Privacy Policy

Last updated: 27 April 2026

Introduction

Steady Finance Limited (we, us, our) complies with the New Zealand Privacy Act 2020 when dealing with personal information. Personal information is information about an identifiable individual.

This policy sets out how we collect, use, disclose, and protect your personal information when you use Steady. It does not limit or exclude your rights under the Privacy Act. For more information about the Act, see privacy.org.nz.

Changes to this policy

We may change this policy by posting an updated version at steady.nz/legal/privacy. The change applies from the date the updated policy is posted.

What we collect, and why

We collect personal information from you when you sign up, connect a bank account, use the app, or contact us. We also receive information from Akahu (your bank account data) and from Stripe (subscription billing data).

Specifically, we collect:

  • Account information — name, email, authentication identifier (via Clerk).
  • Bank account data via Akahu — account names, balances, transaction history (merchant, amount, date, description). Read-only. We never see your bank password.
  • Payment information — handled by Stripe. We never store your card numbers; Stripe gives us a customer reference and subscription status.
  • App usage data — goals, budgets, settings, AI conversation history (where you have asked Steady questions).
  • Optional analytics — anonymised page views and product interactions, only if you accept the analytics cookie banner.
  • Error and crash reports via Sentry — only technical context (stack traces, user agent), with a scrub pass that strips probable names and account-number-shaped strings before sending.

We use this information to:

  • provide the Steady service to you;
  • bill you for paid subscriptions and process refunds when applicable;
  • respond to your questions, support requests, and feedback;
  • send transactional emails (e.g. payment failures, weekly summaries you have opted into);
  • improve the Service through anonymised, aggregated usage analysis;
  • detect and prevent fraud, security issues, and abuse of the Service;
  • comply with our legal obligations (e.g. tax records, regulatory enquiries).

Who we share with

We do not sell your personal information. We share it only with the providers we need to run the Service:

  • Akahu (NZ) — open-banking platform that connects to your bank with your consent. Akahu has its own privacy policy at akahu.nz.
  • Clerk (US) — authentication provider. Stores your email + sign-in identifiers.
  • Stripe (US) — payment processor. Handles card data; we never see it.
  • Anthropic (US) — provides the Claude AI used for Ask, weekly summaries, and categorisation. When you use those features we send Anthropic relevant financial context (recent transactions, balances, goals) but never your name, email, or bank account numbers. Anthropic does not train its models on this API data.
  • Supabase (US/EU regions) — managed Postgres database where your Steady data lives.
  • Railway (US) — hosts the Steady application servers.
  • Cloudflare (US) — DNS and edge caching for steady.nz.
  • Sentry (US) — error tracking. Receives stack traces, scrubbed of probable names and account-number-shaped strings.
  • PostHog (US) — product analytics. Only receives data if you accept the analytics cookie banner.
  • Resend (US) — transactional email provider. Receives your email address and email content.
  • Upstash (US) — Redis cache for rate limiting and short-lived state. Stores hashed identifiers only, no raw personal information.

We may also disclose personal information when required by law (e.g. a regulator request or court order), to enforce our Terms, or in the event of a sale or merger of our business — in which case we will require the recipient to treat your data on terms at least as protective as this policy.

Storing data outside New Zealand

Some of our providers (Stripe, Clerk, Anthropic, Supabase, Cloudflare, Sentry, PostHog, Resend, Upstash) store and process data in the United States or other jurisdictions outside New Zealand. Under Information Privacy Principle 12 of the Privacy Act 2020, we only use providers we reasonably believe offer protections comparable to NZ law, either through their own privacy commitments or through their contracts with us.

When you sign up, you authorise us to use these providers to deliver the Service.

How we protect your information

Steady uses standard industry security practices:

  • HTTPS / TLS for all network traffic.
  • AES-256-GCM encryption at rest for sensitive tokens (e.g. Akahu access tokens).
  • Role-based access controls — only authorised staff (just Sam, currently) can access production systems.
  • Sentry-side scrubbing rules to strip probable PII from error reports before they leave our servers.
  • Rate limiting and abuse detection on authentication and API endpoints.

We will notify you and the Office of the Privacy Commissioner if a privacy breach has caused or is likely to cause serious harm, within the 72-hour window required by the Privacy Act 2020.

Your rights

You have the right under the Privacy Act 2020 to:

  • Access your personal information that we hold. Settings > Export Data lets you download your data immediately. For a more comprehensive export, email hello@steady.nz.
  • Correct your personal information if it is inaccurate. Most fields are editable from inside the app; for anything else, email us.
  • Delete your account and all associated data. Settings > Delete Account does this immediately — it cancels any active Stripe subscription, revokes Akahu bank connections, deletes your Clerk authentication account, and removes all Data we hold for you.
  • Withdraw consent for analytics or AI features at any time, by changing your preferences in Settings or by clearing the analytics cookie.
  • Complain to the Office of the Privacy Commissioner if you think we have mishandled your information. Contact details at privacy.org.nz.

We may charge a reasonable cost for fulfilling unusually large or repeated information requests, but only as permitted by the Privacy Act.

Cookies & analytics

Steady uses strictly necessary cookies that are required to keep you signed in and to remember your preferences. These are always on.

We also offer optional analytics via PostHog. Analytics are blocked by default and only fire if you click “Accept” on the cookie banner. Declining doesn't change the Service in any way. You can change your choice anytime by clearing your browser's storage for steady.nz — the banner will reappear.

How long we keep your information

We keep your personal information for as long as you have an account with us, plus the period required by law (e.g. Stripe records of transactions, NZ tax-record retention). When you delete your account, your Data is removed from our live database and from backups within 90 days. Anonymised and aggregated information may be kept indefinitely.

Children

Steady is intended for adults (18+). We do not knowingly collect information from children under 18. If you believe a child has signed up for Steady, email us and we will delete the account.

Contact us

For privacy questions, requests for access or correction, or to make a complaint, email hello@steady.nz.

This Privacy Policy is adapted from the Kindrik Partners (Simmonds Stewart) free Privacy Policy template (V2.1, 2022) and tailored to Steady's data flows. It is not a substitute for individualised legal advice.
