PAVE Privacy
How we collect, use, and protect your personal information.
PAVE is a New Zealand mortgage platform. Our handling of personal information is governed by the Privacy Act 2020 and the thirteen Information Privacy Principles. This page explains, in plain language, what we collect, why, how we protect it, and how you can exercise your rights.
Who we are
This site is operated by PAVE, a mortgage platform connecting borrowers, licensed mortgage advisers, and bank lenders. Where we act as a processor on behalf of a brokerage, that brokerage is the data controller for borrower information held inside their workspace. For information you provide directly to PAVE (for example via the demo request form on this site), we are the controller.
What we collect on this website
When you submit the demo request form we collect your name, email, optional phone number, optional brokerage or company name, the persona you select (broker, borrower, or showcase), and any message you write. Our server records the IP address and browser user agent of the request to deter spam. We do not use third-party advertising trackers. We do not sell personal information.
Why we collect it
We use the information you provide to contact you about your demo request, to tailor the walkthrough to your role, and to keep an internal record of who has been in touch. We do not add you to a marketing list and we do not share your details with third parties for marketing. Our lawful basis is your consent in submitting the form.
Service providers we use
We use the following processors. Each is named with the country of processing and the basis we rely on for any cross-border transfer under IPP12:
• Akahu (apply.akahu.nz, NZ) — open-banking data-sharing platform. Hosts the portal where you share your bank data via a broker-issued sharing request. NZ Privacy Act applies natively. See the "Bank data sharing via Akahu Apply" section below for the full data flow.
• Mandrill / Mailchimp Transactional (United States) — transactional email delivery. Disclosed under your consent (IPP12); Mailchimp is on the EU-US Data Privacy Framework which the NZ Privacy Commissioner accepts as comparable protection.
• Amazon S3 (AWS Sydney, ap-southeast-2, Australia) — encrypted document storage. Australian Privacy Principles apply, accepted by the NZ Commissioner as comparable.
• SiteHost (NZ) — primary application hosting. NZ Privacy Act applies natively.
• Google Maps Platform (United States) — address autocomplete only. Sends only the partial address string you type; no other PII is transmitted. Not invoked on this marketing site.
We do not use third-party advertising trackers and we do not sell personal information.
How long we keep it
Demo requests are retained for up to 24 months from the date of submission so we can follow up if a conversation continues over time, then deleted unless you have become a customer. If you ask us to delete your record sooner, we will do so within ten working days of receiving your request.
How we protect it
All traffic to PAVE is encrypted in transit via HTTPS. Production passwords are hashed with bcrypt; sensitive privilege fields are protected against mass-assignment. Every action inside the platform is recorded in an append-only audit log with the actor, timestamp, IP, and user agent. Access to internal databases is restricted to a small number of authorised staff.
AI agents and your data
PAVE is agent-first: any Model Context Protocol (MCP) AI assistant you trust can act on your behalf. We use OAuth 2.1 with dynamic client registration — you authorise each assistant explicitly on a branded consent screen; the assistant receives a bearer token scoped to your account; we email you the moment a new assistant is connected so you know. The assistant's authority is identical to yours and can never reach another user's data. Every action it takes is recorded in your audit log and listed at Settings → AI agents, where you can revoke any connection at any time. PAVE is agnostic about which assistant you bring; we do not share your account data with the AI vendor beyond what the assistant explicitly requests through our defined tools, and we don't use your personal information to train any third-party model.
Bank data sharing via Akahu Apply
When your broker requests bank data, they create an Akahu Apply sharing request — a secure one-off link we email you. Tapping the link takes you to Akahu's hosted portal, where you can connect your bank (or upload PDF statements) and decide what to share. PAVE never sees your bank password, and we never hold a long-lived token against your bank — every share is a single, time-boxed transaction you control.
What Akahu shares with us. After you complete the share, Akahu builds a synthesised Report containing your account list (name, type, balance), categorised transactions for the period you authorised, derived insights (recurring income, debt repayments, savings velocity), and loan details where applicable. We never see your bank login credentials.
What PAVE stores. The synthesised Report (cached as encrypted JSON), a normalised set of accounts / transactions / insights / data sources for the broker UI, the Akahu Application + Sharing Request identifiers, and an HTML archive of the report for audit. We do not hold an ongoing connection — to refresh data, your broker issues a new sharing request and you complete the flow again.
Retention. Report data and the associated Akahu rows are retained for up to 24 months after your application closes (Proceeding / Closed / Withdrawn). Audit log entries are kept for 7 years to satisfy NZ AML/CFT mortgage record-keeping requirements. Sharing-request links expire after 30 days by default (7-60 days, broker-configurable).
How to revoke. Each Sharing Request is single-use and finite by design. To stop new data sharing on an application, simply ignore or cancel the most recent sharing-request link your broker sent you — there's nothing to disconnect on Akahu's side. To request immediate deletion of report data PAVE has already received, email [email protected] and we'll process within twenty working days.
Lawful basis. Your consent collected by Akahu at the point of sharing under Privacy Act 2020 IPP3, plus the platform consent share_with_banks for downstream disclosure to your selected lenders. You may withdraw share_with_banks at any time at /settings/consents — we live-check the ledger at submission time, so a revocation between wizard completion and bank submission still blocks the submission.
Processor. Akahu Limited (apply.akahu.nz, registered in New Zealand) operates the Akahu Apply platform and the hosted sharing portal. Their privacy notice is at akahu.io/privacy. We authenticate to Akahu Apply with a single organisation-level API key; we do not receive any borrower-specific token.
Your bank. When your broker submits to a bank, they receive a packaged PDF that includes the verified financial summary derived from your Akahu Apply report, plus the application metadata. Banks see only what's in that packet, scoped to the application reference you authorised. You can review what each bank received under your application at /borrower/applications.
Cookies
This marketing site uses one strictly necessary cookie for cross-site request forgery protection on the demo form. We do not use analytics or advertising cookies on the marketing surface. Once you sign in to the platform, a session cookie is set so you stay logged in.
Your rights under the Privacy Act 2020
You may request a copy of any personal information we hold about you, ask us to correct anything that is wrong, or ask us to delete information we no longer need. Contact us at the address below and we will respond within twenty working days. If you are unhappy with our response, you can raise a complaint with the Office of the Privacy Commissioner at privacy.org.nz.
Changes to this policy
We will update this page if our practices change. The date at the top of the page reflects the most recent revision. Material changes will be communicated to active customers by email.
How to reach us
Privacy queries, access requests, and deletion requests: [email protected]. For demo or sales matters, use [email protected].