StopBy

Privacy

Privacy · StopBy
Privacy

Privacy.

How StopBy treats your data — in plain English.

Last updated · 1 May 2026
In short
  • StopBy is being built. There’s no app yet. The only personal data we hold right now is your email — if you’ve joined the waitlist.
  • When the app launches, your location is processed on your phone. It does not leave your device in raw form.
  • We will never sell your data, show you ads, or share it with data brokers. Ever.

01Who we are

StopBy is being built by Tom Hartley, a sole trader based in Havelock North, New Zealand. References to StopBy, we, us, or our in this policy mean Tom Hartley, operating under the StopBy brand.

The website at stopby.ai is operated under that legal entity. When the iOS app launches, it will be published under the same.

The Privacy Officer for StopBy is Tom Hartley. You can reach him at privacy@stopby.ai.

02What this policy covers

This policy covers two things:

  • The stopby.ai website and any data we collect when you visit it
  • A forward-looking statement about how the StopBy iOS app will handle data when it launches

The app itself doesn’t exist yet, so most of this document is about the website. When the app launches, this policy will be updated with specific app-data sections, and we’ll notify everyone on the waitlist before the change takes effect.

03What we collect right now

The website collects very little.

From you, directly

  • Your email address, if you’ve joined the waitlist. That’s the only personal information you actively give us.
  • Anything you write to us — for example, replies to our emails or messages to hello@stopby.ai.

Automatically, when you visit

  • Standard server logs: your IP address, browser type, the pages you visited, the page that referred you. This is automatic for any website. We use it to spot abuse, fix errors, and understand which content people are reading.
  • No advertising trackers, no third-party analytics scripts, no fingerprinting.

From third parties

Nothing. We don’t buy personal data from brokers, scrape it from social media, accept it from recruiters, or import it from marketing-data providers. New Zealand’s new Information Privacy Principle 3A — introduced by the Privacy Amendment Act 2025 and in force from 1 May 2026 — requires organisations to notify individuals when their personal information is collected indirectly from any source other than themselves. We don’t do indirect collection, so we have nothing to notify anyone about. If that ever changes, we’ll tell the affected person, in line with IPP3A.

04How we use your data

Your email

We use it to send you occasional pre-launch updates and to tell you when the app is available. That’s it. Every email contains a one-click unsubscribe link, and unsubscribing deletes your address from our list.

Server logs

Aggregated, kept for 30 days, then deleted. Used to detect abuse and understand traffic patterns. Not linked to individuals.

Things we won’t do with your email: sell it, rent it, share it with advertisers, hand it to other companies for their marketing, or use it to build a profile for advertising.

05Who we share with

We share your email address with our email service provider so that we can send you the updates you signed up for. They process this data on our behalf as a processor under their own privacy commitments. The current provider is named in our contact-us reply, and we’ll update this section once the choice is finalised pre-launch.

We may share data with our website hosting provider (which automatically processes server logs), and with a payment processor when the app launches and you choose to pay for a subscription.

Beyond these necessary processors, we don’t share your data with anyone. We never sell it. We never share it with advertisers, data brokers, or third parties for marketing purposes.

We may disclose data if required to by law (for example, in response to a valid court order under New Zealand law), but we will tell you about that disclosure unless legally prohibited.

06Your rights

Under the New Zealand Privacy Act 2020, the Australian Privacy Act 1988 (as amended by the Privacy and Other Legislation Amendment Act 2024), the EU/UK GDPR (where applicable to you), and similar privacy laws, you have the right to:

  • Ask what personal information we hold about you
  • Have it corrected if it’s wrong or out of date
  • Have it deleted
  • Object to processing or withdraw consent (for example, by unsubscribing)
  • Receive a copy of your data in a portable format
  • Lodge a complaint with the New Zealand Privacy Commissioner (privacy.org.nz), the Australian Office of the Australian Information Commissioner (oaic.gov.au), or your local data protection authority

To exercise any of these rights, email privacy@stopby.ai. We respond within 20 working days, often faster.

07Data retention

  • Your email address: kept for as long as you’re subscribed. If you unsubscribe, deleted within 30 days.
  • Server logs: 30 days, then deleted.
  • Messages you’ve sent us: kept for up to 24 months in case we need to follow up, then deleted.

08Security

The website runs over HTTPS. Your email is stored in our email service provider’s encrypted database, accessible only to authenticated administrators (currently a list of one — the founder). We don’t store payment information today because there’s nothing to pay for yet. When the app launches, payments are handled by Apple via the App Store, and we never see your card details.

No system is perfect. If we ever experience a privacy breach that affects you, we will notify you in line with the New Zealand Privacy Act 2020 notifiable-breach requirements, the Australian Notifiable Data Breaches (NDB) scheme, and (where applicable) GDPR’s 72-hour reporting standard.

09International users

StopBy is a New Zealand business, but the website is accessible globally. Whichever country you’re visiting from, we apply the strongest applicable standard from these:

  • NZ Privacy Act 2020 — the baseline for everyone
  • Australian Privacy Act 1988 (as amended by the Privacy and Other Legislation Amendment Act 2024) and the 13 Australian Privacy Principles (APPs) — for visitors and users in Australia
  • EU/UK GDPR — for visitors based in those regions
  • California CCPA/CPRA — for California residents

If you’re in a region with stronger protections, those protections apply to your data with us.

10Cookies and analytics

The stopby.ai website uses no advertising cookies, no tracking pixels, and no third-party analytics that profile individuals. We may use a single, privacy-respecting analytics tool that records aggregate page-view counts without setting cookies or recording personal data.

If we ever introduce anything that requires consent under the EU’s ePrivacy directive or similar law, we’ll show a clear consent banner before doing so.

11Children

StopBy is intended for adults. The website doesn’t knowingly collect personal data from anyone under 16. If you are a parent or guardian and you believe a child has signed up, email privacy@stopby.ai and we’ll delete the record promptly.

When the iOS app launches, family sharing will permit children’s accounts under parental control, with restricted categories (no liquor alerts, etc.). Specific details will be added to this policy at launch.

12Changes to this policy

We’ll update this policy when we add the app or change anything material. The last updated date at the top will change.

If a change is significant — for example, the app launching, or a new third-party processor being added — we’ll email everyone on the waitlist before the change takes effect. Continuing to use the website (or the app, when it ships) after a change means you accept the updated policy.

13When the app launches

The StopBy app is being designed privacy-first by architecture. When it launches, this policy will be expanded to cover specifics, but the architectural commitments are:

  • Location is processed on your phone. Raw location coordinates do not leave your device in normal operation. Region-monitoring is handled by iOS itself; StopBy receives notifications when you’re near a relevant store, processes them locally, and decides whether to alert you.
  • What syncs to the cloud is errand metadata only. Your shopping items, categories, and preferences sync via Apple’s CloudKit, which is end-to-end encrypted. They never touch our servers.
  • Family sharing is between members you’ve added. Closest-member alerts are computed using only distances (not coordinates) shared between your family devices, end-to-end encrypted via CloudKit.
  • Payments are handled by Apple. Subscription billing goes through the App Store. We never see your card or banking details. Subscription status is managed by RevenueCat, a third-party processor under their own privacy commitments.
  • No analytics on your locations. We do not log, analyse, or aggregate where you go. Aggregate event analytics (the app was launched, an alert was acknowledged) are reported only at counts-without-identity level.

Full details — including the specific cloud regions, processor list, and your rights to delete app data — will be published before launch.

14Contact

For privacy enquiries: privacy@stopby.ai

For everything else: hello@stopby.ai

Postal: Tom Hartley · StopBy · Havelock North · New Zealand. (Specific street address available on request via the privacy email.)

Questions, or want your data deleted?

Email privacy@stopby.ai and we’ll respond within 20 working days, usually faster.