Privacy Policy

Last updated: March 31, 2026

Decoded Studios ("we", "us") is based in Auckland, New Zealand. This Privacy Policy describes how we collect, use, store, and share personal information when you visit studio.decoded.digital, use our client portal, or engage with us about custom software services.

This policy is provided for general information and transparency. It does not constitute legal advice. If you need certainty for your organisation, seek independent legal advice.

Information we collect

Account and authentication

• Email address and name when you create or access a client account.
• One-time sign-in codes (OTP) sent to your email, and related session data used to keep you signed in securely (for example, authentication tokens stored in cookies).
• Google account data if you choose to sign in with Google. We receive your name, email address, and profile picture from Google. Your Google profile picture is downloaded and stored on our servers as your account avatar. We do not receive or store your Google password. We use this information solely to create or authenticate your client account and to personalise your portal experience (for example, displaying your name and profile photo).

Project and business details

• Project name, description, and related information you submit through our forms or portal.
• Optional business identifiers and contact details you choose to provide (for example NZBN, phone number, company name).
• Files or links you upload to support your project (for example briefs or reference documents).

Agreements and signatures

• Your typed name and electronic signatures captured when you sign documents in the portal (for example the services agreement and quote), stored as image data together with timestamps.

Promotional codes

• Promo codes you enter, and related discount amounts applied to your project where applicable.

Payments

• When you pay a deposit through our checkout flow, Stripe processes card payments. We receive payment status and references (for example session or payment intent identifiers, amounts, and metadata that links payment to your project). We do not store your full card number on our servers.

Website usage

• Technical information such as IP address, browser type, and pages visited may be collected by hosting infrastructure or analytics tools in the ordinary course of operating the site.
• For details on cookies and similar technologies, see our Cookie Policy.

How we use your information

• To provide and operate the client portal, quotes, and project workflow.
• To communicate with you about your project, account, and related services.
• To authenticate you and protect accounts against misuse.
• To process deposits and reconcile payments with project records.
• To prepare or record invoices and accounting records, including where we use Xero (or similar tools) that may store client and transaction details needed for billing.
• To comply with law, respond to lawful requests, and protect our legal rights.
• To improve our website and services, and to detect fraud or security issues.

How we share information

We share personal information only as needed to run our business and deliver services:

• Google (authentication): if you sign in with Google, authentication data is exchanged with Google's OAuth service. Google's Privacy Policy applies to their handling of your data.
• Stripe (payments): processing card transactions and related fraud prevention in line with Stripe's terms and privacy notice.
• SendGrid (or successor email provider): delivering sign-in codes and transactional email to your address.
• Database and hosting providers: storing application data and serving the site.
• Xero (or similar): invoicing, accounting, and online invoice links where we use those features for your project.
• Professional advisers, regulators, or law enforcement where required or permitted by law.

We do not sell your personal information.

International transfers

Some service providers may process data in countries other than New Zealand. Where that occurs, we rely on appropriate safeguards as required by applicable law (for example contractual protections offered by the provider).

Retention

We keep information for as long as needed to provide the services, meet legal, tax, and accounting obligations, resolve disputes, and enforce our agreements. Retention periods can vary depending on the type of record (for example invoices, signed agreements, and transaction logs).

Security

We use reasonable technical and organisational measures to protect personal information. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

Your rights (New Zealand)

Under the Privacy Act 2020 (New Zealand), you may have the right to access and correct personal information we hold about you, subject to certain exceptions. You may also complain to the Office of the Privacy Commissioner if you believe we have interfered with your privacy (privacy.org.nz).

To exercise access or correction rights, contact us via our Contact page using the details shown there.

Google sign-in and revoking access

If you sign in using Google, you can revoke our access to your Google account at any time by visiting your Google Account permissions page and removing Decoded Studio. Revoking access does not delete your client account or data stored on our systems. To request deletion of your account and associated data, contact us via our Contact page.

Children

Our services are directed at businesses and adults. We do not knowingly collect personal information from children without appropriate consent.

Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top will change when we do. Continued use of the site or portal after changes means you acknowledge the updated policy.

Contact

Questions about this privacy policy: use the contact options on our Contact page.