Privacy Policy

Last updated: April 2026

Kōrero Tax ("we", "us", "our") is a GST filing reminder service for New Zealand businesses. This policy explains what personal information we collect, how we use it, and your rights under the New Zealand Privacy Act 2020.

What we collect

We collect and store the following information:

• Your email address (provided by you for notifications)
• Your Xero organisation name and GST number
• OAuth access and refresh tokens (encrypted, used to connect to your Xero account)
• GST period data derived from your Xero account (filing status, payment status, due dates)
• For firm accounts: firm name, email address, and hashed password

How we use your information

We use your information solely to:

• Check your GST filing and payment status via the Xero API
• Send you email reminders about upcoming, due, and overdue GST returns
• Display your GST status on your dashboard

We do not sell, share, or disclose your information to any third parties other than as described in this policy.

Xero API access

When you connect your Xero account, we request only the minimum permissions (scopes) needed:

• accounting.settings — to read your organisation name and GST number
• accounting.reports.taxreports.read — to detect filed GST returns
• accounting.banktransactions.read — to match GST payments to IRD

We do not have write access to your Xero data. You can revoke our access at any time through Xero's Connected Apps settings.

Data storage and security

Your data is stored on Amazon Web Services (AWS) in the ap-southeast-2 region (Sydney, Australia). OAuth tokens are encrypted at rest. Passwords are hashed using bcrypt. Sessions use encrypted, HTTP-only cookies.

We take reasonable steps to protect your information against loss, unauthorised access, modification, and disclosure in accordance with Information Privacy Principle 5 of the Privacy Act 2020.

Cross-border disclosure

Your data is stored on AWS servers in Sydney, Australia. AWS operates under data processing agreements that provide protections comparable to the New Zealand Privacy Act 2020. By using our service, you acknowledge this cross-border storage.

Data retention and deletion

We retain your data for as long as your account is active. If you disconnect your Xero account or request deletion, we will remove your organisation record and associated GST period data. Xero OAuth tokens become invalid when you revoke access through Xero.

To request deletion of your data, contact us at the address below.

Your rights

Under the Privacy Act 2020, you have the right to:

• Request access to the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your data

Breach notification

In the event of a privacy breach that is likely to cause serious harm, we will notify the Office of the Privacy Commissioner and affected individuals as required by Part 6A of the Privacy Act 2020.

Contact

For privacy enquiries, data access requests, or complaints:
Email: privacy@korerotax.co.nz