Legal
Privacy Policy
Effective 8 June 2026
Samcorp Limited, a company registered in New Zealand with its registered office at 43 Grande Avenue, Mt Albert, Auckland, 1025, New Zealand (“Samcorp”, “we”, “us” or “our”), provides Conduit, a service that connects Cal.com to Xero to automate invoice creation (the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have over it — including the rights granted to you under the EU/UK General Data Protection Regulation (“GDPR”) and the New Zealand Privacy Act 2020 (as amended by the Privacy Amendment Act 2025).
For the purposes of the GDPR, Samcorp is the data controller of the personal data described in this policy in respect of your Conduit account, and a data processorin respect of personal data contained within bookings, invoices, and other records that you sync through the Service on behalf of your own clients (your “End Users”). If you are a business using Conduit, you are the controller of your End Users’ data, and you are responsible for having a lawful basis to share that data with us and for meeting any notification obligations you have toward your End Users, including under IPP 3A of the NZ Privacy Amendment Act 2025 (see §2 below). EU and UK business customers who require a formal GDPR Article 28 Data Processing Agreement (“DPA”) may request one at privacy@conduit.samcorp.co.nz.
1. What we collect
We collect the following categories of personal data:
- Account data: your name and email address, and authentication identifiers from sign-in providers (Google, GitHub, LinkedIn, or magic-link email) used to create and secure your account.
- Connection credentials: Cal.com webhook secrets and API keys, and Xero OAuth access and refresh tokens, which we store encrypted so the Service can sync data on your behalf. We never see or store your Cal.com or Xero account passwords.
- Configuration data: your invoicing preferences, such as Xero account and bank codes, tax settings, and invoice due-date rules.
- Booking and invoice data: details of bookings received via Cal.com webhooks (including event details, prices, and the names, email addresses, and time zones of attendees and organisers) and the invoices generated from them in Xero. This may include personal data about your End Users, which we process as a data processor on your instructions.
- Billing data: your subscription plan, trial and renewal dates, and identifiers from our payment processor, Stripe. We do not store your card details — these are handled directly by Stripe.
- Usage and technical data: log data, IP addresses, browser/device information, and error reports collected automatically when you use the Service, used for security, debugging, and service improvement.
2. How we use your data and our legal bases
Where the GDPR applies, we rely on the following legal bases to process personal data:
- Performance of a contract — to create and administer your account, operate the Service, sync bookings from Cal.com, and generate invoices in Xero;
- Legitimate interests — to maintain the security and reliability of the Service, prevent fraud and abuse, analyse and improve our product, and communicate service-related updates, in each case balanced against your rights and interests. Our legitimate interests are: operating a secure and reliable SaaS service, preventing misuse, and improving the product for all users;
- Consent — for optional marketing communications (which you can withdraw at any time by clicking the unsubscribe link in any marketing email or by contacting us) and for the use of any non-essential cookies; and
- Legal obligation — to meet our tax, accounting, and regulatory record-keeping requirements.
We use your data to:
- provide, operate, and maintain the Service, including syncing bookings and creating invoices;
- authenticate you and keep your account secure;
- process subscription payments and manage billing;
- respond to support requests and communicate important changes to the Service;
- monitor, debug, and improve the Service’s performance and reliability; and
- comply with our legal and regulatory obligations.
We do not sell your personal data, and we do not use your booking or invoice data to train third-party AI models or for advertising purposes.
NZ Privacy Amendment Act 2025 — indirect collection (IPP 3A). IPP 3A (effective 1 May 2026) requires agencies that collect personal information about individuals indirectly to notify those individuals as soon as reasonably practicable. Where Conduit collects End User personal data via Cal.com webhooks on your behalf, you (as the data controller) are responsible for ensuring your End Users are notified that their information will be processed by Conduit and its sub-processors. In Samcorp’s own controller capacity, we comply with IPP 3A in respect of any information we collect about individuals from sources other than those individuals directly.
