Last updated: 25 June 2025
Permanent URL: https://mydataxport.com/privacy-policy1 – Who we are
MyDataXport Limited (“MyDataXport”, “we”, “our”) is a New Zealand limited company (company no. 9352172, NZBN 9429052935992) incorporated on 25 June 2025.
Registered office & address for service
Empire St Limited, 23 Empire Street, Cambridge 3434, New Zealand
2 – What this Policy covers
It applies to (i) the MyDataXport web application, (ii) any mobile or desktop apps that link to it, and (iii) the marketing site at mydataxport.com.
3 – Information we collect
Category |
Typical items |
Purpose / lawful basis* |
Account data |
Name, email, organisation |
Contract – create & secure your account |
MYOB data |
Accounting records & attachments obtained via MYOB API |
Contract – performing automated backups |
Cloud-storage credentials |
Google Drive, OneDrive, Dropbox OAuth tokens |
Consent – upload backups you request |
Usage logs |
IP address, timestamps, error traces |
Legitimate interests – security & support |
Payment data |
Stripe customer ID, last-4 digits of card |
Contract – process annual subscription |
Cookies / analytics |
GA4, HubSpot on marketing site |
Consent – improve site performance |
* “Contract” = needed to deliver the Service you request; “Legitimate interests” = necessary for running the business in a way that does not override your privacy rights.
4 – How long we keep it
Data set |
Retention period |
Backup payloads on our servers |
Automatically deleted once successfully transferred to your cloud drive (typically < 5 minutes). |
Encrypted OAuth tokens |
Until you disconnect the integration or close your account. |
Usage & error logs |
12 months, then aggregated or erased. |
Billing records |
7 years (NZ Tax Administration Act). |
5 – Where data is processed
Primary servers are in New Zealand. Backups are stored by your chosen cloud-storage provider, which may host data outside NZ or Australia. We rely on NZ Privacy Act 2020 s22 and Australian Privacy Principle (APP) 8, and we use contractual safeguards with sub-processors.
6 – Security measures
• TLS 1.3 in transit, AES-256-GCM at rest
• Split-key KMS for token storage
• Annual penetration tests; ISO 27001-aligned controls
7 – Your rights
You may access, correct, or erase personal data we hold. Email [email protected] and we’ll respond within 20 working days (NZ) / 30 days (AU). If unsatisfied you can contact the NZ Privacy Commissioner or the Australian OAIC.
8 – Children
Our Service is not intended for children under 16; we do not knowingly collect data from them.
9 – Google API disclosure
Use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
10 – Changes to this Policy
We’ll post changes here and email account holders 14 days before substantive revisions take effect.
11 – Contact
Privacy Officer – MyDataXport
Limited
Email: [email protected]
Postal: PO Box 680, Cambridge 3434, New Zealand