ēkotrace
AI Use Statement
v1.0 · May 2026
ēkotrace™

AI Use Statement

How we use artificial intelligence within the ēkotrace platform, what data flows through AI systems, what does not, how human oversight is built in, and how the platform aligns with applicable AI governance and data sovereignty frameworks. This statement is published publicly and updated whenever the AI footprint changes.

Last reviewed: May 2026 · v1.0

On this page
  1. AI Models in Use
  2. What Data Flows Through AI
  3. What Data Does NOT Flow Through AI
  4. Human-in-the-Loop Design
  5. Data Sovereignty & International Data Flows
  6. What We Will Never Do
  7. Contact & Review
Section 1

AI Models in Use

ēkotrace currently uses one AI model in production:

ModelPurposeProviderData sent
OpenAI gpt-5-miniOCR extraction of structured fields from weighbridge tickets and gate documents uploaded by operatorsOpenAI (via Replit-managed integration)Document image only — see Section 2

No AI model is used in the SHA-256 hash chain, the cascade routing engine, the emission calculation engine, or the artefact issuance service. Those components are deterministic — they produce the same output from the same input every time. The chain of custody is not AI-generated.

This page describes the AI footprint as designed. Specific contractual and regulatory claims about third-party AI providers are subject to the underlying provider's published terms and to ongoing legal review.

Section 2

What Data Flows Through AI

When an operator uploads a weighbridge ticket or gate document, the image is sent to OpenAI's gpt-5-mini model to extract the following fields:

  • Mass / net weight
  • Date and time of transaction
  • Supplier or carrier name (as printed on the document)
  • Material type or waste code (as printed on the document)
  • Site or facility identifier

Data sovereignty note: document images are processed on OpenAI servers located in the United States. See Section 5 for full data sovereignty disclosure and mitigations.

Each extracted field is returned with a confidence score between 0.000 and 1.000. Fields scoring below 0.85 are flagged for mandatory human review before any data is accepted into the chain.

Section 3

What Data Does NOT Flow Through AI

The following data categories are never sent to any AI model:

  • Operator authentication credentials (NFC identifiers, PIN hashes)
  • SHA-256 chain event records or hash values
  • Certified artefact records (CRM Certificates, Digital Material Passports, Carbon Disclosure Certificates, EPR Compliance Certificates)
  • Client commercial data — pricing, contract terms, procurement volumes
  • Personal data identifying individual consumers or end-users
  • Carbon calculation inputs or emission factor methodology data

What this means in practice: the core evidence layer — every hash-chained event record, every certified artefact, every carbon calculation — is produced entirely by deterministic, auditable code. No AI model touches the evidence that ends up in a CRM Certificate or a regulatory submission.

Section 4

Human-in-the-Loop Design

The OCR pipeline is designed so that no AI output enters the chain of custody without a human checkpoint. The process is:

  1. 1
    Document upload
    Operator uploads the weighbridge ticket or gate document.
    Operator action
  2. 2
    AI extraction
    gpt-5-mini extracts structured fields from the document image.
    Automated
  3. 3
    Confidence scoring
    Each field receives a confidence score of 0.000–1.000.
    Automated
  4. 4
    Review modal
    Any field with a confidence below 0.85 is displayed for operator correction; all fields are visible to the operator.
    Human reviews and confirms or corrects
  5. 5
    Chain insertion
    Confirmed fields are SHA-256 hashed with the preceding event and appended to the chain.
    Automated — only proceeds after human confirmation

This design is intended to align with the human-oversight expectations set out in the NZ AI Forum Trustworthy AI Principles, the Algorithm Charter for Aotearoa New Zealand (as applied to ēkotrace outputs used by government clients), MBIE's Responsible AI Guidance for Business, and the human-oversight provisions of the EU AI Act. Formal conformity assessments where required by client jurisdiction are conducted separately.

Section 5

Data Sovereignty & International Data Flows

ēkotrace operates in a cross-border data environment. This section discloses all international data flows and the mitigations in place.