3. Who we share data with
We share personal data only where necessary to provide the Service, and always under appropriate contractual safeguards. Our service providers (“sub-processors”) include:
- Amazon Web Services (AWS) — cloud hosting, databases, and infrastructure;
- Xero — to create and manage invoices on your behalf, as directed by you;
- Cal.com — to receive booking webhook data, as directed by you;
- Stripe — to process subscription payments and manage billing;
- Resend — to deliver transactional emails, including magic-link sign-in emails; and
- Sentry — to capture and diagnose application errors.
We will notify you by email or in-app notice at least 14 days before adding or replacing a material sub-processor. If you object to a new sub-processor on data protection grounds, please contact us at privacy@conduit.samcorp.co.nz and we will work with you to find a resolution.
We may also disclose personal data where required by law, to enforce our agreements, or to protect the rights, property, or safety of Samcorp, our users, or others. If Samcorp is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction, subject to this Privacy Policy continuing to apply.
4. International data transfers
Samcorp is based in New Zealand, which is recognised by the European Commission as providing an adequate level of data protection for the purposes of the GDPR. Some of our sub-processors (including AWS, Stripe, Resend, and Sentry) store or process data in other countries, such as the United States. Where we transfer personal data originating in the European Economic Area or the United Kingdom to a country that has not been deemed adequate, we rely on appropriate safeguards recognised under the GDPR, such as the European Commission’s Standard Contractual Clauses or the UK International Data Transfer Addendum, and we require our sub-processors to provide an equivalent level of protection for your data.
5. Data retention
We retain personal data for as long as your account is active and as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. The following category-specific retention periods apply:
- Account, connection, configuration, and booking/invoice data — retained for the life of your account, then deleted or anonymised within 30 days of account deletion, except where we are required to retain certain records to meet legal or regulatory obligations.
- Billing and transaction records — retained for 7 years to meet tax and accounting obligations under the NZ Tax Administration Act 1994 and equivalent legislation in other jurisdictions.
- Usage logs and error data — retained for up to 12 months for security monitoring, debugging, and service improvement, then deleted.
- Backups — backups containing your data are overwritten within 90 days on our standard rolling backup-rotation schedule.
6. Security
We use industry-standard technical and organisational measures to protect your data, including encryption of connection credentials at rest, encryption in transit (TLS), access controls, and monitoring. No system is completely secure, and we cannot guarantee the absolute security of your data. If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authorities as required by applicable law (including within 72 hours where required by the GDPR, and promptly under the NZ Privacy Act 2020).
7. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete personal data;
- Erase your personal data (the “right to be forgotten”);
- Restrict or object to our processing of your personal data;
- Receive a copy of your personal data in a portable, machine-readable format (data portability); and
- Withdraw consent at any time, where processing is based on consent.
You can access, export, and delete most of your account data directly from your dashboard. To exercise any of these rights, or if you need help, contact us at privacy@conduit.samcorp.co.nz. We will respond within the timeframes required by applicable law: generally within one calendar month under the GDPR (extendable by a further two months for complex requests), and within 20 working days for access requests under the NZ Privacy Act 2020 (s44).
If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority. EU residents may contact the supervisory authority of their EU member state. UK residents may contact the Information Commissioner’s Office (ICO). New Zealand residents may contact the Office of the Privacy Commissioner.
8. Cookies and similar technologies
We use strictly necessary cookies to keep you signed in and to keep the Service secure. We may also use limited analytics cookies to understand how the Service is used and to improve it. Where required by law, we will ask for your consent before setting any non-essential cookies, and you can manage your preferences through your browser settings at any time.
9. Automated decision-making
We do not engage in automated individual decision-making or profiling that produces legal or similarly significant effects within the meaning of Article 22 of the GDPR. All material decisions affecting your account are made by humans, and no decisions are taken based solely on automated processing of your personal data.
10. Children’s privacy
The Service is intended for business use by adults and is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect, except where changes are required immediately by law or to address an urgent security issue, in which case we will notify you as soon as reasonably practicable. The “Effective” date at the top of this page shows when the policy was last revised. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.
12. Contact us
If you have questions about this Privacy Policy or how we handle your personal data, contact us at privacy@conduit.samcorp.co.nz or write to Samcorp Limited, 43 Grande Avenue, Mt Albert, Auckland, 1025, New Zealand.