Security

Wrightly holds your business and financial records, so protecting them matters. This page explains, in plain terms, how we keep your data safe: how it is encrypted, where it lives, and the controls that keep one business’s records separate from every other’s.

Last updated 18 July 2026

01

Encryption

All your data is encrypted in transit and at rest. Traffic between your browser and Wrightly is protected with TLS, so nothing travels over the network in the clear, and the records and files we store on your behalf are encrypted at rest on our providers’ infrastructure.

02

Where your data lives

Your database and account records are hosted in Australia, on Supabase in the Sydney region. Your uploaded files, such as receipts and documents, are stored on Cloudflare. Keeping your data on established cloud infrastructure close to home means it stays within a well-regulated jurisdiction rather than scattered around the world.

03

Tenant isolation

Each business’s data is isolated from every other business’s at the database level itself, not only in our application code. We use Postgres row-level security, which means the database enforces the boundary on every single query: a request can only ever see rows that belong to the organisation it is scoped to.

This matters because it does not rely on us getting every line of application code perfect. Even if a bug slipped through, the database would still refuse to return another business’s records. It is one of the strongest ways to keep separate businesses’ data apart, and we build on it as a foundation rather than an afterthought.

04

Sign-in

Wrightly uses passwordless sign-in. You sign in with a magic link or a one-time code sent to your email, so there is no password to choose, reuse, forget or have stolen. That removes the single most common way accounts are compromised.

05

Your documents

Receipts and documents you upload are kept in a private storage bucket. They are never served from public URLs. Instead, when you need to view a file, Wrightly checks that you are a member of the organisation it belongs to and then mints a short-lived, signed link that expires shortly after. Once the link expires it can no longer be used, so a copied URL does not become a permanent open door to your files.

06

Connected services

When you connect an external service, such as a bank feed or an Inland Revenue connection, we store the access token for that connection in encrypted form. The token is used only to provide the feature you enabled, and you can disconnect a service at any time to revoke and remove it.

07

Payments

Card payments are handled entirely by Stripe. Card details never touch Wrightly’s servers. This applies both to your Wrightly Plus subscription and to invoices your clients pay online, which are processed through your own connected Stripe account.

08

AI processing

Wrightly’s AI features, which read receipts and bank statements and categorise transactions, run on Cloudflare Workers AI. Under Cloudflare’s terms, your data submitted for AI processing is used only to return results to us and is not used to train AI models. We never sell your data or share it beyond the providers that help us run the service.

09

Access control, accountability and monitoring

Within a business, access is role-based, so people see and change only what their role allows:

  • Owner: billing and member management, plus full access to the data.
  • Admin: full read and write access to the data.
  • Viewer: read-only access.

Every change to your data is written to an append-only audit log that records who did what, when. Access to your files is logged and monitored. Together these give a durable, tamper-evident record of activity, so nothing happens to your data silently.

10

Privacy and breaches

Our handling of your information is aligned with the New Zealand Privacy Act 2020. If a privacy breach occurs that is likely to cause serious harm, we will notify the affected people and the Office of the Privacy Commissioner as soon as practicable, as the Act requires. For the full detail of what we collect and how we handle it, see our Privacy Policy.

11

A note, and how to reach us

No online service can be perfectly secure, and we will not pretend otherwise. What we can tell you is that Wrightly is built from the ground up to protect your financial information, with the controls described above baked in rather than bolted on.

If you have a security question or want to report a concern, email us at privacy@wrightly.app.