Privacy Policy

Last updated: January 6, 2026

RateMate ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website at ratemate.co.nz and our mortgage comparison services.

We comply with the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs).

Contact: For any privacy-related questions, contact us at hello@ratemate.co.nz

Information We Collect

Information You Provide

When you use RateMate, you may provide:

  • Account Information: When you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.
  • Mortgage Information: Details you enter about your mortgage, including loan amounts, interest rates, property values, bank names, fixed term expiry dates, and payment frequencies.
  • Preferences: Your mortgage goals, risk tolerance, and other preferences.

Important: Your mortgage calculations are only saved to our database if you sign up for an account and explicitly choose to save a scenario. If you use the calculator without signing up, all calculations are performed in your browser and are never stored on our servers.

Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent on site
  • Device Information: Browser type, operating system, screen size
  • Cookies: Session cookies to keep you logged in (see Cookie Policy below)

Information We Do NOT Collect

  • Bank account numbers or login credentials
  • Credit card or payment information
  • Your actual mortgage account access
  • Government ID numbers (IRD, passport, etc.)

How We Use Your Information

We use your information to:

  • Provide our mortgage comparison and analysis service
  • Save and manage your mortgage scenarios
  • Improve our service based on anonymised usage data
  • Respond to your enquiries

We Do NOT:

  • Sell your personal information to third parties
  • Share your mortgage details with banks or brokers without your explicit consent
  • Use your data for purposes other than those listed above
  • Send marketing emails unless you opt in

Email Marketing Consent

We respect your inbox. Marketing emails (mortgage tips, feature updates, and helpful content) are sent only with your explicit consent.

How It Works

When you first visit your dashboard after signing in, we'll ask if you'd like to receive helpful mortgage tips and updates about new features. You can:

  • Choose "Yes" to opt in to marketing emails
  • Choose "No thanks" to decline
  • Change your preference anytime in Account Settings

We record your consent choice and the date you made it. You maintain full control over your email preferences and can update them at any time.

What We Send

If you opt in, you'll receive occasional emails about:

  • Tips for saving money on your mortgage
  • New features and improvements to RateMate
  • Updates to mortgage rates and market trends

Important: Even if you opt out of marketing emails, we may still send you essential service emails (like account security alerts or changes to our terms).

Who We Share Your Data With

Service Providers

We use trusted third-party services to operate RateMate:

  • Google: Authentication (Sign in with Google). Data: email, name, profile picture. Location: USA
  • AWS (Amazon Web Services): Key Management Service (KMS) for encryption key management. Data: encryption keys only (no scenario data). Location: Australia (Sydney ap-southeast-2)
  • Neon (PostgreSQL): Database hosting. Data: all scenario data (encrypted). Location: Australia (AWS Sydney)
  • Vercel: Website hosting and CDN. Data: usage logs. Location: Australia (Sydney region for NZ/AU users)

All providers are bound by data processing agreements and maintain appropriate security measures.

Legal Requirements

We may disclose your information if required by law, court order, or government request.

Data Storage & Security

Where We Store Your Data

Your data is primarily stored in Australia: the Neon database is hosted in AWS Sydney (ap-southeast-2), and for New Zealand users, Vercel serves the website from their Sydney edge region. Authentication through Google may involve data transfer to the United States. By using RateMate, you consent to this data storage and transfer.

How We Protect Your Data

We take data security seriously and use industry-leading encryption to protect your sensitive mortgage information:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS with TLS 1.3 (the latest security standard). This prevents anyone from intercepting your data while it travels over the internet.
  • Bank-Grade Encryption at Rest: We use AWS Key Management Service (KMS) to encrypt your mortgage scenarios using AES-256-GCM encryption - the same industry-standard encryption used by banks and financial institutions worldwide. Your encryption keys are managed by AWS's secure infrastructure, making it virtually impossible for anyone to access your information without proper authorization.
  • Key Isolation: Even if our database were compromised, your data would remain protected because the encryption keys required to decrypt it are stored separately in AWS's secure key vault and can only be accessed through strict authentication controls.
  • Access Controls: Only authorised personnel can access production systems, and all access is logged and monitored. No one can view your unencrypted mortgage data without proper authentication.
  • Secure Authentication: We use Google OAuth 2.0 for authentication and secure session management with HTTP-only cookies that cannot be accessed by JavaScript (protecting against XSS attacks).
  • Regular Backups: Your encrypted data is backed up daily, ensuring it can be recovered if needed while maintaining the same security standards.

Why this matters: Your mortgage data contains sensitive financial information. Our encryption ensures that even in the unlikely event of a security breach, your data would be unreadable without the encryption keys, which are stored separately and managed by AWS.

Data Retention

  • Saved scenarios: Kept while your account is active
  • Account data: Kept until you request account deletion
  • Usage logs: 90 days, then automatically deleted

When you delete your account, all scenarios and associated data are permanently deleted within 7 business days.

Your Rights (NZ Privacy Act 2020)

Under the New Zealand Privacy Act 2020, you have the right to:

Access Your Data

Request a copy of all personal information we hold about you. We will respond within 20 working days.

Correct Your Data

Request correction of any inaccurate information.

Delete Your Data

You can request deletion of your account and all associated data by contacting us at hello@ratemate.co.nz. We will process your request within 7 business days. This is permanent and cannot be undone.

Export Your Data

You can request a copy of all your scenarios and data in a portable format (JSON) by contacting us at hello@ratemate.co.nz.

How to Exercise Your Rights

To exercise any of these rights, contact us at:

  • Email: hello@ratemate.co.nz
  • Response Time: We will respond within 20 working days

Complaints

If you believe we have breached your privacy, you can:

  • Contact us at hello@ratemate.co.nz
  • Lodge a complaint with the Office of the Privacy Commissioner: www.privacy.org.nz

Cookies

We use the following cookies:

  • Session: Keeps you logged in (duration: 30 days)
  • CSRF: Security, prevents cross-site attacks (duration: session)

We do NOT use:

  • Advertising or tracking cookies
  • Third-party analytics cookies (we use privacy-focused analytics)

You can disable cookies in your browser settings, but this will prevent you from staying logged in.

Children's Privacy

RateMate is not intended for users under 18 years of age. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email (if you have an account) or notice on our website.

The "Last updated" date at the top indicates when this policy was last revised.

Contact Us

For privacy-related questions or to exercise your rights, please get in touch.

Privacy First: We're committed to protecting your personal information and complying with New Zealand privacy law. If you have suggestions for how we can improve our privacy practices, we'd love to hear from you.