, subject to our legal obligations to retain certain records (e.g., maritime safety records required by regulation).
- Right to Data Export: You may export your data at any time through the Platform.
- Right to Complain: You may lodge a complaint with the Office of the Privacy Commissioner.
To exercise any of these rights, contact us at privacy@instilligent.com.
9. Cookies
We use essential cookies for session management and authentication. No third-party advertising or tracking cookies are used. You can manage cookie preferences through your browser settings.
10. Children's Privacy
The Platform is designed for maritime operators and safety professionals. It is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Platform at least 14 days before they take effect.
12. Contact Us
Instilligent Limited
Trading as Mastering MOSS
NZBN: 9429051796498
Email: privacy@instilligent.com
Auckland, New Zealand
Privacy Commissioner (New Zealand): www.privacy.org.nz