Privacy Policy

Last updated: 25 June 2025

Permanent URL: https://mydataxport.com/privacy-policy

1 – Who we are

MyDataXport Limited (“MyDataXport”, “we”, “our”) is a New Zealand limited company (company no. 9352172, NZBN 9429052935992) incorporated on 25 June 2025.

Registered office & address for service

Empire St Limited, 23 Empire Street, Cambridge 3434, New Zealand

2 – What this Policy covers

It applies to (i) the MyDataXport web application, (ii) any mobile or desktop apps that link to it, and (iii) the marketing site at mydataxport.com.

3 – Information we collect

Category

Typical items

Purpose / lawful basis*

Account data

Name, email, organisation

Contract – create & secure your account

MYOB data

Accounting records & attachments obtained via MYOB API

Contract – performing automated backups

Cloud-storage credentials

Google Drive, OneDrive, Dropbox OAuth tokens

Consent – upload backups you request

Usage logs

IP address, timestamps, error traces

Legitimate interests – security & support

Payment data

Stripe customer ID, last-4 digits of card

Contract – process annual subscription

Cookies / analytics

GA4, HubSpot on marketing site

Consent – improve site performance

* “Contract” = needed to deliver the Service you request; “Legitimate interests” = necessary for running the business in a way that does not override your privacy rights.

4 – How long we keep it

Data set

Retention period

Backup payloads on our servers

Automatically deleted once successfully transferred to your cloud drive (typically < 5 minutes).

Encrypted OAuth tokens

Until you disconnect the integration or close your account.

Usage & error logs

12 months, then aggregated or erased.

Billing records

7 years (NZ Tax Administration Act).

5 – Where data is processed

Primary servers are in New Zealand. Backups are stored by your chosen cloud-storage provider, which may host data outside NZ or Australia. We rely on NZ Privacy Act 2020 s22 and Australian Privacy Principle (APP) 8, and we use contractual safeguards with sub-processors.

6 – Security measures

• TLS 1.3 in transit, AES-256-GCM at rest
• Split-key KMS for token storage
• Annual penetration tests; ISO 27001-aligned controls

7 – Your rights

You may access, correct, or erase personal data we hold. Email [email protected] and we’ll respond within 20 working days (NZ) / 30 days (AU). If unsatisfied you can contact the NZ Privacy Commissioner or the Australian OAIC.

8 – Children

Our Service is not intended for children under 16; we do not knowingly collect data from them.

9 – Google API disclosure

Use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

10 – Changes to this Policy

We’ll post changes here and email account holders 14 days before substantive revisions take effect.

11 – Contact

Privacy Officer – MyDataXport Limited
Email: [email protected]
Postal: PO Box 680, Cambridge 3434, New Zealand