← Back

Privacy Policy

Version 1.0 — Last updated 16 February 2026

1. Who We Are

This Privacy Policy explains how Vortex Access Systems Limited (“we”, “us”, or “our”), a company registered in New Zealand, collects, uses, stores, and protects your personal information when you use the Friday web application (“the Service”).

We are committed to protecting your privacy in accordance with the New Zealand Privacy Act 2020 and its Information Privacy Principles.

2. Information We Collect

We collect the following categories of personal information:

2.1 Account Information (from Google OAuth)

  • Full name
  • Email address
  • Profile photograph
  • Google account identifier

2.2 Profile Information (provided by you or an administrator)

  • Job title, company, phone number, mobile number
  • Address, city, country
  • LinkedIn profile URL, biography, notes

2.3 User Content

  • Tasks, comments, checklists, and attachments you create
  • File uploads (documents, images)

2.4 Usage and Technical Data

  • IP address and browser user-agent (recorded at sign-in for consent tracking)
  • Session data (authentication tokens)
  • Timestamps of account activity

2.5 Third-Party Integration Data

  • Google Calendar events (read access for meeting scheduling)
  • Gmail messages (read-only access for meeting extraction)
  • Google Drive file metadata (for document linking)

3. How We Use Your Information

We use your personal information for the following purposes:

  • Authentication and access control — to verify your identity and manage your access to the Service.
  • Providing the Service — to enable task management, team collaboration, notifications, and scheduling.
  • Communication — to send you email notifications about task assignments, deadlines, and comments.
  • Consent tracking — to record your acceptance of our Terms of Service and this Privacy Policy.
  • Service improvement — to understand usage patterns and improve the Service.
  • Legal compliance — to comply with applicable laws and respond to lawful requests.

4. Legal Basis for Processing

Under the New Zealand Privacy Act 2020, we collect and process your personal information based on:

  • Consent — by signing into the Service, you consent to the collection and use of your information as described in this Policy.
  • Legitimate interest — the Service is an internal business tool for Vortex Marine, and processing your information is necessary for the legitimate business operations of the team.
  • Lawful purpose — in accordance with Information Privacy Principle 1, we collect personal information only for a lawful purpose connected with our business functions.

5. How We Share Your Information

We may share your personal information with the following categories of recipients:

  • Other Vortex Marine team members — your name, profile photo, and task activity are visible to other authorised users of the Service.
  • Google — authentication data is exchanged with Google via OAuth 2.0 for sign-in purposes. Google's privacy policy applies to their processing of your data.
  • Hosting providers — the Service is hosted on Vercel (United States). Your data is stored in a PostgreSQL database managed by our cloud database provider.
  • Email service provider — we use a third-party email service to deliver notification emails.

We do not sell, rent, or trade your personal information to any third party.

6. International Data Transfers

Your personal information may be transferred to and processed in countries outside New Zealand, including the United States, where our hosting and third-party service providers operate. By using the Service, you consent to the transfer of your information to these countries.

In accordance with Information Privacy Principle 12, we take reasonable steps to ensure that any overseas recipients of your personal information are subject to comparable privacy protections.

7. Data Retention

We retain your personal information for as long as your account is active and for a reasonable period thereafter for legitimate business purposes, legal compliance, and dispute resolution.

Consent records (including the version of terms accepted, timestamp, and IP address) are retained indefinitely as part of our legal compliance audit trail.

In accordance with Information Privacy Principle 9, we will not keep your personal information for longer than is necessary for the purposes for which it may lawfully be used.

8. Your Rights Under the NZ Privacy Act 2020

Under the New Zealand Privacy Act 2020, you have the following rights:

  • Right of access (Principle 6) — you may request a copy of the personal information we hold about you.
  • Right of correction (Principle 7) — you may request that we correct any inaccurate or incomplete personal information we hold about you.
  • Right to request deletion — you may request that we delete your personal information, subject to our legal obligations and legitimate business interests.

To exercise any of these rights, please contact us using the details in Section 13 below. We will respond to your request within 20 working days, as required by the Privacy Act 2020.

9. Cookies and Session Data

The Service uses essential cookies to maintain your authenticated session. These cookies are strictly necessary for the operation of the Service and cannot be disabled.

  • Session cookie (authjs.session-token) — stores your authentication session. Expires when your session ends or after a set period of inactivity.

We do not use advertising cookies, tracking pixels, or analytics cookies.

10. Data Security

We take reasonable steps to protect your personal information from unauthorised access, use, modification, or disclosure. Our security measures include:

  • All data transmitted between your browser and the Service is encrypted using HTTPS/TLS.
  • Database access is restricted to authorised application processes only.
  • Authentication is handled by Google OAuth 2.0 — we do not store passwords.
  • Access to the Service is restricted to whitelisted email addresses.

No method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

11. Information Collected from Third Parties

In accordance with Information Privacy Principle 3A of the Privacy Act 2020 (effective 1 May 2026), we inform you that we may collect personal information about you from the following third-party sources:

  • Google — your name, email address, and profile photo are provided by Google when you sign in via OAuth.
  • Vortex Marine administrators — your email address and basic contact details may be added to our access whitelist by a team administrator before you first sign in.

12. Children

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If you believe that a child has provided us with personal information, please contact us immediately.

13. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or want to make a complaint about how we have handled your personal information, please contact:

Privacy Officer
Vortex Access Systems Limited
Email: tony@vortexmarine.com

If you are not satisfied with our response, you have the right to make a complaint to the Office of the Privacy Commissioner at privacy.org.nz.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the version number and date at the top of this page. Your continued use of the Service after changes are published constitutes acceptance of the updated Policy.

© 2026 Vortex Access Systems Limited. All rights reserved.