Privacy Policy for Radley Technologies Limited

1. Introduction

Radley Technologies ("Radley", "we", "us") is a New Zealand technology company that provides tax automation services. We take our obligations under the Privacy Act 2020, including the Information Privacy Principles (IPPs) and the Notifiable Privacy Breach regime, seriously. This Privacy Policy explains what personal information we collect, why we collect it, how we protect it, and the choices available to you.

If anything in this policy is unclear, please contact our Privacy Officer via the details in section 14 before using our services.

2. Scope

This policy covers personal information collected through our website, waitlist and early-access programme, customer support channels, and the Radley platform (together, the "Services"). It also applies to information we receive from trusted service providers who support the Services. If a separate agreement governs the processing of data (for example, a customer contract), that agreement prevails to the extent of any inconsistency.

Our Services may contain links to tools or websites we do not operate. Their privacy practices are governed by their own policies, so we encourage you to review them.

3. Information we collect and receive

We collect and receive the following categories of information:

• Service Data: Information you provide to use the Radley platform, including details required to generate tax documentation, reports, calculations, and other outputs. This may include financial data, business information, and personal details necessary for tax compliance purposes.
• Contact Information: Your name, business name, role or title, email address, and phone number when you join our waitlist, request early access, or register for our Services.
• Communications: Records of your correspondence with us, including support requests, feedback, questions, and troubleshooting exchanges.
• Usage Information: Data about how you interact with the Services, including pages viewed, features accessed, on-site events, and session information collected through first-party analytics via Google Analytics 4. For more information about how Google processes data, please see Google's Privacy Policy.
• Device and Technical Information: Browser type and version, device type, operating system, and coarse geolocation data (typically city or region level).
• Log Data: Technical information automatically recorded by our infrastructure providers (Google Cloud), including aggregated request volumes, error logs, timestamps, and IP addresses used for security monitoring and service protection.
• Third-Party Service Data: Customers can connect third-party services (such as GitHub, Jira, and Notion) to the Radley platform to enable integrations and enhance functionality. When you enable a third-party service, its provider may share certain information with Radley to facilitate the integration. For example, we may receive usernames, email addresses, repository names, project identifiers, or document metadata, depending on the service and the permissions you grant. You should review the privacy settings and notices of any third-party service you connect to understand what data may be shared with Radley. When a third-party service is enabled, Radley is authorized to access information made available in accordance with the permissions you have granted. We do not receive or store passwords for third-party services.

We do not knowingly collect information about children under 16 years old. If we learn that we have collected such information without appropriate consent, we will delete it.

4. How we collect information

We collect personal information in the following ways:

• Directly from you when you complete forms, request support, or use the Radley platform.
• Automatically through Google Cloud services that secure our platform. We rely on their default logs and do not build additional behavioural profiles.
• From third-party services and integrations that you choose to connect to your Radley account. This may include data from GitHub, Jira, Notion, or other third-party services to enable the functionality you've requested.

We only collect information that is necessary for the relevant purpose (IPP1). If we need to use personal information for a new purpose that is materially different, we will seek your consent or provide an opportunity to opt out.

5. How we use information

We use personal information in line with IPPs 10 and 11, including to:

• Provide, maintain, and improve the Services, including generating required tax documentation.
• Communicate with you about onboarding, feature updates, maintenance notices, and responses to your requests.
• Meet legal obligations, including Inland Revenue record-keeping requirements and responding to lawful requests.
• Protect the security, integrity, and availability of the Services.
• Conduct internal analytics that use aggregated or de-identified information, so we can improve our product roadmap.

Where we rely on consent (for example, for optional communications), you can withdraw it at any time by using the unsubscribe link in the message or contacting us.

6. Retention and disposal

We keep personal information only for as long as it is needed for the purpose for which it was collected (IPP9), or to meet our legal obligations. We apply these retention rules:

• Waitlist and early-access records: Retained until the public launch of the platform and deleted within 90 days of launch, unless you choose to become a customer.
• Generated tax documentation and related records: Retained for seven years to meet Inland Revenue audit requirements (or longer if we are legally obliged to keep them).
• General Service data: Retained for one year after your account closure, then securely deleted. This includes profile information, preferences, and other data not required for tax or legal purposes.
• Support communications: Retained for three years after the request is resolved. Where a communication relates to a transaction, warranty, or potential dispute, it is retained for seven years or until the matter is closed.

When we no longer need personal information, we delete it securely or de-identify it, and we instruct our processors to do the same. Personal information may persist in encrypted system backups for up to 100 days after deletion from active systems. We maintain a retention schedule and review it regularly.

