Trust at Admitto
Admitto is built for IAA-licensed immigration advisers. Every assessment is auditable, every citation is traceable, every record is defensible.
At a glance
Compliance alignment: engineering change control. Every push to main runs TypeScript typecheck, a production build, and offline test suites in GitHub Actions. We do not claim SOC 2 or ISO 27001 certification.
New Zealand Privacy Act 2020 — Information Privacy Principles
The table below summarises how Admitto approaches each IPP in the context of our product and published Privacy Policy. It is not legal advice; your firm should satisfy itself for regulatory filings.
| IPP | Principle | How Admitto addresses it |
|---|---|---|
| IPP 1 | Purpose of collection | We collect personal information only to operate the assessment platform, authenticate advisers, bill subscriptions, and meet legal obligations — as described in our Privacy Policy. We do not sell data or use it for unrelated advertising. |
| IPP 2 | Source of personal information | Account and billing data come from you (or Stripe for payment metadata). Client case data is entered by the licensed adviser on behalf of their client. Technical logs may be generated automatically when you use the service. |
| IPP 3 | Notification of collection | Our Privacy Policy and Terms describe what we collect and why. We do not operate a separate “collection notice” beyond those documents and in-product disclosure; advisers remain responsible for their own client-facing privacy notices. |
| IPP 4 | Manner of collection | Information is collected through the web application (forms, uploads) and standard HTTP requests. We do not use covert tracking or third-party advertising pixels for client case data. |
| IPP 5 | Storage and security of personal information | Data is stored with Supabase (encrypted at rest by the platform) and transmitted over HTTPS. Database row-level security restricts each adviser’s access to their own applications. Passwords are handled by Supabase Auth (not stored in plaintext by us). We are not independently certified to SOC 2 or ISO 27001. |
| IPP 6 | Access by individuals to personal information | Advisers can access their own account and client records through the product. For formal Privacy Act access requests, contact privacy@admitto.co; we will respond within statutory timeframes. |
| IPP 7 | Correction of personal information | Advisers can update account and case data in the product where the UI allows. For corrections to information we hold outside self-service, contact privacy@admitto.co. |
| IPP 8 | Accuracy of personal information | We rely on advisers to supply accurate client information. The product may surface inconsistencies (for example between profile fields and extracted document text); final accuracy remains the adviser’s professional responsibility. |
| IPP 9 | Retention of personal information | Retention periods are set out in our Privacy Policy (including post-closure and assessment record retention). We do not retain personal information indefinitely without a stated basis. |
| IPP 10 | Limits on use of personal information | We use personal information only to provide and improve the service, bill, communicate operationally, comply with law, and secure the platform — not for unrelated sale or profiling, as stated in the Privacy Policy. |
| IPP 11 | Limits on disclosure | We disclose personal information only to sub-processors necessary to run the service (listed on this page), when legally required, or as you direct. We do not sell personal information. |
| IPP 12 | Disclosure outside New Zealand | Primary hosting is outside New Zealand today (see Data residency). Sub-processors in the United States and other jurisdictions process data under our agreements and, where applicable, standard contractual terms. A Sydney-region migration is planned to better align with NZ data-residency expectations. |
| IPP 13 | Unique identifiers | We use technical identifiers (for example user IDs, application UUIDs) only as needed for authentication, authorisation, and audit logs — not for merging unrelated datasets about individuals across unrelated contexts. |
Full policy: Privacy Policy.
IAA Code of Conduct 2014 — where the product helps
Licensed advisers remain solely responsible for compliance with the Code. Admitto is a tool that supports consistent documentation and traceability for parts of an adviser's workflow — it does not replace professional judgment or obligations to clients.
| Clause | Topic | Product alignment |
|---|---|---|
| cl. 1 | Confidentiality and due care | Admitto is software used by licensed advisers, not an immigration adviser itself. The platform is designed so sensitive client identifiers are not sent to AI providers in prompts where the pipeline strips them; advisers must still exercise professional confidentiality over all client information they hold. |
| cl. 26 | Record-keeping | Each assessment stores structured outputs, citation metadata, and (where enabled) an assessment snapshot suitable for audit. A SHA-256 audit hash over canonical JSON supports tamper-evident checks; PDF/RFI exports can enforce verify-on-read when the optional integrity flag is turned on in an environment. |
| cl. 31 | File completeness and quality of records | The product encourages traceable INZ citations (tiered authority in the assessment engine) and records which policy snapshot and engine versions were in force. Completeness of the underlying client file remains the adviser's obligation under the Code. |
Terms: Terms of Service (nature of the service, not legal advice).
Audit mechanism
After each assessment, Admitto can persist a structured snapshot (for example sanitised profile fields used in the pipeline, fingerprints of retrieved INZ chunks, deterministic rule outputs, final criteria results, token usage metadata, and a policy snapshot capturing threshold and model identifiers at decision time). A SHA-256 digest is computed over canonical JSON: object keys are serialised in a fixed order, and arrays such as retrieved sections and criteria are sorted by stable keys before hashing, so harmless reordering does not change the digest. The digest is stored on the assessment record; on read, the same inputs can be recomputed and compared (for example for PDF export, RFI generation, or scheduled integrity scans when an environment enables that check). A mismatch means something material in the replay inputs changed; it is surfaced to the adviser rather than silently ignored.
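The canonicalise-then-hash and verify-on-read steps described above, as an added illustration that is not Admitto's own code. The snapshot shape, the stable-key names (`id`, `criterion`) and the sample data are assumptions constructed for the example.

```typescript
import { createHash } from "node:crypto";

type Snapshot = Record<string, unknown>; // assumed: a snapshot is a plain JSON object
const STABLE_KEYS = ["id", "criterion"]; // assumed stable-key names for array sorting

// Recursively canonicalise: sort object keys, and sort arrays of objects by the
// first stable key every element carries, so reordering does not change the digest.
function canonicalize(value: unknown): unknown {
  if (Array.isArray(value)) {
    const items = value.map(canonicalize) as Record<string, unknown>[];
    const key = STABLE_KEYS.find((k) =>
      items.length > 0 && items.every((i) => i !== null && typeof i === "object" && k in i));
    if (key) {
      // Code-point comparison rather than localeCompare, so the order is environment-independent.
      items.sort((a, b) => (String(a[key]) < String(b[key]) ? -1 : String(a[key]) > String(b[key]) ? 1 : 0));
    }
    return items;
  }
  if (value !== null && typeof value === "object") {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(src).sort()) out[k] = canonicalize(src[k]);
    return out;
  }
  return value;
}

// SHA-256 over the canonical JSON serialisation, hex-encoded.
export function auditHash(snapshot: Snapshot): string {
  return createHash("sha256").update(JSON.stringify(canonicalize(snapshot))).digest("hex");
}

// Verify-on-read: recompute from the replay inputs and compare with the stored digest.
export function verifyOnRead(snapshot: Snapshot, storedHash: string): boolean {
  return auditHash(snapshot) === storedHash;
}

// Constructed samples: identical content, different key and array order.
export const snapA: Snapshot = {
  retrievedSections: [{ id: "sec-2", score: 0.91 }, { id: "sec-1", score: 0.87 }],
  criteria: [{ criterion: "age", met: true }, { criterion: "points", met: false }],
  policy: { model: "example-model", threshold: 0.5 },
};
export const snapB: Snapshot = {
  policy: { threshold: 0.5, model: "example-model" },
  criteria: [{ criterion: "points", met: false }, { criterion: "age", met: true }],
  retrievedSections: [{ id: "sec-1", score: 0.87 }, { id: "sec-2", score: 0.91 }],
};
```

Because the digest is computed over the canonical form, `snapA` and `snapB` hash identically, while changing any material value (for example the policy threshold) makes `verifyOnRead` fail.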
Data residency
Today, primary relational data and authentication for the product live in Supabase hosted in the Tokyo (ap-northeast-1) region on Supabase infrastructure. Sydney-region hosting is planned to improve alignment with New Zealand data-residency expectations under the Privacy Act 2020 — treat Sydney as a roadmap item, not the current default.
Application compute and static assets are served through Vercel (global edge and serverless regions as routed by that platform). Encryption in transit and at rest follows the practices described above and in our Privacy Policy.
Sub-processors and data flows
Personal information may be processed outside New Zealand. Below is a concise list of key sub-processors and what categories of data typically reach each.
| Processor | Role | Typical data |
|---|---|---|
| Anthropic (United States) | Claude API — eligibility assessment, RFI/cover-letter drafting where used | Sanitised profile and task text you submit to the API routes; no deliberate passport/DOB in model prompts per product rules. |
| Voyage AI (United States) | Embeddings / reranking for retrieval | Query text derived from visa category and profile fields sent for embedding; refer to Voyage AI's published privacy and data-processing terms for retention and subprocessors. |
| Supabase (Tokyo today; Sydney planned) | Postgres database, auth, storage, RLS | Account data, client profiles, assessment results, snapshots, and application metadata. |
| Vercel (global) | Application hosting, serverless functions, CDN | HTTP requests and responses; may include auth tokens in transit; error telemetry if Sentry is initialised from server routes. |
| Resend (United States) | Transactional email | Recipient address, subject, and message bodies for operational emails (for example assessment complete). |
| Stripe (United States) | Subscription billing | Payment and customer metadata handled by Stripe — Admitto does not store full card numbers. |
| Sentry (United States) | Error and performance monitoring | Error payloads, stack traces, and request metadata; configured to avoid logging secrets where possible. |
Incident response
We monitor production health and application errors through Sentry and can run optional audit-hash integrity scans over recent assessments when that feature is enabled for an environment. We classify incidents that may affect personal information — for example suspected unauthorised access to adviser or client data, confirmed exposure of credentials, prolonged platform unavailability affecting access to records, or systematic audit-integrity failures — for adviser notification. Where the Privacy Act 2020 applies and a notifiable privacy breach is assessed, we aim to notify affected advisers within 72 hours of becoming aware of the breach, consistent with the Act's serious harm notification framework (subject to investigation and legal scoping).
Contact
Security: security@admitto.co
Privacy: privacy@admitto.co
Halcyon Technologies Limited · Auckland, New Zealand · Operates Admitto (admitto.co)