Privacy Policy
Last updated: 9 April 2026. This policy explains what personal information DocStow collects, how we use it, and the rights you have over it.
DocStow Ltd ("DocStow", "we", "us", "our") is a New Zealand company committed to protecting your privacy. This Privacy Policy applies to the DocStow website (docstow.com), the DocStow web application, and any related services (collectively, the "Service"). We comply with the Privacy Act 2020 (New Zealand), the thirteen Information Privacy Principles (IPPs), and where applicable the EU General Data Protection Regulation (GDPR) and the UK GDPR.
1. Who we are
DocStow Ltd is the data controller for the personal information you provide when using the Service. You can contact us at any time at privacy@docstow.com.
2. What information we collect
Information you provide to us
- Account information: your name, email address, and a password (stored only as a salted hash).
- Household information: household name, family member names and email addresses you choose to invite.
- Document content: the files you upload (passports, insurance policies, vehicle certificates, etc.) and any metadata you add (tags, expiry dates, notes).
- Billing information: if you subscribe to a paid plan, payment details are collected and processed directly by our payment processor Stripe. DocStow does not see or store your full card number.
Information we collect automatically
- Usage data: pages visited, features used, timestamps, and approximate location derived from IP address.
- Device data: browser type and version, operating system, and device identifiers.
- Log data: error reports and diagnostic information needed to keep the Service running.
3. How we use your information
We use your personal information only for the purposes below:
- To provide, maintain and improve the Service;
- To send you renewal reminders, account notifications and essential service emails;
- To process payments and manage subscriptions (via Stripe);
- To respond to your support requests and communicate with you;
- To detect, prevent and investigate fraud or abuse;
- To comply with legal obligations, court orders, and lawful requests from New Zealand authorities.
We do not sell, rent or trade your personal information. We do not use the contents of your documents to train AI models.
4. Legal basis for processing (GDPR)
For users in the EU, UK and EEA, our legal bases for processing are contractual necessity (to deliver the Service you signed up for), legitimate interest (to keep the Service secure and improve it), consent (for optional marketing emails), and legal obligation (where required by law).
5. Where your data is stored
Your documents and account data are stored in Supabase's Sydney (ap-southeast-2) region on encrypted infrastructure operated by Amazon Web Services. We deliberately chose an ANZ region so Kiwi and Australian families can be confident that their data never leaves the neighbourhood for storage. Some sub-processors (see section 8) may process limited data in other regions; these transfers are protected by Standard Contractual Clauses or equivalent safeguards.
6. How we protect your data
- Encryption at rest: AES-256 on all document storage and database backups.
- Encryption in transit: TLS 1.3 on every connection between your device and our servers.
- Row Level Security: enforced at the database layer so only you and the family members you invite can ever see your household's data.
- Access controls: DocStow staff do not access customer documents except where strictly necessary for support and only with your explicit consent.
- Audit logging: privileged actions are logged and retained for incident investigation.
For the full technical picture, see our Security page.
7. How long we keep your data
We retain your personal information for as long as your account is active. If you delete your account, we will permanently delete your documents, metadata and account data within 30 days, except where we are legally required to retain certain records (e.g. tax invoices for 7 years under New Zealand tax law). Backups are purged within 90 days of deletion.
8. Sub-processors
We use a small number of carefully vetted third parties to operate the Service. Each is bound by data processing agreements that require them to protect your data to the same standard we do.
- Supabase Inc. — database, authentication and document storage (Sydney region).
- Amazon Web Services (AWS) — underlying cloud infrastructure (Sydney region).
- Stripe, Inc. — payment processing for paid subscriptions.
- Resend — transactional email delivery (notifications, reminders, password resets).
- OpenAI, L.L.C. — used on an opt-in basis for AI-powered document extraction. Data sent for extraction is not used to train OpenAI models and is deleted within 30 days.
9. Cookies
We use a minimal set of first-party cookies strictly necessary to keep you logged in and to protect against cross-site request forgery. We do not use advertising or cross-site tracking cookies. You can disable cookies in your browser, but parts of the Service will not work.
10. Your rights
Under the New Zealand Privacy Act 2020, and (where applicable) the GDPR, you have the right to:
- Access the personal information we hold about you;
- Request correction of information that is inaccurate or incomplete;
- Request deletion of your personal information (the "right to be forgotten");
- Export your data in a portable format (ZIP download available from your account settings);
- Object to or restrict certain processing;
- Withdraw consent for optional processing (such as marketing emails);
- Lodge a complaint with the Office of the Privacy Commissioner (New Zealand) or your local supervisory authority.
To exercise any of these rights, email privacy@docstow.com. We will respond within 20 working days.
11. Children
DocStow is not intended for use by children under 16. We do not knowingly collect personal information directly from children. Parents and guardians may, of course, store documents relating to their children within their own DocStow household.
12. Data breach notification
In the unlikely event of a privacy breach that is likely to cause serious harm, we will notify affected users and the Office of the Privacy Commissioner as required by Part 6 of the Privacy Act 2020, and (where applicable) the relevant supervisory authority under the GDPR.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and post a prominent notice on the Service at least 14 days before the changes take effect.
14. Contact us
Questions, concerns or requests about this Privacy Policy?
Email: privacy@docstow.com
Post: DocStow Ltd, Privacy Officer, Auckland, New Zealand