Privacy Policy

Last updated: March 3, 2026

This Privacy Policy applies with effect from March 3, 2026, unless agreed otherwise.

Cotiss understands that protecting your personal data is important.

When we say "Cotiss", "we", "us" or "our", we mean the Cotiss Group of companies. Our headquarters are in New Zealand, but we operate and have offices in other jurisdictions. Please see the section headed "contact details" below.

This Privacy Policy sets out our commitment to protecting the privacy of personal data provided to us, or otherwise collected by us when you use and interact with our website or services, communicate with us, visit our office or attend our events, among other things. We have used examples in this Privacy Policy to help explain some points - please remember that these examples describe common scenarios but do not necessarily cover all situations.

This Privacy Policy does not apply to personal data that our customers (i.e. the people who pay for a subscription to our platform services) or their invited users (i.e. people other than our customers who have been invited to use our services by a customer) enter into our services about their own customers, suppliers, personnel or other third parties. In those instances, our customers control that personal data and Cotiss processes on their behalf. If you're not a customer and have questions about this type of personal data, you'll need to contact the customer that controls it.

The Cotiss Platform itself has its own Terms of Service that may include specific privacy-related terms. To the extent that any such terms conflict with this Privacy Policy, then the Terms of Service supersede and will apply instead.

We encourage you to read this policy carefully as it contains important information on what, how and why we collect, use, disclose, sell, share, store, and retain your personal information. It also explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you have a complaint or request. If you provide personal data to us, you understand we will process it in accordance with this Privacy Policy. If you do not provide personal data to us, however, it may impact our ability to provide our services to you and your use of the services. If you have any questions, please contact us using the details set out at the bottom of this Privacy Policy.

For consumers in the United States, further information on what we use your personal information for, the reasons for doing so and your rights as a consumer under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), can be found in the addendum titled "Additional Information if you are in the United States". The General Data Protection Regulation (GDPR), which governs companies operating in the European Union, does not apply to this Privacy Policy, nor to any member of the Cotiss Group operating outside of the European Union.

This Privacy Policy explains:

  • the types of personal data we may collect about you;
  • how we might collect your personal data;
  • how we may use your personal data and the reasons we collect it;
  • how we will store your personal data;
  • if we are likely to disclose your personal data overseas, and if so, which countries we are likely to disclose your personal data to;
  • your rights in relation to your personal data; and
  • how you can contact us if you have any other questions regarding our processing of your personal data.

1. Personal data

In this policy:

  • Personal data means identifiable data about you, for example your name, email, address, telephone number and so on. If you cannot be identified (for example, when personal data has been aggregated and anonymised to the extent you can't reasonably be identified) then certain parts of this policy may not apply to that information. This includes "personal information" as it is defined under applicable privacy laws;
  • Applicable privacy laws means the requirements of privacy laws, codes and regulations relevant to you in the country you reside in, including as applicable the New Zealand Privacy Act 2020, the Australian Privacy Act 1988, and the CCPA as amended by the CPRA;
  • Cookie means a file that stores information about you and your behaviour on the internet. Cookies are created by a web server when you browse a website and are stored on your web browser. Cookies are accessed by a web server upon entering a website.
  • Where we refer to processing of your personal data, we mean all activities relating to our use of that personal data, from its collection through to its storage and disposal and everything in between, and process shall be interpreted accordingly.

2. The types of personal data we may collect about you

The types of personal data we may collect about you include:

  • Identifiers (including first name, middle name, last name, date of birth, email address, job title and employer organisation);
  • Personal information (including billing address, telephone numbers and bank account and payment card details through our third-party payment processor Stripe);
  • Commercial information (including details about payments from you to us and other details of services you have purchased from us or we have purchased from you);
  • Geolocation data (including internet protocol (IP) address and your location information (for example your GPS location));
  • Internet or other electronic network activity information (including your browser session, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour, information about your access and use of our website, including through the use of internet cookies, your communications with our website, the type of browser you are using, the type of operating system you are using, the domain name of your internet service provider, your preferences in receiving marketing from us and our third parties and your communication preferences);
  • Account information (including your login for our services, support requests you have made, your interests, preferences, feedback and survey responses, additional personal data that you provide to us, directly or indirectly, through your use of our services, associated applications or accounts from which you permit us to collect information); and
  • Requested data (including any other personal data requested by us and/or provided by you or a third-party).

