Privacy Policy

1. Who we are

HazardMap operates this platform. We are the data controller for personal information collected through the Service. You can contact us at privacy@hazardmap.nz.

2. What information we collect

Account information

When you register, we collect your email address and a username you choose. If you sign in with Google, we receive your Google account email and display name.

Location data

If you grant location permission, your browser’s GPS coordinates are used to centre the map on your current position. With your consent, your preferred home location (latitude, longitude, zoom level) is stored in your profile to personalise future visits. We also use your IP address to provide an approximate location if GPS is unavailable — this is not stored beyond the current session.

Hazard reports and comments

Hazards and comments you submit are stored in our database and associated with your user account. If you choose to post anonymously, your username is hidden from the public map, but your account ID is still privately linked for moderation purposes.

Usage data

Firebase (Google) may collect technical usage data as part of providing authentication and database services. This includes IP addresses, device type, and browser information. See Firebase’s privacy information for details.

Cookies and local storage

We use browser local storage (not third-party advertising cookies) to remember your map preferences, active data layers, consent choice, and login session. These are essential to the Service’s operation and cannot be disabled without significantly affecting your experience.

3. Why we collect it

We process your personal information for the following purposes:

• Account management — to create and maintain your account and authenticate your identity
• Service delivery — to display hazards relevant to your location and show your contributions on the map
• Moderation — to review reported content and enforce our Terms of Use
• Safety — to contact you about important updates to your reported hazards
• Platform improvement — aggregated, anonymised analytics to understand how the Service is used

Our legal basis under GDPR is: (a) performance of a contract (account and hazard features); (b) legitimate interests (platform safety and moderation); and (c) consent (location data and optional analytics).

4. Who we share data with

We do not sell your personal information. We share it only with:

• Google Firebase — for authentication, database storage, and file storage. Data is stored in Google Cloud infrastructure.
• Mapbox — your map viewport is sent to Mapbox to render map tiles. See Mapbox’s privacy policy.
• Public map data — hazards you post as “Public” are visible to all users of the platform.
• Law enforcement — if required by a valid legal order under New Zealand law.

5. Data retention

We retain your account information for as long as your account is active. Hazard reports (including resolved ones) are retained indefinitely as part of the platform’s historical record, though resolved hazards are hidden from the live map.

Organisation data is permanently deleted 30 days after an organisation is scheduled for deletion.

If you request account deletion, we will remove your profile and deidentify your hazard reports within 30 days.

6. Your rights

Under the NZ Privacy Act 2020 and GDPR, you have the right to:

• Access — request a copy of the personal information we hold about you
• Correction — ask us to correct inaccurate information
• Erasure — request deletion of your personal information (subject to legal obligations)
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests
• Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, email privacy@hazardmap.nz. We will respond within 20 working days (as required by the NZ Privacy Act 2020) or within one calendar month (as required by GDPR).

7. Security

We use industry-standard security measures including encrypted data transmission (HTTPS), Firebase Authentication with secure token management, and Firestore security rules that restrict access to authorised users only.

No system is completely secure. If you believe your account has been compromised, contact us immediately at security@hazardmap.nz.

8. Children’s privacy

The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has registered without parental consent, please contact us and we will remove their account promptly.

9. Changes to this policy

We may update this policy from time to time. We will notify registered users of material changes by email or in-app notice. The date at the top of this page shows when it was last revised.

10. Complaints

If you have a complaint about how we handle your personal information, please contact us first at privacy@hazardmap.nz. If you are not satisfied with our response, you may contact:

• The New Zealand Privacy Commissioner (for NZ users)
• Your national data protection authority (for EU/EEA users)

11. Contact

Privacy enquiries: privacy@hazardmap.nz