Privacy Policy

Effective date: 29 May 2025 | Last updated: 29 May 2025

This Policy replaces all previous versions.

1. Who we are

Cassia Limited (“Cassia AI”, “Cassia”, “we”, “us”) is a New Zealand incorporated company that builds an AI-powered bookkeeping assistant integrating with Xero and other accounting tools. We are the data controller for personal information collected via:

  • https://heycassia.com and all sub-domains;

  • the Cassia AI web and mobile applications;

  • customer-support channels (email, chat, voice notes); and

  • any other services that link to this Policy (collectively, the “Services”).

2. Scope & governing law

We comply with the Privacy Act 2020 and its 13 Information Privacy Principles. Where we process data about individuals located overseas, we also endeavour to meet comparable international standards (e.g., GDPR) where they apply. This Policy does not cover third-party sites or services you may access via our Services.

3. Information we collect

| Category | Typical data elements | How we collect |
|---|---|---|
| Account & profile data | Full name, business name, email, phone, billing address, hashed passwords | During sign-up or profile edits |
| Bookkeeping data | Bank-transaction exports, chart-of-accounts codes, contact names, invoice details, reconciliation actions | Uploads you make or data pulled, under your instruction, from the Xero app |
| Usage & device data | IP address, browser type, device IDs, pages viewed, click-stream, keystroke timings | Automated logging, cookies, analytics |
| Support interactions | Emails, chat transcripts, call recordings | When you contact us |
| Payment data | Last 4 digits of card, expiry, billing history (processed by Stripe®) | Checkout & subscription management |

Sensitive data: Cassia AI is designed for financial, not health or biometric, data. Please do not upload sensitive personal data (e.g., health or racial information). If we discover such data we will delete or anonymise it.

4. How and why we use your information

| Purpose | Legal basis | Details |
|---|---|---|
| Provide, secure and maintain the Services | Contractual necessity | Create your account; import transactions; generate coding predictions; display dashboards; handle authentication |
| AI/Machine Learning model training & improvement | Legitimate interests (balanced) | We use transaction data to train statistical and large-language models that improve coding accuracy. You can opt out (§ 12). No customer data is sold or shared for unrelated model training. |
| Automated suggestions & human-in-the-loop decisions | Legitimate interests / contract | Cassia’s predictions are suggestions only; you retain final control. No legally significant decision is made solely by an algorithm. |
| Billing & account administration | Contract | Invoicing, subscription management, fraud prevention |
| Service communications | Legitimate interests | Product updates, security notices |
| Marketing (newsletters, webinars) | Consent | We send electronic marketing only if you opt in; you may unsubscribe at any time |
| Compliance & dispute resolution | Legal obligation | Meet tax, accounting, and law-enforcement requirements |

5. Automated suggestions & configurable review window

Cassia AI generates account-code and contact suggestions using AI and machine-learning models. These suggestions are held in a review queue for a period that you control:

  • Review-window length. Each workspace admin may set a window anywhere between 12 and 48 hours. The countdown starts when a suggestion first appears in your Cassia dashboard.

  • Deemed acceptance. If no one in your workspace edits or rejects a suggestion before the window expires, it is automatically finalised and recorded as accepted. Cassia will then post the entry to Xero (or your chosen ledger) and log the action.

  • Human control at all times. You can override or roll back any automated entry, even after deemed acceptance, using the “Remove & Redo” function.

  • Right to an explanation. You may request:

    1. the main data points the model considered; and

    2. a manual review of any suggestion you believe is incorrect.

No legally significant decision is made solely by an algorithm until the review window you have chosen has elapsed.

6. Cookies & similar technologies

We use first-party cookies for authentication and preferences, and third-party analytics cookies (Google Analytics, Hotjar) to understand aggregate usage. Manage cookies in your browser. See our [Cookie Notice] for details.

7. Sharing & international transfers

We share data only with vetted service providers under confidentiality agreements:

| Provider | Purpose |
|---|---|
| Google Cloud Platform | Primary cloud infrastructure |
| Google Cloud Platform | Model-training workloads |
| Google Cloud Platform | LLM inference |
| Stripe | Payment processing |
| Auth0 | Authentication |

Transfers outside New Zealand (including US and AU) are safeguarded by standard contractual clauses or equivalent protections. We may also disclose information if required by law, to prevent fraud or security threats, or in connection with a merger or acquisition.

8. Security

  • TLS 1.3 encryption in transit; AES-256 at rest

  • Audit logs for model and data-access events

If you believe your data has been compromised, email [email protected].

9. Retention & deletion

| Data type | Retention period |
|---|---|
| Active customer bookkeeping data | Subscription life + 7 years |
| Model-training artefacts | Up to 7 years, then re-trained or deleted |
| Support tickets | 7 years |

Early deletion requests honoured where legally permissible.

10. Your privacy rights

Under the Privacy Act 2020 you can request access, correction, deletion, objection/restriction, and lodge complaints with the NZ Office of the Privacy Commissioner.

11. Marketing choices

Click “unsubscribe” in any marketing email or email [email protected].

12. Opt-out of model training

Email [email protected] with your workspace ID to exclude your uploaded data from future training runs (may reduce prediction accuracy).

13. Children

Cassia AI is intended for business users aged 18+. We do not knowingly collect data from minors.

14. Changes to this Policy

Material changes will be announced by email or in-app notice at least 14 days before they take effect.

15. Contact us

Privacy queries: [email protected]



