Privacy Policy

Your privacy matters. Here's what we collect, how we use it, and the choices you have.

Last updated: 14 March 2026

Owdyn's Privacy Principles

No data selling

We don't sell your financial data — ever.

Protected by design

We use industry-standard security measures and encryption to protect your data.

Minimal collection

We collect what we need to provide Owdyn — and avoid what we don't.

Your control

You can request deletion of your account and data. Data export (CSV) is available on all plans.

1. Information We Collect

Account information

When you create an Owdyn account, we collect:

  • Email address (required for authentication)
  • Name (optional)
  • Profile picture (optional, if using Google OAuth)
  • Password (stored as a secure hash — we never store your plain password)

Financial data

To use Owdyn, you provide (manually, or optionally via bank sync on Plus and Wise):

  • Accounts and balances
  • Transactions (amount, date, description, category)
  • Budgets and categories
  • Goals (where used)

This is your data. We use it to provide the service you request.

Feedback data

When you submit in-app feedback, we collect:

  • Feedback type (Bug Report, Feature Request, or Other)
  • Your feedback message
  • The page you were on when you submitted feedback
  • Your account plan (to help us prioritise)
  • Browser and device type (included automatically for bug reports)

Feedback is stored in our database and also forwarded to Canny (our feedback management platform) — see Section 3 for details.

Usage and security information

We also collect limited technical information to protect accounts and run the service:

  • Device type and browser
  • IP address (for account security, rate limiting, and abuse prevention)
  • Pages visited and features used
  • AI feature usage counts (to enforce Free-tier limits)
  • Security audit events — including sign-in, sign-out, 2FA enable/disable, and plan changes. These are used for fraud detection, account recovery, and security investigation. Events are logged with a timestamp and IP address.

2. How We Use Your Information

We use your information to:

  • Provide Owdyn: show accounts, track budgets, display analytics
  • Generate insights and suggestions: including optional AI features
  • Improve Owdyn: understand feature usage and process feedback you submit
  • Communicate with you: service messages, security alerts, and (if you opt in) marketing updates
  • Process payments: subscriptions via Stripe
  • Maintain security: protect accounts and prevent abuse

AI Features – How Your Data is Processed

Owdyn uses Anthropic's Claude AI to help categorise your transactions and generate spending insights. This happens in two ways:

Automatic categorisation (happens on import)

When you import transactions via CSV upload or bank auto-sync, Owdyn automatically sends those transaction descriptions and amounts to Anthropic to suggest categories. This happens as part of the import process — you don't need to separately opt in to AI. Suggested categories are shown to you for review and you can change any of them before saving.

Optional AI features (require deliberate use)

Spending insights, pattern detection, and natural language queries (Wise plan) only run when you actively request them. If you never use these features, that data is not sent to Anthropic.

What we send to Anthropic:

  • Transaction descriptions — sanitised before sending (emails, phone numbers, card numbers, account numbers, and IRD numbers are automatically stripped and replaced with placeholders before leaving your device)
  • Transaction amounts and income/expense type
  • Available category names (as options for the AI to choose from)
  • Aggregated spending summaries (for insights, only when you request them)

What we DON'T send:

  • Your email address or password
  • Payment information (credit cards, bank details)
  • Personal identification documents

Anthropic's data handling:

According to Anthropic's Data Processing Addendum:

  • Data is processed only to generate AI responses for you
  • Data is NOT used to train AI models
  • Data is NOT retained long-term on their servers
  • Data is deleted per the timelines set out in their DPA — review it at anthropic.com/legal/dpa

Subprocessors:

Anthropic uses additional service providers to deliver AI services. View the current list at: anthropic.com/subprocessors

Your control:

  • Suggested categories are always shown for your review — you can change any suggestion before saving
  • You can manually enter or edit transactions without using CSV import or bank sync
  • Optional AI insight features only run when you actively request them

⚠️ AI Accuracy Disclaimer

AI outputs may be inaccurate, incomplete, or misleading. Always review AI suggestions before accepting them. For personalised financial advice, consult a qualified financial adviser.

Automated decision-making:

AI features generate suggestions only — they do not make binding decisions about your account, access, or finances without your explicit confirmation. You retain full control and can override, ignore, or dismiss any AI output at any time. No decision with a legal or similarly significant effect is made solely by automated means.

