Trust & security

Your data stays in NZ.
You stay in control.

bizzme reads your Xero ledger with the scopes you approve and nothing more. You confirm before anything posts back. Your financial data is never sold, never used to train AI models, and never shared beyond the sub-processors listed on this page.

AI boundary

AI-assisted. Human-confirmed. Always.

What AI does

Suggests transaction categories based on your Xero history
Drafts payroll calculations using NZ PAYE rules
Flags anomalies — unusual amounts, potential duplicates
Retrieves NZ regulatory guidance from IRD and employment.govt.nz
Extracts data from receipts and invoices

What AI never does

Post any transaction without your explicit confirmation
File a GST return or payroll with IRD
Make a bank payment
Create a legally binding employment agreement
Give formal tax advice (that requires a licensed NZ tax agent)

Xero integration

Exact scopes we request

When you connect Xero, we request only these OAuth scopes. You can revoke access from Xero at any time under My Apps.

Scope | Purpose
accounting.transactions.read | Read invoices and receipts to suggest GST coding
accounting.contacts.read | Identify suppliers for categorisation
payroll.employees.read | Read employee records for payroll calculations
payroll.payruns.read | Read pay run history to detect anomalies
payroll.payruns.write | Post confirmed pay runs back to Xero Payroll
accounting.transactions.write | Post confirmed coded transactions back to Xero

IRD and Akahu connections use separate OAuth flows with equivalent principle-of-least-privilege scoping.

Data residency

Where your data lives

Component | Region | Provider
Primary database | Sydney (ap-southeast-2) | Supabase / PostgreSQL
Frontend | Singapore (ap-southeast-1) | Vercel edge network
API processing | Sydney (ap-southeast-2) | Railway

AI processing: Document extraction (Anthropic) and AI guidance (OpenAI) are processed in the US. Neither provider retains your data for model training. Standard API data processing agreements are in place.

Sub-processors

Third parties with access to your data

We maintain a complete list. Updates are notified 30 days in advance via email.

Processor | Role | Region
Supabase | Database & authentication | ap-southeast-2 (Sydney)
OpenAI | AI guidance (GPT-4o) | US — data not retained for training
Anthropic | Document extraction (Claude) | US — data not retained for training
Vercel | Frontend hosting | ap-southeast-1 (Singapore)
Railway | API hosting | ap-southeast-2 (Sydney)
Stripe | Payments | US / Global (PCI DSS Level 1)
Xero | Accounting integration | NZ / AU

Compliance posture

NZ regulatory obligations

Privacy Act 2020
Compliant

NZ Privacy Act obligations met. Privacy Policy published.

UEMA 2007
Compliant

All marketing campaign sends follow NZ Unsolicited Electronic Messages Act rules.

GST Act 1985
Guidance only

bizzme prepares GST summaries. Filing remains with the registered person.

Employment Relations Act 2000
Guidance only

bizzme provides compliance templates. Employment agreements require legal review.

Holidays Act 2003
Compliant engine

Leave calculations follow the Act. Remediation not in scope.

Tax Agents Services Act
Not a tax agent

bizzme provides guidance only. Formal tax advice requires a licensed NZ tax agent.

Questions or a security concern?

Email our Privacy Officer at privacy@bizzme.co.nz for Privacy Act requests or data deletion.
Report a security vulnerability to security@bizzme.co.nz — we respond within 24 hours.