
Privacy Policy

Last Updated: March 1, 2026

Our Commitment to Privacy

Hoist Software LTD (“Hoist”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our automotive workshop management platform.

About Hoist

Hoist Software LTD

  • Company Number: 8842848
  • NZBN: 9429051507626
  • Website: https://hoist.nz
  • General Contact: accounts@hoist.nz
  • Privacy Inquiries: accounts@hoist.nz

We are a New Zealand company that provides cloud-based workshop management software specifically designed for automotive workshops, mechanics, and related businesses.

What This Policy Covers

This Privacy Policy applies to our website at https://hoist.nz, our web application and dashboard, our mobile applications for iOS and Android, our API and integrations, and any other services we provide.

New Zealand Privacy Act 2020 Compliance

We comply with the Privacy Act 2020 and handle personal information in accordance with the 13 Information Privacy Principles (IPPs). We are subject to New Zealand privacy law and the jurisdiction of the Office of the Privacy Commissioner.

Your Privacy Rights Under New Zealand Law

Under the Privacy Act 2020, you have the right to:

  • Know what personal information we hold about you
  • Access your personal information
  • Request correction of inaccurate information
  • Request deletion in certain circumstances
  • Complain to the Privacy Commissioner if you believe we have breached the Privacy Act

Your Data vs Your Customers' Data

This Privacy Policy covers two distinct categories of data:

Your Data (Account Data): This is information about you, your business, your workshop, and your staff members who use Hoist. For this information, we are the data controller or “agency” under the Privacy Act 2020.

Your Customers' Data (Customer Data): This is information about your workshop customers that you choose to store in Hoist, such as their names, contact details, vehicle information, service histories, invoices, and payment records. For this information, you are the data controller (“agency”) and we are the data processor. As processor, we will only process Customer Data on your instructions, for the purpose of providing the Service, and in accordance with this Privacy Policy and the Privacy Act 2020.

Information We Collect

Account Registration Information

When you create a Hoist account for your workshop, we collect:

  • Workshop business name and trading name
  • Business physical address
  • Business phone number and email address
  • GST number (if registered)
  • Business type (sole trader, partnership, limited company, etc.)
  • Your full name, email address, and phone number as account owner

Billing and Payment Information

  • Billing contact name and email
  • Billing address
  • Payment method details (processed securely by Stripe; we do not store full card numbers)
  • Transaction records including payment dates, amounts, invoice numbers, and payment status

Usage Data and Service Analytics

  • Login frequency and session duration
  • Features used and pages viewed
  • Actions taken within the Service
  • Search queries and navigation paths
  • Error messages or issues encountered

Error and Performance Data

When errors occur in the Service, our error tracking system (Sentry) automatically collects:

  • Your user ID and username (to help us identify and resolve the issue)
  • Your company identifier
  • The action that triggered the error
  • Browser, device, and operating system information
  • Error stack traces and technical diagnostics

This data is used solely to identify, diagnose, and fix technical issues in the Service.

Device and Technical Information

  • Device type, operating system, and browser
  • IP address and geographic location (city/region level)
  • Connection type and network performance metrics

How We Use Your Information

To Provide and Operate the Service

  • Create and manage your Hoist account
  • Authenticate you when you log in
  • Store and manage the data you enter
  • Process your workshop operations
  • Enable multi-user access for your staff
  • Synchronize your data across devices
  • Back up your data for disaster recovery

To Process Payments

  • Process subscription payments
  • Generate invoices
  • Handle payment failures and refunds
  • Maintain financial records for tax compliance

To Communicate With You

  • Send account and security notifications (these are transactional and cannot be opted out of)
  • Provide customer support
  • Announce new features and improvements
  • Send marketing communications (only with your consent; see Marketing Communications section below)

To Improve the Service

  • Analyze how features are used
  • Identify bugs and technical issues
  • Test new features and improvements
  • Optimize performance and reliability

For Security and Fraud Prevention

  • Detect and prevent unauthorized access
  • Monitor for suspicious activity
  • Detect and prevent payment fraud
  • Enforce our Terms of Service

How We Share Your Information

We do not sell your personal information to third parties. We may share your information with:

  • Service Providers: Third parties who help us operate the Service (see Service Providers section below)
  • Third-Party Integrations: When you connect third-party services such as Xero accounting software (with your authorization)
  • Legal Requirements: When required by law, court order, or legal process
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (we will notify you before your information is transferred and becomes subject to a different privacy policy)

Service Providers (Sub-processors)

We use the following categories of service providers who may process your personal information on our behalf:

  • Cloud Infrastructure: Amazon Web Services (AWS) — hosting, database, and compute services. Data is stored primarily in the Asia Pacific (Sydney) region.
  • Payment Processing: Stripe — processes subscription payments securely. Stripe's privacy policy governs payment data they collect.
  • Error Monitoring: Sentry — captures error reports with limited user context (user ID, username, company ID) to help us diagnose and fix issues.
  • Accounting Integration: Xero — when you connect your Xero account, data is shared as you authorize for invoicing and accounting purposes.

All service providers are contractually required to protect your information and use it only for the purposes we specify. We regularly review our service providers to ensure they maintain adequate security practices.

Marketing Communications

In accordance with the Unsolicited Electronic Messages Act 2007:

  • We will only send you marketing emails with your prior consent
  • All marketing emails will clearly identify Hoist Software LTD as the sender
  • All marketing emails will include a functional unsubscribe link
  • We will process unsubscribe requests within 5 working days
  • You can opt out of marketing communications at any time without affecting your use of the Service

Transactional messages (account notifications, security alerts, billing receipts, service announcements) are not marketing and will continue to be sent as necessary for the operation of the Service.

Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Essential Cookies: Required for the Service to function (authentication, security, session management)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how you use Hoist

You can manage cookies through your browser settings, but disabling essential cookies may affect how Hoist works.

Data Security

We implement reasonable technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of sensitive data at rest
  • Access controls and authentication
  • Regular security assessments
  • Staff training on data protection
  • Incident response procedures

However, no system is completely secure, and we cannot guarantee absolute security.

Privacy Breach Notification

In accordance with sections 112–117 of the Privacy Act 2020, if we become aware of a privacy breach that has caused, or is likely to cause, serious harm to affected individuals:

  • We will notify the Office of the Privacy Commissioner as soon as practicable, and no later than 72 hours after becoming aware of the notifiable breach
  • We will notify affected individuals as soon as practicable, unless an exception under the Act applies
  • Our notification will include a description of the breach, the information involved, what we are doing to respond, and steps individuals can take to protect themselves

We maintain incident response procedures to detect, assess, and respond to privacy breaches promptly.

Data Retention

We retain your information for as long as your account is active or as needed to provide you with the Service. After account closure:

  • Your Data is deleted from active systems within 30 days
  • Backup copies are deleted within 90 days
  • Financial and billing records are retained for 7 years as required by the Tax Administration Act 1994 and Inland Revenue requirements
  • Aggregated, anonymized data (which cannot identify any individual) may be retained indefinitely

Your Customer Data

When you store your customers' personal information in Hoist, you are the data controller (“agency”) under the Privacy Act 2020, and we are the data processor. You are responsible for:

  • Obtaining appropriate consent from your customers
  • Providing them with privacy notices
  • Complying with all Information Privacy Principles
  • Responding to customer privacy requests
  • Notifying the Privacy Commissioner of any notifiable breaches involving your customer data

We will assist you in meeting your obligations by providing data export tools, responding to data access requests you forward to us, and notifying you promptly if we become aware of a breach involving your customer data.

International Data Transfers

Your data is primarily stored in Australia (AWS Asia Pacific — Sydney region). Data may also be processed in:

  • United States: By our error monitoring provider (Sentry) and payment processor (Stripe)
  • New Zealand: By our team for support and development purposes

In accordance with Information Privacy Principle 12 of the Privacy Act 2020, before disclosing personal information to an overseas recipient, we ensure on reasonable grounds that the recipient is subject to privacy laws or contractual obligations that provide comparable safeguards to the Privacy Act 2020. We use contractual arrangements with our service providers to ensure your information is adequately protected regardless of where it is processed.

Children's Privacy

Hoist is designed for businesses and is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe someone under 18 has provided us with personal information, please contact us at accounts@hoist.nz and we will delete the information.

Exercising Your Privacy Rights

To exercise your privacy rights under the Privacy Act 2020:

  • Access: You can access most of your information through your account settings. For additional access requests, contact accounts@hoist.nz
  • Correction: You can update most information directly in your account. For other corrections, contact us
  • Deletion: You can delete your account through settings or by contacting us

We will respond to privacy requests within 20 working days as required by the Privacy Act 2020. If we need to extend this timeframe, we will notify you of the reason and the expected date of response.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

  • We'll notify you by email at least 30 days before the changes take effect
  • We'll post a notice on our website
  • We'll update the “Last Updated” date at the top of this policy

Continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.

Contact Us

For privacy-related questions, concerns, or requests:

  • Email: accounts@hoist.nz
  • Include “Privacy Request” in the subject line

Hoist Software LTD
Company Number: 8842848
NZBN: 9429051507626

Complaints

If you believe we have breached the Privacy Act 2020, you can:

  1. Contact us first to try to resolve the issue
  2. If unresolved, complain to the Office of the Privacy Commissioner:

Office of the Privacy Commissioner
PO Box 10094
Wellington 6143
New Zealand
Phone: 0800 803 909
Website: www.privacy.org.nz

Version: 2.0

Hoist Software LTD (Company Number: 8842848, NZBN: 9429051507626)
All rights reserved.