5.1 Current data flows

Data typeWhere processedJurisdictionMitigation
Weighbridge ticket images (OCR)OpenAI API serversUnited StatesNo training on inputs (Replit-managed integration). No personal data sent where avoidable. See 5.2.
Platform event records and chain dataReplit Autoscale infrastructureUnited States (default)NZ/AU hosting on roadmap — see 5.3.
Client portal data (TWG, Auckland Council)Replit Autoscale infrastructureUnited States (default)NZ/AU residency option for enterprise/government clients — see 5.3.

5.2 OpenAI and the NZ Privacy Act 2020

Under the NZ Privacy Act 2020, Information Privacy Principle 12 requires that, before disclosing personal information to an overseas recipient, ēkotrace take reasonable steps to ensure the recipient provides comparable privacy protections. The Replit-managed OpenAI integration is governed by OpenAI's published API data-usage and enterprise terms (no training on API inputs by default; SOC 2 Type II certification). The specific data-handling guarantees that apply at any point in time are those published by OpenAI and Replit — ēkotrace recommends operators review them directly before submitting documents that may contain personal information. Where weighbridge tickets include any personal identifier (operator name, vehicle registration), operators are instructed to either redact the document before upload or rely on the data-minimisation policy applied in the OCR pipeline.

5.3 Data Residency Roadmap

  • NZ/AU cloud residency — target Q4 2026 — for government clients with data sovereignty requirements (Auckland Council, NZTA, government agency clients under the Public Records Act 2005).
  • EU data residency — target H1 2027 — aligned with the EU DPP deployment timeline and GDPR Article 46 requirements for clients with EU operations.
  • Pacific Island data sovereignty — assessed case-by-case for ocean-bound plastics and regional collection partnerships, in line with emerging Pacific data-governance frameworks.

5.4 International Framework Alignment

FrameworkRelevance to ēkotraceAlignment status
NZ Privacy Act 2020Governs personal data processing and transboundary flows (IPP 12)Designed to comply — data-minimisation policy applied; DPA review scheduled Q3 2026
NZ AI Forum Trustworthy AI Principles (2020)Voluntary NZ framework — increasingly expected in government tendersDesigned to align — human-in-the-loop and per-field confidence scoring address each principle
Algorithm Charter for Aotearoa NZApplies to government agency signatories (Auckland Council, MBIE) who use ēkotrace outputsDesigned to align — per-field confidence scoring and operator review support transparency and accountability
MBIE Responsible AI Guidance for BusinessNZ government guidance for businesses using AIDesigned to align — risk inventory maintained; human oversight built in
ISO/IEC 42001 (AI Management Systems)Emerging international standard — first certifications 2025–26Designed to align with — not yet certified
EU AI Act (August 2026 full applicability)Applies if any client uses ēkotrace outputs in EU operationsLimited-risk tier — document extraction with human review. Monitored.
GDPRApplies to EU-resident personal data if ēkotrace operates in the EU marketData-residency roadmap in place. DPA review Q3 2026.
APEC Cross-Border Privacy RulesNZ is a member. Relevant for data flows to APEC members.Monitored
OpenAI Usage Policies + Data Processing TermsGoverns the OCR integrationCovered by Replit-managed enterprise integration — no per-user key, no training on inputs
Section 6

What We Will Never Do

  • Use AI to make automated decisions about material routing, certification grade, or cascade tier without human confirmation.
  • Send certified artefact data, chain event records, or commercial pricing data to any AI model.
  • Use AI-generated outputs as the sole basis for any regulatory submission or ESG disclosure.
  • Train AI models on client data without explicit written consent.
  • Use AI in any way that would constitute high-risk AI use under the EU AI Act without completing the required conformity assessment.
Section 7

Contact & Review

This statement is reviewed annually and updated whenever the AI footprint changes.

  • Last reviewed: May 2026
  • Contact: connect@ekot.nz
  • Published at: /ai-use (this page)

ēkot Circular Solutions Ltd · Turning Waste Into Value

connect@ekot.nz · ekot.nz · ēkotrace AI Use Statement v1.0 (May 2026)

Patent pending · ēkotrace provisional patent filed at IPONZ 19 May 2026 · Case No. 833133 · Inventors: Cheril Calling, Manjula Sickler, Sam Best. Proprietary platform — all rights reserved.