Receipted AI and Compliance
How AliceHQ's Receipted AI architecture satisfies the specific compliance obligations facing NZ and Australian service businesses — from the Privacy Act 2020 to Australia's incoming ADM requirements.
NZ Privacy Act 2020
The NZ Privacy Act 2020 replaces the 1993 Act and significantly tightens obligations for businesses using automated systems to collect, use, and make decisions about personal information. Three Information Privacy Principles are directly relevant to AI customer interactions.
IPP 2 — Purpose of collection
Information must be collected for a lawful purpose directly related to the business's activities. When an AI agent collects personal information during a call — name, contact details, health or tenancy information — that collection must be justified and logged. AliceHQ receipts every field collected, the context it was collected in, and the downstream use.
IPP 5 — Storage and security
Businesses must protect personal information against loss, unauthorised access, use, modification, or disclosure. AliceHQ's receipt architecture stores interaction records in an immutable, access-controlled format — preventing retrospective modification and providing a clear chain of custody.
IPP 8 — Accuracy
The Office of the Privacy Commissioner has stated that AI systems contributing to decisions affecting individuals should maintain an audit trail. AliceHQ provides that audit trail at the interaction level: what the AI said, what information it received, and what action it took — timestamped at the moment of occurrence.
Residential Tenancies Act (NZ)
The Residential Tenancies Act 1986 creates record-keeping obligations that begin at the point of first tenant contact — including contacts handled by AI agents. Property managers cannot treat an AI-handled interaction as outside the scope of their RTA obligations.
The Tenancy Compliance and Investigations Team (TCIT) conducts 400–500 audits of property management companies each year. When TCIT requests records for a maintenance interaction, a complaint, or a tenancy dispute, property managers need contemporaneous records — not reconstructions. “The AI handled it” is not a compliant response.
AliceHQ receipts every tenant interaction: the call timestamp, information the tenant provided, the maintenance request created in Re-Leased or PropertyMe, the notification dispatched to the property manager. These receipts are TCIT audit-ready — produced at the time of the interaction, not generated on demand.
Health Information Privacy Code 2020 (HIPC)
The Health Information Privacy Code 2020 is the applicable NZ framework for any system handling patient information — including AI agents handling appointment bookings, triage decisions, or clinical enquiries. HIPC imposes prescriptive requirements beyond the base Privacy Act obligations.
For clinics using AliceHQ to handle inbound patient calls, the key obligations are logging (every patient interaction must be documented with sufficient detail to reconstruct what occurred), accuracy (records must reflect what was actually communicated), and access (patients have the right to request their interaction records). AliceHQ satisfies all three through its receipt architecture.
A note on HIPAA
HIPAA is a United States federal regulation. It does not apply to NZ healthcare providers. NZ clinics are governed by HIPC 2020, not HIPAA. If you have seen AI vendors claim “HIPAA compliance” for NZ healthcare use cases, that claim is based on the wrong regulatory framework. The applicable standard is HIPC 2020.
Australian Privacy Act — ADM Requirements (December 2026)
Australia's Privacy and Other Legislation Amendment Act 2024 introduces new APP 1.7 (Automated Decision-Making) requirements that take effect from December 2026. Any regulated entity using automated decision-making that significantly affects individuals must:
- Disclose the use of ADM in their privacy policy
- Maintain evidence of the decision-making process sufficient to explain how a decision was reached
- Respond to requests from affected individuals about automated decisions that affected them
Non-compliance penalties reach AUD $2.5 million for serious or repeated breaches. The framework applies to any organisation that handles personal information under the Australian Privacy Act — which includes NZ businesses with Australian operations, Australian customers, or an Australian Privacy Act obligation.
AliceHQ's receipt architecture directly satisfies the APP 1.7 evidence requirement. Every automated decision — booking accepted, triage outcome reached, information provided — is logged with the inputs, the decision taken, and the timestamp. NZ businesses with Australian exposure have until December 2026 to implement compliant AI. That window is nine months from now.
Meet Your Compliance Obligations with a 30-Day Pilot
A 30-day AliceHQ pilot gives you a full receipt log for every AI-handled interaction. See what your compliance record looks like before it matters.