Learn more: Anthropic Privacy Policy | Owdyn Security

3. How We Share Your Information

We do not sell your data.

We share information only with service providers needed to run Owdyn:

Anthropic (AI Provider)

Data shared: Sanitised transaction descriptions, amounts, and income/expense type — sent automatically on import for categorisation, and on request for insights

Purpose: Generate category suggestions and spending insights

Akahu (Bank Data Aggregation — Plus and Wise only) — coming soon

Data shared: Your NZ bank account data — account names, balances, and transactions — retrieved via read-only OAuth connection with your bank

Purpose: Connect to your NZ bank accounts and retrieve transactions for auto-sync

Akahu is a NZ-based open banking provider. Your bank credentials are entered directly with your bank — Owdyn and Akahu never see your internet banking password. View Akahu's privacy policy at akahu.nz

Stripe (Payment Processor)

Data shared: Payment information (we never see your full card number)

Purpose: Process Owdyn Plus and Wise subscriptions

Neon (Database Hosting)

Data shared: All application data (to store it)

Purpose: Securely store your financial data

Vercel (App Hosting)

Data shared: All application data (to operate the service)

Purpose: Host and deliver the Owdyn application

Upstash (Rate Limiting)

Data shared: Anonymised identifiers derived from your IP address and account ID — used solely to enforce rate limits (e.g. maximum login attempts per minute). No financial data, transaction data, or personal details are sent.

Purpose: Protect accounts from brute-force and abuse attacks by limiting the rate of authentication requests

Upstash is a US-based serverless database provider. Rate limit counters expire automatically and are not used for profiling or any purpose other than abuse prevention.

Resend (Email Service)

Data shared: Email address, name (for transactional emails)

Purpose: Send account notifications and security alerts

Canny (Feedback Management)

Data shared: Your name, email address, and the feedback you submit (type, message, and the page you were on)

Purpose: Collect, manage, and prioritise product feedback; power the public roadmap at owdyn.canny.io

Canny is a US-based feedback platform. When you submit feedback, a Canny user account is created (or matched) using your name and email — this is what allows Canny to notify you when the status of your feedback changes (e.g., when a feature you requested is marked as Planned or shipped). We do not share your financial data, transaction data, or any other sensitive account information with Canny. View Canny's privacy policy at canny.io/privacy.

We may also share data if required by law, court order, or valid legal process, or during a business transfer (we'll notify you).

4. Data Security (High Level)

We use industry-standard safeguards to protect your data, including:

  • Encryption in transit: HTTPS/TLS 1.2+ on all connections
  • Encryption at rest: AES-256 disk-level encryption on our database (Neon)
  • Application-layer encryption: AES-256-GCM encryption applied within Owdyn itself for the most sensitive fields — specifically your 2FA secret and any bank OAuth tokens. These are encrypted before being written to the database, meaning the data is protected even at the database layer.
  • Password security: Passwords are hashed using bcrypt (cost factor 12) — we never store your plain password
  • Rate limiting: Authentication endpoints are rate-limited to protect against brute-force attacks
  • Audit logging: Key security events (sign-in, sign-out, 2FA changes, plan changes) are logged for fraud detection and account recovery

For details, see our Security page.

No system is 100% secure. Please use a strong, unique password, enable two-factor authentication, and keep your email account secure.

4A. Security Incident Notification

In the unlikely event of a security breach affecting your information, we will:

  • Notify you as soon as reasonably practicable (as required by the NZ Privacy Act 2020) — we target within 72 hours where possible
  • Explain what data was affected and how the breach occurred
  • Describe the steps we're taking to fix it
  • Provide guidance on steps you should take to protect yourself
  • Report to the NZ Privacy Commissioner if the breach is likely to cause serious harm, as required by Part 6 of the Privacy Act 2020

If Anthropic (our AI provider) notifies us of a breach affecting your transaction data, we'll notify you as soon as possible after learning about it.

Report Security Concerns

Email: support@owdyn.nz
Response time: Priority response within 24 hours

5. Your Rights and Choices

Under the NZ Privacy Act 2020 (Information Privacy Principles 6 and 7), you can:

Access your information (IPP 6)

You have the right to confirm whether we hold personal information about you and to access it.

