Privacy Policy

DocStow is operated by Infadale Solutions ("DocStow", "we", "us", "our"), a New Zealand business committed to protecting your privacy. This Privacy Policy applies to the DocStow website (docstow.com), the DocStow web application, and any related services (collectively, the "Service"). We comply with the Privacy Act 2020 (New Zealand), the thirteen Information Privacy Principles (IPPs), and where applicable the EU General Data Protection Regulation (GDPR) and the UK GDPR.

1. Who we are

DocStow is operated by Infadale Solutions, New Zealand. NZBN: 9429053662200. Infadale Solutions is the data controller for the personal information you provide when using the Service. You can contact us at any time at privacy@docstow.com.

2. What information we collect

Information you provide to us

• Account information: your name, email address, and a password (stored only as a salted hash).
• Household information: household name, family member names and email addresses you choose to invite.
• Document content: the files you upload (passports, insurance policies, vehicle certificates, etc.) and any metadata you add (tags, expiry dates, notes).
• Billing information: if you subscribe to a paid plan, payment details are collected and processed directly by our payment processor Stripe. DocStow does not see or store your full card number.

Information we collect automatically

• Usage data: pages visited, features used, timestamps, and approximate location derived from IP address.
• Device data: browser type and version, operating system, and device identifiers.
• Log data: error reports and diagnostic information needed to keep the Service running.

3. How we use your information

We use your personal information only for the purposes below:

• To provide, maintain and improve the Service;
• To send you renewal reminders, account notifications and essential service emails;
• To process payments and manage subscriptions (via Stripe);
• To respond to your support requests and communicate with you;
• To detect, prevent and investigate fraud or abuse;
• To comply with legal obligations, court orders, and lawful requests from New Zealand authorities.

We do not sell, rent or trade your personal information. We do not use the contents of your documents to train AI models.

4. Legal basis for processing (GDPR)

For users in the EU, UK and EEA, our legal bases for processing are contractual necessity (to deliver the Service you signed up for), legitimate interest (to keep the Service secure and improve it), consent (for optional analytics and marketing emails), and legal obligation (where required by law).

5. Where your data is stored

Your documents and account data are stored in Supabase's Sydney (ap-southeast-2) region on encrypted infrastructure operated by Amazon Web Services. We chose an ANZ region for proximity to New Zealand and Australian households. Some sub-processors (see section 8) may process limited data in other regions; these transfers are protected by Standard Contractual Clauses or equivalent safeguards where required.

6. How we protect your data

• Encryption at rest: provider-managed encryption for document storage, database services, and backups.
• Encryption in transit: HTTPS for traffic between your device and DocStow.
• Row Level Security: enforced at the database layer so only you and people you choose to share with can see the items made available to them.
• Access controls: DocStow staff do not access customer documents except where strictly necessary for support and only with your explicit consent.
• Audit logging: privileged actions are logged and retained for incident investigation.

For the full technical picture, see our Security page.

7. How long we keep your data

We retain your personal information for as long as your account is active. If you delete your account, we will permanently delete your documents, metadata and account data within 30 days, except where we are legally required to retain certain records (e.g. tax invoices for 7 years under New Zealand tax law). Backups are purged within 90 days of deletion.

8. Sub-processors

We use a small number of carefully vetted third parties to operate the Service. Each is bound by data processing agreements that require them to protect your data to the same standard we do.

• Supabase Inc. — database, authentication and document storage (Sydney region).
• Amazon Web Services (AWS) — underlying cloud infrastructure (Sydney region).
• Stripe, Inc. — payment processing for paid subscriptions.
• Resend — transactional email delivery (notifications, reminders, password resets).
• OpenAI, L.L.C. — used on an opt-in basis for AI-powered document extraction. Data sent for extraction is not used to train OpenAI models under OpenAI's business API terms.
• Google Analytics and Microsoft Clarity — optional website analytics loaded only after consent where configured. These tools help us understand public-site and product usability without advertising targeting.

9. Cookies

We use a minimal set of first-party cookies strictly necessary to keep you logged in and to protect against cross-site request forgery. We may also use consent-controlled analytics on the public website and app to understand page performance, navigation, and product usability. We do not use advertising or cross-site ad tracking cookies. You can disable cookies in your browser, but parts of the Service will not work.

10. Your rights

Under the New Zealand Privacy Act 2020, and (where applicable) the GDPR, you have the right to:

• Access the personal information we hold about you;
• Request correction of information that is inaccurate or incomplete;
• Request deletion of your personal information (the "right to be forgotten");
• Export your data in a portable format (ZIP download available from your account settings);
• Object to or restrict certain processing;
• Withdraw consent for optional processing such as analytics or marketing emails;
• Lodge a complaint with the Office of the Privacy Commissioner (New Zealand) or your local supervisory authority.

To exercise any of these rights, email privacy@docstow.com. We will respond within 20 working days. You can also change analytics consent from the cookie preferences control in the landing page footer.

11. Children

DocStow is not intended for use by children under 16. We do not knowingly collect personal information directly from children. Parents and guardians may, of course, store documents relating to their children within their own DocStow household.

12. Data breach notification

In the unlikely event of a privacy breach that is likely to cause serious harm, we will notify affected users and the Office of the Privacy Commissioner as required by Part 6 of the Privacy Act 2020, and (where applicable) the relevant supervisory authority under the GDPR.

13. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and post a prominent notice on the Service at least 14 days before the changes take effect.

14. Contact us

Questions, concerns or requests about this Privacy Policy?
Email: privacy@docstow.com
Post: Infadale Solutions, Privacy Officer, Auckland, New Zealand