Privacy Policy

1. About This Policy

This Privacy Policy explains how Friendswith Limited (NZBN: to be confirmed), trading as Formè Studio (“we”, “us”, “our”), collects, holds, uses, and discloses personal information. We operate the Formè Studio platform available at formestudio.io (the “Platform”).

We are committed to protecting your privacy and handling your personal information in accordance with:

• The New Zealand Privacy Act 2020 and the 13 Information Privacy Principles (IPPs);
• The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
• The Australian Spam Act 2003 (Cth);
• Meta Platform’s developer policies and data handling requirements; and
• Stripe’s connected account and data handling requirements.

By accessing or using the Platform, you agree to the collection and use of your information as described in this policy. If you do not agree, please do not use the Platform.

2. Who We Are

• Legal Entity: Friendswith Limited
• Trading Name: Formè Studio
• Country of Incorporation: New Zealand
• Website: https://formestudio.io
• Contact Email: studio@formestudio.io
• Privacy Enquiries: privacy@formestudio.io

3. Information We Collect

3.1 Information You Provide Directly

• Account information: name, email address, password (hashed), and profile details when you register;
• Payment information: billing name, billing address, and payment card details (processed and stored by Stripe — we do not store raw card data);
• Enquiry & contact information: name, phone number, email, business name, and any message content you submit via our enquiry forms;
• Content: photos, videos, captions, hashtags, and other materials you upload or create on the Platform;
• Communications: messages exchanged with our team through the Platform, including package notes and quote discussions.

3.2 Information We Collect Automatically

• Log data: IP address, browser type, pages visited, referring URL, and timestamps;
• Device information: device type, operating system, and unique device identifiers;
• Usage data: features used, content scheduled, actions taken within the Platform;
• Cookies and similar technologies: session cookies required for authentication and security (see Section 10).

3.3 Information from Third Parties

• Meta / Instagram: when you connect your Instagram Business or Creator account, we receive your Instagram user ID, username, profile picture, account type, access tokens, follower counts, media metadata, and publishing permissions as authorised by you through Meta’s OAuth flow;
• Stripe: payment confirmation, transaction identifiers, and subscription status to manage your billing;
• Google reCAPTCHA Enterprise: anti-fraud signals to protect our forms from automated abuse.

4. How We Use Your Information

We use personal information for the following purposes:

4.1 Providing and Improving the Platform

• Creating and managing your account;
• Scheduling and publishing Instagram content on your behalf;
• Processing package bookings, quotes, and payments;
• Delivering content calendars, templates, and studio resources;
• Responding to your support enquiries and messages;
• Improving Platform features, security, and user experience.

4.2 Communications

• Sending transactional emails (booking confirmations, payment receipts, package updates);
• Sending service notifications and important Platform updates;
• With your consent, sending marketing communications about new features or offers (you may opt out at any time).

4.3 Legal & Safety

• Complying with applicable laws, regulations, and court orders;
• Preventing fraud, abuse, and security incidents;
• Enforcing our Terms of Service;
• Responding to data subject rights requests.

4.4 Legal Basis (Australian users)

We collect and use personal information where it is reasonably necessary for our functions or activities, with your consent, or as otherwise permitted under the Australian Privacy Act 1988.

5. Instagram and Meta Platform Data

Formè Studio uses Meta’s Graph API to publish content to Instagram on your behalf. By connecting your Instagram account, you authorise us to:

• Read your Instagram profile, media, and account insights;
• Publish posts, stories, and reels to your Instagram account on your specified schedule;
• Read and manage Instagram comments where applicable.

5.1 Data We Receive from Meta

We receive and store only the Instagram data necessary to provide the scheduling service, including:

• Instagram user ID and username;
• Long-lived access tokens (stored encrypted);
• Published media metadata;
• Account connection status.

5.2 How We Use Instagram Data

• Instagram data is used solely to provide the content scheduling features of the Platform;
• We do not sell, licence, or share your Instagram data with third parties for advertising or any unrelated purpose;
• We do not use Instagram data to build profiles for advertising targeting;
• Access tokens are stored securely and revoked immediately upon account disconnection.

5.3 Data Deletion

In compliance with Meta’s Platform Policy, you may request deletion of all data we have received from Meta about you. You can do this by:

• Using the “Delete My Data” option in your Account Settings; or
• Visiting our data deletion page at /data-deletion; or
• Revoking access through your Facebook App Settings.

Upon a verified deletion request, we will permanently delete all Meta-sourced data within 30 days and provide you with a confirmation code to verify deletion status.

