Legal

Privacy Policy

This policy explains what personal information Wrightly collects, why we collect it, who processes it for us, and the rights you have under the New Zealand Privacy Act 2020.

Last updated 13 July 2026

01

Who we are

Wrightly (“Wrightly”, “we”, “us”, “our”) provides record-keeping and bookkeeping software for New Zealand sole traders and small businesses. This policy covers personal information we handle when you use Wrightly at wrightly.app. For how the service itself works, see our Terms of Service.

02

What we collect

We collect:

  • Account information — the email address you sign in with, and the organisations and members you set up. We use magic-link / one-time-code sign-in, so we do not store a password.
  • Your business and financial data — the records you enter or upload: receipts and documents, invoices and quotes, expenses, mileage and trips, clients, capital assets, bank line items, and the GST and income tax figures derived from them. This may include personal information about your own clients and contacts, which you are responsible for having the right to provide.
  • Uploaded files — receipt images and other documents you add to the service.
  • Usage and technical data — basic logs such as requests, timestamps, device and browser information, and errors, used to run and secure the service.
  • Billing information — if you subscribe to Wrightly Plus, your payment is handled by Stripe; we receive subscription status, not your full card details.
03

Why we use it

We use your information to:

  • provide, maintain and secure the service and your account;
  • store your records and produce your indicative GST and income tax figures, reports and invoices;
  • process AI features on the Wrightly Plus plan — reading receipts and bank statements and categorising transactions;
  • take payment for Wrightly Plus and send you service and transactional email (such as sign-in links and invoices you send to your clients);
  • provide support, prevent misuse and abuse, and meet our legal obligations.

We do not sell your personal information, and we do not use your business data to advertise to you.

04

Who processes it for us

We use trusted third-party providers to run Wrightly. They process your information only to provide their service to us:

  • Cloudflare — hosting and storage of uploaded receipts and documents (R2).
  • Supabase — our database and sign-in / authentication.
  • Stripe — subscription billing, and processing card payments on invoices you send (paid to your own connected Stripe account).
  • Resend — sending transactional and service email.
  • Third-party AI model providers — for Wrightly Plus, the documents and bank-statement data you submit for AI processing are sent to these providers to extract and categorise the figures.

Some of these providers, and the infrastructure they use, may store or process data outside New Zealand. Where information is held overseas, we take reasonable steps to ensure it has comparable protection to that required under the Privacy Act 2020.

05

Where it is stored

Your data is held on our providers’ cloud infrastructure — document and file storage on Cloudflare, and the database and authentication on Supabase. Access is restricted, each organisation’s data is isolated from every other organisation’s, and stored access tokens for connected services are encrypted.

06

How long we keep it

We keep your information for as long as your account is active and as needed to provide the service. You can ask us to delete it (see below). Remember that you are legally required to keep your own business and tax records — generally for at least seven years under the Tax Administration Act 1994 — so please export and retain your own copies; deleting your Wrightly data does not satisfy that obligation for you.

07

Your rights

Under the Privacy Act 2020 you have the right to ask for access to the personal information we hold about you, and to ask us to correct it if it is wrong. You can also:

  • export your data from the service at any time;
  • request deletion of your data and account; and
  • ask us questions about how we handle your information.

To make a request, email us at the address below. We may need to verify your identity before we act on it, and we will respond within the timeframes the Privacy Act requires.

08

Security and breaches

We take reasonable technical and organisational steps to protect your information, but no online service can be completely secure. If a privacy breach occurs that is likely to cause serious harm, we will notify affected people and the Office of the Privacy Commissioner as required by the Privacy Act 2020.

09

Changes to this policy

We may update this policy from time to time. If we make a material change we will take reasonable steps to let you know, and we will update the date at the top of this page.

10

Contact us

For any privacy question or request, or to reach our privacy contact, email hello@wrightly.app. If you are not satisfied with our response, you can contact the Office of the Privacy Commissioner at privacy.org.nz.