Privacy Policy
Effective Date: February 16, 2026
Last Updated: February 17, 2026
1. Introduction
Adminest Limited ("we," "our," or "us"), based in Wellington, New Zealand, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered document management platform (the "Service"). This policy applies to users in New Zealand, Australia, the United Kingdom, the European Economic Area, California (USA), and globally.
2. Information We Collect
2.1 Information You Provide
- Account information (name, email address) via Auth0 authentication
- Documents and files you upload or email for processing
- Calendar information when you connect Google or Microsoft calendars
- Task, note, and category data you create within the platform
- Communication preferences, privacy settings, and consent records
- Feedback, support requests, and correspondence
2.2 Information Automatically Collected
- Usage data and analytics via Google Analytics (only with your cookie consent)
- Device information and browser type
- IP address and approximate location
- Application performance and error logs
3. Lawful Basis for Processing
Under GDPR Article 6, we process your personal data on the following bases:
| Processing Activity | Lawful Basis |
|---|---|
| Account creation and authentication | Contract performance (Art 6(1)(b)) |
| Document storage and AI analysis | Contract performance (Art 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interests (Art 6(1)(f)) |
| Analytics and service improvement | Legitimate interests (Art 6(1)(f)) |
| Analytics cookies (Google Analytics) | Consent (Art 6(1)(a)) |
| Marketing communications | Consent (Art 6(1)(a)) |
| Tax and accounting compliance | Legal obligation (Art 6(1)(c)) |
4. How We Use Your Information
- Provide, operate, and maintain the Service
- Process documents using Azure Document Intelligence (OCR/text extraction) and Anthropic Claude via Azure AI Foundry (AI analysis, task extraction, summarisation)
- Manage calendar integrations and create tasks from your documents
- Provide AI chat assistance about your documents
- Send transactional emails (via Postmark) about document processing and account activity
- Detect, prevent, and address security issues
- Comply with legal obligations
For details about AI processing, see our AI Transparency page. You can control AI processing in your Privacy Settings.
5. Sub-Processors and Third Parties
We share data with the following categories of service providers:
- Auth0 (Okta): Authentication and identity management
- Microsoft Azure: Cloud hosting, Blob Storage, Document Intelligence, AI Foundry (Claude), Service Bus, Application Insights
- MongoDB Atlas: Database hosting
- Postmark (ActiveCampaign): Transactional email delivery
- Langfuse: AI observability (request metadata only, no PII)
- Redis (Azure Container Apps): Caching, rate limiting, and distributed locks
- Microsoft Azure — Application Insights: Application performance monitoring and error tracking
- Google Analytics: Website analytics (only with cookie consent)
See our complete Sub-Processor Registry for details.
6. Information Sharing
We do not sell, trade, or rent your personal information. We may share your information only:
- Service Providers: With sub-processors listed above, under data processing agreements
- Legal Requirements: If required by law or valid legal process
- Protection of Rights: To protect the rights, property, or safety of Adminest, our users, or others
- Business Transfers: In connection with a merger, sale, or acquisition
- With Your Consent: When you explicitly agree
7. International Data Transfers
Adminest is based in New Zealand. Your data may be transferred to the United States and other countries where our sub-processors operate. We ensure appropriate safeguards:
- EU Standard Contractual Clauses (SCCs): For transfers from the EEA (GDPR Art 46(2)(c))
- UK International Data Transfer Agreement (IDTA): For transfers from the UK
- Transfer Impact Assessments: Conducted for each transfer destination
See our International Data Transfers page for full details.
8. Data Retention
| Data Type | Period | Reason |
|---|---|---|
| Account data | Account lifetime + 90 days | Service provision |
| Financial documents | 7 years | Tax/accounting compliance |
| User activity logs | 3 years | Security, fraud prevention |
| Email processing logs | 1 year | Debugging, audit |
| System logs | 6 months | Troubleshooting |
Upon account deletion, we permanently delete your data within 90 days, except where retention is required by law.
9. Your Rights
GDPR / UK GDPR
- Access (Art 15): Request a copy of your personal data
- Rectification (Art 16): Request correction of inaccurate data
- Erasure (Art 17): Request deletion ("right to be forgotten")
- Restriction (Art 18): Request limitation of processing
- Portability (Art 20): Receive data in a machine-readable format
- Object (Art 21): Object to processing based on legitimate interests
- Withdraw consent at any time where processing is consent-based
- Lodge a complaint with your supervisory authority (e.g., ICO in the UK)
CCPA / CPRA (California)
- Right to Know: What personal information we collect and how we use it
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate information
- Right to Opt Out: We do not sell your personal information. You can exercise "Do Not Sell or Share" rights in Settings > Privacy
- Right to Non-Discrimination: We will not discriminate for exercising your rights
We honour the Global Privacy Control (GPC) signal as a valid opt-out request.
Australian Privacy Act 1988
- Access (APP 12): Request access to your personal information
- Correction (APP 13): Request correction of inaccurate information
- Complaint: Lodge a complaint with us or the OAIC (oaic.gov.au)
New Zealand Privacy Act 2020
- Access (IPP 6): Request access to your personal information
- Correction (IPP 7): Request correction
- Complaint: Lodge a complaint with us or the NZ Privacy Commissioner
To exercise any right, contact privacy@adminest.com. We respond within 30 days (GDPR/UK GDPR) or 45 days (CCPA).
10. Cookies
We use essential cookies for authentication and optional analytics cookies (Google Analytics) with your consent. For full details, see our Cookie Policy.
11. Data Security
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Secure authentication via Auth0 with PKCE and refresh tokens
- Hosted on Microsoft Azure with enterprise-grade security controls
- OAuth token encryption (AES-256-GCM) for calendar integrations
- Regular security monitoring and vulnerability scanning
- Access controls and audit logging for all operations
12. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Art 33)
- Notify affected users without undue delay if the breach is likely to result in a high risk to rights and freedoms (GDPR Art 34)
- Provide details of the breach, its likely impact, and the measures taken to address it
- Maintain a record of all data breaches and remedial actions taken
13. Children's Privacy
Our Service is not intended for individuals under 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, contact us immediately.
14. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via email and display a notice on the Service. Your continued use after changes constitutes acceptance.
15. Representatives
UK Representative (GDPR Art 27): Richard Street, Director, Adminest Limited (dual UK/NZ citizen)
EU Representative (GDPR Art 27): To be appointed if/when required.
Australian Contact: To be appointed before Australian market entry.
15. Contact Us
If you have questions about this Privacy Policy, contact our Data Protection Officer:
Related Policies
Compliance Note:
This Privacy Policy is designed to comply with the NZ Privacy Act 2020, UK GDPR, EU GDPR, Australian Privacy Act 1988, and CCPA/CPRA. We are committed to protecting your privacy rights regardless of your location.
