Privacy Policy
1. Introduction
This Privacy Policy explains how eolma ("we", "us", or "our") collects, uses, stores, and discloses your personal information when you use the eolma platform, including the website, mobile application, and related services (the "Platform").
We are committed to protecting your privacy in accordance with the Privacy Act 2020 (NZ) and the Information Privacy Principles (IPPs) set out in that Act. By using the Platform, you consent to the collection and use of your information as described in this policy.
2. Information we collect and why
We only collect information that is necessary to provide you with the Platform's services. Below is what we collect, and why.
When you sign in with Google, Apple, Facebook, or email, we receive your email address, first and last name where provided, profile photo where provided, and a provider-specific account identifier where applicable. We use this information only to authenticate you, create or identify your account, and keep you signed in.
- Display name and suburb: So other users can identify you and see whether you're in a convenient location for splitting.
- Profile photo: If you choose to upload one, we access the selected image from your photo library and store it as part of your profile.
- Bank account details (optional): If you choose to add them, this makes it easier to share your payment information with split partners so they can reimburse you. Bank details are encrypted before being stored and are only shared with a confirmed split partner when you choose to do so.
- Pickup address (optional): If you choose to add one, this makes it easier to share collection details with a confirmed split partner after a split is confirmed. Pickup addresses are encrypted before being stored and are only shared when you actively choose to send them in chat.
Photos of items, item listings, split requests, chat messages, ratings, and feedback you submit are all stored so the Platform can function. Item photos are processed by an AI service to automatically extract item details, saving you from entering them manually. Only the image is sent to the AI service, no other personal information.
On mobile, we may request location permission after sign-in so the app can identify which store you are in when uploading item photos and show other users whether you are currently in-store. If you upload an item photo, we use your device location at the time of capture to identify the participating store you are in and attach the listing to that store. Your precise coordinates are not shown to other users.
If location permission is granted, in-store status sharing is enabled by default. The app can then use your location while you have it open to show whether you are currently in-store, which helps split partners message and coordinate with each other. Other users see only an in-store status, not your precise coordinates. You can turn in-store status sharing off at any time in Settings. If you deny location permission, in-store status sharing cannot function.
We collect basic usage data to keep you signed in and to help us improve the Platform. This includes authentication and session data such as cookies, refresh tokens, and related security information needed to keep you signed in.
We also collect product analytics events, such as page or screen views and key feature usage, to understand how the Platform is used and where it can be improved. These analytics events may include your internal user ID, app platform, app version, device or browser information, event timestamps, IP address, and approximate website location derived from IP address, such as country, region, or city. We do not send your email, real name, chat message content, bank details, pickup address, item photos, or precise location coordinates as analytics event properties.
On mobile, we may request notification permission after sign-in, so we can send you activity updates. If notification permission is granted, notifications are enabled by default and we store a push notification token for your device so we can send messages, activity and coordination updates, and relevant app alerts. You can disable notifications at any time in Settings or your device settings. We also collect diagnostics such as crash reports, error logs, performance data, device and app version information, and masked session replay data to find and fix technical issues. Text and images are masked in session replays.
3. How we use your information
We collect and use your personal information only for the purposes for which it was collected (IPP 10). These purposes include:
- Providing the service: Creating and managing your account, facilitating split requests, enabling messaging between users, and displaying item listings.
- Authentication and security: Verifying your identity, managing sessions, and protecting against unauthorised access.
- Communication and coordination: Sending system notifications related to your split requests, messages, account activity, and the in-store status that helps users coordinate.
- Improvement: Analysing usage patterns to improve the Platform's functionality, performance, and user experience.
- Legal compliance: Complying with applicable New Zealand law, including responding to lawful requests from government agencies.
4. How we share your information
We do not sell your personal information to third parties. We may share your information in the following limited circumstances:
As part of the Platform's core functionality, certain information is visible to other users:
- Your display name, profile photo, and suburb are visible on your profile and in listings.
- Your shopping cart is visible on your profile so other users can discover items you may want to split. Your favourites are not visible to other users.
- Your chat messages are visible to the other participant in a conversation.
- Your bank account details are only shared with a confirmed split partner when you actively choose to share them.
- Your pickup address is only shared with a confirmed split partner when you actively choose to share it.
