OnDeck

Privacy Policy

Last updated: December 2, 2025

NS BROTHERS LIMITED ("us", "we", or "our") operates the OnDeck application (the "Service"). This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.

We use your data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this policy.

Information Collection and Use

We collect several different types of information for various purposes to provide and improve our Service to you:

  • Personal identification information (Email Address, First and Last Name)
  • Usage Data (how you interact with our Service)
  • Google Calendar data (when you connect your Google Calendar)
  • Microsoft Outlook Calendar data (when you connect your Outlook Calendar)
  • CRM data from HubSpot or Salesforce (when you connect these integrations)
  • Payment and transaction data (when you connect Stripe or make payments)

Google User Data

When you choose to connect your Google Calendar to our Service, we request access to the following Google user data:

  • Google Calendar Events: We access your calendar events to check your availability and automatically create booking events when appointments are scheduled through our Service.
  • Calendar Metadata: We access calendar names and settings to allow you to select which calendars to sync with our Service.

How We Use Google User Data

Google user data accessed through our Service is used exclusively for the following purposes:

  • Checking your calendar availability to prevent double bookings
  • Creating calendar events for confirmed bookings
  • Syncing booking updates and cancellations to your Google Calendar
  • Displaying your calendar availability to clients when they book appointments

Data Sharing and Transfer

We do not sell, rent, or share your Google user data with third parties. Your Google Calendar data is:

  • Not shared with third parties: We do not provide your Google user data to any third-party services, advertisers, or data brokers.
  • Not used for advertising: We do not use your Google Calendar data for targeted advertising or marketing purposes.
  • Only accessed by our Service: Your data is only accessed by our application servers to provide the booking and calendar synchronization functionality you have requested.
  • Stored securely: Calendar event data is stored in our secure database only for the purpose of managing your bookings and is encrypted both in transit and at rest.

We may share aggregated, anonymized data that cannot identify you personally for analytics and service improvement purposes.

Data Security and Protection

We implement industry-standard security measures to protect your Google user data and all sensitive information:

  • Encryption in Transit: All data transmitted between your browser, our servers, and Google's servers is encrypted using TLS/SSL protocols.
  • Encryption at Rest: All sensitive data, including Google Calendar data, authentication tokens, and personal information, is encrypted when stored in our database.
  • Secure Authentication: We use OAuth 2.0 for Google authentication, which means we never see or store your Google password.
  • Access Controls: Access to user data is strictly limited to authorized personnel who require it to maintain and improve our Service.
  • Regular Security Audits: We regularly review and update our security practices to protect against unauthorized access, alteration, disclosure, or destruction of data.
  • Token Security: Google OAuth tokens are stored securely and are never exposed in client-side code or logs.

Data Retention and Deletion

We retain your Google user data only for as long as necessary to provide our Service:

  • Calendar Event Data: We store calendar event data related to your bookings for the duration of your active account. Past booking records are retained for up to 2 years for historical reference and accounting purposes.
  • Access Tokens: Google OAuth access and refresh tokens are stored for as long as you keep your Google Calendar connected to our Service.
  • Account Deletion: When you delete your account, all associated Google user data, including calendar events and OAuth tokens, is permanently deleted from our systems within 30 days.
  • Calendar Disconnection: When you disconnect your Google Calendar from our Service, we immediately revoke access tokens and delete all cached calendar data within 48 hours. Booking records created while connected are retained as described above but no longer sync with Google.
  • Data Backup Retention: Deleted data may remain in encrypted backups for up to 90 days before being permanently purged.

You can request deletion of your data at any time by contacting us or using the account deletion feature in the application.

Payment Processing and Stripe

We use Stripe, Inc. as our third-party payment processor. When you make payments for subscriptions or when you connect a Stripe account to accept payments from your clients, certain data is shared with and processed by Stripe.

Data We Share with Stripe

When processing payments, we share the following information with Stripe:

  • For subscription payments: Your email address, name, and payment card details (entered directly into Stripe's secure payment form).
  • For event booking payments: The booking amount, event details, and client contact information necessary to process the payment and send receipts.
  • For Connected Account holders: Business information required for identity verification under financial regulations, including name, email, and business details you provide during Stripe onboarding.

Payment Data We Store

We store limited payment-related information for record-keeping and to provide our Service:

  • Transaction records: We store transaction IDs, amounts, dates, and status for booking and subscription payments.
  • Stripe identifiers: We store Stripe customer IDs, subscription IDs, and Connected Account IDs to manage your account and process payments.
  • We do not store: Full credit card numbers, CVV codes, or other sensitive payment credentials. All sensitive payment data is processed and stored securely by Stripe.

Stripe's Privacy Practices

Stripe processes payment data in accordance with their own privacy policy. We encourage you to review Stripe's Privacy Policy to understand how they collect, use, and protect your data.

If you connect a Stripe account to accept payments, you are also subject to Stripe's Connected Account Agreement.

Your Rights and Control

You have the following rights regarding your data:

  • Access: You can request a copy of all personal data we hold about you.
  • Revoke Access: You can disconnect your Google Calendar, Stripe account, or other integrations at any time through the Integrations page in our application.
  • Delete Your Data: You can request deletion of your account and all associated data at any time.
  • Data Portability: You can export your booking data from our Service.
  • Manage Permissions: You can manage which calendars we can access through your Google Account settings.

Use of Data

NS BROTHERS LIMITED uses the collected data for various purposes:

  • To provide and maintain our Service
  • To notify you about changes to our Service
  • To provide customer support
  • To gather analysis or valuable information so that we can improve our Service
  • To monitor the usage of our Service
  • To detect, prevent and address technical issues
  • To fulfill the purposes for which you provided the information

Legal Basis for Processing (GDPR)

If you are from the European Economic Area (EEA), our legal basis for collecting and using your personal information depends on the data and context in which we collect it:

  • You have given us permission to do so
  • The processing is in our legitimate interests and not overridden by your rights
  • To comply with the law

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact Us

If you have any questions about this Privacy Policy, our data practices, or wish to exercise your rights regarding your data, please contact us at:

Email: privacy@ondeck.nz
NS BROTHERS LIMITED
New Zealand