Privacy Policy

1. About this policy

This Privacy Policy explains how Cyperi ("Cyperi", "we", "us", or "our") collects, uses, stores, and shares personal information. It applies when you use our website at cyperi.com, our application at app.cyperi.com (and any future Cyperi subdomains), or any related services (collectively, the "Services").

Cyperi is operated by Daniel Chan trading as Cyperi, based in New Zealand. We comply with the New Zealand Privacy Act 2020 and apply equivalent protections for users located outside New Zealand where required.

By using the Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Services.

2. Who this policy applies to

This policy applies to two distinct groups:

Account holders— accounting firms, sole-trader accountants, and their staff who register an account with Cyperi to manage their accounting practice ("Customers" or "You").

End clients— individuals and businesses whose information is uploaded into Cyperi by an Account holder (for example, the clients of an accounting firm). For end clients, the Account holder is the data controller and Cyperi acts as a data processor on their behalf. End clients should refer to their accountant's privacy policy for primary information about how their data is handled.

3. Information we collect

3.1 Information you provide directly

When you register and use Cyperi as an Account holder, we collect:

• Account details — your full name, work email address, firm name, country, password (stored as a one-way hash), and phone number (optional).
• Firm details — business number (NZBN/ABN), tax number, GST registration status, address, fiscal year end, primary contact information, and branding assets (logo, brand colour).
• Billing details — your subscription plan, payment method (processed securely by Stripe — we never see your full card number), billing address, and invoice history.
• Identity verification information — when required for compliance purposes (such as for higher-tier plans or specific features), we may collect identity documents.
• Communications — emails, support tickets, and feedback you send us.

3.2 Information about your end clients (uploaded by you)

If you use Cyperi to manage your clients' accounting work, you may upload or generate:

• Client names, contact details, addresses, IRD/TFN numbers, NZBN/ABN, GST status
• Financial documents (bank statements, invoices, receipts, tax returns, financial statements)
• Communications with your clients (emails, messages, signed documents)
• Client portal access credentials
• Notes, tags, and custom fields you add about clients
• AML/KYC verification information where applicable

You confirm that you have lawful authority (such as an engagement letter or written consent) to upload this information and to use Cyperi to process it on behalf of your clients.

3.3 Information collected automatically

When you use the Services, we automatically collect:

• Device and connection information — IP address, browser type, operating system, device type, language preference, and time zone.
• Usage information — pages visited, features used, session duration, click patterns, error logs, and performance metrics.
• Cookies and similar technologies — see Section 11 for details.
• Audit logs — every significant action (creating a client, sending an invoice, signing a document, accessing or changing data) is logged with timestamp, user, and IP address for compliance and security purposes.

3.4 Information from connected services

If you choose to connect third-party services to Cyperi, we receive information from those services on your behalf:

• Google Workspace / Gmail — email content, attachments, contacts, and metadata for your connected mailbox, used to power AI Communications features.
• Microsoft 365 / Outlook — same as above for connected Microsoft accounts.
• Xero, MYOB, QuickBooks — client lists, contact details, invoices, transactions, and accounting data needed to provide integration features.
• Stripe — payment status and transaction details for subscription billing.

We only access information necessary to provide the features you have enabled, and we use OAuth tokens that you can revoke at any time.

4. How we use information

We use information to:

• Provide the Services— authenticate you, give you access to your firm's data, deliver features you have requested, generate AI drafts and analyses, send invoices and reminders, store and retrieve documents.
• Process payments — bill your firm for the Cyperi subscription via Stripe.
• Improve the Services — diagnose issues, monitor performance, prioritise new features, and understand which capabilities are most useful. We use aggregated and de-identified data wherever possible for these purposes.
• Communicate with you — respond to support requests, send service notifications (such as security alerts, billing notices, and material changes to terms), and — where you have not opted out — share product updates.
• Comply with legal obligations — meet our obligations under the New Zealand Privacy Act 2020, anti-money-laundering (AML/CFT) requirements where applicable, tax law, and lawful requests from authorities.
• Maintain security and prevent abuse — detect fraud, abuse, and unauthorised access; enforce our Terms of Service.

We will not use end client information uploaded by Account holders for any purpose other than providing the Services to that Account holder, unless required by law.

5. Artificial intelligence (AI) processing

Cyperi uses third-party AI models (currently Anthropic's Claude models) to power features such as drafting email replies, generating financial statement narratives, summarising documents, and producing marketing content.

What this means for your data:

• Information you or your end clients provide may be sent to Anthropic's API to generate AI responses.
• Anthropic, under its commercial API terms, does not use this data to train its models and retains it only briefly for safety review (typically 30 days) before deletion.
• Cyperi does not share your data with any AI provider beyond what is strictly needed to generate the response you requested.
• Generated AI content is treated as a draft and shown to you for review before it is sent or published; we do not auto-send AI-generated communications to your clients.
• You can mark specific clients or threads as "exclude from AI" so their information is never sent to AI providers.

We log AI usage (input tokens, output tokens, cost) per firm to monitor service health and prevent abuse, but we do not retain the actual content of every AI request beyond the 30-day window required for service operation.

6. Sharing information

We do not sell your personal information. We share information only as described below:

• With service providers acting on our behalf to operate the Services. Current providers include:
  • Supabase (database and authentication, hosted in Sydney, Australia)
  • Vercel (application hosting)
  • Cloudflare R2 (file storage)
  • Anthropic (AI processing for features you use)
  • Stripe (payment processing)
  • Resend (transactional email delivery)
  • Google, Microsoft (only if you connect these accounts)
  • Xero, MYOB, QuickBooks (only if you connect these accounts)
  All providers are bound by data processing agreements that limit their use of information to providing services to Cyperi.
• With your authorised users — staff members within your firm who you have invited and granted permissions to view or change data.
• With end clients — if you enable client portal access or e-signature features, end clients will see information you have explicitly shared with them.
• For legal reasons — if required by law, court order, or to protect the rights, property, or safety of Cyperi, our users, or others.
• In a business transfer — if Cyperi is acquired by or merged with another company, information may be transferred. We will notify you in advance if this occurs and your data becomes subject to a different privacy policy.

