Privacy Policy
Effective from 1 June 2026
This policy explains what personal information QualCard collects, how we use it, and what your rights are. We've written it in plain English. If anything isn't clear, get in touch.
QualCard is operated by MW Group, based in Christchurch, New Zealand. We comply with the New Zealand Privacy Act 2020.
1. Who this policy covers
This policy applies to three groups of people:
- Customer admins: the Company Admins and Branch Admins who sign in to manage their business's QualCard account.
- Workers: the people whose credentials are stored on QualCard by their employer. Workers don't sign in or have accounts; their data is uploaded and managed by their employer.
- Marketing site visitors: anyone who visits qualcard.co.nz, fills in our contact form, or books a discovery call.
The information we collect and how we handle it differs slightly across these groups. We've broken it out below.
2. What we collect
From customer admins
- Name
- Work email address
- Business name and branch (if applicable)
- Admin role (Company Admin or Branch Admin)
- Login activity and the activity log (which admin took which action, and when)
From workers (uploaded by their employer)
- Name
- Photo
- Credentials, qualifications, competencies, site inductions, permits and certificates, along with details like issuing body, dates, and reference numbers
- The employer the worker is associated with, and the branch they belong to
Workers don't provide this information to QualCard directly. Their employer enters it on their behalf, and confirms each time that they've informed the worker the data is being stored on QualCard.
From marketing site visitors
- Information you give us in the contact form (name, email, company, team size, phone, message)
- Information you provide if you book a discovery call via Calendly
- Basic visitor analytics (page views, traffic sources, country, device type) collected by Vercel Analytics, which is privacy-friendly and doesn't use cookies
3. How we use it
Customer admin data
We use admin data to operate the platform: authenticating logins, attributing actions to specific admins for the activity log, sending operational emails (renewal reminders, security notices, account updates), and supporting your account when you contact us.
Worker data
We use worker data only to display the worker's QualCard. The card's public page shows the worker's name, photo, company, branch, and credentials when scanned. The data isn't used for marketing, analytics, profiling, or any other purpose.
Marketing site visitor data
If you submit the contact form or book a call, we use the information you give us to respond and follow up. We don't add you to a mailing list or use your details for marketing without your consent.
4. Where your data is stored
We try to keep your data close to you where we can. Some services we use to operate the platform are hosted in other regions, and we're upfront about that here.
Stored in Sydney, Australia
- Customer admin and worker data is stored in Supabase (AWS ap-southeast-2 region, Sydney)
- Serverless functions that process requests on the QualCard app run on Vercel in the Sydney region
- Static assets (the website itself, images, fonts) are served from Vercel's global edge network, optimised to deliver content from the nearest server to the visitor
Processed in the United States
- Transactional email (account notifications, renewal reminders, password resets, contact form responses) is delivered via AutoSend, which processes email content in the US East region. Email content may include your name and email address.
- Error monitoring (technical diagnostics when something goes wrong) is provided by Sentry, which stores error logs in the US. Error logs may incidentally contain personal data such as email addresses or worker names if an error occurs while processing that data.
Other sub-processors
- Stripe processes credit card payments for QualCard subscriptions. Payment card details are handled by Stripe and not stored by QualCard.
- Cloudflare Turnstile protects our forms from spam and abuse. Turnstile may collect limited technical information (such as IP address and browser characteristics) from visitors who submit forms.
- Upstash provides caching and rate limiting for the platform.
Where personal data is transferred outside New Zealand, we ensure the sub-processor provides protections comparable to those required under the New Zealand Privacy Act 2020.
5. How we keep data secure
We use industry-standard security measures, including:
- HTTPS encryption across all of our websites and apps
- Encrypted storage of customer and worker data
- Access controls limiting who at QualCard can access customer data
- Activity logging of admin actions inside the platform
- Spam and abuse protection on public forms
No system is 100% secure, but we take security seriously and review our practices regularly.
6. How long we keep your data
Customer admin data and worker data are retained for as long as your account exists on the platform, including during periods of inactivity. This is so deactivated cards can be reactivated by an admin at any time without losing their credential history.
If a customer requests permanent deletion of a worker's record, an admin's account, or the whole account, we'll action it within a reasonable timeframe. Some data may be retained for legal, compliance, or backup reasons for a limited period after deletion (typically 30 to 90 days).
Marketing site contact form submissions and Calendly booking data are retained for as long as we need them to manage the conversation, then archived.
7. Worker rights
If you're a worker whose data is stored on QualCard by your employer, you have rights under the Privacy Act 2020:
- Access: you can request a copy of the data we hold about you
- Correction: you can request that incorrect information be corrected
- Complaint: you can raise concerns about how your data is being handled
Because your employer uploaded your data and is responsible for keeping it accurate, the first step for any of these requests is to contact your employer directly. Most corrections and access requests can be actioned by your employer's QualCard admin in seconds, without involving us.
If you can't get a satisfactory response from your employer, or if your concern is about QualCard's handling of the data (rather than the data itself), you can contact us at info@qualcard.co.nz.
You also have the right to contact the Office of the Privacy Commissioner directly at any time: privacy.org.nz.
8. Customer admin rights
If you're a customer admin and want to access, correct, or delete the data we hold about you, contact us at info@qualcard.co.nz. You can also see and edit much of your data directly inside the platform.
9. Data breach notification
If a data breach happens that's likely to cause serious harm to affected individuals, we'll notify both the Office of the Privacy Commissioner and the affected parties as soon as practicable after we become aware of it. For customer and worker data, that means we'll notify your Company Admins by email. They're then responsible for notifying affected workers within their business.
This is required of us under the Privacy Act 2020.
10. Cookies and tracking
The QualCard marketing site at qualcard.co.nz uses:
- Vercel Analytics for basic page-view analytics. This is privacy-friendly and doesn't use cookies or store personal information.
- Cloudflare Turnstile on form submissions to protect against spam. Turnstile may use technical information (such as your IP address and browser type) to determine whether you're a human or a bot.
- Calendly if you choose to book a discovery call. Calendly may use cookies and tracking technologies as outlined in their own privacy policy.
The QualCard app at app.qualcard.co.nz uses session cookies necessary for authentication and security. We don't use third-party advertising or marketing cookies.
11. Changes to this policy
We may update this policy from time to time. If we make material changes, we'll notify Company Admins by email with at least 30 days' notice before the changes take effect. Minor changes (typo fixes, formatting, clarifications) may be made without notice.
The current version of this policy is always available at qualcard.co.nz/privacy.
12. Our Privacy Officer
QualCard has a designated Privacy Officer responsible for handling privacy enquiries and complaints. You can contact our Privacy Officer at:
info@qualcard.co.nz
Subject line: Privacy Enquiry
We'll do our best to respond within five working days.
13. Contact
QualCard
A division of MW Group
Christchurch, New Zealand
Email: info@qualcard.co.nz
This policy was last updated on 1 June 2026.