To the extent that we collect any personal data which is defined as "sensitive information" under applicable privacy laws, this will only be with your consent and where the collection is reasonably necessary for Cotiss's functions or activities, or where collection is authorised by the law.

3. How we might collect your personal data

The ways we collect your personal data can be categorised into: (a) information you provide us directly, (b) information that is collected automatically and (c) information we indirectly collect from third parties.

  • Information you provide to us directly

The personal data we collect directly from you may include the below:

  • Information you provide to us during the registration process (user profile data). This user profile data may include your name, address, email address, contact details and professional details such as your trade, job title and qualification;

  • Information contained in or relating to any communication that you send to us or that we send to you (communication data). The communication data may include the communication content and metadata associated with the communication;

  • Data allowing us to get in touch with you (contact data). This contact data may include your name, email address, telephone number, postal address and other information you provide us when you send us communication data;

  • Information relating to transactions, including your purchase of a Cotiss subscription plan (transaction data). The transaction data may include your payment card details or other payment and transaction details; or

  • Website user account data (account data). This account data may include your name, email address, account creation, employer, website settings and marketing preferences.

  • Information that is collected automatically

We collect personal data when you use our website, services and social media platforms. This information could include your IP address, location data and social media handles. We use cookies and similar technologies to collect personal data in these circumstances. Cookies used on this website enable some of the website's essential functionality and help us provide the best possible service to you by tailoring our services to best suit your preferences.

There are two types of cookies, persistent cookies and session cookies. Persistent cookies are stored on a web browser until they expire or are deleted. Session cookies expire upon the user closing their web browser.

Most internet browsers give you the option to reject all cookies, accept all cookies, erase cookies stored on your device or be notified before a cookie is stored on your device. However, if you reject or erase the cookies referred to above some functionality or features of this website may not function properly or be fully available.

Please refer to your internet browser instructions if you want to find out more about rejecting or blocking cookies. If you are based in the United States, you have the right to opt-out of the collection of non-functional cookies. You can make use of this right by opting out via the cookies banner on the Cotiss website.

We may use cookies and similar technologies to:

  • Analyse the use and performance of our website and services;

  • Identify you as you navigate our website;

  • Collect information about the device you use to access the website; and

  • Otherwise protect our user accounts, websites and services generally.

  • Information collected indirectly from third parties

In most instances, we collect your personal information from you directly; however, in limited circumstances we may collect personal information about you from other sources, including third parties. Where we collect personal information about you from third parties (for example, third parties working with us to facilitate the services provided on our website or social media accounts, or in connection with running Cotiss competitions or promotions), we will do so in compliance with all applicable privacy laws.

If you are a third-party providing personal data about somebody else, you represent and warrant that you have such person's consent to provide the personal data to us.

4. How and why we may use your personal data

Under data protection laws, we can only use your personal information if we have a proper reason for doing so (for example to comply with our legal and regulatory obligations, for the performance of our contract with you or to take steps at your request before entering into a contract, for our legitimate business or commercial interests or those of a third-party or where you have given consent). We use your personal data when you apply for our services, while you are a customer and when you use our free services (for example, when you participate in a free trial period offered under your subscription plan). We will use this personal data generally to manage our services and business effectively, as well as for potential development of future products and services.

5. Who we share your personal data with

We may also share your personal data within Cotiss, to our service providers and to other authorised third parties. We will only share personal data when we are allowed to under applicable data protection laws, or when we are legally required to. We may disclose your personal data to:

  • The administrator account of your employer, to the extent that your personal data is related to the provision of potential employment by your employer;

  • Third-party service providers for the purpose of enabling them to provide their services to us and therefore to you (for example, Google Analytics), including IT service providers, content management system providers, data storage, web-hosting and server providers, debt collectors, maintenance or problem-solving providers, marketing or advertising providers, professional advisors and payment systems operators;

  • Our employees and contractors;

  • Our existing or potential agents or business partners;

  • Anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred;

  • Courts, tribunals and regulatory authorities, in the event you fail to pay for services we have provided to you;

  • Courts, tribunals, regulatory authorities and law enforcement officers, as required or authorised by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights; and

  • Any other third parties as required or permitted by law.

  • Google Analytics

We may have enabled Google Analytics Advertising Features including Remarketing Features, Advertising Reporting Features, Demographics and Interest Reports, Store Visits, Google Display Network Impression reporting etc. We and third-party vendors may use first-party cookies (such as the Google Analytics cookie) or other first-party identifiers, and third-party cookies (such as Google advertising cookies) or other third-party identifiers together. You can opt-out of Google Analytics Advertising Features including using a Google Analytics Opt-out Browser add-on found here. To opt-out of personalised ad delivery on the Google content network, please visit Google's Ads Preferences Manager here or if you wish to opt-out permanently even when all cookies are deleted from your browser you can install their plugin here. To opt out of interest-based ads on mobile devices, please follow these instructions for your mobile device: On Android, open the Google Settings app on your device and select "ads" to control the settings. On iOS devices with iOS 6 and above, use Apple's advertising identifier. To learn more about limiting ad tracking using this identifier, visit the settings menu on your device.

6. How we will store your personal data

We are committed to ensuring that the personal data we collect is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures, to safeguard and secure personal data and protect it from misuse, interference, loss and unauthorised access, modification and disclosure.

While we are committed to security, we cannot guarantee the security of any information that is stored by us or transmitted to or by us over the internet. The transmission and exchange of information over the internet is carried out at your own risk.

  • If we are likely to disclose your personal data overseas, and if so, the countries to which we are likely to disclose your personal data

We usually hold your personal data in New Zealand, but sometimes we may disclose your personal data to countries other than the country you live in - such as Australia. These countries may have laws different to what you are used to. If we do this, we will put in place contractual safeguards if necessary to ensure your personal data remains protected and to comply with applicable data protection laws.

7. How long your personal information will be kept

We will keep your personal information while you have an account with us or while we are providing the services laid down in the General Terms of Service to you. Thereafter, we will keep your personal information for as long as is necessary:

  • To respond to any questions, complaints or claims made by you or on your behalf;
  • To show that we treated you fairly; and
  • To keep records required by law.

We will not retain your personal information for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information. When it is no longer necessary to retain your personal information, we will delete or anonymize it.

8. Your rights in relation to your personal data

Under certain circumstances and to the extent that such rights are granted in accordance with applicable data protection laws in your country, you, or someone you give authority to, has the right to request access to or correct your personal data:

  • Access: You may request access to the personal data that we hold about you. An administrative fee may be payable for the provision of such information. Please note, in some situations, we may be legally permitted to withhold access to your personal data.
  • Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to promptly correct any information found to be inaccurate, out of date, incomplete, irrelevant or misleading. Please note, in some situations, we may be legally permitted to not correct your personal data.

When it comes to marketing communications, you can ask us at any time not to send you these by following the unsubscribe instructions in the marketing communication, or by emailing our privacy representative below.

9. How to exercise your rights

If you would like to exercise any of your rights as described in this Privacy Policy, you can do so by emailing us at privacy@cotiss.com

If you choose to contact us directly by email you will need to provide us with:

  • Enough information to identify you (e.g., your full name, address and customer or matter reference number);
  • Proof of your identity and address (e.g., a copy of your driving license or passport and a recent utility or credit card bill); and
  • A description of what right you want to exercise and the information to which your request relates.

