Privacy Policy

Effective date: 13 March 2026  ·  Version 1.0

1. About this policy

On&On Limited (“On&On”, “we”, “us”, “our”) operates the On&On platform at onon.work, a people operations tool that helps small businesses manage timesheets, document signing, leave, and employee records. This Privacy Policy explains how we collect, hold, use, and disclose personal information, in accordance with the New Zealand Privacy Act 2020 (“Privacy Act”) and applicable international privacy standards.

By using On&On, your organisation (“Customer”) acknowledges this policy on behalf of itself and the employees whose data it submits to the platform.

2. Who we are

On&On is the data processor. Your organisation is the data controller. This means your organisation determines the purposes for which employee personal information is collected; On&On processes that information only on your instructions and in accordance with this policy.

Contact: privacy@onon.work

3. What personal information we collect

We collect personal information that your organisation submits to the platform. This may include:

  • Identity information: full name, job title, employment type
  • Contact information: work email address, phone number
  • Location information: office location, GPS or IP-based location at clock-in/clock-out
  • Timesheet data: clock-in and clock-out times, hours worked, shift records
  • Document and signature data: signed documents, completed forms, acknowledged policies, timestamps of signing actions
  • Payroll-adjacent information: salary, pay rate, IRD number, bank account details (where your organisation submits this for payroll integration purposes)
  • Leave records: leave requests, balances, and types
  • Audit trail data: platform actions, timestamps, user identifiers

We do not collect sensitive personal information (such as health, ethnicity, or political opinion) unless your organisation explicitly submits it via documents or forms.

4. How we collect personal information

We collect personal information:

  • Directly from your organisation’s administrators when they set up and manage employee records
  • From employees directly when they clock in or out, sign documents, or submit leave requests
  • Automatically through platform use, including access logs, session data, and audit events

5. How we use personal information

We use personal information only to:

  • Provide and operate the On&On platform for your organisation
  • Enable timesheet tracking, document signing, leave management, and related features
  • Facilitate payroll integrations where enabled by your organisation
  • Maintain audit trails for compliance and accountability
  • Troubleshoot technical issues and improve platform reliability
  • Comply with our legal obligations

We do not use employee personal information for marketing, advertising, or any purpose outside of delivering the platform services.

6. Storage and security

Personal information is stored in Google Firebase (Firestore and Firebase Storage), hosted on Google Cloud infrastructure. Data is encrypted at rest and in transit. We apply access controls, security rules, and audit logging at the infrastructure level.

Payroll-sensitive information (including salary, IRD numbers, and bank account details) is retrieved on demand from authorised payroll integrations only. Where such data passes through our systems, it is not persistently stored in our primary database.

We take reasonable steps to protect personal information from loss, unauthorised access, use, modification, or disclosure. However, no internet-based system is completely secure.

7. Disclosure of personal information

We do not sell, rent, or share personal information with third parties for their own purposes. We may disclose personal information to:

  • Google (Firebase/Cloud infrastructure) as our primary cloud provider
  • Resend, for transactional email delivery
  • Authorised payroll providers (e.g. iPayroll) where your organisation has enabled an integration
  • Law enforcement or government agencies, where required by law

All third-party providers are engaged under data processing terms consistent with the Privacy Act.

8. Cross-border transfers

Our infrastructure providers operate internationally. By using On&On, your organisation agrees that personal information may be transferred to and processed in countries outside New Zealand. We take reasonable steps to ensure such transfers are protected by comparable safeguards, consistent with Information Privacy Principle 12 of the Privacy Act.

9. Individual rights

Employees whose personal information is held on the platform have the right to:

  • Request access to their personal information
  • Request correction of inaccurate information
  • Be informed of what information is held about them

Requests should be directed to your organisation’s HR administrator in the first instance. To contact us directly, email privacy@onon.work. We will respond within 20 working days, consistent with the Privacy Act.

10. Data retention

We retain personal information for as long as your organisation maintains an active account, or as required to fulfil our legal obligations. On account termination, we will delete or anonymise personal data within 30 days, unless retention is required by law.

11. Privacy breaches

If we become aware of a privacy breach that is likely to cause serious harm, we will notify affected organisations and, where required, the Office of the Privacy Commissioner, in accordance with the Privacy Act 2020.

12. Changes to this policy

We may update this policy from time to time. Where changes are material, we will notify your organisation’s account administrator by email. Continued use of the platform after notification constitutes acceptance of the updated policy.

13. Contact and complaints

For privacy-related queries or complaints, contact us at privacy@onon.work. You also have the right to complain to the Office of the Privacy Commissioner at privacy.org.nz.

On&On Limited  ·  onon.work  ·  privacy@onon.work