5.4 Meta’s Privacy Policy

Your use of Instagram is also subject to Meta’s Privacy Policy. We are not responsible for Meta’s data practices.

6. Payment Processing (Stripe)

All payment processing is handled by Stripe, Inc. and its affiliates (“Stripe”). When you make a payment on the Platform:

• Your payment card details are submitted directly to Stripe and are never stored on our servers;
• We receive from Stripe: transaction IDs, last-four card digits, card type, billing address, payment status, and subscription details;
• Stripe processes your data in accordance with the Stripe Privacy Policy and is certified to PCI DSS standards.

We use Stripe payment data solely to process transactions, manage subscriptions, issue refunds, and resolve billing disputes.

7. Disclosure of Personal Information

We do not sell your personal information. We may disclose it to:

7.1 Service Providers

• Google Firebase / Firestore — database, authentication, and file storage (data stored in selected regions);
• Stripe — payment processing;
• Meta Platforms — Instagram content publishing;
• Google reCAPTCHA Enterprise — fraud prevention;
• Vercel — hosting and infrastructure;
• Email delivery providers for transactional communications.

All service providers are contractually required to protect personal information and use it only for the specified purpose.

7.2 Legal Requirements

We may disclose personal information if required to do so by law, court order, or governmental authority, or to protect the rights, property, or safety of Friendswith Limited, its users, or the public.

7.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal information may be transferred to the acquiring entity, subject to the same privacy protections.

7.4 Cross-Border Transfers

Some of our service providers are located outside New Zealand and Australia (including the United States). Where we transfer personal information overseas, we take reasonable steps to ensure the recipient handles it consistently with applicable privacy laws, including through contractual protections.

8. Your Rights

8.1 New Zealand Users

Under the New Zealand Privacy Act 2020, you have the right to:

• Access the personal information we hold about you;
• Request correction of inaccurate personal information;
• Make a complaint to the Office of the Privacy Commissioner if you believe we have breached the Act.

8.2 Australian Users

Under the Australian Privacy Act 1988, you have the right to:

• Access the personal information we hold about you;
• Request correction of inaccurate, incomplete, or out-of-date personal information;
• Opt out of direct marketing communications;
• Make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.

8.3 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@formestudio.io. We will respond within 20 working days (as required under the NZ Privacy Act 2020). We may ask you to verify your identity before processing your request.

9. Data Retention

We retain personal information for as long as:

• Your account is active and we are providing you services;
• Necessary to fulfil the purposes described in this policy;
• Required by applicable law (e.g. tax and financial records — generally 7 years in New Zealand and Australia).

When you close your account, we will delete or anonymise your personal information within 90 days, except where we are required by law to retain it.

Meta-sourced Instagram data is deleted within 30 days of an account closure or deletion request.

10. Cookies and Tracking Technologies

We use the following types of cookies:

• Strictly necessary cookies: required for authentication, session management, and security. These cannot be disabled.
• Google reCAPTCHA: anti-fraud and bot detection cookies set by Google on our forms.

We do not currently use advertising cookies, third-party tracking pixels, or behavioural profiling cookies. If this changes, we will update this policy and seek your consent where required.

11. Security

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

• Encryption of data in transit (TLS/HTTPS);
• Encryption of sensitive data at rest (including access tokens);
• Firebase Security Rules restricting data access to authorised users;
• Role-based access controls for administrative functions;
• PCI-compliant payment processing via Stripe.

In the event of a notifiable privacy breach affecting New Zealand users, we will notify the Privacy Commissioner and affected individuals as required under the Privacy Act 2020. For Australian users, we will comply with the Notifiable Data Breaches scheme under the Privacy Act 1988.

12. Children’s Privacy

The Platform is intended for use by businesses and individuals who are at least 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

13. Links to Third-Party Sites

The Platform may contain links to third-party websites (including Meta, Stripe, and others). We are not responsible for the privacy practices of those sites. We encourage you to read the privacy policies of any third-party sites you visit.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on the Platform at least 14 days before the changes take effect. The “Last updated” date at the top of this page reflects when the policy was last revised.

Your continued use of the Platform after any changes constitutes your acceptance of the revised policy.

15. Complaints

If you believe we have breached your privacy, please contact us first at privacy@formestudio.io so we can attempt to resolve the issue. If you are not satisfied with our response:

• New Zealand: You may complain to the Office of the Privacy Commissioner at privacy.org.nz.
• Australia: You may complain to the Office of the Australian Information Commissioner at oaic.gov.au.

16. Contact Us

For any privacy enquiries, please contact: