Last updated: 3 April 2026
IDL Creations Limited, trading as CNEX ("IDL Creations," "CNEX," "we," "us," or "our"), a New Zealand limited liability company, operates the CNEX-Flow platform ("Platform"). This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Platform.
We are committed to protecting your privacy and handling your data in accordance with the New Zealand Privacy Act 2020, the EU General Data Protection Regulation (GDPR) where applicable, and other relevant data protection laws.
This Privacy Policy describes how we handle your data. Our lawful bases for processing are set out in Section 8. If you do not agree with any part of this Privacy Policy, you must immediately stop using the Platform and delete your account. This Privacy Policy may be updated from time to time, and it is your responsibility to review it regularly.
Account Information:
Financial & Business Data:
Employee & Payroll Data:
Content & Documents:
Credentials & Secrets:
Usage Data:
Device & Technical Data:
Authentication Data:
When you connect Third-Party Services, we may receive:
We use your information for the following purposes:
The Platform uses multiple external AI providers to power different features:
| Provider | Uses | Data Sent |
| Anthropic (Claude) | Document drafting, Connekz AI assistant, analysis, code generation | Prompts, contextual data from your Organization relevant to the task |
| OpenAI | Embedding generation, content analysis, AI features | Text content for embedding/analysis |
| xAI (Grok) | Search, analysis, AI features | Search queries, contextual data |
| Google (Gemini) | AI features, analysis | Prompts, contextual data |
We may add, change, or substitute AI providers at any time. An up-to-date list is maintained at https://cnexflow.com/legal/sub-processors and you may subscribe to notifications of changes.
When you use AI Features, the following data may be sent to the applicable AI provider for processing:
CNEX-Flow automates the process of interacting with AI providers on your behalf. Instead of you manually crafting prompts, copying data into separate AI tools, and transferring outputs back into your workflow, the Platform handles this entire process seamlessly — constructing prompts with the right context, sending them securely to the appropriate AI provider, receiving the response, and presenting it within the Platform.
This automation means your data is transmitted to external AI services as part of normal Platform operation. You would need to share the same data if you used these AI services directly — CNEX-Flow simply removes the manual steps.
We maintain contractual agreements with all AI providers that include:
We apply data minimization principles to AI processing:
You may choose not to use AI Features. AI-powered functionality is clearly labeled within the Platform. The core Platform features (invoicing, project management, client management) function fully without AI. Disabling AI features does not affect your subscription or access to non-AI functionality.
We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes.
We share data with third-party service providers who process data on our behalf to deliver the Platform:
| Provider | Purpose | Data Shared |
| Amazon Web Services (AWS) | Cloud infrastructure, data hosting, storage, compute, backups | All Platform data (encrypted at rest and in transit) |
| Stripe | Payment processing, subscription billing | Billing contact, payment method, plan details |
| Twilio | Phone calls, SMS messaging | Phone numbers, call/SMS content as configured |
| Nylas | Email and calendar integration | Email and calendar data from connected accounts |
| Anthropic (Claude) | AI-powered features: drafting, analysis, Connekz assistant | Prompts and contextual data for AI tasks |
| OpenAI | AI-powered features: embeddings, content analysis | Text content for processing |
| xAI (Grok) | AI-powered features: search, analysis | Search queries and contextual data |
| Google (Gemini) | AI-powered features: analysis | Prompts and contextual data |
A complete and up-to-date list of sub-processors is maintained at https://cnexflow.com/legal/sub-processors. You may subscribe to notifications of changes to this list. When we add or replace a sub-processor that processes personal data, we will provide at least 30 days' notice before the change takes effect. If you have a reasonable objection to a new sub-processor, you may notify us at admin@cnexflow.com within that 30-day period. We will work with you in good faith to address your concerns. If we cannot resolve your objection, you may terminate your subscription and receive a pro-rata refund for any pre-paid period.
All sub-processors are bound by data processing agreements that require them to protect your data, use it only for the specified purpose, and not use your data for training AI models or any purpose other than providing the contracted service.
CNEX-Flow operates as an orchestration platform that automates data flow between multiple services on your behalf. During normal use, your data may pass through several Third-Party Services in sequence. For example:
This is the same data you would need to share if you used each service independently — CNEX-Flow automates the connections so you do not have to. By using the Platform, you acknowledge that your data will be transmitted to the applicable Third-Party Services as necessary to deliver the features you use.
We may add new Third-Party Service integrations over time to expand Platform capabilities. When we add a new sub-processor that processes personal data, we will update our sub-processor list at https://cnexflow.com/legal/sub-processors and notify customers who have subscribed to sub-processor change notifications.
We may disclose your information if required to do so by law or if we believe in good faith that such disclosure is necessary to:
In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.
We may share your data with third parties when you explicitly consent to such sharing (e.g., enabling a new integration).
Your data is stored on Amazon Web Services (AWS) infrastructure. Primary data storage is located in the Asia-Pacific region. Backups are stored in geographically separate AWS regions for disaster recovery.
We implement multiple layers of protection following industry best practices and the AWS shared responsibility model:
We maintain multiple backup systems and disaster recovery mechanisms:
Despite these measures, no backup system is infallible. Data loss, corruption, or delayed recovery may occur in exceptional circumstances. We recommend maintaining your own backups of critical business data using the Platform's export features.
Each Organization on the Platform operates within a logically isolated environment using dedicated containerized workspaces. Under normal operation, data belonging to one Organization is not accessible by other Organizations, though no isolation mechanism is infallible. This isolation extends to computing resources, file storage, and database access.
We maintain an incident response plan for data security incidents. In the event of a data breach that affects your personal information, we will:
While we implement industry-standard security measures and invest significantly in protecting your data, no system is completely immune to security threats. Cloud infrastructure, software, and networking technologies inherently carry risks including but not limited to:
We cannot guarantee the absolute security of your data. You acknowledge these inherent risks and accept that your use of the Platform is subject to them. You are responsible for maintaining the security of your account credentials, enabling multi-factor authentication, and promptly reporting any suspected unauthorized access to admin@cnexflow.com.
While your account is active, we retain your data as necessary to provide the Service.
Certain data may be retained beyond the standard deletion period where required by law. Where CNEX acts as a data processor (e.g., for employee data), retention periods are determined by the data controller (your Organization) in accordance with their legal obligations. Where CNEX acts as a data controller, retention periods are as follows:
Aggregated, anonymized data that cannot be used to identify any individual or Organization may be retained indefinitely for analytical and product improvement purposes. Anonymization is performed using industry-standard techniques designed to prevent re-identification of any individual or Organization. While these techniques significantly reduce re-identification risk, no anonymization method can guarantee absolute impossibility of re-identification. Truly anonymized data is not considered personal data under applicable privacy laws.
As a data subject under New Zealand law, you have the right to:
If you are located in the European Union or European Economic Area, you additionally have the right to:
To exercise any of these rights, contact us at admin@cnexflow.com. We will respond to your request within 20 working days (NZ Privacy Act) or 30 days (GDPR), unless an extension is permitted by law. We may need to verify your identity before processing your request.
You can export your data through the Platform's export features where available. We are progressively expanding export capabilities across all data types. For data types where automated export is not yet available, you may request a data export by contacting admin@cnexflow.com and we will provide your data in a structured, commonly used, machine-readable format within a reasonable timeframe.
Where GDPR applies, we process personal data on the following lawful bases:
| Purpose | Lawful Basis |
| Service delivery | Performance of a contract (Article 6(1)(b)) |
| Account management | Performance of a contract |
| Billing and payments | Performance of a contract |
| Security and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Device fingerprinting (browser + IP hash for security) | Legitimate interests (security and fraud prevention) |
| Product improvement (aggregated analytics) | Legitimate interests |
| Legal compliance | Legal obligation (Article 6(1)(c)) |
| Marketing communications | Consent (Article 6(1)(a)) |
| AI feature processing | Legitimate interests where AI enhances requested functionality; Consent where AI processes special categories of data. You may withdraw consent for AI processing at any time by disabling AI features without affecting the core functionality of the Platform |
For employee/payroll data processed on behalf of your Organization, CNEX acts as a data processor and your Organization is the data controller. The lawful basis for processing employee data is determined by your Organization.
Each Organization on the Platform is a separate data boundary. Data entered by one Organization is not accessible by, shared with, or visible to any other Organization.
If a User is a member of multiple Organizations, their personal account data (name, email, preferences) is shared across Organizations. However, Organization-specific data (projects, clients, invoices, etc.) remains isolated within each Organization.
Organization Administrators can view all data within their Organization, including content created by Members. Members should be aware that their activity and content within an Organization is visible to Administrators.
