Who we are
Centra One is a wholesale business management platform developed and operated by Centra One Limited, a company based in New Zealand. Our platform helps wholesale businesses manage their inventory, orders, purchasing, and customer relationships.
Contact: hello@centra-one.ai
Website: centra-one.ai
Information we collect
We collect information in three ways:
Information you provide directly
- Account information: name, email address, company name, and password when you create an account
- Business data: products, customers, suppliers, orders, invoices, and other wholesale business data you enter into the platform
- Payment information: billing details processed securely via Stripe — we do not store card numbers
- Communications: emails or messages you send to our support team
Information collected automatically
- Usage data: pages visited, features used, actions taken within the platform
- Device information: browser type, operating system, IP address
- Log data: server logs including timestamps, error reports, and performance data
- Cookies: session cookies for authentication and preference cookies for settings
Information from third parties
- Xero: invoice, payment, and contact data when you connect your Xero account
- Shopify: order, customer, and product data when you connect your Shopify store
- Other integrations: data from any third-party services you choose to connect
How we use your information
We use your information to:
- Provide and operate the Centra One platform
- Process your subscription and billing
- Send transactional emails (order confirmations, quote notifications, system alerts)
- Provide customer support
- Improve and develop new features
- Send product updates and changelog notifications (you can unsubscribe at any time)
- Comply with legal obligations
- Detect and prevent fraud and security incidents
We do not sell your personal information to third parties.
We do not use your business data to train AI models. Your data is yours.
Data storage and security
Your data is stored on Supabase infrastructure hosted on AWS in the Asia-Pacific region. We implement the following security measures:
- Row-level security (RLS) on all database tables — your data is isolated from other tenants
- Encryption in transit (TLS 1.2+) for all data transfers
- Encryption at rest for all stored data
- Regular automated backups
- Access controls — employees only access customer data when required for support
- API keys and secrets stored as environment variables — never in source code
While we take security seriously, no system is 100% secure. We will notify you promptly in the event of a data breach that affects your information.
Data sharing and disclosure
We share your data only in these circumstances:
Service providers
We use trusted third-party services to operate the platform:
- Supabase (database hosting)
- Vercel (application hosting)
- Anthropic (AI features — query content only, not stored)
- Stripe (payment processing)
- Resend (transactional email)
All service providers are bound by data processing agreements.
Integrations you authorise
When you connect third-party services (Xero, Shopify, etc.), we share relevant data with those services as required to provide the integration.
Legal requirements
We may disclose your information if required by law or court order, or to protect the rights and safety of Centra One or others.
Business transfers
If Centra One is acquired or merges with another company, your data may be transferred as part of that transaction. We will notify you before this happens.
We will never sell your data.
Your rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: request a copy of the personal data we hold about you
- Correction: request that we correct inaccurate or incomplete data
- Deletion: request that we delete your personal data — subject to legal retention requirements
- Portability: request your data in a machine-readable format
- Objection: object to certain uses of your data
- Restriction: request that we restrict processing of your data
New Zealand residents have rights under the Privacy Act 2020. Australian residents have rights under the Privacy Act 1988. EU/UK residents have rights under GDPR/UK GDPR.
To exercise any of these rights: email hello@centra-one.ai with the subject "Privacy Request". We will respond within 30 days.
Data retention
We retain your data for as long as your account is active. If you cancel your subscription:
- Your data remains accessible for 30 days after cancellation
- After 30 days your data is permanently deleted from our systems
- Backups containing your data are purged within 90 days
Some data may be retained longer where required by law (e.g. financial records for 7 years under NZ tax law).
You can request immediate deletion of your data by contacting hello@centra-one.ai.
Children's privacy
Centra One is a business-to-business platform intended for use by adults operating wholesale businesses. We do not knowingly collect personal information from anyone under 18 years of age. If you believe we have inadvertently collected such information, please contact us immediately.
Changes to this policy
We may update this privacy policy from time to time. When we make material changes:
- We will update the "Last updated" date at the top of this page
- We will notify account holders by email at least 14 days before changes take effect
- Continued use of the platform after changes take effect constitutes acceptance
We encourage you to review this policy periodically.
Contact us
If you have any questions about this privacy policy or how we handle your data:
Email: hello@centra-one.ai
Subject line: "Privacy Enquiry"
Response time: We aim to respond within 2 business days.
For formal privacy complaints:
- New Zealand: Office of the Privacy Commissioner — privacy.org.nz
- Australia: Office of the Australian Information Commissioner — oaic.gov.au
