NextSheet ("the app", "we", "us") is a project, time, and job-sheet management tool used by Australian trade businesses. This policy explains what data we collect, why, where it's stored, and your rights under the Australian Privacy Principles (APPs).
Plain-English summary: You and your team enter business data (projects, time, materials, notes, photos) into the app. We store it so the app works on your devices and so your team can collaborate. We don't sell or share it. You can delete it at any time. We use a small number of trusted third-party services to deliver the app.
1. What we collect
We only collect what's necessary to operate the app for you:
Business data you enter: project and job details, time entries, materials, expenses, invoices, scope items, notes, and photos.
Client information you choose to record: names, contact details, addresses (typically pulled from your Xero contacts).
Employee profiles you create: employee name, role, PIN, avatar colour, labour classification, cost and charge-out rates.
Xero integration data: your Xero organisation name, Xero user IDs, OAuth access and refresh tokens (encrypted in storage) so the app can read your projects and write time entries on your behalf.
Photos: images you choose to attach to projects or jobs. These are resized to a maximum of 1280px wide and stored both locally on your device and in our cloud storage so your team can view them.
Receipts and invoice scans: uploaded for OCR processing to extract line items.
What we don't collect
We don't collect tracking data, advertising identifiers, location data, biometric data, browsing history, or anything outside the app. PINs are stored locally on your device for tile login — they are not sensitive credentials and should not be reused from other accounts.
2. Where your data is stored
On your device: the app caches data in browser storage (localStorage and IndexedDB) for fast, offline-capable use.
In our cloud database (Supabase): business data is synchronised so your team can see the same information across devices. Servers are operated by Supabase Inc. (United States and EU regions).
Cloud file storage (Supabase Storage): photo image files are stored in a publicly-readable bucket so authorised devices can fetch them. URLs include random photo IDs, but anyone with a specific photo URL could view that image. Don't upload photos you would not be comfortable sharing.
Xero: time entries, materials, and invoices are written to your own Xero account via the Xero API.
3. Third-party services
To deliver the app we use the following third-party services. Each has its own privacy policy governing how it handles the data we send to it:
Xero — accounting integration (your data flows to and from your own Xero account). See the Xero privacy policy.
Mindee — OCR processing of uploaded receipts and tax invoices. Images are sent for extraction; we don't retain them at Mindee long-term. See the Mindee privacy policy.
Solely to operate the app for you: rendering screens, synchronising between devices, talking to Xero on your behalf, processing receipt OCR, and storing photos. We don't use your data for marketing, advertising, training AI models, or selling to third parties.
5. Data retention and deletion
We retain your data for as long as you use the app. You can:
Delete individual records (projects, jobs, notes, photos, time entries, etc.) from within the app.
Use Settings → "Clear all data" to wipe local-device data.
Request full deletion of all cloud-stored data for your business by emailing us. We will action the request within 30 days.
When you delete a record, it is removed from both your device and our cloud database. Photo image files are deleted from cloud storage at the same time.
6. Security
We take reasonable technical measures to protect your data:
All connections use HTTPS / TLS.
Xero OAuth tokens are stored encrypted at rest in our database.
Cloud storage is scoped per-business with random identifiers in URLs.
No system is perfectly secure. You should keep your devices protected with passcodes and avoid logging in on shared or public devices.
7. Your rights
Under the Australian Privacy Principles you have the right to:
Access the personal information we hold about you.
Request correction of inaccurate information.
Request deletion of your information.
Make a complaint about how we have handled your personal information.
NextSheet is a business tool not intended for or marketed to anyone under 18. We do not knowingly collect data from minors.
9. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of the page reflects when changes were last made. Material changes will be flagged within the app.
10. Contact us
Questions, requests, or complaints about this policy: