Legal
Privacy Policy
Last updated: 24 May 2026
Covers the NZ Privacy Act 2020 · AU Privacy Act 1988 · GDPR (where applicable)
Plain-English Summary
- → We collect only what we need to provide the service.
- → Your financial data is never sold or used to train AI models.
- → Data is stored in Supabase (ap-northeast-1 region, ISO 27001 + SOC 2 Type II certified).
- → You can export, correct, or delete your data at any time.
- → We use named subprocessors — no mystery third parties.
1. Who We Are
Owner CFO Ltd ("Owner CFO", "we", "us") is a company registered in New Zealand [Company Number: pending registration], operating a financial management service for sole traders and small businesses in New Zealand and Australia.
We act as a data processor for your business's financial data. You are the data controller. This means you decide what data enters the system and retain full ownership.
Privacy Officer contact: privacy@ownercfo.com
2. What We Collect
Account information
Name, email address, and password (hashed; we never see your plaintext password). Optionally: business name, phone number.
Business data (Customer Data)
Financial transactions, bank account names, invoices, quotes, receipt images, mileage logs, time entries, client and project names, GST registration details, IRD number (NZ) or ABN (AU).
This data is provided voluntarily by you. It is used exclusively to deliver the Service.
Payment information
Billing name, address, and card last-four digits. Full card details are processed and stored by Stripe — we never see or store your card number.
Usage data
Pages visited, features used, error logs, IP address, browser type, and session timestamps. Used for product improvement and security monitoring.
Communications
Emails you send to support, in-app feedback, and chat messages with our AI advisor (stored to provide context in future sessions within the same account).
3. How We Use It
We use your personal information to:
- Provide, maintain, and improve the Service
- Process payments and send billing communications
- Send essential service communications (security alerts, terms updates, downtime notices)
- Respond to support requests
- Detect and prevent fraud, abuse, or security incidents
- Comply with legal obligations (NZ tax record requirements, court orders)
With your explicit consent, we may also:
- Send product updates, feature announcements, and educational content
- Use anonymised, aggregated data for product analytics
We do not use your financial data to train AI models, sell data to data brokers, or share data with advertisers.
4. Legal Basis for Processing
For customers in the EU or UK (GDPR applies), our legal bases are:
- Contract performance — processing necessary to deliver the Service you signed up for.
- Legitimate interests — security monitoring, fraud prevention, product improvement (balanced against your privacy rights).
- Consent — marketing emails, optional analytics. Withdrawable at any time.
- Legal obligation — complying with tax authority requests, court orders.
For NZ customers, our basis is the NZ Privacy Act 2020. For AU customers, it is the AU Privacy Act 1988 (Australian Privacy Principles).
5. Subprocessors
We use the following named subprocessors to deliver the Service. We maintain Data Processing Agreements with each.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | ap-northeast-1 (Tokyo) |
| Vercel | Web hosting, edge functions | Global CDN |
| Stripe | Payment processing | US / Global |
| OpenRouter | AI routing (categorisation, OCR) | US |
| DeepSeek | AI text (categorisation, advisor) | Via OpenRouter |
| Qwen (Alibaba) | AI vision (receipt OCR) | Via OpenRouter |
| Resend | Transactional email | US (EU relay available) |
| Sentry | Error monitoring (optional) | US |
We will notify you by email of any material changes to our subprocessor list at least 14 days in advance.
6. Data Residency
Your Customer Data is stored in Supabase's ap-northeast-1 (Tokyo) region. This is the primary storage location for all database records and uploaded files (receipts).
Certain data may be temporarily processed in other regions when using AI features (via OpenRouter, which routes to US-based model providers). This processing is transient — the model inputs and outputs are not persistently stored by the AI provider.
Supabase holds ISO 27001 and SOC 2 Type II certifications for its infrastructure. Details at supabase.com/security.
7. Retention
We retain your Customer Data for as long as your account is active. After account deletion:
- 30-day grace period — data remains accessible and deletion can be cancelled.
- After 30 days — personal data and Customer Data are hard-deleted from production databases.
- Backups — encrypted backups are rotated within 90 days of deletion.
- Legal obligations — if you have used Owner CFO for tax purposes, NZ law requires you to retain tax records for 7 years. We may retain anonymised aggregated data for longer for legal compliance purposes; we will tell you if this applies to your account.
8. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — correct inaccurate or incomplete data.
- Deletion — request deletion of your data ("right to be forgotten"). Use Settings → Account → Delete my account, or email us.
- Portability — export your data in machine-readable JSON format at any time from Settings → Account → Export my data.
- Objection — object to processing based on legitimate interests.
- Restriction — request restriction of processing in certain circumstances.
To exercise any right, email privacy@ownercfo.com. We will respond within 20 working days (NZ Privacy Act 2020 requirement).
If you are unsatisfied with our response, you may complain to:
- New Zealand: Office of the Privacy Commissioner — privacy.org.nz
- Australia: Office of the Australian Information Commissioner — oaic.gov.au
- EU/UK: Your relevant Data Protection Authority.
10. Children
The Service is not directed at individuals under 18. We do not knowingly collect personal data from children. If we become aware that a child has created an account, we will delete it promptly.
11. Contact
Privacy Officer: privacy@ownercfo.com
General support: support@centriweb.com
Postal: Owner CFO Ltd, [Address pending registration], New Zealand
We take privacy seriously and aim to respond to all enquiries within 5 working days.
See also: Terms of Service · Data Processing Addendum · Cookie Policy