Skip to content

Privacy Policy

Effective Date: February 16, 2026

Last Updated: February 17, 2026

1. Introduction

Adminest Limited ("we," "our," or "us"), based in Wellington, New Zealand, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered document management platform (the "Service"). This policy applies to users in New Zealand, Australia, the United Kingdom, the European Economic Area, California (USA), and globally.

2. Information We Collect

2.1 Information You Provide

  • Account information (name, email address) via Auth0 authentication
  • Documents and files you upload or email for processing
  • Calendar information when you connect Google or Microsoft calendars
  • Task, note, and category data you create within the platform
  • Communication preferences, privacy settings, and consent records
  • Feedback, support requests, and correspondence

2.2 Information Automatically Collected

  • Usage data and analytics via Google Analytics (only with your cookie consent)
  • Device information and browser type
  • IP address and approximate location
  • Application performance and error logs

3. Lawful Basis for Processing

Under GDPR Article 6, we process your personal data on the following bases:

Processing ActivityLawful Basis
Account creation and authenticationContract performance (Art 6(1)(b))
Document storage and AI analysisContract performance (Art 6(1)(b))
Security monitoring and fraud preventionLegitimate interests (Art 6(1)(f))
Analytics and service improvementLegitimate interests (Art 6(1)(f))
Analytics cookies (Google Analytics)Consent (Art 6(1)(a))
Marketing communicationsConsent (Art 6(1)(a))
Tax and accounting complianceLegal obligation (Art 6(1)(c))

4. How We Use Your Information

  • Provide, operate, and maintain the Service
  • Process documents using Azure Document Intelligence (OCR/text extraction) and Anthropic Claude via Azure AI Foundry (AI analysis, task extraction, summarisation)
  • Manage calendar integrations and create tasks from your documents
  • Provide AI chat assistance about your documents
  • Send transactional emails (via Postmark) about document processing and account activity
  • Detect, prevent, and address security issues
  • Comply with legal obligations

For details about AI processing, see our AI Transparency page. You can control AI processing in your Privacy Settings.

5. Sub-Processors and Third Parties

We share data with the following categories of service providers:

  • Auth0 (Okta): Authentication and identity management
  • Microsoft Azure: Cloud hosting, Blob Storage, Document Intelligence, AI Foundry (Claude), Service Bus, Application Insights
  • MongoDB Atlas: Database hosting
  • Postmark (ActiveCampaign): Transactional email delivery
  • Langfuse: AI observability (request metadata only, no PII)
  • Redis (Azure Container Apps): Caching, rate limiting, and distributed locks
  • Microsoft Azure — Application Insights: Application performance monitoring and error tracking
  • Google Analytics: Website analytics (only with cookie consent)

See our complete Sub-Processor Registry for details.

6. Information Sharing

We do not sell, trade, or rent your personal information. We may share your information only:

  • Service Providers: With sub-processors listed above, under data processing agreements
  • Legal Requirements: If required by law or valid legal process
  • Protection of Rights: To protect the rights, property, or safety of Adminest, our users, or others
  • Business Transfers: In connection with a merger, sale, or acquisition
  • With Your Consent: When you explicitly agree

7. International Data Transfers

Adminest is based in New Zealand. Your data may be transferred to the United States and other countries where our sub-processors operate. We ensure appropriate safeguards:

  • EU Standard Contractual Clauses (SCCs): For transfers from the EEA (GDPR Art 46(2)(c))
  • UK International Data Transfer Agreement (IDTA): For transfers from the UK
  • Transfer Impact Assessments: Conducted for each transfer destination

See our International Data Transfers page for full details.

8. Data Retention

Data TypePeriodReason
Account dataAccount lifetime + 90 daysService provision
Financial documents7 yearsTax/accounting compliance
User activity logs3 yearsSecurity, fraud prevention
Email processing logs1 yearDebugging, audit
System logs6 monthsTroubleshooting

Upon account deletion, we permanently delete your data within 90 days, except where retention is required by law.

9. Your Rights

GDPR / UK GDPR

  • Access (Art 15): Request a copy of your personal data
  • Rectification (Art 16): Request correction of inaccurate data
  • Erasure (Art 17): Request deletion ("right to be forgotten")
  • Restriction (Art 18): Request limitation of processing
  • Portability (Art 20): Receive data in a machine-readable format
  • Object (Art 21): Object to processing based on legitimate interests
  • Withdraw consent at any time where processing is consent-based
  • Lodge a complaint with your supervisory authority (e.g., ICO in the UK)

CCPA / CPRA (California)

  • Right to Know: What personal information we collect and how we use it
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate information
  • Right to Opt Out: We do not sell your personal information. You can exercise "Do Not Sell or Share" rights in Settings > Privacy
  • Right to Non-Discrimination: We will not discriminate for exercising your rights

We honour the Global Privacy Control (GPC) signal as a valid opt-out request.

Australian Privacy Act 1988

  • Access (APP 12): Request access to your personal information
  • Correction (APP 13): Request correction of inaccurate information
  • Complaint: Lodge a complaint with us or the OAIC (oaic.gov.au)

New Zealand Privacy Act 2020

  • Access (IPP 6): Request access to your personal information
  • Correction (IPP 7): Request correction
  • Complaint: Lodge a complaint with us or the NZ Privacy Commissioner

To exercise any right, contact privacy@adminest.com. We respond within 30 days (GDPR/UK GDPR) or 45 days (CCPA).

10. Cookies

We use essential cookies for authentication and optional analytics cookies (Google Analytics) with your consent. For full details, see our Cookie Policy.

11. Data Security

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Secure authentication via Auth0 with PKCE and refresh tokens
  • Hosted on Microsoft Azure with enterprise-grade security controls
  • OAuth token encryption (AES-256-GCM) for calendar integrations
  • Regular security monitoring and vulnerability scanning
  • Access controls and audit logging for all operations

12. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Art 33)
  • Notify affected users without undue delay if the breach is likely to result in a high risk to rights and freedoms (GDPR Art 34)
  • Provide details of the breach, its likely impact, and the measures taken to address it
  • Maintain a record of all data breaches and remedial actions taken

13. Children's Privacy

Our Service is not intended for individuals under 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you via email and display a notice on the Service. Your continued use after changes constitutes acceptance.

15. Representatives

UK Representative (GDPR Art 27): Richard Street, Director, Adminest Limited (dual UK/NZ citizen)

EU Representative (GDPR Art 27): To be appointed if/when required.

Australian Contact: To be appointed before Australian market entry.

15. Contact Us

If you have questions about this Privacy Policy, contact our Data Protection Officer:

Adminest Limited

Data Protection Officer

Email: privacy@adminest.com

Address: Wellington, New Zealand

Related Policies

Compliance Note:

This Privacy Policy is designed to comply with the NZ Privacy Act 2020, UK GDPR, EU GDPR, Australian Privacy Act 1988, and CCPA/CPRA. We are committed to protecting your privacy rights regardless of your location.

We use cookies to improve your experience. Essential cookies are always active. You can choose to enable analytics cookies to help us improve the service. Cookie Policy