7. Sharing and disclosures

We do not sell personal information. We share it only where necessary:

• Service providers: We use trusted suppliers under written agreements that include privacy and security protections. Key processors include Google Cloud (including Firebase Hosting, Google OAuth 2.0, and Google Analytics 4) for infrastructure, authentication, and analytics; OpenAI for AI-assisted platform features; and Pipedrive for waitlist and customer relationship management. These providers may use their own sub-processors to deliver services. Where personal information is processed overseas, we apply the safeguards described in section 8.
• Customer-directed integrations: When you connect third-party services (such as GitHub, Jira, or Notion) to your Radley account, you authorize Radley to share relevant information with those services to enable the integration. You control which integrations are enabled and can disconnect them at any time. The data shared is governed by your permissions and the privacy policies of those third-party services.
• Professional advisers: We may share information with auditors, legal advisers, or accountants where necessary to obtain advice or meet regulatory obligations.
• Business transactions: If we undergo a restructuring, merger, or sale, personal information may transfer as part of that process, subject to confidentiality protections and applicable privacy laws.
• Legal requirements: We may disclose information if required by law, court order, or government authority (including Inland Revenue). Where permitted, we will notify the affected customer before disclosure unless prohibited by law or where notification would undermine the purpose of the disclosure.

8. Overseas disclosures and comparable safeguards

Our infrastructure runs on Google Cloud, which uses a global content delivery network and data centers in multiple countries. Personal information may therefore be processed in countries outside New Zealand, including the United States, the European Union, and Australia.

We take reasonable steps to ensure overseas recipients provide comparable safeguards (IPP12), including:

• Using providers with ISO 27001 certification, SOC 2 compliance, and strong contractual privacy commitments.
• Reviewing vendor security documentation, data protection terms, and privacy certifications before onboarding.
• Prioritizing providers in jurisdictions with robust privacy frameworks (such as EU GDPR compliance).
• Limiting personal information sent to third-party processors (such as OpenAI for AI features, or Pipedrive for customer management) to what is strictly required for the requested functionality.
• Maintaining records of data flows so we can answer questions about where information is processed.

Customer-directed integrations: When you connect third-party services (such as GitHub, Jira, or Notion), those providers may also process data in overseas jurisdictions in accordance with their own privacy policies and the permissions you grant. You should review their privacy practices before enabling integrations.

Ongoing assessment: If we need to work with a new overseas service provider, we assess their safeguards first. We will update this policy or notify you if a change materially affects how we handle your information or introduces processing in a jurisdiction we have not previously disclosed.

9. Security safeguards

Security is critical to our mission, and we take the security of personal information seriously. We use industry-standard technical and organizational measures to protect information from loss, misuse, and unauthorized access or disclosure. These measures take into account the sensitivity of the tax and financial information we collect, process, and store, and the current state of technology.

When you connect third-party services or click links to external sites, you will be leaving the Radley platform and we do not control or endorse the security practices of those third-party sites.

If you have specific security questions or requirements, please contact us at privacy@radley.tax.

10. Age limitations

Our Services are designed for business use and are not intended for individuals under 16. If you believe a child has provided us with personal information, please contact us so we can delete it.

11. Your privacy rights

You have the right to:

• Request confirmation of whether we hold personal information about you.
• Access a copy of your personal information.
• Request correction if it is inaccurate or out of date (IPP6 and IPP7).
• Request deletion of your personal information in certain circumstances, subject to our legal retention obligations.

To make a request, email privacy@radley.tax.

We may ask for identification to ensure we do not release information to the wrong person. We will respond as soon as practicable and within the timeframes set by the Privacy Act (generally 20 working days). If we refuse all or part of your request, we will explain why and inform you of your right to complain to the Privacy Commissioner.

12. Complaints and dispute resolution

If you are concerned about how we have handled your personal information, please contact our Privacy Officer in the first instance. We will investigate and respond. If you are not satisfied with the outcome, you can complain to the Office of the Privacy Commissioner at privacy.org.nz or by calling 0800 803 909.

13. Changes to this policy

We may update this policy to reflect changes to our practices or legal requirements. When we make changes, we will update the effective date at the top of this policy. Minor updates (such as clarifications or formatting changes) will be published on this page. We will notify affected customers directly by email if a change is material and impacts how we collect, use, or disclose personal information.

14. Contact us

If you have questions or would like to exercise your privacy rights, please contact:

You can also write to us at the above address. For general support enquiries, please continue to use support@radley.tax.

15. Change history

• 30 October 2025 (Version 1.0): Initial publication of the Privacy Policy.