Privacy Policy
Last updated 2 June 2026
Who we are
Snaffle is operated by Snaffle Limited, a New Zealand company (“Snaffle”, “we”, “us”). Snaffle is a tool that captures receipts and supplier invoices and files them into your Xero accounting software, with AI-assisted coding suggestions.
This policy explains what personal information we collect, how we use it, and your rights under the New Zealand Privacy Act 2020. Questions or requests: support@snaffle.co.nz.
Who can use Snaffle
Snaffle is for use by businesses and the people who work in them. It isn’t intended for children, and we don’t knowingly collect personal information from anyone under 16.
Information we collect
We collect only what we need to run the service:
- Account details — for business owners and admins, your name and email address (used for magic-link sign-in). For staff who join via an invite link, your name only.
- Receipts and invoices you upload — the image or PDF, and the details we extract from it: supplier name, amounts, GST, dates, invoice numbers, and supplier bank account numbers where shown.
- Xero data you connect — when you connect your Xero organisation you authorise us to access and create specific data (see “Connecting Xero” below).
- Technical information — strictly necessary sign-in cookies, session and device information, and server logs needed to operate and secure the service.
Where a business owner invites staff, those staff details are collected on behalf of the business, which is responsible for that information; Snaffle holds and processes it to provide the service.
Connecting Xero
When you connect Xero, we request the minimum access needed to do our job. In plain terms, Snaffle can:
- Read your chart of accounts and tracking categories (to suggest and apply coding);
- Read and update supplier contacts, including saving a supplier bank account you ask us to keep (for batch payments and our anti-fraud check);
- Create bills and bank (spend money) transactions for the receipts and invoices you give us;
- Upload your receipt and invoice documents to your Xero Files library and attach them to the transactions we create.
We never request access we don’t use. You can disconnect Xero at any time from your Snaffle settings or from within Xero itself, which immediately revokes our access.
How we use your information
- To file your receipts and invoices into the correct Xero organisation;
- To suggest account coding and a project/job tag, and to apply them when you confirm;
- To run our supplier bank-account check, which flags when a supplier's bank account differs from one you've paid before (to help you spot invoice fraud and typos);
- To improve our coding suggestions for you over time, by learning from how your reconciled transactions are coded in Xero (the “learning loop”);
- To operate, secure, support and improve the service.
AI processing
To read a receipt or invoice, we send the image or PDF and its text to our AI provider, Anthropic, which extracts the details and proposes coding. This is done solely to provide the service. Under Anthropic’s commercial API terms current at the date of this policy, customer inputs and outputs are not used to train Anthropic’s models, though Anthropic may retain data for a limited period for safety and abuse-monitoring purposes. We don’t control Anthropic’s terms and will update this policy if they change materially.
AI suggestions and extracted figures can be wrong. They are a starting point, not professional accounting or tax advice — you and your bookkeeper remain responsible for reviewing what is recorded in Xero.
How we keep it safe
We take reasonable steps to protect your information from loss, misuse and unauthorised access, appropriate to its sensitivity, including:
- Application data is stored in Supabase (PostgreSQL, hosted in Sydney, Australia), encrypted at rest. Each customer’s data is isolated at the database level using row-level security.
- Receipt and invoice files are stored in Cloudflare R2 (Oceania region), encrypted at rest.
- Your Xero access tokens are additionally encrypted by us before storage.
- Data is encrypted in transit using TLS.
No method of storage or transmission is completely secure, but we work to protect your information using safeguards appropriate to financial data.
Who we share it with
We do not sell your information. We share it only with the service providers we use to run Snaffle, acting on our instructions:
- Xero — your accounting platform, where your documents and transactions are filed;
- Anthropic — AI extraction and coding suggestions;
- Supabase — database and authentication;
- Cloudflare — file storage;
- Twilio SendGrid and Resend — email delivery (sign-in, notifications, and invoice forwarding);
- Vercel — application hosting.
We keep this list current as our service providers change. We also share information where required by law.
Sending information overseas
Snaffle is operated from New Zealand, but most of our service providers are based overseas, so your information is stored and processed outside New Zealand:
- Application data and databases: Supabase, hosted in Sydney, Australia.
- Receipt and invoice files: Cloudflare R2 (Oceania region; Cloudflare, Inc. is a United States company).
- AI extraction: Anthropic (United States).
- Email delivery: Twilio SendGrid and Resend (United States).
- Application hosting: Vercel (United States).
- Your connected Xero data is held by Xero under your own Xero agreement.
We take reasonable steps to ensure these providers protect your information under contractual terms and recognised security standards. By using Snaffle and connecting your data, you acknowledge and authorise that your personal information may be disclosed to these providers overseas, and that they may be subject to the laws of their own countries, which may not provide the same level of protection as New Zealand law.
Cookies
We use a small number of strictly necessary cookies to keep you signed in and to operate the service securely. We don’t use advertising, cross-site tracking, or third-party analytics cookies.
How long we keep it
We keep your information only as long as we need it to provide the service. While your account is active, we retain your receipts, extracted data and account details. If you close your account or ask us to delete your data, we will delete it from our active systems within 30 days, except where we’re required to keep it by law (for example, tax records). Documents already filed into your Xero organisation remain in Xero under your control. Coding patterns we learn to improve your suggestions are tied to your account and deleted with it. Information may persist briefly in encrypted backups before being overwritten on our normal backup cycle.
If something goes wrong (data breaches)
We take the security of your financial information seriously. If a privacy breach occurs that we believe has caused, or is likely to cause, serious harm, we will notify the Office of the Privacy Commissioner and any affected individuals as soon as practicable, as required by the Privacy Act 2020. We’ll tell you what happened, what information was involved, and the steps we’re taking.
Your rights
Under the Privacy Act 2020 you can ask to access or correct the personal information we hold about you, and we’ll respond within 20 working days. To protect your information, we may need to verify your identity before acting on a request. If a request concerns a staff member’s information, note that staff details are held on behalf of the business customer whose account they belong to. To make a request or raise a concern, email support@snaffle.co.nz. If you’re not satisfied with our response, you can complain to the Office of the Privacy Commissioner, who can investigate (privacy.org.nz, or call 0800 803 909).
Changes to this policy
We may update this policy from time to time. We’ll change the “last updated” date above, and for material changes we’ll notify you by email or an in-app notice before they take effect.