Privacy Policy
Effective 8 May 2026 · Last reviewed draft 17 June 2026
ClearHold is operated in New Zealand and is subject to the Privacy Act 2020. This policy explains what personal information we collect, why we collect it, what we do with it, who we share it with, and the rights you have over it. If you would like the short version: we collect rental-tax records that you enter or that your bank passes to us via Akahu, we use them to prepare your figures for IR3R, we never sell them, and you can export or delete them at any time.
1. What we collect
- Account: your name, email address, and password (bcrypt-hashed).
- Property data: addresses, purchase dates, loan details, estimated values, ownership shares, and chattels that you enter.
- Transactions: rental income and expense records you enter, or that we receive via Akahu bank sync.
- Billing: Stripe payment records (subscription state, invoice references, receipts). We don't store card details — Stripe handles that.
- Eligibility and pack-generation records: when you generate a tax pack, we record what was generated, what disclosures we showed you at the time, and what you acknowledged.
- Operational telemetry: server-side request logs, error reports, session and audit metadata. See section 5 for detail.
1A. Information we collect indirectly
Some information about you reaches ClearHold from third parties rather than from you directly. The Privacy Act 2020 (IPP 3A, in force 1 May 2026) requires us to make you aware of this. The third parties below are services you have separately authorised — but the data they pass back to ClearHold is information about you that we are receiving indirectly, and you have rights over it.
- Akahu (NZ): when you connect your bank, Akahu retrieves transaction records from your bank under a read-only consent you grant inside Akahu. ClearHold then receives those transactions (date, amount, description, counterparty, account identifier). Detail of how the sync works is in section 1B.
- Stripe (USA / NZ): when you pay or update billing, Stripe sends ClearHold confirmation records (subscription status, invoice references, and the card brand and last four digits, which we use for support). Purpose: to keep your subscription state current and produce receipts. We never receive full card numbers.
- Google Maps Platform (USA): when you enter a property address, ClearHold's server proxies a request to Google to retrieve a Street View / static-map image and a geocode (latitude / longitude). Purpose: to display the property image and pin the property location. The geocode is stored on the property record. Requests are made server-side, so Google receives ClearHold's server request rather than your browser's IP address; Google does receive the property address or coordinates needed to return the map or image.
- Addy Solutions (NZ): address-autocomplete suggestions are returned to ClearHold as you type. Purpose: to validate the property address. The data we keep is the address you select, not the search history.
For each of these, you have the same rights described in section 8 — to access the information we hold, correct it, or have it deleted. The processors we use are listed in section 6. We are the agency you can contact about indirect collection: see section 15.
1B. Akahu bank-sync mechanics
Because bank-feed sync is a privacy-significant operation, here is what actually happens:
- Consent scope. ClearHold requests Akahu's `ENDURING_CONSENT` scope, which is read-only. We cannot move money. We cannot initiate payments. We never see your bank password.
- Account selection. You choose which accounts to expose during the Akahu authorisation flow inside Akahu's UI. We receive transactions only from the accounts you selected.
- Initial import. The first time a connection runs, ClearHold imports the last 90 days of transactions from the selected accounts so you can categorise the recent past.
- Ongoing sync. Subsequent syncs pull a rolling 7-day window. Sync runs when you trigger it from the app and on a scheduled basis while your account is active and your subscription is current.
- Token storage. The Akahu user token is stored encrypted at rest using ActiveRecord encryption. It is decrypted in memory only at the moment we make a request to Akahu on your behalf.
- Revocation. You can revoke ClearHold's access at any time from your Account page or directly inside Akahu. After revocation, no further transactions are imported. Transactions already imported into your ClearHold account remain there as your records, and you can edit or delete them through the standard rights in section 8.
- External revocation. If Akahu invalidates the consent (your bank disconnected it, you revoked at Akahu, the consent expired), our next sync detects the rejection, marks the connection inactive, and prompts you to reconnect.
2. How we use it
We use your information to:
- provide the ClearHold service — store your records, prepare the figures that feed into your IR3R, generate accountant packs;
- send transactional emails (receipts, activation, renewal reminders, breach or service notices);
- support you when you ask us for help;
- improve transaction categorisation for your account, using patterns derived from your own prior categorisations on your own account (see section 4 for what we do not do);
- monitor service health and investigate errors, abuse, and suspected fraud;
- comply with our own legal, tax, and accounting record-keeping obligations;
- obtain professional advice (legal, accounting, security) where needed, on a confidential basis.
We don't sell, rent, or share your data for marketing, advertising, or third-party analytics. We don't use your records to train AI models — see section 4.
3. Information about other people you provide
Rental-property records routinely contain personal information about people other than you — tenants, co-owners, spouses, contractors, accountants, property managers — and may also reveal occupied addresses. By uploading or syncing this information, you confirm you have a lawful basis to provide it to ClearHold for the purposes of preparing your tax records.
ClearHold uses information about other people only to:
- provide the service to you (e.g. classifying a rent payment from a named tenant as rental income);
- generate tax records and packs you choose to produce;
- provide support when you ask us for help;
- meet legal obligations and maintain security and audit trails.
If a third party named in your records contacts us with an access, correction, or deletion request, we will work with you to handle it, because in most cases you are the agency holding that information and ClearHold is processing it on your instruction.
4. AI and automated processing
The tax-eligibility and figure-preparation logic inside ClearHold is deterministic — written rules, not AI models. We do not send your account, property, transaction, or pack data to OpenAI, Anthropic, Google's Gemini APIs, or any other generative-AI provider for processing or training.
Transaction categorisation uses an in-app rules engine plus per-user pattern matching against your own prior categorisations. It runs entirely on ClearHold's servers and does not send your data to third-party model providers. Categorisation is decision-support: every Akahu-imported transaction starts in a "needs review" state until you confirm or change the suggested category.
If we ever introduce AI-assisted features that involve sending your data to a model provider, we will update this section and notify you before that processing begins.
5. Cookies, logs, and session data
- Session cookies. ClearHold uses a signed, HTTP-only, Secure, `SameSite=Lax` session cookie to keep you signed in. Sessions expire after 12 hours of inactivity.
- CSRF tokens. Standard Rails cross-site-request-forgery tokens are issued per session. They are valid only for your current session and are used solely to reject forged cross-site requests; they are not used to identify or track you.
- Login-step-up cookies. When email-OTP step-up authentication is enabled, a short-lived signed cookie identifies the pending login challenge. It is cleared as soon as you complete the challenge.
- Server logs. Our hosting provider (Railway) records standard request and response metadata (timestamp, request path, status code, IP address, user-agent). Sensitive parameters (passwords, tokens, OTP codes) are filtered before logs are written. Logs are kept for Railway's standard log-retention period and are then rotated out.
- Error reporting. Unhandled errors are reported to Sentry for investigation. We strip parameters from breadcrumbs and do not send transaction amounts, descriptions, or property details to Sentry by default.
- Audit trail. Edits to property, transaction, and chattel records are versioned with PaperTrail so we can investigate "what changed" if you ask us to.
- Email tracking. Transactional emails sent via Postmark do not include open- or click-tracking pixels. We rely on Postmark's delivery and bounce reports only.
- Marketing site analytics. The marketing site at clearhold.nz uses Plausible — cookieless and anonymous. The app at app.clearhold.nz does not run third-party analytics or trackers.
6. Subprocessors
We use a small set of trusted service providers to run ClearHold. The table below lists each one, where they process data, what we send them, and the basis we rely on for using them.
| Provider | Location | Purpose | Data processed | Basis |
|---|---|---|---|---|
| Railway | USA | Hosting and managed Postgres database | Account, property, transaction, pack, billing, log data | Public privacy commitments and security posture; SOC 2 Type II. |
| Akahu | NZ | Read-only bank-feed connection (you authorise directly) | Bank account metadata, transaction records, encrypted user token | NZ-based; covered by NZ Privacy Act 2020. |
| Stripe | USA / NZ | Payment processing (merchant of record) | Email address, name, billing country, subscription and invoice metadata | Data Processing Addendum; Stripe Privacy Policy. |
| Postmark | USA | Transactional email delivery | Email address, message subject and body, delivery metadata | Data Processing Addendum; Postmark Privacy Policy. |
| Google Maps Platform | USA | Geocoding and Street View / static-map images for property pages | Property address or coordinates (server-side request) | Google Maps Platform Terms. |
| Addy Solutions | NZ | NZ address autocomplete | Address search and selection data | NZ-based; covered by NZ Privacy Act 2020. |
| Sentry | USA | Application error reporting | Error stack traces and request metadata (sensitive params filtered) | Sentry Data Processing Addendum. |
We do not use any third-party advertising networks, analytics trackers, AI model providers, or data brokers. If you would like to see the contractual basis for any of the providers above, email us and we will share what we hold.
7. Cross-border processing (IPP 12)
Some of the processors above operate outside New Zealand. Under IPP 12, we may disclose personal information overseas only where the recipient is subject to comparable safeguards or another exception applies. Our position is:
- Akahu and Addy Solutions are NZ-based and remain inside the Privacy Act 2020 framework.
- Stripe and Postmark operate under written Data Processing Addenda that bind them to comparable confidentiality, security, and onward-transfer commitments.
- Railway, Google Maps Platform, and Sentry rely on their published privacy commitments and security posture (including SOC 2 reporting where applicable) as the basis we have used to assess comparable safeguards.
We do not disclose your personal information to any other overseas recipient outside the list above without your consent or another lawful basis.
8. Your rights
Under Information Privacy Principles 6, 7, and 9 of the Privacy Act 2020, you have the right to:
- Access the personal information we hold about you. Sign in and visit your Account page to download a complete JSON export of your records at any time. You may also request the same data by email and we'll send it within 20 working days.
- Correct it if it's wrong. Most fields are editable inline in the app; if a record won't update, email us and we'll fix it.
- Delete your account from the same Account page, or by emailing us. We mark the account for deletion immediately, sign you out, and permanently delete personal records 90 days later (the 90-day window lets you change your mind without losing the records). Billing records are retained per Tax Administration Act 1994 s 22, typically 7 years, but only ClearHold's own billing records, not your underlying tax records (see section 9).
- Complain to the Office of the Privacy Commissioner at privacy.org.nz if you believe we've mishandled your information.
9. Retention, deletion, and backups
We keep your data while your account is active. When you ask us to delete your account, personal records (properties, transactions, bank-connection metadata, loans, chattels, category rules, ring-fenced loss balances) are exportable for a 90-day grace window, then permanently deleted from the live database.
Backups. Our hosting provider (Railway) takes automated daily backups of the production database. Backups are encrypted and rotated on Railway's standard retention cycle. After we delete your records from the live database, residual copies may persist in those rolling backups until they age out of rotation. We do not restore from backups except for disaster recovery; we do not mine backups for analytics or training; and we do not selectively re-extract individual users' deleted data from backups.
Billing records. ClearHold's own billing records — Stripe customer ID, subscription history, refund history — are retained for at least 7 years to satisfy our obligations under the Tax Administration Act 1994. These are our business records of the transaction we had with you, not a statutory archive of your tax records.
Eligibility and pack-generation records. When you generate a tax pack, ClearHold creates a record of what was generated and what disclosures were shown to you at the time. These records are retained for 7 years from the relevant tax year (or from the date of the latest pack you generated for that year, whichever is later). They contain timestamps, the eligibility status ClearHold assessed at the time, the disclosures you acknowledged, and an internal identifier — but not your name or email after account deletion.
Your own record-keeping. You remain responsible for keeping your own tax records, exports, and accountant packs for the period required by law, even after deleting your ClearHold account. ClearHold is a tool you use to prepare and export your records; it is not your statutory archive.
10. Security
The list below describes controls we actually have in place. We have deliberately not claimed certifications we don't hold.
- Transport encryption. All traffic to and from ClearHold is HTTPS only, with HSTS and modern TLS configured at the edge.
- Authentication. Passwords are bcrypt-hashed (minimum 10 characters, with a character-class variation rule). Sessions expire after 12 hours of inactivity. Email-OTP step-up authentication is implemented and can be enforced.
- Encryption at rest. Sensitive tokens — including the Akahu user token — are encrypted at rest in the database using ActiveRecord encryption. Railway's managed Postgres also encrypts the underlying volume.
- Bank access. Read-only via Akahu's `ENDURING_CONSENT` scope. ClearHold cannot move money. We never see your bank password.
- Card data. Card numbers never touch ClearHold. Stripe acts as merchant of record and hosts the payment forms.
- Secrets management. Application secrets live in Rails encrypted credentials and Railway environment variables. Pre-commit hooks scan staged diffs for accidentally committed secrets.
- Access control. Every controller requires authentication by default; public endpoints are an explicit allowlist. Per-record authorisation scopes every database query to the signed-in user, so one user's records cannot be read or changed through another user's session.
- Operator access. Only the operator has production access. Production access is least-privilege and used only for support, security, or legal reasons. Routine manual review of user transactions does not occur. Database actions are auditable through Railway logs and the in-app audit trail.
- Vulnerability management. Dependabot, `bundler-audit`, and Brakeman run on every change. An independent grey-box penetration test by a trusted NZ security professional is scheduled before Phase 1 opens.
- Incident response. Sentry pages the operator on unhandled errors. We maintain a one-page incident runbook covering Sentry storms, Stripe webhook failures, Akahu sync outages, suspected breach, and database recovery, with a post-incident timeline and a 5-day post-mortem cadence.
11. Notifying you of a serious privacy breach
Under Part 6 of the Privacy Act 2020, if ClearHold suffers a notifiable privacy breach (a breach where there is a real risk of serious harm), we will notify you and the Office of the Privacy Commissioner as soon as practicable after becoming aware of it, and we aim to do so within 72 hours. The notification will tell you what happened, what data was involved, what we're doing about it, and what you can do to protect yourself.
12. Lawful disclosures
We may disclose personal information where required by law, court order, lawful regulator request, to enforce our terms, to protect the security of our service or our users, or to obtain professional advice — but only to the extent reasonably necessary and only after we are satisfied the request is valid. Where the law allows, we will tell you about the request before disclosing.
13. Children
ClearHold is built for adult landlords managing tax for their own rental properties. We do not knowingly collect information from anyone under 16. If you believe a minor has signed up, email us and we'll delete the account.
14. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email to your account address at least 14 days before they take effect. Continued use of the service after the effective date means you accept the updated policy.
15. Operator identity and contact
ClearHold is operated by:
- Operator: Andy McInnes
- Trading name: Clearhold
- Entity: ClearHold Limited (registration in progress; NZBN to be added once issued)
- Postal address: 173A St Heliers Bay Road, St Heliers, Auckland 1071, New Zealand
- Privacy Officer: Andy McInnes
- Email: hello@clearhold.nz
For access, correction, deletion, or any other privacy request, email the Privacy Officer at the address above. We respond within 20 working days as required under the Act.
A summary Privacy Impact Assessment covering ClearHold's data flows and risk treatments is available on request.