We are not obligated to make a data access or data portability disclosure if we cannot verify that the person making the request is the person about whom we collected information or is someone authorized to act on such person's behalf. Any personal information we collect from you to verify your identity in connection with your request will be used solely for the purposes of verification.

10. Changes to this Privacy Policy

We may change this Privacy Policy to reflect changes in our services, and/or to reflect changes in laws we have to comply with. Depending on how significant the changes are, we will either put a notice on our website, send you an email or notify you through the Cotiss platform to inform you of those changes. If we have to make changes to protect the security of your personal data, we can tell you after we've made the change.

11. How to Contact Us for questions regarding your personal data

If you wish to make a complaint, please contact us using the details below and provide us with full details of the complaint. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take in response to your complaint. You also have the right to contact the Office of the New Zealand Privacy Commissioner (OPC) or the Office of the Australian Information Commissioner (OAIC), or another relevant data protection authority, where you are not satisfied with our resolution process.

Links to other websites

Our services may contain links to other websites. We do not have any control over those websites, and we are not responsible for the protection and privacy of any personal data which you provide whilst visiting those websites. Those websites are not governed by this Privacy Policy.

Contact details

For any questions or notices, please contact our privacy representative at:

  • New Zealand

    • Cotiss Limited
    • Address: Suite 7/1 Cross Street, Auckland CBD, Auckland, 1010, New Zealand
    • Phone: 0064 21 074 8062
    • Email: privacy@cotiss.com
  • Australia

    • Cotiss AU Pty Limited
    • Address: 333 George St, Sydney, New South Wales 2000, Australia
    • Phone: 0064 21 074 8062
    • Email: privacy@cotiss.com
  • United States (and any other countries excluding NZ and AUS)

    • Cotiss Incorporated
    • Address: 96 South Park St, San Francisco, California 94107, United States
    • Phone: 0064 21 074 8062
    • Email: privacy@cotiss.com

Additional Information if you are in the United States

Last updated: March 3, 2026

For consumers in the United States, we adhere to the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA). We are responsible for your personal information as a "business" under the CCPA/CPRA.

1. How and why we may use your personal data

Under data protection laws, we can only use your personal information if we have a proper reason for doing so. The list below explains what we use (process) your personal information for and our reasons for doing so:

Use of your personal information

  • To enable you to access our services, including to provide you with a login and manage tenders and quotes;
  • To provide our services to you, including to give you access to the Cotiss platform, tech stack, and integrations; and
  • To contact and communicate with you about our services and any enquiries you make via our website.

Our reason

  • For the performance of our contract with you or to take steps at your request before entering into a contract.

Use of your personal information

  • For internal record keeping, administrative, invoicing and billing purposes;
  • For analytics, market research and business development, including to operate and improve our services;
  • To detect and/or prevent any illegal activity that may threaten us or our services; and
  • For advertising and marketing, including to send you promotional information about our products and services and information that we consider may be of interest to you, noting we will comply with all laws that are relevant to marketing.

Our reasons

  • For our legitimate interests or those of a third-party, i.e., to make sure we are following our own internal procedures so we can deliver the best service to you;
  • For our legitimate interests or those of a third-party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price;
  • For our legitimate interests or those of a third-party, i.e., to minimize fraud that could be damaging for us and for you; and
  • For our legitimate interests or those of a third-party, i.e., to promote our business to existing and former customers.

Use of your personal information

  • To comply with our legal obligations and resolve any disputes that we may have; and
  • If otherwise required or authorised by law.

Our reason

  • Compliance.

2. Who we share your personal data with

In the last 12 months, we have not sold or shared your personal information.