- If location sharing is enabled, other users may see that you are currently in-store. This is enabled by default when location permission is granted, can be disabled in Settings at any time, and never shares your precise coordinates with other users.
- When you upload an item photo, the store identified from your location may be shown with the listing.
- Your ratings are visible on your profile.
We use third-party services to operate the Platform. These providers process data on our behalf and are contractually required to protect your information:
- Authentication providers: Google, Apple, and Meta (Facebook Login) across the Platform. We use these providers only to sign you in and retrieve the account information described in section 2.1.
- Cloud hosting: Infrastructure providers that host the Platform and store Platform data.
- Notifications and diagnostics: Push notification and error monitoring providers that help deliver notifications, diagnose crashes, and improve app reliability.
- Product analytics: Analytics providers that help us understand feature usage, page and screen views, and product performance so we can improve the Platform.
- AI image processing: AI service providers that we use to extract item details from item photos you upload.
We may disclose your information if required by law, court order, or a request from a New Zealand government agency, or if we reasonably believe disclosure is necessary to protect the rights, property, or safety of eolma, our users, or the public.
5. Data security
We take reasonable steps to protect your personal information from unauthorised access, use, or disclosure (IPP 5). Our security measures include:
- Sensitive personal information, including bank details and pickup addresses, is encrypted before being stored where appropriate.
- All data transmitted between your device and our servers is encrypted in transit.
- Users can only access their own data and data explicitly shared with them.
No system is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
6. Data storage and overseas disclosure
Your personal information may be stored on or processed by servers located outside New Zealand (for example, in Australia or the United States). Where your information is transferred overseas, we take reasonable steps to ensure it is protected by comparable safeguards (IPP 12).
7. Data retention
We retain your personal information for as long as your account is active or as needed to provide the Platform's services.
- Account data: Retained until you request deletion.
- Messages: Retained for as long as reasonably necessary to operate the chat service. When your account is deleted, shared chat and split history may be retained in de-identified form, including display as [Deleted user], while personal details and sensitive shared data are removed.
- Item listings: Retained while active; may be removed after a reasonable period of inactivity.
When your account is deleted, we remove or de-identify your personal information within a reasonable timeframe, unless we are required by law to retain it. This includes deleting your item comments and ratings and removing sensitive shared details such as bank account information and pickup addresses from retained chat history.
8. Your rights under the Privacy Act 2020
Under the Privacy Act 2020, you have the right to:
- Access your information (IPP 6): You may request a copy of the personal information we hold about you.
- Correct your information (IPP 7): You may request that we correct any inaccurate or incomplete personal information. You can also update your profile directly in the Platform's settings.
- Delete your information: You can delete your account directly in Settings, or email privacy@eolma.com if you cannot access the app.
To exercise any of these rights, use the in-app deletion option in Settings or email privacy@eolma.com. Full deletion steps are available on our data deletion instructions page. We will respond to privacy requests within 20 working days, as required by the Privacy Act 2020.
9. Cookies and tracking
We use essential cookies to keep you signed in and to make the Platform work. These are strictly necessary and are not used for advertising.
We use product analytics on the website and mobile app to measure page views, screen views, and key feature usage. We do not use analytics for third-party advertising, and we do not enable broad form, click, or session replay capture through our product analytics provider.
On the website, our product analytics provider may process IP address to infer approximate location for analytics reporting. This is not GPS location and does not use browser geolocation permission.
If you sign in with Facebook, Meta provides the login service and shares the account information described above. On iOS, Facebook Login may trigger Apple's App Tracking Transparency prompt before the standard Facebook login flow. We request this permission only for Facebook Login compatibility with the Meta SDK; eolma does not use it to serve ads or run third-party advertising analytics.
The Android app does not use the Android Advertising ID for advertising or analytics, and eolma does not use the IDFA for its own advertising or product analytics.
10. Children's privacy
The Platform is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a person under 18, we will take steps to delete that information promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Platform. The "last updated" date at the top of this page indicates when the policy was last revised.
12. Contact and complaints
If you have questions about this Privacy Policy or wish to make a privacy-related request, please email privacy@eolma.com.
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Privacy Commissioner (Te Mana Matapono Matatapu).