Overview
Steady ("we", "our", or "us") is operated by Sam Wilson, New Zealand. We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our personal finance application at steady.nz.
We comply with the New Zealand Privacy Act 2020 and are committed to handling your personal information responsibly and transparently.
Our Privacy Officer can be contacted at privacy@steady.nz.
Information We Collect
- Account Information: Email address, name, and authentication details when you create an account via Clerk (our authentication provider).
- Financial Data: Transaction data, account balances, and recurring payment information from your connected bank accounts via Akahu (an FMA-registered NZ open banking intermediary). This includes merchant names, amounts, dates, and categories.
- App-Generated Data: Goals you create, budgets you set, AI chat conversations, spending personality assessments, gamification progress (XP, streaks, achievements), and preferences you configure.
- Usage Data: How you interact with the app (pages visited, features used, session duration) via PostHog analytics — only with your explicit consent.
- Payment Data: Subscription and billing information processed by Stripe. We never see or store your full credit card number.
How We Use Your Information
- To provide personalised financial insights, spending analysis, and AI-powered answers
- To track your spending, goals, budgets, and recurring bills
- To detect and categorise transactions automatically
- To send you relevant alerts about your finances (bill reminders, goal milestones, spending anomalies)
- To calculate your financial health score and safe-to-spend amount
- To enable social features (friends, challenges) if you opt in
- To process subscription payments
- To improve our service and develop new features (using anonymised, aggregated data)
Artificial Intelligence
Steady uses AI (powered by Anthropic's Claude API) to provide personalised insights, answer financial questions, and assist with transaction categorisation.
When you use the "Ask Steady" chat feature or when we categorise transactions, the following financial context is sent to Anthropic:
- Your total account balance (aggregated, not per-account)
- Monthly spending totals (current and previous month)
- Top 5 spending categories with amounts
- Recent transactions (merchant name, amount, category, and date)
- Recurring payments (merchant, amount, and frequency)
- Savings goals (name, current amount, target, and progress)
- Monthly income estimate
- Your spending personality label
We do not send your name, email address, bank account numbers, or other direct personal identifiers to AI services. The data shared is limited to the financial context listed above, which is what is needed to answer your question. Balances and spending totals are sent as aggregates; recent transactions and recurring payments are sent as individual items (merchant, amount, date, category or frequency).
Your data is used solely to generate a response within that conversation. Anthropic does not use data sent through its API to train its models; any short-term retention of API inputs and outputs by Anthropic is governed by Anthropic's own API data retention policy rather than by this one.
Data Security
We use industry-standard security measures to protect your data:
- All data is encrypted in transit (TLS 1.2+) and at rest
- We never store your bank login credentials — Akahu handles authentication directly with your bank
- Bank connections provide read-only access — we cannot move money or make payments
- Security headers (Content-Security-Policy, X-Frame-Options and HSTS) are set on every response
- All API endpoints are rate limited to prevent abuse
- Every incoming webhook must carry a valid HMAC-SHA256 signature; requests with a missing or mismatched signature are rejected before any data is processed
Data Sharing
We do not sell your personal information. We share data only with the following service providers, each essential to operating Steady:
- Akahu Limited (NZ) — Secure bank connections. FMA-registered provider of prescribed intermediary services. Operates under its own privacy policy.
- Stripe (USA) — Payment processing. PCI-DSS Level 1 compliant.
- Clerk (USA) — Authentication and account management.
- Anthropic (USA) — AI-powered insights and chat. Financial context only (no direct PII).
- Sentry (USA) — Error tracking and monitoring. May capture technical error data.
- PostHog (USA/EU) — Analytics, only with your explicit consent.
- Railway (USA) — Application hosting infrastructure.
- Neon (USA) — Database hosting (PostgreSQL).
- Upstash (USA) — Redis caching.
International Data Transfers
Several of our service providers are based in the United States. Your data may be processed outside New Zealand. We ensure appropriate safeguards are in place as required by the NZ Privacy Act 2020, Information Privacy Principle 12 (disclosure of personal information outside New Zealand).
Cookies and Analytics
We use essential cookies for authentication and session management. These are necessary for the service to function and cannot be disabled.
We use PostHog for analytics to understand how our app is used and improve the experience. Analytics are only activated after you provide explicit consent via our cookie banner. You can change your preference at any time in Settings.
We do not use advertising cookies, tracking pixels, or sell data to advertisers.
Data Retention
We retain your data for as long as your account is active. When you delete your account:
- All personal data is permanently deleted within 30 days
- Bank connections are immediately revoked via Akahu
- AI chat history is deleted
- Anonymised, aggregated data (e.g., average category spending across all users) may be retained for service improvement
Your Rights
Under the NZ Privacy Act 2020, you have the right to:
- Access your personal information (Information Privacy Principle 6)
- Correct inaccurate data (Information Privacy Principle 7)
- Delete your account and all associated data
- Export your data in a portable format (available via Settings or the /api/user/export endpoint)
- Withdraw consent for analytics at any time
- Complain to the Office of the Privacy Commissioner if you believe your privacy has been breached
Children's Privacy
Steady is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children. If you are under 18, please do not use this service.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.