Privacy Policy

Last updated: 18 April 2026 · Effective: 18 April 2026

This Privacy Policy describes how FSM Developments Ltd (New Zealand company number 7900576, registered office at 139 Kohimarama Road, Kohimarama, Auckland 1071, New Zealand) (“FSM”, “we”, “us”, “our”) collects, uses, discloses, stores and protects personal information in connection with our website at fsmdevelopments.co.nz and the FSManager software-as-a-service product (collectively, the “Services”).

We comply with the New Zealand Privacy Act 2020 and the thirteen Information Privacy Principles.

1. Who we are

FSM Developments Ltd is a New Zealand company that develops and operates FSManager, a business management platform for the aluminium joinery industry. For the purposes of the New Zealand Privacy Act 2020 we are the “agency” collecting and holding personal information. Where we process personal information on behalf of a customer using FSManager, the customer is the controller of that information and we are a processor acting on their documented instructions.

2. Information we collect

2.1 Information you provide

  • Enquiry and account details — name, email, phone number, company, and any message you send through our contact form or during sign-up.
  • Billing information — company name, billing address, and payment card details. Card details are collected and stored by our payment processor (Stripe); we never see the full card number.
  • Customer content — data you enter into FSManager, including records about your customers, employees, quotes, jobs, and supporting documents.
  • Support correspondence — messages and files you send us when requesting help.

2.2 Information collected automatically

  • Usage data — pages viewed, features used, IP address, browser type, device information, and approximate location inferred from IP.
  • Log data — server logs, timestamps, error traces, and security events.

2.3 Information from third-party services you connect

If you choose to connect a third-party service to FSManager (for example, your email provider for outbound drafts, or Xero for accounting sync), we receive information from that service only to the extent needed to deliver the feature you enabled. See Section 7 for details on the optional email integration.

3. How we use information

We use the information we collect to:

  • provide, maintain and improve the Services;
  • create and manage user accounts and tenants, including authentication and access control;
  • process payments, issue invoices, and administer subscriptions;
  • respond to enquiries and provide technical and customer support;
  • send service-related notices (for example, security alerts, billing messages, and material changes to the Services or this policy);
  • monitor for, investigate, and prevent fraud, abuse, and security incidents;
  • comply with legal obligations and enforce our Software Licence Agreement; and
  • with your consent, send you marketing communications about FSManager — you can unsubscribe at any time.

We do not sell personal information, and we do not use personal information for targeted advertising.

5. When we share information

We share personal information only as described in this policy:

  • With sub-processors that help us run the Services (see Section 6). Each is bound by written agreements that require appropriate security and confidentiality.
  • With your authorisation — for example, when you connect a third-party integration.
  • For legal reasons — where disclosure is reasonably necessary to comply with a law, regulation, court order, or enforceable governmental request, or to protect the rights, property, or safety of FSM, our users, or the public.
  • In a business transfer — if we are involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to this policy.

6. Sub-processors

We engage the following sub-processors to provide the Services. This list is current as at the “last updated” date at the top of this policy.

Sub-processor | Purpose | Location
Microsoft Azure | Application hosting, database, and file storage | Australia / New Zealand (region selected per customer where available)
Stripe Payments Europe, Ltd. | Subscription billing and card processing | Ireland / United States
Resend | Transactional email delivery | United States / EU
Xero Limited | Accounting integration (only when enabled by the customer) | New Zealand
Anthropic, PBC | AI features for customers on plans that include AI Automation | United States

We will provide reasonable prior notice of new sub-processors to customers who have subscribed to receive such notices.

7. Email integration

FSManager helps users prepare business emails (for example, quote covering letters, job updates, and site-measure confirmations). Depending on how the user chooses to work, FSManager handles outbound email in one of two ways.

7.1 Download as .eml (default)

By default, FSManager generates an .eml file that the user downloads and opens in their own email client (Outlook, Apple Mail, Thunderbird, Gmail web, etc.). In this mode FSManager never connects to the user's mailbox and never stores mailbox credentials of any kind. The user remains solely responsible for sending the message from their own email client.

7.2 Optional mailbox integration

Where the user prefers a more integrated workflow, FSManager supports connecting to their existing mailbox so that drafts prepared in FSManager can be placed directly into the user's drafts folder (and, at the user's option, sent). Supported connection methods are:

  • IMAP / SMTP using a username and app-specific password supplied by the user; and
  • Microsoft 365 via Microsoft-issued OAuth 2.0 tokens, limited to the scopes required to create drafts (and, if enabled, send email) as the signed-in user.

7.3 What we access and what we do not

  • We access the user's mailbox only to place a draft (or, when the user opts in, to send a message) that has been prepared in FSManager.
  • We do not read incoming mail. We do not scan, index, analyse, or otherwise examine the contents of the mailbox.
  • We do not access mail folders, labels, contacts, calendars, attachments, or any other data in the connected account.
  • We do not use the contents of any email or mailbox to serve advertising, and we do not sell email content or mailbox metadata.
  • We do not use the contents of any email to train machine learning or large language models.

7.4 How credentials are stored

IMAP/SMTP app passwords and Microsoft 365 OAuth refresh tokens are stored encrypted at rest, scoped to the individual user and tenant, and used only by the FSManager server to perform the actions described above. They are deleted immediately when the user disconnects the integration, rotates their app password, or revokes access through their provider.

7.5 How to disconnect

The user may disconnect a mailbox integration at any time from FSManager's account settings. Where the integration uses Microsoft 365 OAuth, the user may also revoke FSManager's access directly from their Microsoft account security page. For IMAP/SMTP connections the user should additionally rotate or delete the app-specific password they issued to FSManager.

8. Storage and international transfers

Customer content and most operational data are stored on Microsoft Azure infrastructure in regions serving Australia and New Zealand. Some sub-processors (identified in Section 6) operate outside New Zealand. When personal information is transferred outside New Zealand, we take reasonable steps to ensure it is protected by comparable safeguards, including contractual commitments and the sub-processor's own certifications (for example, ISO 27001, SOC 2).

9. Data retention

We retain personal information only for as long as is necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Typical retention periods:

  • Active customer content — for the life of the subscription.
  • Customer content after termination — up to 90 days after subscription termination, after which tenant databases are deleted unless a longer period is required by law or specifically agreed.
  • Billing records — at least 7 years, as required by New Zealand tax law.
  • Enquiry records — up to 24 months from last contact unless you have become a customer.
  • Mailbox integration credentials (IMAP/SMTP app passwords, Microsoft 365 OAuth tokens) — stored only for as long as the integration is connected; deleted immediately upon revocation or disconnection.

10. Security

We take the security of personal information seriously and implement appropriate technical and organisational measures, including:

  • TLS 1.2 or higher for all data in transit;
  • encryption at rest for databases and file storage;
  • role-based access control, with production access limited to authorised personnel and protected by multi-factor authentication;
  • isolated tenant databases and application-level tenant scoping to reduce the risk of cross-tenant data exposure;
  • regular dependency and infrastructure patching, logging, monitoring, and backup;
  • written agreements with all sub-processors requiring appropriate security and confidentiality obligations.

No system is completely secure. If we become aware of a privacy breach that has caused or is likely to cause serious harm, we will notify the Office of the Privacy Commissioner and affected individuals in accordance with the Privacy Act 2020.

11. Your rights

Under the New Zealand Privacy Act 2020 you have the right to:

  • access personal information we hold about you and request a copy;
  • request correction of personal information that is inaccurate or out of date;
  • withdraw consent where processing is based on consent;
  • ask us to delete personal information where we are no longer required to keep it; and
  • complain to the Office of the Privacy Commissioner (privacy.org.nz).

To exercise any of these rights, contact us at support@fsmdevelopments.co.nz. Where a request concerns customer content held on behalf of an FSManager customer, we will generally direct the request to the relevant customer (the controller) and assist them in responding.

12. Cookies and similar technologies

Our website uses a small number of cookies to support essential site functionality (for example, keeping you signed in). We do not use third-party advertising cookies. Most browsers let you reject or delete cookies; doing so may affect the way the site works.

13. Children

The Services are not intended for individuals under the age of 16 and we do not knowingly collect personal information from children.

14. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the “last updated” date at the top of the policy and, where appropriate, notify customers by email or an in-product notice.

15. How to contact us

For any privacy question or request, please contact:

FSM Developments Ltd
Privacy Officer
139 Kohimarama Road, Kohimarama, Auckland 1071, New Zealand
Email: support@fsmdevelopments.co.nz

See also our Software Licence Agreement.