7. Storage and international transfers

Cyperi stores most data in Sydney, Australia (Supabase region ap-southeast-2). Some data may be processed in other regions by our service providers — for example:

• AI requests are processed by Anthropic in the United States.
• Stripe processes payments in the United States and other regions.
• Some support and operational tools may be located in the United States or European Union.

When we transfer information internationally, we rely on standard contractual clauses or other lawful transfer mechanisms, and we ensure that recipients provide privacy protections equivalent to those required under New Zealand law.

8. How long we keep information

We retain information for as long as necessary to provide the Services and to meet legal obligations:

• Active accounts — we keep your information for as long as your subscription is active.
• Cancelled accounts — when you cancel, we keep your information for 90 days to allow account recovery, after which most data is permanently deleted unless we are required to retain it longer.
• Tax and accounting records — under New Zealand law, business records relating to tax must be retained for a minimum of 7 years. Data classified as a tax record (such as invoices, payments, and client tax filings stored in Cyperi) will be retained for at least 7 years from the end of the relevant tax year, even after account cancellation, unless you instruct us otherwise and the law permits earlier deletion.
• E-signature audit trails — signed documents and their cryptographic audit trail are retained indefinitely or for the period required by the New Zealand Electronic Transactions Act 2002 and equivalent law.
• Audit logs — at least 7 years for Practice plan customers, and at least 12 months for other plans.
• Backups — backups are retained for up to 90 days and are then permanently overwritten.

You can request earlier deletion at any time, and we will comply unless legally required to retain the information.

9. Security

We take security seriously. Our measures include:

• Encryption in transit — all communication with Cyperi uses TLS 1.2 or higher.
• Encryption at rest — files and sensitive credentials (such as OAuth tokens) are encrypted on disk.
• Row-level security— our database isolates each firm's data so that one firm's users cannot access another firm's information, even if there is a software bug.
• Authentication — accounts are protected by passwords stored as one-way hashes; we support and recommend two-factor authentication.
• Access controls — Cyperi employees and contractors only access customer data when required for support, debugging, or legal compliance, and such access is logged.
• Monitoring — we maintain audit logs and continuously monitor for unauthorised access or unusual activity.
• Regular updates — we patch software dependencies and security vulnerabilities promptly.

No method of electronic storage is 100% secure. If we become aware of a privacy breach that is likely to cause serious harm, we will notify affected users and the New Zealand Privacy Commissioner as required by the Privacy Act 2020.

10. Your rights

Under the New Zealand Privacy Act 2020, you have the right to:

• Access — request a copy of the personal information we hold about you.
• Correct — request correction of information that is inaccurate, incomplete, or out of date.
• Withdraw consent — disconnect third-party integrations, opt out of marketing emails, or close your account at any time.
• Delete — request deletion of your account and information, subject to the retention requirements in Section 8.
• Complain — lodge a complaint with us or with the Office of the Privacy Commissioner.

To exercise any of these rights, email us at privacy@cyperi.com. We will respond within 20 working days, the timeframe required by the Privacy Act.

If your firm uploads end client information into Cyperi, end clients should direct access and correction requests to your firm in the first instance, as you remain the controller of that information.

11. Cookies and tracking

We use a small number of cookies to operate the Services:

• Essential cookies — required to keep you signed in and to remember your session. These cannot be disabled while using the application.
• Functional cookies — remember your preferences, such as theme and timezone.
• Analytics cookies — measure anonymised usage patterns so we can improve the product. We use Vercel Analytics and similar privacy-respecting tools that do not track individuals across sites.

We do not use third-party advertising cookies and we do not sell information about your browsing behaviour.

You can control cookies through your browser settings. Disabling essential cookies will prevent the Services from working.

12. Children's privacy

Cyperi is intended for accounting professionals and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided information to us, please contact us so we can delete it.

13. Marketing communications

If you are an Account holder, we may send you product updates, tips, and information about new features. You can opt out at any time by clicking the unsubscribe link in any marketing email or by emailing us. Service-related communications (such as billing and security notices) cannot be opted out of while you have an active account.

If you use Cyperi's Marketing Engine to send communications to your end clients, you are responsible for ensuring you have the necessary consent under the Unsolicited Electronic Messages Act 2007 and equivalent law. Cyperi includes unsubscribe functionality in all marketing emails it sends on your behalf.

14. Changes to this policy

We may update this policy from time to time. When we make material changes, we will:

• Update the "Last updated" date at the top.
• Notify you by email and within the application at least 14 days before changes take effect.

Continuing to use the Services after changes take effect means you accept the updated policy. If you do not agree, you should stop using the Services and may close your account.

15. Contact us

For privacy questions, requests, or complaints:

• Email: privacy@cyperi.com
• General contact: hello@cyperi.com
• Postal: Cyperi, c/o Daniel Chan, [Insert NZ business address before launch]

If you are not satisfied with our response, you can contact the Office of the Privacy Commissioner of New Zealand:

• Website: privacy.org.nz
• Email: enquiries@privacy.org.nz
• Phone: 0800 803 909

This policy is provided in good faith. Cyperi recommends users seek their own legal advice for matters specific to their circumstances. This document is not legal advice from Cyperi to you.