Tydra
Start free trial

Working draft

Privacy Policy

Effective 16 May 2026. Tydra is operated by Drift Labs Limited, a New Zealand company. We’re committed to the New Zealand Privacy Act 2020 and equivalent obligations in Australia under the Privacy Act 1988.

This document is a working draft pending legal review. The data flows described are accurate; phrasing of obligations will firm up before paid launch.

1. What we collect

Account information. Email, name (optional), and authentication credentials. Provided when you sign up.

Workspace settings. Business name, address, phone, email, GST registration status and number, default labour rate, logo image. Used to render bills and to identify the workspace.

Operational data. Customers, jobs, captured variations (audio recordings, transcripts, structured line items, photos), bill PDFs, customer signatures (when given). All of this is yours; we host it.

Billing. When you subscribe, Stripe collects your card details directly — we never see the card number. We store a Stripe customer ID and subscription status.

Connected accounts. If you connect Xero, we store encrypted OAuth tokens and the tenant ID of the organisation you authorised.

Telemetry. Basic server logs (IP, request time, route, response code). No third-party advertising or analytics pixels.

2. How we use it

  • To provide the service: transcribe your captures, structure them into line items, render bills, send them to your customers, push them to Xero.
  • To bill you (via Stripe).
  • To send transactional and operational emails (sign-in links, bill-delivery notifications, the Friday review prompt, billing receipts).
  • To improve the service in aggregate (e.g. understanding which features get used). We don’t profile individuals.
  • To respond when you contact us.

We do not sell your data, share it for advertising, or use it to train AI models.

3. Where it lives

Primary storage is AWS Sydney (ap-southeast-2) via Supabase. Database, file storage (audio recordings, photos, logos, bill PDFs), and authentication all sit in Sydney.

Brief international transfers happen when we process audio and transcripts through AI providers:

  • OpenAI (United States) — Whisper for transcription, and structured-output models for variation extraction.
  • Anthropic (United States) — Claude structuring (as an alternative or fallback to OpenAI).

We use enterprise API tiers whose terms prohibit training on customer data. Audio and transcripts are processed on demand and not retained by the AI provider beyond what’s required for abuse monitoring (commonly 30 days, then deleted).

Other processors operate from their own regions: Stripe (US), Xero (Australia/New Zealand depending on your tenant), Resend (US).

4. How long we keep it

We keep your data for as long as your account is active. When you cancel, we retain your data for 30 days (in case you change your mind), then permanently delete it. Backups roll out within 90 days.

Records we need to keep for legal/tax reasons (invoices, payments) are kept for the statutory retention period (NZ minimum: 7 years for tax records).

5. Your rights

Under the NZ Privacy Act 2020 (and equivalents in Australia) you have the right to:

  • Know what we hold about you.
  • Correct anything that’s wrong.
  • Ask us to delete your account.
  • Withdraw consent to AI processing (at the cost of the transcription/structuring features — capture by hand still works).
  • Complain to the Office of the Privacy Commissioner if you think we’ve breached your rights.

Most of these you can do yourself in workspace settings or by contacting us. We respond within 20 working days.

6. Cookies & tracking

We use cookies that are strictly necessary for the service: a session cookie for sign-in, an anti-CSRF cookie, and the Stripe checkout session cookie when you’re paying. We don’t use marketing pixels, ad-network tags, or cross-site tracking.

7. Security

We use industry-standard practices: TLS everywhere, encrypted OAuth tokens at rest (AES-256-GCM for Xero tokens), least- privilege database access (row-level security on every domain table). Service-role credentials are limited to server-side code and never exposed to the browser.

No system is invulnerable. If we ever detect a security incident that affects your data, we’ll tell you and the Office of the Privacy Commissioner without delay, as required by the Privacy Act.

8. Children

Tydra is for tradespeople running businesses. We don’t intentionally collect data from anyone under 16. If you think we’ve done so, email us and we’ll delete it.

9. Changes

We may update this policy. Material changes will be notified by email or in-app at least 30 days before they take effect. The effective date at the top of this page always reflects the current version.

10. Contact

Drift Labs Limited, New Zealand. Privacy questions, requests, or complaints: privacy@tydra.app. General queries: hello@tydra.app.

New Zealand Office of the Privacy Commissioner: privacy.org.nz.