myGst.co.nz

Data Use Policy

Last updated: February 2026

1. Our Approach to Your Data

At myGst.co.nz, we believe your business data belongs to you. This policy explains exactly how we use the data you entrust to us.

2. What Data We Process

Data Type | How We Use It | How Long We Keep It
Account info (name, email) | Authentication, notifications, support | Until account deletion
Receipt/invoice images | OCR extraction, storage, display | Until account deletion*
Extracted data (supplier, amount, GST) | GST calculations, reports, exports | Until account deletion*
Usage logs | Service improvement, debugging | 90 days
Email content (forwarded invoices) | Attachment extraction only | Deleted after processing

* NZ tax law requires keeping records for 7 years. We may retain anonymized data for this period even after account deletion.

3. OCR and AI Processing

We use AI/ML technology for OCR (optical character recognition) to extract data from your receipts and invoices:

  • Images are processed using AI/ML services for text extraction
  • Images are not retained by our AI providers after processing
  • We do not use your data to train AI models
  • Processing happens in secure data centers

4. Data Storage Locations

Your data is stored in the following locations:

  • Database: Neon PostgreSQL (US East, encrypted at rest)
  • File storage: Vercel Blob (encrypted, geo-distributed)
  • Backups: Encrypted, same region as primary data

5. What We Do NOT Do With Your Data

  • ❌ We do not sell your data to third parties
  • ❌ We do not use your data for advertising
  • ❌ We do not share your data with other users
  • ❌ We do not train AI models on your private data
  • ❌ We do not access your data without a valid support reason

6. Data Security Measures

We implement the following security measures:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Role-based access controls for staff
  • Regular security audits and penetration testing
  • Automated threat detection and alerting

Important: While we take security seriously and implement industry-standard measures, no system is completely secure. We cannot guarantee that unauthorized access, data breaches, or data loss will never occur. By using the Service, you acknowledge this risk and agree that we are not liable for damages resulting from security incidents, except where prohibited by law.

7. Your Data Rights

You can:

  • Export: Download all your data as CSV anytime
  • Correct: Edit any extracted data that is incorrect
  • Delete: Delete individual records or your entire account
  • Access: View all data we hold about you

8. Open Banking (Future)

When we launch bank linking (Pro/Business plans), this is how it will work:

  • Bank connection requires your explicit consent
  • You can revoke consent at any time
  • We only read transaction data (never initiate payments)
  • Bank credentials are never stored on our servers
  • We are pursuing MBIE accreditation for open banking

9. Data Breach Response

In the event of a data breach:

  • We will notify affected users as soon as reasonably practicable
  • We will report to the Privacy Commissioner as required by law
  • We will provide guidance on protective steps
  • We will conduct a post-incident review

Limitation: Our obligation is to take reasonable steps to respond to breaches. We are not liable for any damages, losses, or harms resulting from data breaches, including but not limited to identity theft, financial loss, or reputational damage, except where such limitation is prohibited by applicable law.

10. Contact

Questions about data use? Contact our data protection officer: privacy@mygst.co.nz