Privacy

We wrote this page to be read — not to be scrolled past and accepted unseen. It explains how we handle your information, how we use AI in our services, and what we do to keep things safe. We treat your privacy seriously and take every practicable step to protect it. We are not harvesting marketing data. We do not want your data. We want your feedback, your questions, and the opportunity to share our work with people who find it valuable.

What we collect

When you contact us through the website — to request a paper, ask a question, or get in touch — we collect your name, your email address, and the details of your request. Our system records the date and time, which page you were on, and which website you came from (steko.co.nz or stillwaters.nz). We also record which version of this privacy page was current when you submitted your request, so that your consent is linked to the specific commitments we made at that time. That is all we collect. There are no tracking cookies, no analytics profiles, and no advertising pixels.

Why we collect it

We collect your details to respond to your inquiry and, where you have asked for something specific, to send it to you. We use anonymised request counts — how many requests were made, which articles are popular — to understand what readers find valuable. This helps us decide what to write next. We do not use your information for marketing, and we do not sell it. We share it only with the service providers described below, and only to the extent necessary to deliver the service you requested.

How we use AI

Some of our services use AI to assist with responses. When they do, the AI operates within strict boundaries that we have designed and that we control. Here is how it works.

Automated responses are composed using Anthropic's Claude API. The AI draws exclusively from a curated knowledge base that we maintain — a collection of our published research, methodology documentation, and approved reference material. The AI cannot access the internet, cannot expand its own knowledge, and cannot compose from material we have not reviewed and approved. If a question falls outside what the knowledge base covers, the response is escalated to Greg rather than answered with a best guess.

Every AI-composed response passes through an automated quality review before it is sent. This is a second, independent check — separate from the system that composed the response — that verifies the content stays within the approved knowledge base, maintains the appropriate tone, and actually answers the question that was asked. If the review flags a concern, the response is not sent and the enquiry is escalated for personal attention.

We apply a systematic quality framework derived from published clinical AI safety research to minimise the risk of inaccurate or inappropriate automated responses. This framework addresses four empirically validated failure patterns that affect AI systems across all domains, not just ours. It is the same framework we apply to our consulting methodology and our product development.

Currently, the paper request service on steko.co.nz operates as a deterministic pipeline — it matches your request to an article in our catalogue and sends the PDF directly, without AI composition. AI-composed responses will be introduced for enquiry handling in a future update, and this page will be updated with specific details when that happens.

Every AI-composed communication is clearly identified as such. We do not pretend that automated responses are personally written. The speed of the response is itself a signal — and every composed email carries a disclosure confirming AI assistance and a direct path to reach Greg personally.

How we store it

Your information is stored in a database hosted in New Zealand by SiteHost, a New Zealand hosting provider, in their Auckland data centre. It is encrypted in transit. Access to the database is restricted to the specific system that needs it — each part of our platform operates under its own credentials and cannot access information belonging to other parts.

Third-party services

We believe you should know who else handles your information, and where. Under the New Zealand Privacy Act 2020 (Information Privacy Principle 12), we are required to tell you before your personal information is sent overseas. Here is the complete list:

SiteHost (New Zealand) — hosts our website and database. Your information stays in New Zealand. SiteHost privacy policy.

Anthropic (United States) — our AI-assisted services use Anthropic's Claude API, which is hosted in the United States. When an AI-composed response is generated, the content of your enquiry and the relevant material from our knowledge base are sent to Anthropic's API for processing. As of this writing, Anthropic's API terms state that API inputs are not used for model training. If Anthropic's data processing terms change materially, we will review the implications and update this page accordingly. Your name and email address are not sent to the Anthropic API — only the content needed to compose a relevant response. Anthropic privacy policy.

Stripe (international) — if you make a payment through our platform, the transaction is processed by Stripe. Stripe operates internationally and your payment information will be processed outside New Zealand. We do not store your credit card details — Stripe handles that directly. This applies only when you make a purchase; it does not apply to free paper requests or general inquiries. Stripe privacy policy.

That is the complete list. We do not use analytics services, advertising platforms, social media tracking, or any other third-party service that touches your personal information.

How long we keep it

You choose. When you contact us, you can tell us your preference:

Minimum retention — we keep your details only for the time required to fulfil your request, then delete your personal information.

