PAVE Privacy
How we collect, use, and protect your personal information.
PAVE is a New Zealand mortgage platform. Our handling of personal information is governed by the Privacy Act 2020 and the thirteen Information Privacy Principles. This page explains, in plain language, what we collect, why, how we protect it, and how you can exercise your rights.
Who we are
This site is operated by PAVE, a mortgage platform connecting borrowers, licensed mortgage advisers, and bank lenders. Where we act as a processor on behalf of a brokerage, that brokerage is the data controller for borrower information held inside their workspace. For information you provide directly to PAVE (for example via the demo request form on this site), we are the controller.
What we collect on this website
When you submit the demo request form we collect your name, email, optional phone number, optional brokerage or company name, the persona you select (broker, borrower, or showcase), and any message you write. Our server records the IP address and browser user agent of the request to deter spam. We do not use third-party advertising trackers. We do not sell personal information.
Why we collect it
We use the information you provide to contact you about your demo request, to tailor the walkthrough to your role, and to keep an internal record of who has been in touch. We do not add you to a marketing list and we do not share your details with third parties for marketing. Our lawful basis is your consent in submitting the form.
Service providers we use
Email delivery is handled by Mandrill (Mailchimp Transactional), which processes your email address solely to deliver the message we send. Application hosting is provided by SiteHost in New Zealand. Document storage uses Amazon S3 in our chosen region. We use Google Maps Places for address autocomplete inside the application — this is only invoked once you are signed in and is not used on this marketing site.
How long we keep it
Demo requests are retained for up to 24 months from the date of submission so we can follow up if a conversation continues over time, then deleted unless you have become a customer. If you ask us to delete your record sooner, we will do so within ten working days of receiving your request.
How we protect it
All traffic to PAVE is encrypted in transit via HTTPS. Production passwords are hashed with bcrypt; sensitive privilege fields are protected against mass-assignment. Every action inside the platform is recorded in an append-only audit log with the actor, timestamp, IP, and user agent. Access to internal databases is restricted to a small number of authorised staff.
AI agents and your data
PAVE is agent-first: any Model Context Protocol (MCP) AI assistant you trust can act on your behalf. We use OAuth 2.1 with dynamic client registration — you authorise each assistant explicitly on a branded consent screen; the assistant receives a bearer token scoped to your account; we email you the moment a new assistant is connected so you know. The assistant's authority is identical to yours and can never reach another user's data. Every action it takes is recorded in your audit log and listed at Settings → AI agents, where you can revoke any connection at any time. PAVE is agnostic about which assistant you bring; we do not share your account data with the AI vendor beyond what the assistant explicitly requests through our defined tools, and we don't use your personal information to train any third-party model.
Cookies
This marketing site uses one strictly necessary cookie for cross-site request forgery protection on the demo form. We do not use analytics or advertising cookies on the marketing surface. Once you sign in to the platform, a session cookie is set so you stay logged in.
Your rights under the Privacy Act 2020
You may request a copy of any personal information we hold about you, ask us to correct anything that is wrong, or ask us to delete information we no longer need. Contact us at the address below and we will respond within twenty working days. If you are unhappy with our response, you can raise a complaint with the Office of the Privacy Commissioner at privacy.org.nz.
Changes to this policy
We will update this page if our practices change. The date at the top of the page reflects the most recent revision. Material changes will be communicated to active customers by email.
How to reach us
Privacy queries, access requests, and deletion requests: privacy@pave.legendhasit.co.nz. For demo or sales matters, use demo@pave.legendhasit.co.nz.