In the preceding 12 months, we have disclosed the following categories of personal information for a business purpose:

  • Identifiers (including first name, middle name, last name, date of birth, email address, job title and employer organisation);
  • Personal Information (including billing address, telephone numbers and bank account and payment card details through our third-party payment processor Stripe);
  • Commercial Information (including details about payments from you to us and other details of services you have purchased from us or we have purchased from you);
  • Geolocation data (including internet protocol (IP) address and your location information (for example your GPS location));
  • Internet or other electronic network activity information (including your browser session, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour, information about your access and use of our website, including through the use of internet cookies, your communications with our website, the type of browser you are using, the type of operating system you are using, the domain name of your internet service provider, your preferences in receiving marketing from us and our third parties and your communication preferences);
  • Account Information (including your login for our services, support requests you have made, your interests, preferences, feedback and survey responses, additional personal data that you provide to us, directly or indirectly, through your use of our services, associated applications or accounts from which you permit us to collect information);
  • Professional employment-related information (including where you are a worker of ours or applying for a role with us, your professional history such as your previous positions and professional experience);
  • Requested data (including any other personal data requested by us and/or provided by you or a third-party); and
  • Sensitive personal data.

3. Your rights under the CCPA/CPRA

Consumers in California, United States, have the right under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and certain other privacy and data protection laws, as applicable, to exercise free of charge:

  • Disclosure of Personal Information We Collect About You

  • You have the right to know, and request disclosure of:

    • The categories of personal information we have collected about you, including sensitive personal information;
    • The categories of sources from which the personal information is collected;
    • The categories of third parties to whom we disclose personal information, if any; and
    • The specific pieces of personal information we have collected about you.
  • Please note that we are not required to:

    • Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained;
    • Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or
    • Provide the personal information to you more than twice in a 12-month period.
  • Disclosure of Personal Information Disclosed for a Business Purpose

  • In connection with any personal information we may disclose to a third-party for a business purpose, you have the right to know:

    • The categories of personal information that we disclosed about you for a business purpose and the categories of persons to whom the personal information was disclosed for a business purpose.
  • Right to Limit Use of Sensitive Personal Information

  • You have the right to limit the use and disclosure of your sensitive personal information to the use which is necessary to:

    • Perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services;
    • Perform the following services: (1) Helping to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for these purposes; (2) Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer's current interaction with the business, if the consumer's personal information is not disclosed to another third-party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business; (3) Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business; and (4) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business; and
    • As authorized by further regulations.
  • You have a right to know if your sensitive personal information may be used, or disclosed to a service provider or contractor, for additional, specified purposes;

  • To limit the use of your sensitive personal information, visit our homepage and opt out via the cookies banner on the Cotiss website. Alternatively, you can email us at privacy@cotiss.com

  • Right to Deletion

  • Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will:

    • Delete your personal information from our records; and
    • Direct third parties to whom the business has sold or shared your personal information to delete your personal information unless this proves impossible or involves disproportionate effort.
  • Please note that we may not delete your personal information if it is reasonably necessary to:

    • Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us;
    • Help to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for those purposes;
    • Debug to identify and repair errors that impair existing intended functionality;
    • Exercise free speech, ensure the right of another consumer to exercise their right of free speech, or exercise another right provided for by law;
    • Comply with the California Electronic Communications Privacy Act;
    • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent;
    • Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
    • Comply with an existing legal obligation; or
    • Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.
  • Right of Correction

If we maintain inaccurate personal information about you, you have the right to request us to correct that inaccurate personal information. Upon receipt of a verifiable request from you, we will use commercially reasonable efforts to correct the inaccurate personal information.

  • Protection Against Retaliation

  • You have the right to not be retaliated against by us because you exercised any of your rights under the CCPA/CPRA. This means we cannot, among other things:

    • Deny goods or services to you;
    • Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
    • Provide a different level or quality of goods or services to you; or
    • Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services.
  • Please note that we may charge a different price or rate or provide a different level or quality of goods and/or services to you, if that difference is reasonably related to the value provided to our business by your personal information. We may also offer loyalty, rewards, premium features, discounts, or club card programs consistent with these rights or payments as compensation, for the collection of personal information, the sale of personal information, or the retention of personal information.

4. How to exercise your rights

If you would like to exercise any of your rights as described in this Privacy Policy, you can do so by emailing us at privacy@cotiss.com

Please note that you may only make a CCPA/CPRA-related data access or data portability disclosure request twice within a 12-month period.