Privacy Policy
We collect the minimum we need to run the product. We don't sell data. We don't share it except to operate the service. Here's the full picture.
Who we are
Papilio is operated by QVT Technology Limited, a company incorporated in New Zealand. We provide payments infrastructure software to businesses under the Papilio brand.
If you have questions about this policy or want to exercise your privacy rights, contact us at quinn@qvt.co.nz.
NZBN: 9429052870699 · Registered address: 12 Manalay Lane, Christchurch, New Zealand
What we collect
We collect three categories of information.
When you request early access or sign up, we collect your name and email address. When you use Papilio, we store the business data you enter — entity schemas, flow configurations, customer records, and payment history. When you contact us, we keep a record of that communication.
When you use the Papilio platform or visit papilio.sh, we automatically collect certain technical information: IP address, browser type, device type, pages visited, and session data. On the marketing site (papilio.sh) we use Google Analytics to understand how visitors find and use the site. In the Papilio web application we use Microsoft Clarity for session recording and UX analysis, Firebase Analytics for product usage data, and Sentry for error tracking and performance monitoring.
When you connect GoCardless, Stripe, or Akahu to Papilio, those providers send us payment event data — amounts, statuses, timestamps, mandate references — as part of operating the service. We do not receive raw card numbers, CVVs, or full bank account numbers from any provider. Those stay with the provider.
How we use it
We use the information we collect to:
Third party services
Papilio uses the following third-party services to operate. Each has its own privacy policy governing how they handle data.
| Service | Purpose | Data sent |
|---|---|---|
| AWS | Cloud infrastructure | All platform data (encrypted) |
| Google Analytics | Marketing site analytics | Anonymised browsing data |
| Microsoft Clarity | UX session recording (web app) | Session interactions |
| Firebase Analytics | Product usage analytics (web app) | Feature usage events |
| Sentry | Error and performance monitoring | Error stack traces, performance |
| Formspree | Contact form submissions | Name, email, message |
| Stripe | Payment processing (if connected) | Payment event data |
| GoCardless | Direct debit (if connected) | Mandate and payment event data |
| Akahu | Open banking NZ (if connected) | Account and transaction data |
| Xero / MYOB | Accounting export (if connected) | Invoice and transaction records |
Payment and accounting integrations are only connected if you explicitly configure them. Connecting an integration is your instruction to Papilio to exchange data with that provider on your behalf.
Where data is stored
Papilio stores data on AWS infrastructure across multiple regions. Depending on configuration, data may be stored in Australia, the United States, or the European Union. We use MongoDB Atlas for the primary database, which runs on AWS.
All data is encrypted at rest (AES-256) and encrypted in transit (TLS 1.2 minimum). Provider credentials — your Stripe secret key, GoCardless token, Akahu credentials — are stored in AWS Secrets Manager and never in application code or environment variables.
By using Papilio, you consent to your data being processed in these regions. If you have specific data residency requirements, contact us before signing up.
How long we keep it
| Data type | Retention | Reason |
|---|---|---|
| Account and contact data | While active + 90 days | Account operation |
| Payment event logs | 7 years | Financial compliance (legal requirement) |
| Entity and configuration data | While active + 90 days | Service operation |
| Error and performance logs (Sentry) | 90 days | Debugging and monitoring |
| Analytics data | 26 months | Product improvement |
| Support communications | 3 years | Support history |
The 7-year retention on payment event logs is a legal requirement in most jurisdictions for financial records. It applies even if you close your account. All other data is deleted within 90 days of account closure on written request.
Your rights
Under the New Zealand Privacy Act 2020, you have the right to:
To exercise any of these rights, email quinn@qvt.co.nz. We will respond within 20 working days as required by the Privacy Act.
If you are located in the European Union or United Kingdom, additional rights may apply under GDPR or UK GDPR. Contact us to discuss your specific situation.
Cookies & analytics
We use the following cookies and tracking technologies:
Google Analytics — we use Google Analytics to understand how visitors find and navigate the marketing site. This sets cookies that track anonymised browsing behaviour. You can opt out using the Google Analytics opt-out browser add-on or by adjusting your browser's cookie settings.
Essential cookies — we set a session cookie to remember your audience preference (founder or developer view). This is stored in localStorage and does not leave your browser.
Microsoft Clarity — records anonymised session interactions to help us improve the product. Clarity may capture mouse movements, clicks, and scroll behaviour. It does not capture passwords or payment credentials.
Firebase Analytics — tracks feature usage events within the application to help us understand which parts of the product are working well.
Sentry — captures error events and performance data. This may include technical information about your session when an error occurs.
We do not use advertising cookies or retargeting pixels on either the marketing site or the application.
Changes to this policy
We will notify you by email if we make material changes to this policy. The current version will always be available at papilio.sh/privacy. The date at the top of this page shows when it was last updated.
Continued use of Papilio after a material change constitutes acceptance of the updated policy.
Contact
For any privacy questions, data requests, or concerns: