Privacy Policy
Last updated: 18 May 2026 · Effective: 18 May 2026
This Privacy Policy describes how FSM Developments Ltd (New Zealand company number 7900576, registered office at 139 Kohimarama Road, Kohimarama, Auckland 1071, New Zealand) (“FSM”, “we”, “us”, “our”) collects, uses, discloses, stores and protects personal information in connection with our website at fsmdevelopments.co.nz and the FSManager software-as-a-service product (collectively, the “Services”).
We comply with the New Zealand Privacy Act 2020 and the thirteen Information Privacy Principles.
1. Who we are
FSM Developments Ltd is a New Zealand company that develops and operates FSManager, a business management platform for the aluminium joinery industry. For the purposes of the New Zealand Privacy Act 2020 we are the “agency” collecting and holding personal information. Where we process personal information on behalf of a customer using FSManager, the customer is the controller of that information and we are a processor acting on their documented instructions.
2. Information we collect
2.1 Information you provide
- Enquiry and account details — name, email, phone number, company, and any message you send through our contact form or during sign-up.
- Billing information — company name, billing address, and payment card details. Card details are collected and stored by our payment processor (Stripe); we never see the full card number.
- Customer content — data you enter into FSManager, including records about your customers, employees, quotes, jobs, and supporting documents.
- Support correspondence — messages and files you send us when requesting help.
2.2 Information collected automatically
- Usage data — pages viewed, features used, IP address, browser type, device information, and approximate location inferred from IP.
- Log data — server logs, timestamps, error traces, and security events.
2.3 Information from third-party services you connect
If you choose to connect a third-party service to FSManager (for example, your email provider for outbound drafts, or Xero for accounting sync), we receive information from that service only to the extent needed to deliver the feature you enabled. See Section 7 for details on the optional email integration.
3. How we use information
We use the information we collect to:
- provide, maintain and improve the Services;
- create and manage user accounts and tenants, including authentication and access control;
- process payments, issue invoices, and administer subscriptions;
- respond to enquiries and provide technical and customer support;
- send service-related notices (for example, security alerts, billing messages, and material changes to the Services or this policy);
- monitor for, investigate, and prevent fraud, abuse, and security incidents;
- comply with legal obligations and enforce our Software Licence Agreement; and
- with your consent, send you marketing communications about FSManager — you can unsubscribe at any time.
We do not sell personal information, and we do not use personal information for targeted advertising.
4. Legal basis for processing
We process personal information on the following lawful bases: performance of a contract with you or your employer; compliance with a legal obligation; our legitimate interests in operating and securing the Services; and, where required, your consent (which you can withdraw at any time).
6. Sub-processors
We engage the following sub-processors to provide the Services. Each is bound by a written data-processing agreement (DPA) that requires appropriate security and confidentiality safeguards.
| Sub-processor | Purpose | Data processed | Region | DPA / security |
|---|---|---|---|---|
| Microsoft Azure: Microsoft Ireland Operations Limited | Application hosting, SQL databases, blob storage, Key Vault, Application Insights | All customer business data — jobs, customers, quotes, attachments, user identities | Primary: Australia East (Sydney). Geo-redundant backups: Australia Southeast (Melbourne). | View DPA |
| Stripe: Stripe Payments Australia Pty Ltd (or Stripe, Inc. depending on contracting entity) | Subscription billing, payment processing, Customer Portal | Tokenised payment instrument details, billing address, email, company name, subscription state | Global; primary processing United States and Ireland | View DPA |
| Resend: Resend Inc. | Transactional email delivery (welcome, password reset, billing notifications) | Recipient email addresses, email contents, delivery and bounce events | Primarily United States | View DPA |
| Cloudflare: Cloudflare, Inc. | DNS, CDN, edge TLS termination, DDoS protection, Cloudflare Access (Zero Trust auth for the Admin app), Cloudflare Workers (warmup ping) | All HTTP request metadata in transit; Cloudflare Access maintains email-based auth records for admin users | Global edge network | View DPA |
| Sentry: Functional Software, Inc. d/b/a Sentry | Application error tracking and performance monitoring | Exception stack traces, browser/server context, user identifiers as they appear in error messages | European Union (Germany) | View DPA |
| Google Cloud (Places API): Google LLC | Address autocomplete for customer and job-site address entry | Partial address strings as typed | Global Google infrastructure | View DPA |
| GitHub: GitHub, Inc. (a Microsoft subsidiary) | Issue tracking for production errors (Sentry creates GitHub issues for production exceptions) | Tenant identifiers and exception summaries as they appear in Sentry-created issues | United States | View DPA |
| Xero: Xero (NZ) Limited | Accounting and payroll integration — only when the customer enables it (invoice/contact sync and payroll sync) | Customer/contact records, invoice line items, and — when payroll sync is enabled — employee identifiers, pay rates, hours, leave balances, and payroll line items as configured by the customer | Australia (AWS Sydney) primary; data also resides in the customer's Xero org region | View DPA |
| Anthropic, PBC | AI features (workflow automation, custom chatbot) — only on plans that include AI Automation | Prompts and contextual data necessary to fulfil the AI request. No training on customer data. | United States | View DPA |
This list is current as at the effective date above and is reviewed at least annually. When we add or replace a sub-processor we will update this page and notify active customers by email or in-product banner before the new sub-processor begins processing personal information.
7. Email integration
FSManager helps users prepare business emails (for example, quote covering letters, job updates, and site-measure confirmations). Depending on how the user chooses to work, FSManager handles outbound email in one of two ways.
7.1 Download as .eml (default)
By default, FSManager generates an .eml file that the user downloads and opens in their own email client (Outlook, Apple Mail, Thunderbird, Gmail web, etc.). In this mode FSManager never connects to the user's mailbox and never stores mailbox credentials of any kind. The user remains solely responsible for sending the message from their own email client.
7.2 Optional mailbox integration
Where the user prefers a more integrated workflow, FSManager supports connecting to their existing mailbox so that drafts prepared in FSManager can be placed directly into the user's drafts folder (and, at the user's option, sent). Supported connection methods are:
- IMAP / SMTP using a username and app-specific password supplied by the user; and
- Microsoft 365 via Microsoft-issued OAuth 2.0 tokens, limited to the scopes required to create drafts (and, if enabled, send email) as the signed-in user.
7.3 What we access and what we do not
- We access the user's mailbox only to place a draft (or, when the user opts in, to send a message) that has been prepared in FSManager.
- We do not read incoming mail. We do not scan, index, analyse, or otherwise examine the contents of the mailbox.
- We do not access mail folders, labels, contacts, calendars, attachments, or any other data in the connected account.
- We do not use the contents of any email or mailbox to serve advertising, and we do not sell email content or mailbox metadata.
- We do not use the contents of any email to train machine learning or large language models.
7.4 How credentials are stored
IMAP/SMTP app passwords and Microsoft 365 OAuth refresh tokens are stored encrypted at rest, scoped to the individual user and tenant, and used only by the FSManager server to perform the actions described above. They are deleted immediately when the user disconnects the integration, rotates their app password, or revokes access through their provider.
7.5 How to disconnect
The user may disconnect a mailbox integration at any time from FSManager's account settings. Where the integration uses Microsoft 365 OAuth, the user may also revoke FSManager's access directly from their Microsoft account security page. For IMAP/SMTP connections the user should additionally rotate or delete the app-specific password they issued to FSManager.
8. Storage and international transfers
Customer content and most operational data are stored on Microsoft Azure infrastructure in Australia East (Sydney), with geo-redundant backups in Australia Southeast (Melbourne). Some sub-processors operate outside New Zealand and Australia:
- United States — Stripe, Resend, GitHub, Anthropic, and Google (Places API).
- European Union (Germany) — Sentry (error monitoring).
- Global edge network — Cloudflare (DNS, CDN, edge TLS, DDoS protection, Cloudflare Access).
When personal information is transferred outside New Zealand, we take reasonable steps under Information Privacy Principle 12 of the Privacy Act 2020 to ensure it is protected by comparable safeguards, including contractual commitments (the DPAs linked in Section 6) and the sub-processor's own certifications (for example, ISO 27001, SOC 2).
9. Data retention
We retain personal information only for as long as is necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Typical retention periods:
- Active customer content — for the life of the subscription.
- Customer content after termination — up to 90 days after subscription termination, after which tenant databases are deleted unless a longer period is required by law or specifically agreed.
- Billing records — at least 7 years, as required by New Zealand tax law.
- Enquiry records — up to 24 months from last contact unless you have become a customer.
- Mailbox integration credentials (IMAP/SMTP app passwords, Microsoft 365 OAuth tokens) — stored only for as long as the integration is connected; deleted immediately upon revocation or disconnection.
10. Security
We take the security of personal information seriously and implement appropriate technical and organisational measures, including:
- TLS 1.2 or higher for all data in transit;
- encryption at rest for databases and file storage;
- role-based access control, with production access limited to authorised personnel and protected by multi-factor authentication;
- isolated tenant databases and application-level tenant scoping to reduce the risk of cross-tenant data exposure;
- regular dependency and infrastructure patching, logging, monitoring, and backup;
- written agreements with all sub-processors requiring appropriate security and confidentiality obligations.
No system is completely secure. If we become aware of a privacy breach that has caused or is likely to cause serious harm, we will notify the Office of the Privacy Commissioner and affected individuals in accordance with the Privacy Act 2020.
11. Your rights
Under the New Zealand Privacy Act 2020 you have the right to:
- access personal information we hold about you and request a copy;
- request correction of personal information that is inaccurate or out of date;
- withdraw consent where processing is based on consent;
- ask us to delete personal information where we are no longer required to keep it; and
- complain to the Office of the Privacy Commissioner (privacy.org.nz).
To exercise any of these rights, contact us at support@fsmdevelopments.co.nz. Where a request concerns customer content held on behalf of an FSManager customer, we will generally direct the request to the relevant customer (the controller) and assist them in responding.
13. Children
The Services are not intended for individuals under the age of 16 and we do not knowingly collect personal information from children.
14. Changes to this policy
We review this policy at least annually and update it when our practices or sub-processors change. When we make a material change — for example, adding a new sub-processor or expanding how we use personal information — we will update the “last updated” date at the top of the policy and notify active customers by email or by an in-product banner in FSManager. We do not currently operate a separate subscription channel for sub-processor change notices; the in-product banner and email notice serve the same purpose.
15. How to contact us
For any privacy question or request, please contact:
FSM Developments Ltd
Privacy Officer
139 Kohimarama Road, Kohimarama, Auckland 1071, New Zealand
Email: support@fsmdevelopments.co.nz
See also our Software Licence Agreement.