Privacy Policy
Effective date: 1 April 2026 · Jurisdiction: New Zealand · Governed by: Privacy Act 2020
1. Who we are
bizzme is an AI-powered business advisor platform for New Zealand small and medium enterprises (SMEs). We are committed to protecting your personal information in accordance with the Privacy Act 2020 (NZ) and its 13 Information Privacy Principles (IPPs).
Privacy Officer contact: privacy@bizzme.nz
2. Information we collect
- Account information: your name, email address, and password (hashed — we never see it in plain text).
- Business information: trading name, entity type, NZBN, IRD number (optional), GST filing frequency, industry type, employee count band, payroll system, and revenue band. You provide this during onboarding and can update it at any time.
- Employee payroll data (if you use the payroll features): employee names, IRD numbers, tax codes, KiwiSaver rates, pay rates, and leave balances. This information is encrypted at rest and in transit and is only used to calculate PAYE, KiwiSaver, and Holidays Act entitlements.
- Financial documents: invoices, receipts, GST returns, and other business documents you upload for AI extraction. Documents are processed by Anthropic (claude-sonnet) and stored in Supabase. We do not retain the raw file after extraction is complete.
- Transaction data: financial transactions you enter or that are extracted from documents. Used for GST preparation and anomaly detection.
- Chat history: questions you ask bizzme and the AI responses. Stored to allow conversation continuity and to improve the service.
- Usage data: pages visited, features used, and error logs (via Sentry). This helps us fix bugs and improve the platform. No personally identifiable information is included in error logs.
3. How we use your information
- To provide the bizzme service — tax guidance, payroll calculations, GST return preparation, anomaly alerts, and AI chat advice.
- To calculate NZ PAYE, KiwiSaver, ACC earner levy, and Holidays Act entitlements for your employees.
- To prepare GST return summaries for your review. We do not file returns with IRD on your behalf.
- To send you weekly digest emails with key financial alerts and upcoming GST due dates (if you opt in).
- To improve and debug the platform using anonymised usage and error data.
- To process subscription payments via Stripe (we do not store card details — Stripe handles payment data under PCI-DSS).
We do not use your information for advertising, and we do not sell your data to any third party.
4. Who we share your information with
We share your data only with the following service providers, solely to operate the platform:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database & auth | All business and user data | AWS ap-southeast-2 (Sydney) |
| Anthropic | Document extraction & AI chat | Document content, chat messages | USA (data not retained by Anthropic after response) |
| OpenAI | AI chat fallback & RAG embeddings | Chat messages, regulatory text | USA (data not retained after response) |
| Stripe | Subscription billing | Name, email, billing address | USA (PCI-DSS compliant) |
| Vercel | Frontend hosting | HTTP request metadata only | USA / Global CDN |
| Sentry | Error monitoring | Anonymised stack traces, no PII | USA |
We may disclose your information if required by NZ law or a court order.
5. IRD number handling
IRD numbers are highly sensitive personal information under NZ law. We handle them as follows:
- Encrypted at rest using AES-256 within Supabase.
- Only used for payroll calculations and compliance guidance — never disclosed to third parties.
- Access is limited to your account and bizzme operations staff under strict need-to-know controls.
- Not transmitted to Anthropic or OpenAI — IRD numbers are stripped from any data sent to AI providers.
6. Data retention
- Payroll and tax records: retained for 7 years from the date of the transaction, as required by the Tax Administration Act 1994 and IRD guidelines.
- Chat history: retained for 2 years, then anonymised.
- Account data: retained while your account is active. Deleted within 30 days of account closure, except where retention is required by law.
- Uploaded documents: raw files deleted after extraction. Extracted data retained as part of your transaction records (7-year rule applies).
7. Your rights under the Privacy Act 2020
You have the right to:
- Access the personal information we hold about you — request via privacy@bizzme.nz. We will respond within 20 working days.
- Correct any inaccurate information — use the Profile settings in the app or email us.
- Delete your account and personal data — email us. Note: payroll and tax records may be retained for the statutory 7-year period.
- Object to certain uses of your information — email us with your concerns.
- Complain to the Office of the Privacy Commissioner (OPC) at privacy.org.nz if you believe we have breached the Privacy Act 2020.
8. Privacy breach notification
In the event of a privacy breach that is likely to cause serious harm, we will:
- Notify the Office of the Privacy Commissioner as soon as practicable.
- Notify affected individuals directly, unless doing so is not reasonably practicable.
- Take immediate steps to contain the breach and prevent further exposure.
To report a suspected privacy breach: privacy@bizzme.nz
9. Cookies and tracking
We use cookies solely to maintain your login session (via Supabase Auth). We do not use advertising cookies, tracking pixels, or third-party analytics cookies. The Sentry error monitoring SDK collects anonymised technical data only — no personally identifiable information.
10. Cross-border data transfers
Some of our service providers (Anthropic, OpenAI, Stripe, Vercel, Sentry) process data in the United States. These transfers are made under standard contractual clauses and data processing agreements. Anthropic and OpenAI do not retain your data after generating a response, per their enterprise data processing agreements.
Your database (Supabase) is hosted in AWS Sydney (ap-southeast-2) — your core business data does not leave Australia/NZ.
11. Changes to this policy
We will notify you of any material changes to this policy via email and by updating the effective date above. Continued use of bizzme after changes take effect constitutes acceptance of the updated policy.
Questions about this policy? Contact our Privacy Officer at privacy@bizzme.nz. For formal complaints, contact the Office of the Privacy Commissioner at privacy.org.nz or 0800 803 909.