How: Most data is accessible in-app. For other requests, email support@owdyn.nz
Timeline: We'll respond within 20 working days (as required by s44 Privacy Act 2020)
Cost: Free

Correct your information (IPP 7)

You have the right to request correction of any personal information we hold that is inaccurate, out of date, incomplete, misleading, or irrelevant. If we decline to correct it, you may request that a statement of disagreement be attached to the record.

How: Update most data directly in-app. For other corrections, email support@owdyn.nz
Timeline: We'll respond within 20 working days
Cost: Free

Export

Data export (CSV format) is available at any time from the Settings page.

How: Settings → Export Data
Timeline: Immediate download

Delete

You can delete your account from the Settings page.

Timeline: Permanent deletion within 30 days

Object or Complain

You can object to certain data processing or complain if you believe we've breached your privacy rights.

Contact us first: support@owdyn.nz
If unsatisfied: Contact NZ Privacy Commissioner
  • Website: privacy.org.nz
  • Phone: 0800 803 909
  • Email: enquiries@privacy.org.nz

6. Data Retention

We keep your data while your account is active.

When you delete your account, the following happens immediately and permanently:

Permanently deleted

All personal financial data is erased — including your profile, accounts, transactions, budgets, goals, bills, BNPL plans, categories, category rules, bank connections, CSV import history, forecasting scenarios, credit payoff simulations, spending snapshots, AI insights, notifications, and feedback. This action cannot be undone. We strongly recommend exporting your data before deleting your account.

De-identified (not deleted)

Action audit logs (e.g. "account created", "subscription changed") are anonymised — your name and account link are permanently removed, but the de-identified record is retained for fraud detection and legal defence. These records contain no information that can identify you.

Day 90

Backup systems purged.

After account deletion, Anthropic deletes your transaction data per the retention schedule in their Data Processing Addendum — see anthropic.com/legal/dpa.

Payment processor (Stripe) retains billing records per their own data retention policies and applicable tax law.

Feedback you submitted to Canny is retained on Canny's platform per their own data retention policy. To request deletion of your data from Canny, contact us at support@owdyn.nz and we will submit a deletion request on your behalf.

7. Cookies

Owdyn uses essential cookies for authentication and session management. See our Cookie Policy for details.

We don't use third-party advertising cookies or sell data to advertisers.

8. Geographic Scope & International Users

Owdyn is designed for New Zealand residents

Owdyn is based in Auckland, New Zealand. This service is designed and intended for use by residents of New Zealand. Our features, pricing, bank integrations, and date/currency formats are built for the NZ market.

Data Storage Location

Your data is stored in our database hosted in the AWS Sydney region (Australia). By using Owdyn, you acknowledge that your data may be stored and processed in Australia and the United States (for AI processing via Anthropic, and app hosting via Vercel).

Governing Law

These policies and any dispute about your data are governed by the laws of New Zealand, including the Privacy Act 2020. If you access Owdyn from outside New Zealand, you do so at your own initiative and you remain subject to these terms and NZ law.

If You Are Outside New Zealand

Owdyn is not specifically designed for users in the EU, UK, or other jurisdictions. If you choose to use Owdyn from outside New Zealand, please be aware:

  • Your data will be processed under NZ law and stored on servers in Australia and the US
  • You may have additional rights under your local laws (e.g., GDPR in Europe) — contact us at support@owdyn.nz to exercise them
  • Owdyn's bank integrations currently support New Zealand banks only
  • We cannot guarantee that the service meets the regulatory requirements of jurisdictions outside New Zealand

Data transfers to Anthropic (US-based) are governed by Anthropic's Data Processing Addendum. View their compliance information: anthropic.com/legal

9. Children's Privacy

Owdyn is not intended for users under 13 years old (or 16 in the EU). We do not knowingly collect data from children.

If you believe a child has provided us with personal information, please contact us at support@owdyn.nz and we will delete it immediately.

10. Changes to This Policy

We may update this policy occasionally. Changes will be effective 30 days after we notify you, except:

  • Changes required by law take effect immediately
  • Changes that benefit you may take effect sooner

If changes are significant, we'll notify you via:

  • Email to your registered address
  • In-app notification
  • Updated date at the top of this page

Questions or Concerns?

If you have questions about privacy or your data:

Email: support@owdyn.nz

Legal entity: OWDYN LIMITED (trading as Owdyn)

NZBN: 9429053482907

Address: Auckland, New Zealand

Privacy and security inquiries receive priority response within 24-48 hours.