Privacy Policy

The agency responsible for collecting and holding your personal information is:

Moshims MMK Ltd
47 Takapu Road, Takapu Valley, Wellington, New Zealand
Email: info@moshims.co.nz • Phone: 027 MOSHIMS (027 667 4467) • Web: moshims.co.nz

Moshims is a family-owned fresh produce, fruit, vegetable, and grocery business operating across Wellington, New
Zealand. We offer home delivery, wholesale supply, and Saturday market sales.

Junior MMKS Limited is a subsidiary company of Moshims MMK Ltd and may process your personal information for the
purposes of marketing and product distribution on our behalf.

We may collect the following types of personal information depending on how you interact with us:

• Identity: Full name
• Contact details: Email address, phone number, delivery address, billing address
• Order information: Products ordered, order history, delivery preferences, order value
• Payment: Payment card details (processed securely by Stripe — we do not store your full card number)Account Username, password (encrypted), account preferences
• Communications: Emails, SMS messages, phone call records, customer service interactions
• Wholesale accounts: Business name, contact person, ABN/NZBN, credit terms, order history
• Website usage: IP address (anonymised), pages visited, browser type, device type, referral source
• Marketing preferences: Email and SMS opt-in status, communication preferences

We only collect personal information that is necessary for the purposes described in this policy. We do not collect sensitive
information (such as health data, religious beliefs, or ethnic origin) unless you voluntarily provide it to us.

Direct collection
We collect your personal information directly from you when you:

• Place an order on moshims.co.nz or by phone
• Create an account on our website
• Subscribe to our email or SMS marketing
• Contact us by email, phone, or social media
• Visit our Saturday markets and provide your details
• Apply for or manage a wholesale account
• Provide feedback, complete a survey, or enter a promotion

Indirect collection (IPP 3A)

In some cases, we collect your personal information from sources other than you directly. This is known as indirect collection under the New Zealand Privacy Act 2020 (Information Privacy Principle 3A), which came into force on 1 May 2026.

The following describes situations where your personal information may be collected by a third-party provider from a source other than you, and the source from which that information originates:

Receiving provider, source of information, what is collected and why

• Base44 (operations platform):  Your order on moshims.co.nz
  (WooCommerce). Name, contact details, delivery address,and order history are transferred tomanage order fulfilment and delivery scheduling.
• Stripe (payment processor): Your order on moshims.co.nz
  (WooCommerce). Name, email, billing address, and payment card details are transferred at checkout to securely process your payment.
• Xero (accounting): Orders on moshims.co.nz and
  wholesale invoices. Name, contact details, and invoice amounts are transferred for invoicing, payment reconciliation, and GST compliance.
• Anthropic (Claude AI): Our operations platform (Base44) and WooCommerce. Name, contact details, order history, and delivery address may be processed to assist with order management and customer communications.
• OpenAI (ChatGPT): Our operations platform (Base44). Name, contact details, and order details may be processed to assist with content drafting and business communications.Google (Gemini AI): Our operations platform (Base44) and Google Workspace. Name, email address, and order details may be processed to assist with analytics and operational support.
• Mailchimp (Intuit): Your account on moshims.co.nz or in-store sign-up. Name and email address are transferred to send marketing emails, delivery notifications, and promotional offers.
• SMS Gateway (sms-gate.app): Your account on moshims.co.nz or in- store sign-up.  Name and mobile phone number are transferred to send SMS marketing messages and delivery notifications.
• Meta (Facebook / Instagram):  Browsing activity on moshims.co.nz (via
  Meta Pixel) and customer email lists. Browsing behaviour and email address may be collected or matched by Meta for social media advertising and audience targeting.
• Google Analytics: Browsing activity on moshims.co.nz. Anonymised IP address, pages visited,device type, and browsing behaviour are collected automatically when you visit our website.
• Junior MMKS Limited (subsidiary): Moshims MMK Ltd customer records: Name, contact details, delivery address,order history, and product preferences are shared for marketing, promotional campaigns, and product distribution.

If you are a wholesale customer whose details were provided to us by a referral, business partner, or another organisation,
we will notify you directly at the time we first make contact with you, or as soon as reasonably practicable thereafter.

We collect and use your personal information for the following purposes:

• To process and fulfil your orders, including delivery scheduling and payment processing
• To create and manage your customer account
• To manage wholesale accounts, invoicing, and credit terms
• To communicate with you about your orders, deliveries, and account
• To send you marketing communications (where you have opted in)
• To improve our products, services, and website based on usage patterns and feedback
• To comply with legal and regulatory obligations, including tax and accounting requirements

To operate our internal business systems, including AI-assisted tools for order management, delivery scheduling,
and customer communications.To detect and prevent fraud or other unlawful activity.

Legal basis for collection

Contractual necessity: Where the collection is necessary to fulfil an order, deliver products, or manage your
wholesale account (IPP 1).
Legal obligation: Where we are required by law to retain records, including under the Tax Administration Act 1994
(minimum 7-year retention) and the Goods and Services Tax Act 1985.
Consent: Where you have opted in to receive marketing communications via email or SMS. You may withdraw
consent at any time (see Section 9).
Legitimate business purpose: Where the collection is necessary for internal operations including analytics, delivery
scheduling, stock management, and customer service (IPP 1).

Moshims MMK Ltd has conducted an internal Privacy Impact Assessment in relation to its use of AI tools and third-party service providers. This assessment is reviewed periodically and updated when new tools or providers are introduced.

We use artificial intelligence (AI) tools to help run our business more efficiently. These tools assist us with order management, delivery scheduling, wholesale account management, customer communications, business analytics, and content creation.

Your personal information may be processed by these AI systems solely for the purposes described in Section 5. These are
internal tools operated by and for Moshims — your data is not sold or provided to external AI companies for their own
independent purposes.

AI service providers

Provider, Data processed, Purpose:

• Anthropic (Claude AI): Name, contact details, order history, delivery address AI-assisted order management, delivery scheduling, customer communications, business analytics, and operational automation.
• OpenAI (ChatGPT) Name, contact details, order details AI-assisted content drafting, design feedback, and business communications.
• Google (Gemini AI) Name, email address, order details AI-assisted analytics, operational support, and email communications.

How your data is protected

• All AI providers are accessed via their business API services, contractually separate from their consumer products.
• Under our API agreements, your personal information is not used by these providers to train, improve, or develop
  their AI models.
• AI tools operate under Moshims’ instruction and control — they do not make independent decisions about how your data is used.
• AI-generated content (such as delivery notifications or marketing messages) is reviewed before being sent to you.

Human oversight and accountability

Moshims MMK Ltd retains full responsibility for all decisions made with the assistance of AI tools. No significant decision
affecting you (such as account management, pricing, or service eligibility) is made solely by an automated system without human review.

If you believe an AI-assisted decision has resulted in inaccurate information being held about you, or has adversely affected you, you have the right to request human review. Contact us at info@moshims.co.nz or 027 MOSHIMS.

We regularly review our AI service provider agreements to ensure they meet New Zealand Privacy Act 2020 requirements for
overseas data processing.

In addition to the AI providers described in Section 6, we use the following third-party service providers. These providers
may process your personal information on our behalf and solely for the purposes described in this policy.

Provider, Data processed, Purpose: 

• Stripe (Payment Processing): Name, email, billing address, payment card details. Secure payment processing for online orders. PCI DSS Level 1 certified. Moshims does not store your full card details.
• WooCommerce (WordPress – E-commerce and website): Name, contact details, delivery address, order history. Online ordering platform at moshims.co.nz
• Xero (Accounting and invoicing): Name, contact details, invoice amounts, payment records. Accounting, invoicing, payment reconciliation, and GST compliance.
• Base44 (Business operations): Name, contact details, order history, delivery address, account information. Internal business operations platform (order management, customer records, wholesale account management).
• Junior MMKS Limited (Subsidiary company): Name, contact details, delivery address, order history, product preferences. Marketing, promotional campaigns, product distribution, and order fulfilment. Operates under the same privacy obligations as Moshims MMK Ltd.

Your personal information is only shared with these providers to the extent necessary to deliver the services described above. None of these providers are authorised to use your data for their own marketing or other independent purposes.

Your personal information may be processed or stored by the following providers on our behalf. Each provider processes
data only for the purposes stated below and in accordance with their own privacy policies.

Provider, Data processed / stored, Purpose

• Hostinger: Website data, customer accounts, order records, WooCommerce database. Website hosting for moshims.co.nz
• Cloudflare: Website traffic data, cached content, security logs. Content delivery, DDoS protection, and SSL encryption.
  Base44: Customer records, order data, wholesale accounts, product catalogue. Internal business operations platform.
• Google Workspace: Business email communications. Business email (apex@moshims.co.nz)
• Stripe: Name, email, billing address, payment card details, transaction records. Secure payment processing (PCI DSS Level 1).
• Xero: Name, contact details, invoice amounts, payment records. Accounting, invoicing, and GST compliance
• Mailchimp (Intuit): Name, email address Email marketing and customer communications.
• SMS Gateway: Name, mobile phone number SMS marketing and delivery notifications.
• Meta (Facebook / Instagram): Name, email (custom audiences), interaction data. Social media marketing and advertising.
• Anthropic (Claude AI): Name, contact details, order history, delivery address. AI-assisted order management and
  communications.
• OpenAI (ChatGPT): Name, contact details, order details. AI-assisted content drafting and design.
• Google (Gemini AI): Name, email address, order details. AI-assisted analytics and operational support.
• Junior MMKS Limited: Name, contact details, order history, product preferences. Marketing and product distribution (subsidiary).

For full details on how each provider handles your data, please refer to their respective privacy policies:

• Hostinger: hostinger.com/legal/privacy-policy
• Cloudflare: cloudflare.com/privacypolicy
• Base44: base44.app/privacy
• Google (Workspace and Gemini): policies.google.com/privacy
• Stripe: stripe.com/privacy
• Xero: xero.com/nz/about/legal/privacy
• Mailchimp (Intuit): intuit.com/privacy/statement
• SMS Gateway: sms-gate.app/privacy
• Meta: facebook.com/privacy/policy
• Anthropic: anthropic.com/privacy
• OpenAI: openai.com/policies/privacy-policy

Where your personal information is transferred overseas, we ensure that appropriate safeguards are in place in
accordance with the New Zealand Privacy Act 2020 (Information Privacy Principle 12).

Data retention

We retain your personal information only for as long as necessary to fulfil the purposes described in this policy, or as
required by law. Order and transaction records are retained for a minimum of seven (7) years to comply with New Zealand
tax and business record-keeping requirements under the Tax Administration Act 1994.

We may use your personal information to send you marketing and promotional communications about our products,
services, offers, and events. We use the following tools to manage these communications.

Provider, Data processed, Purpose:

• Mailchimp (Intuit): Name, email address. Email marketing campaigns, delivery notifications, promotional offers,
  newsletters, and seasonal announcements.
• SMS Gateway (sms-gate.app): Name, mobile phone number. SMS marketing messages, delivery notifications, order confirmations, and promotional offers.
• Meta (Facebook and Instagram): Name, email (for custom audiences), public interaction data. Social media marketing, targeted advertising, and customer engagement.
• Junior MMKS Limited: Name, contact details, delivery address, product preferences. Marketing campaigns, promotional offers, and product distribution on behalf of Moshims MMK Ltd.

Your marketing choices

You have the right to opt out of marketing communications at any time:

• Click the “unsubscribe” link at the bottom of any marketing email
• Reply STOP to any marketing SMS message
• Contact us at info@moshims.co.nz or 027 MOSHIMS

Opting out of marketing will not affect transactional communications (such as order confirmations and delivery
notifications), which are necessary to fulfil your orders. We will never sell your contact information to third parties for their own marketing purposes.

Under the New Zealand Privacy Act 2020, you have the right to access, correct, and request deletion of your personal information held by Moshims MMK Ltd.

Right to access

You may request a copy of the personal information we hold about you. We will respond within twenty (20) working days,
as required by the Privacy Act 2020.

Right to correction

If any personal information we hold about you is inaccurate, incomplete, or out of date, you may request that we correct
it.

Right to request deletion

You may request that we delete your personal information where:

• The information is no longer necessary for the purpose it was collected
• You withdraw your consent (where consent was the basis for processing)
• There is no legal or regulatory requirement for us to retain the information

We are legally required to retain certain records (such as order and financial transaction data) for seven (7) years under New Zealand tax law. Where a deletion request conflicts with a legal retention obligation, we will inform you and restrict processing of the data instead of deleting it.

How to make a request

To exercise any of your rights, please contact us:

• Email info@moshims.co.nz — subject line “Privacy Request — [Access / Correction /
  Deletion]”
• Phone 027 MOSHIMS (Monday to Saturday, 8:00 AM – 5:00 PM NZST)

Identity verification
To process your request, please include:

1. Your full name, as it appears on your account or order
2. Your email address or phone number associated with your account
3. A description of the information you wish to access, correct, or delete
4. A copy of valid photo identification (for deletion requests only)

Processing timeframes

• Access and correction requests: responded to within twenty (20) working days.
• Deletion requests: actioned within twenty (20) working days. Written confirmation provided once complete, or a
  written explanation if deletion cannot be fulfilled.
• If we refuse a request, we will provide the reason in writing and advise you of your right to complain to the Office
  of the Privacy Commissioner.

Right to complain

If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner of New
Zealand: • Website: privacy.org.nz • Phone: 0800 803 909.

The Services may enable you to post product reviews and other user-generated content. If you choose to submit user generated content to any public area of the Services, this content will be public and accessible by anyone. We do not control who will have access to the information that you choose to make available to others, and cannot ensure that parties who have access
to such information will respect your privacy or keep it secure. We are not responsible for the privacy or security of any information that you make publicly available, or for the accuracy, use or misuse of any information that you disclose or receive from third parties.

Our Site may provide links to websites or other online platforms operated by third parties. If you follow links to sites not affiliated or controlled by us, you should review their privacy and security policies and other terms and conditions. We do not guarantee and are not responsible for the privacy or security of such sites, including the accuracy, completeness, or reliability of information found on these sites. Information you provide on public or semipublic venues, including information you share on third-party social networking platforms may also be viewable by other users of the Services and/or users of those third-party platforms without limitation as to its use by us or by a third party. Our inclusion of such links does not, by itself, imply any endorsement of the content on such platforms or of their owners or operators, except as disclosed on the Services.

The Services are not intended to be used by children, and we do not knowingly collect any personal information about children. If you are the parent or guardian of a child who has provided us with their personal information, you may contact us using the contact details set out below to request that it be deleted.

As of the Effective Date of this Privacy Policy, we do not have actual knowledge that we “share” or “sell” (as those terms are defined in applicable law) personal information of individuals under 16 years of age.

Please be aware that no security measures are perfect or impenetrable, and we cannot guarantee “perfect security.” In addition, any information you send to us may not be secure while in transit. We recommend that you do not use unsecure channels to communicate sensitive or confidential information to us.