Users with the Client role have restricted access and can only view data that has been explicitly shared with them by the Organization.
The Platform uses browser localStorage (not traditional HTTP cookies) for essential functionality:
A theme preference cookie (`cnex-theme`) is set for server-side rendering compatibility. No other cookies are set by the Platform. These storage mechanisms are essential for the Platform to operate and cannot be disabled.
We may use analytics tools to understand how the Platform is used. Analytics data is aggregated and anonymized. We do not use third-party advertising cookies or tracking pixels.
We do not use cookies for targeted advertising. We do not allow third-party advertisers to place cookies on the Platform.
The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at admin@cnexflow.com.
Your data may be transferred to, stored in, and processed in countries other than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place:
AI prompts may be processed by providers located in the United States. These providers are bound by data processing agreements designed to prohibit the use of your data for model training (see Section 3.4 for details and limitations).
We are committed to compliance with all 13 Information Privacy Principles (IPPs) under the New Zealand Privacy Act 2020:
We conduct Data Protection Impact Assessments (DPIAs) where our processing activities are likely to result in a high risk to the rights and freedoms of individuals, including for our AI-powered features, payroll processing functionality, and any new processing involving sensitive data categories.
When your Organization uses CNEX-Flow's payroll and employee management features, CNEX acts as a data processor processing employee data on behalf of your Organization (the data controller).
Employee and payroll data receives enhanced protection:
Employees whose data is processed through the Platform have the right to request access to and correction of their personal data. These requests should be directed to their employer (your Organization), who can fulfill them through the Platform. If an employee contacts us directly, we will direct them to their employer.
If you enter employee data into the Platform, you are responsible for:
Employees whose data is processed through the Platform may have direct rights against CNEX under applicable data protection laws, including the right to lodge complaints under the NZ Privacy Act 2020 (IPP 5) and the right to compensation under GDPR Article 82 for data security incidents. CNEX acknowledges these rights and will cooperate with employees exercising them. CNEX's liability to employees for data security incidents is limited to the extent caused by CNEX's failure to implement the security measures described in Section 5 of this Privacy Policy, and is subject to the limitations that cannot be excluded by applicable law.
We send transactional emails necessary for the operation of your account (verification codes, password resets, billing receipts, security alerts). These cannot be opted out of while you maintain an active account.
Notifications related to your use of the Platform (task assignments, deadline reminders, system alerts) can be configured through your notification preferences in the Platform settings.
We will only send marketing communications with your explicit opt-in consent. You can unsubscribe from marketing communications at any time by clicking the unsubscribe link in the email or updating your preferences in your account settings.
SMS and phone communications through Twilio integration are initiated by your Organization. CNEX does not send unsolicited SMS or phone calls. Your Organization is responsible for obtaining appropriate consent from recipients.
The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices, content, or security of third-party websites or services. We encourage you to review the privacy policies of any third-party services you access through the Platform.
We may be required to disclose customer data in response to valid legal process, including subpoenas, court orders, search warrants, or regulatory demands. Where permitted by law, we will:
Where we are legally prohibited from notifying the affected Organization (e.g., under a non-disclosure order or suppression order), we will comply with the restriction and seek to have it lifted at the earliest opportunity.
We intend to publish a transparency report summarizing the volume and nature of government data requests received, beginning after our first full year of operation.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
For material changes, we will notify you via:
Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Privacy Policy. If you do not agree with any changes, you must stop using the Platform before the changes take effect and close your account.
It is your responsibility to review this Privacy Policy periodically. We recommend reviewing it at least once every three months.
In the event of a data breach that compromises your personal information, we will:
- The types of data affected
- Likely consequences
- Steps we are taking to address the breach
- Recommendations for actions you can take to protect yourself
If you become aware of any unauthorized access to your account or data, please notify us immediately at admin@cnexflow.com.
For privacy-related inquiries, requests, or complaints, contact our privacy team:
IDL Creations Limited (trading as CNEX)
If you are not satisfied with our response to a privacy concern, you may lodge a complaint with the New Zealand Privacy Commissioner:
If you are located in the EU/EEA, you have the right to lodge a complaint with your local data protection supervisory authority.
*By using CNEX-Flow, you acknowledge that you have read this Privacy Policy in its entirety, understand how your data is collected, used, and protected, and consent to the data practices described herein. If you do not agree, do not use the Service.*