Zato Trust Centre
Last updated March 2026


Zato Privacy Policy
Zato Origin Limited (“we”, “our”, “us”) is committed to protecting the privacy and security of Personal Information. This Privacy Policy outlines how we collect, use, store, and share Personal Information in connection with our B2B2C Software-as-a-Service platform (“Service”), used by accounting firms (“Firms”) and their clients (“Clients”) via our wholly owned subsidiaries in New Zealand and Australia.
Scope of This Privacy Policy
This Privacy Policy applies to Personal Information of:
- Firms using the Service to manage accounting workflows and process Client data; and
- Clients providing information to Firms via the Service.
For the purposes of this Privacy Policy, “Personal Information” has the meaning given under the applicable privacy law in the user’s jurisdiction, including the New Zealand Privacy Act 2020 and the Australian Privacy Act 1988 (Cth).
Relationship with Our Data Processing Addendum
When Firms use the Service to upload, store, or process Personal Information relating to their own Clients (“Client Data”), the Firm determines the purposes for which that Personal Information is processed. In these cases, the Firm is responsible for compliance with applicable privacy laws, and Zato Origin Limited processes Client Data on behalf of the Firm as a service provider.
The terms that govern our processing of Client Data on behalf of Firms are set out in the Zato Data Processing Addendum, which forms part of our agreement with each Firm.
This Privacy Policy applies to the Personal Information that Zato Origin Limited collects and processes for its own business purposes, including Firm account contact information, billing information, platform security data, and analytics.
Information We Collect
We collect various types of Personal Information which may include:
Information Provided by Firms
- Firm details such as company name, registration number, and contact information including email address, phone number, and physical address.
- User account information including names, email addresses, job titles, roles, and access levels of Firm staff using the platform.
- Client Data uploaded to the platform in accordance with the Firm’s instructions.
Information Provided by Clients
- Personal identification information such as name, email address, phone number, tax identification number, and residential address.
- Financial and tax data including financial records, income details, tax returns, and other information required for accounting and tax purposes.
- Communications including responses to questionnaires and queries submitted via the platform.
Technical Information
To enhance functionality and user experience, our servers, including those operated by third party service providers, may automatically collect certain information from users. This may include browser type, operating system, Internet Protocol address, domain name, and the date and time of access.
We also collect information in log files, including IP addresses, browser type, internet service provider, referring and exit pages, operating system, date and time stamps, and clickstream data. This information is used to analyse usage trends, administer and maintain the platform, monitor user activity, compile aggregated usage statistics, and improve the Service. Except as otherwise stated in this Privacy Policy, automatically collected data is not linked to identified individuals.
Cookies
We use cookies and similar technologies to enhance user experience and improve functionality. Cookies are small data files transferred to a user’s device for record keeping purposes. We use session cookies, which expire when the browser is closed, and persistent cookies, which remain on the device until deleted.
Cookies help us remember preferences, maintain session integrity, and analyse platform usage. Users may disable cookies through browser settings, although this may affect platform functionality.
Documents and Records Uploaded via the Platform
Firms and Clients may upload documents including bank statements, invoices, receipts, tax documents, workpapers, and supporting compliance documentation. These documents may contain Personal Information and financial data and are processed solely for the purpose of providing the Service in accordance with the Firm’s instructions and the applicable Data Processing Addendum.
Purpose of Collection and Use
We collect and use Personal Information for the following purposes.
For Firms
- To provide and manage the platform for accounting workflow automation.
- To facilitate communication between Firms and Clients.
- To manage billing, accounts, and contractual relationships.
- To comply with legal and regulatory obligations.
For Clients
- To enable completion of questionnaires and responses to Firm queries.
- To support accounting, tax preparation, and compliance processes.
- To provide platform functionality and support services.
For Both Firms and Clients
- To ensure security, integrity, and performance of the platform.
- To improve the Service through usage analysis and feedback.
- To comply with applicable laws and regulatory requirements.
We do not use Client Data for direct marketing purposes. We may send administrative, service related, or account communications to Firm contacts.
Anonymity and Pseudonymity
Due to the nature of the Service, users cannot interact with the platform anonymously or under a pseudonym. Accurate identification is required to provide the Service securely and effectively.
Disclosure of Personal Information
We do not sell or rent Personal Information.
Service Providers
We may disclose Personal Information to trusted third party service providers who assist in operating and maintaining the platform. These providers are contractually required to protect Personal Information and may use it only for the purpose of providing services to us.
Hosting Services
We host the platform using Amazon Web Services infrastructure. Personal Information collected in New Zealand is hosted and stored within New Zealand. Personal Information collected in Australia is hosted and stored within Australia.
We do not transfer Personal Information outside the country in which it was collected unless required by law, authorised by the Firm, or permitted under the applicable Data Processing Addendum. Where overseas disclosure is authorised, we take reasonable steps to ensure that the receiving party provides protections comparable to those required under applicable privacy law.
Legal and Regulatory Requirements
We may disclose Personal Information where required or authorised by law, including in response to lawful requests by public authorities.
Third Party Integrations
The Service may integrate with third party applications. When a Firm enables such integrations, Personal Information may be shared between systems under the control of the Firm. We are not responsible for the privacy or security practices of third party applications. Firms are responsible for ensuring appropriate permissions and consents are obtained.
Open Banking and Financial Account Connectivity
Where a Firm enables bank data connectivity through an accredited open banking provider (including Akahu), financial account and transaction information may be securely retrieved via authorised application programming interfaces (APIs) with the explicit consent of the relevant account holder.
This may include historical transaction data (for example, up to 12 months of prior transactions) and ongoing transaction updates while the connection remains active. Financial account data accessed through open banking integrations is used solely to provide accounting, reconciliation, financial reporting, compliance, and related Service functionality. We do not sell, rent, or use financial account data for marketing or unrelated profiling purposes.
Access to bank data remains active only while consent is maintained. Account holders may withdraw consent at any time by disconnecting the integration through the platform settings or via the relevant open banking provider’s consent management process.
Akahu is New Zealand’s open finance platform. When a connection is established via Akahu, data is transmitted securely in accordance with Akahu’s security and compliance standards.
Data Security
We take reasonable technical and organisational measures to protect Personal Information from unauthorised access, loss, misuse, alteration, or disclosure. These measures include encryption, secure infrastructure, and regular security reviews.
While we take appropriate steps to safeguard information, no method of transmission over the Internet or electronic storage is completely secure.
Data Retention
We retain Personal Information only for as long as necessary to fulfil the purposes for which it was collected or as required by law. When no longer required, Personal Information will be securely deleted or anonymised.
Your Rights
Subject to applicable law, individuals may have rights to:
- Request access to Personal Information we hold about them.
- Request correction of inaccurate or incomplete Personal Information.
- Request deletion of Personal Information in certain circumstances.
- Object to certain types of processing where permitted by law.
- Request a copy of their Personal Information in a structured format where applicable.
Privacy Complaints
If you have a concern about how we handle Personal Information, you may contact us using the details below. We will acknowledge receipt of your complaint within five business days and aim to investigate and respond within thirty days.
If you are not satisfied with our response, you may contact the relevant regulator.
New Zealand
Office of the Privacy Commissioner
www.privacy.org.nz
Australia
Office of the Australian Information Commissioner
www.oaic.gov.au
Contact Information
Email: team@zatohq.com
Address: Level 2, 125 The Strand, Parnell, Auckland 1010
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. Updates will be published on our website and the Effective Date will be revised accordingly.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