Retained — we keep your details until you ask us to remove them.

If you do not state a preference, we retain your details for a reasonable period and then delete them. You can change your preference or request deletion at any time.

Exception — financial records: If you make a purchase, we are required by the Tax Administration Act 1994 to retain transaction records for seven years. This applies to payment amounts, dates, and the fact that a transaction occurred — not to the content of what you purchased or your broader browsing activity. This legal obligation overrides the reader's choice model above for financial records only.

When personal information is deleted, anonymised records are retained — the fact that a request was made, which article was requested, and the date. These records contain no names, no email addresses, and no information that could identify you. They exist so we can understand how many people are reading our work.

Security

Running AI-integrated web services introduces security considerations that did not exist when websites simply served static pages. A form that feeds into an AI composition pipeline is a different kind of attack surface from a traditional contact form, and we treat it accordingly.

Our platform security is built on a three-layer model aligned with the NIST Cybersecurity Framework. The first layer is continuous automated monitoring — the system watches for unusual patterns and will shut down specific components automatically if thresholds are breached, while keeping the rest of the site available. The second layer is periodic threat review, where we assess the evolving landscape of risks specific to AI-integrated services. The third layer is ongoing vigilance on the tools and dependencies our platform relies on.

We are committed to publishing the findings of any resolved security incident in a public transparency log on this site. Each entry will describe what happened, how it was detected, what was done about it, and what was changed to prevent recurrence — without disclosing technical details that could help an attacker. No incidents have been recorded to date.

The security challenges facing AI-integrated web services are a subject we study actively. We are preparing research on the unique threat landscape that emerges when web forms connect to AI composition pipelines — the new attack vectors, the defence architectures, and what operational experience teaches about managing risks that most organisations have not yet encountered. When that work is published, we will link to it here so that readers who want to understand why we do what we do can explore the reasoning in depth.

If something goes wrong

If we become aware of a privacy breach — unauthorised access to, disclosure of, or loss of your personal information — we will take immediate steps to contain the breach and assess its impact. If the breach is likely to cause serious harm, we will notify the New Zealand Privacy Commissioner within 72 hours, as required by the Privacy Act 2020, and we will notify you directly as soon as practicable with a clear explanation of what happened, what information was affected, and what we are doing about it.

We would rather be honest and direct about a problem than hope you do not notice. That is how we operate in every part of our practice, and it applies here too.

Limitation of liability

We make reasonable efforts to ensure that all information provided through our services — including AI-composed responses — is accurate and helpful. However, AI-composed content is generated from a curated knowledge base and may not account for every nuance of your specific situation. It is not a substitute for independent professional advice.

If an AI-composed response contains an error or is unhelpful, we want to know — contact thinking@steko.co.nz and Greg will follow up personally. Every enquiry that is escalated from the automated system receives personal attention.

Steko Consulting Limited accepts no liability for decisions made on the basis of AI-composed responses without independent verification. This limitation applies to automated content only — it does not limit our professional obligations on work performed directly by the practitioner under an engagement agreement.

Your rights

Under the New Zealand Privacy Act 2020, you have the right to ask what personal information we hold about you, to request correction of anything that is inaccurate, and to request deletion at any time. We will respond promptly and in plain language.

If this privacy page is updated, your earlier interactions remain governed by the version that was current when you contacted us. We do not retrospectively change the terms under which you shared your information.

To make a privacy request, contact us at privacy@steko.co.nz. We will acknowledge your request, confirm what action we are taking, and report back to you when it is complete.

Who is responsible

Steko Consulting Limited is a sole-practitioner consultancy. Greg Williams is the privacy officer. All privacy inquiries are handled personally — not routed through a call centre or outsourced to a third party. If you write to privacy@steko.co.nz, you are writing to the person responsible.

This page is provided for informational purposes. It does not constitute legal advice. The limitation of liability section above reflects our structural intent and will be incorporated into formal terms of service. Steko Consulting Limited accepts no liability for decisions made on the basis of this document without independent verification.

Prepared by Greg Williams | Powered by Claude Opus 4.6 | © 2026 Steko Consulting Limited

Last updated: 30 March 2026