FNA Manager Privacy Policy
Version 2.0 — Effective 30 March 2026
This Privacy Policy explains how FnA Manager Limited (Company Number 9348543, NZBN 9429052913075), trading as FNA Manager, collects, uses, stores, and protects personal information when you use our services. We are committed to complying with the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs).
We process your information on the basis of our contract with you (our Terms and Conditions), our legitimate business interests, and our legal obligations — not solely on the basis of consent.
Privacy Officer
Our Privacy Officer is responsible for ensuring compliance with the Privacy Act 2020. You can contact them at:
- Email: william@fnamanager.com
- Post: FnA Manager Limited, 59a Jack Boyd Drive, RD 2, Mangawhai 0573, New Zealand
What personal information we collect
We collect the following categories of personal information:
Information you provide directly
- Account information: Your name and email address, provided via Xero single sign-on (SSO) when you register.
- Billing information: Payment method details (processed and stored by Stripe — we do not store your credit card numbers).
- Support and communications: Any information you provide when you contact us, submit a contact form, or send us feedback.
Information synced from Xero (indirect collection)
When you connect your Xero account, we sync the following data from your Xero organisation:
- Contacts: Names, email addresses, phone numbers, and addresses of your customers and suppliers.
- Employees: Names, pay rates, wages, and employment details from Xero Payroll NZ.
- Financial data: Invoices, bills, chart of accounts, assets, and financial reports (P&L, balance sheet).
Important: Employee and contact data is collected indirectly — these individuals may not have interacted with FNA Manager directly. We rely on you, as the Xero account holder, to have appropriate authority to share this data with us for the purposes of providing the Services. If you employ staff whose data is synced via Xero Payroll, you should inform them that their employment data is processed by FNA Manager.
Information collected automatically
- Usage data: IP address, browser type, pages visited, and interaction patterns — collected via Google Analytics to help us understand how the Services are used.
- Session data: Authentication tokens and session identifiers necessary to keep you logged in.
Why we collect your information
We collect and use personal information for the following purposes:
| Purpose | Legal basis |
|---|---|
| Providing the Services (syncing data, displaying dashboards, job costing, etc.) | Contract |
| Processing payments and managing your subscription | Contract |
| Sending service-related communications (billing, security alerts, legal notices) | Contract |
| Verifying your identity for security purposes | Contract / Legitimate interest |
| Improving the Services and fixing bugs | Legitimate interest |
| Understanding how the Services are used (analytics) | Legitimate interest |
| Preventing fraud and ensuring security | Legitimate interest / Legal obligation |
| Retaining financial records as required by law | Legal obligation (Tax Administration Act 1994) |
| Sending marketing communications (optional — you can unsubscribe at any time) | Consent |
We do not use your personal information for advertising, profiling, or automated decision-making.
Who we share your information with
We share personal information only with the service providers necessary to operate FNA Manager. We never sell your data.
| Service provider | Purpose | Data shared | Location |
|---|---|---|---|
| Xero | Accounting data sync (bidirectional) | Contacts, invoices, employees, financial data | Australia / Global |
| Stripe | Payment processing | Billing details, email address | United States |
| Digital Ocean | Cloud hosting and data storage | All application data (encrypted) | Australia |
| Resend | Transactional email delivery | Email addresses, email content | United States |
| Sentry | Error monitoring and debugging | Error context (may include user IDs, request data) | United States |
| Analytics (Google Tag Manager) and bot prevention (reCAPTCHA) | IP address, browser data, usage patterns | United States |
We may also disclose personal information if required by law, court order, or to protect our rights, property, or safety.
In the event of a merger, acquisition, or sale of our business, your information may be transferred to the successor entity, who will be bound by this Privacy Policy.
Cross-border data transfers
Your data may be transferred to and stored in countries outside New Zealand, specifically Australia (AWS hosting) and the United States (Stripe, Resend, Sentry, Google). We take the following steps to protect your data:
- All data is encrypted in transit using TLS and at rest where supported by our hosting provider.
- Our service providers are bound by their own privacy policies and, where applicable, contractual obligations to protect your data.
- We only transfer data to providers that maintain security practices comparable to those required under New Zealand law.
Cookies and tracking
FNA Manager uses the following types of cookies:
Essential cookies (required)
- Session cookie: Keeps you logged in while you use the Services. Expires when you close your browser or after inactivity.
- CSRF token: Protects against cross-site request forgery attacks. Expires with your session.
Analytics cookies (optional)
- Google Analytics / Google Tag Manager: Collects anonymous usage data (pages visited, time on site, browser type) to help us understand how the Services are used. You can opt out by using a browser extension such as Google's Analytics opt-out add-on or by adjusting your browser cookie settings.
reCAPTCHA
- Google reCAPTCHA: Used on our contact form and registration page to prevent automated abuse. This may set cookies and collect usage data. Google's Privacy Policy and Terms of Service apply.
Data retention
We retain personal information for the following periods:
- Active account data: Retained for the duration of your subscription.
- Paused account data (post-trial): Retained for 90 days after your trial ends, then deleted.
- Post-termination data: Retained for 30 days after account termination to allow for data export, then permanently deleted.
- Financial and billing records: Retained for 7 years as required by the Tax Administration Act 1994.
- Error logs (Sentry): Retained for up to 90 days, then automatically purged.
- Analytics data (Google): Subject to Google's own retention policies.
After the applicable retention period, your data is permanently deleted or anonymised.
Data security
We take the security of your personal information seriously. Our measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS.
- Encryption at rest: Data stored on AWS is encrypted using server-side encryption.
- Access controls: Access to personal information is restricted to authorised personnel who need it to provide the Services.
- Authentication: We use Xero OAuth2 for authentication — we do not store passwords.
- Regular updates: We keep our software dependencies up to date and monitor for security vulnerabilities.
No system is 100% secure. While we use reasonable measures to protect your data, we cannot guarantee absolute security against all threats.
Privacy breach notification
In accordance with Part 6 of the Privacy Act 2020, if we become aware of a notifiable privacy breach — a breach that it is reasonable to believe has caused, or is likely to cause, serious harm to any affected individual — we will:
- Notify the Office of the Privacy Commissioner as soon as practicable;
- Notify affected individuals as soon as practicable, including details of the breach, what information was involved, and steps they can take; and
- Take reasonable steps to contain the breach and prevent recurrence.
Your rights
Under the New Zealand Privacy Act 2020, you have the following rights:
- Access (IPP 6): You can request a copy of the personal information we hold about you. We will respond within 20 working days.
- Correction (IPP 7): You can request that we correct any inaccurate or incomplete personal information.
- Deletion: You can request that we delete your personal information, except where we are required by law to retain it (such as financial records).
- Data export: You can request an export of Your Data in a common format (such as CSV) at any time during your subscription.
- Withdraw from marketing: You can unsubscribe from marketing communications at any time using the unsubscribe link in our emails.
To exercise any of these rights, contact our Privacy Officer at william@fnamanager.com.
Children
FNA Manager is a business service intended for users aged 18 and over. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a person under 18, we will take steps to delete it.
Anonymised and aggregated data
We may collect and use anonymised and aggregated data (from which you cannot reasonably be identified) to improve the Services and develop industry benchmarks. This data is not personal information and is not subject to this Privacy Policy.
Third-party services
The Services integrate with third-party services (principally Xero). Each third-party service has its own terms and privacy policy that govern your use of that service. We are not responsible for the privacy practices of third-party services.
International users
FNA Manager is a New Zealand company primarily serving New Zealand businesses. This Privacy Policy is governed by New Zealand law, including the Privacy Act 2020. If you are located outside New Zealand and have questions about how your local privacy laws may apply, please contact us at william@fnamanager.com.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email. The updated policy will be posted on the Site with a new version number and effective date.
Complaints
If you are not satisfied with how we have handled your personal information, you can:
- Contact our Privacy Officer at william@fnamanager.com.
- If we cannot resolve your concern, you may lodge a complaint with the Office of the Privacy Commissioner.
Contact
For any questions about this Privacy Policy or our privacy practices, contact us at william@fnamanager.com.
Version 2.0 — Last updated: 30 March 2026
Previous version: 1.0 (24 June 2024)