Privacy Policy
Last updated: 1 June 2026
1. Introduction
Kodapro ("Company", "we", "us") operates the Redsetta platform ("Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.
We are committed to protecting your privacy and complying with the New Zealand Privacy Act 2020 and, where applicable, the General Data Protection Regulation (GDPR).
2. Information We Collect
2.1 Information You Provide
- Account information: name, email address, and password when you create an account or are invited to an organization.
- Organization information: organization name, billing address, and payment details (processed securely via Stripe).
- Work data: time entries, project details, expense records, invoices, and related business information you enter into the Service.
- Communications: information you provide when contacting our support team.
2.2 Information Collected Automatically
- Usage data: pages visited, features used, and actions taken within the Service.
- Device information: browser type, operating system, and device identifiers.
- Log data: IP address, access times, and referring URLs.
- Cookies: as described in our Cookie Policy.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process transactions and send related information (e.g., invoices, receipts)
- Authenticate users and enforce access controls
- Send administrative notifications (e.g., invitation emails, password resets)
- Respond to support requests and communications
- Monitor usage patterns to improve performance and reliability
- Detect, prevent, and address fraud or security issues
- Comply with legal obligations
4. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
- Within your organization: administrators and managers can view data for users in their organization as determined by role-based access controls.
- Service providers: we use third-party providers to operate the Service, including:
| Provider | Purpose | Data shared |
|---|---|---|
| Neon | Database hosting | Application data |
| Cloudflare R2 | File storage | Uploaded files (e.g., organization logos) |
| Stripe | Payment processing | Billing details, subscription information |
| Resend | Transactional email | Email addresses, notification content |
| Vercel | Application hosting | Log data, request metadata |
- Legal requirements: we may disclose information if required by law, regulation, or legal process.
- Business transfers: in the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. When you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g., financial records, audit logs).
Audit logs are retained for a minimum of 7 years to comply with financial record-keeping requirements.
6. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Row-level security policies isolating organization data
- Role-based access controls within the application
- Regular security audits and monitoring
- Secure cookie-based session authentication with automatic expiry
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: request a copy of the personal information we hold about you.
- Correction: request correction of inaccurate or incomplete data.
- Deletion: request deletion of your personal data, subject to legal retention requirements.
- Portability: request your data in a structured, machine-readable format.
- Objection: object to processing of your data in certain circumstances.
To exercise any of these rights, contact us at [email protected]. We will respond within 20 working days as required by the New Zealand Privacy Act 2020.
8. International Data Transfers
Your data may be processed in countries outside New Zealand, including the United States (where our infrastructure providers operate). We ensure appropriate safeguards are in place for any international transfers, including contractual protections with our service providers.
9. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.
11. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
- Email: [email protected]