Privacy Policy

All the legal information about our products and services.

How we manage your data and protect your privacy.

This policy may be updated from time to time

Actionstep reserves the right to change the provisions of this Policy at any time. We will alert You of changes that have been made by indicating on the Policy the date it was last updated. We encourage You to review this policy from time to time to make sure that You understand how any personal Information you provide will be used.

This policy references the Actionstep Terms of Use.

This policy includes the definitions set forth in the Actionstep Terms of Use, which can be found here. Actionstep processes personal data in two general contexts: 1) as a business engaging with clients, suppliers, prospects, and other stakeholders through a number of channels including its website, email, phone, webinars, advertising, and social media (“Actionstep as a Business”), and 2) as a provider of online business and practice management services (“Actionstep as a Service Provider”).

For clarity the privacy considerations are presented in each of these contexts.

1. Actionstep as a Service Provider

As a service provider Actionstep allows You to store Your business data in a dedicated database and operate on the data via the Actionstep online application.

You own Your Data

The Data entered, or imported on instruction, by You remains Your property and Actionstep will not use nor make available for use any of this information without Your permission.

You control who has access to Your Data

The Data entered, or imported on instruction, by You is stored securely in a database, or electronic file system, and is only accessible to any person You have authorised to use the Service. It is Your responsibility to delete login credentials when they are no longer needed.

Actionstep monitors system usage

The Data entered, or imported on instruction, by You is stored securely in a database and is only accessible to persons You have authorised to use the Service. It is Your responsibility to keep Your password safe. Actionstep, Actionstep’s staff and Actionstep’s partners do not have access to Your password. Actionstep may need to access some of Your Data to resolve system errors or to recreate scenarios to resolve support requests, however this will not be done without first obtaining permission from You. Actionstep will need to access Your data as a whole for backup, system maintenance, integrity checking, and load-balancing purposes. Actionstep staff and key commercial partners can access non-identifying and aggregated usage information and transaction volumes in order to better understand how our customers are using the Service so we can improve the system design and where appropriate have the system prompt users with suggestions on ways to improve their own use of the system.

Your Data is sent securely across the Internet

Actionstep’s servers have SSL Certificates so all Data transferred between users and the Service is encrypted. However, the Internet is not in itself a secure environment. Users should only enter, or instruct the importation of, Data to the database within a secure environment. This means that Your browser must support the encryption security used in connection with the Service.

Actionstep does not store any credit card details

Any credit card details are encrypted and securely stored by payment processors to enable Actionstep to bill the cards. Credit card details are not stored by the Service and cannot be accessed by Actionstep staff.

Privacy policies of any optional third-party applications the service links to

You may optionally connect the Service to other applications using the Actionstep API, API services such as Zapier, email servers or services, external hyperlinks, or by installing integrations and add-ons from the Actionstep Marketplace. If You do so then You are solely responsible for checking the Privacy Policy of any third-party applications the Service links to and satisfying Yourself that they meet Your needs.

Breaches and complaints

If Actionstep becomes aware that Your Data has been accessed by, or disclosed to, an unauthorised party, then Actionstep will notify You as soon as possible. Actionstep will cooperate with investigations conducted by the Privacy Commissioner or other duly-authorised government privacy bodies. If You suspect a breach of privacy please contact Actionstep via email to

Please read our Terms of Use

Use of the Service is subject to Actionstep’s Terms of Use, and this Privacy Policy should be read in conjunction with these Terms of Use. In the event of a conflict or disagreement between this Privacy Policy and the Terms of Use, the Terms of Use will prevail.

2. Actionstep as a Business

When You visit our website or engage in marketing activities such as events and webinars we may collect personal information from You.

What personal information do we collect?

Active Collection

We may collect certain information You voluntarily provide to us which may contain Personal Information, for example when You fill out a form, submit a comment, or contact us by e-mail or other means.

Automatic Collection

When You visit our website, some information is also automatically collected, such as Your internet protocol (IP) address, Your operating system, the browser type, the address of a referring web site, and Your activity on the sites.

We treat this information as personal information if we combine it with or link it to any of the identifying information mentioned above. Otherwise, it is used in the aggregate only (non-identifying).

Your Rights

You can unsubscribe from any marketing communication by following the unsubscribe instructions contained in the communication (usually in the footer section), or send Your request to

Under the European General Data Protection Regulation (also known as “GDPR”) You also have rights which include:

• knowing what personal data we hold about You;

• asking us to correct any personal data we hold about You; and

• asking us to delete or restrict any personal data we hold about You.

You can exercise these rights by sending an email to

Additional information about GDPR can be found in the “Data Processing Agreement” section below.


A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about You may be linked to the information stored in and obtained from cookies.

We use cookies for the following purposes:

• authentication: to identify You when You visit our website and as You navigate our website;

• personalisation: to store information about Your preferences and to personalise the website for You;

• analysis: to help us to analyse the use and performance of our website and services; and

• cookie consent: to store Your preferences in relation to the use of cookies more generally.

Cookies used by our service providers

Our service providers use cookies and those cookies may be stored on Your computer when You visit our website. We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google’s privacy policy is available at: 

We use Hubspot to personalise the website for You and to gather information about website usage. Hubspot’s privacy policy is available at:

We use Intercom to provide in-product customer support and to analyse how our product is used so that we can make improvements to the product. Intercom’s privacy policy is available at:

Google Data

Actionstep’s use of information received, and Actionstep’s transfer of information to any other app, from Google APIs will adhere to Google’s Limited Use Requirements.

Actionstep’s use and transfer to any other app of information received from Google Accounts will adhere to Google API Services User Data Policy, including the Limited Use requirements.


Any capitalized terms used in this Agreement will have the meaning set forth in the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) with effect on 25 May 2018. In the context of the GDPR ‘You’ are the Data Controller and Actionstep is acting as the Data Processor, collectively “the Parties”. Each party will comply at all times with all applicable data protection laws, including without limitation the GDPR. Where the Data Processor Processes Personal Data on behalf of the Data Controller in the context of this Agreement, the Data Processor will comply with its obligations under this Agreement. For such Processing, the Data Controller will be qualified as Data Controller (or Controller under the GDPR) and the Data Processor will be qualified as Data Processor (or Processor under the GDPR). The Data Processor will Process Personal Data solely as permitted under this Agreement and only in accordance with the Data Controller’s instructions.

The Parties agree that the Data Controller’s complete and final instructions to the Data Processor for the processing of Personal Data shall be, in principle, defined within the boundaries of the services defined by the Actionstep Terms of Service and this Agreement. Processing outside the scope of these instructions without mandatory law-based requirement will require additional prior written agreement between the Parties. If the Data Processor is required to otherwise Process Personal Data by applicable data protection law, it will inform the Data Controller of such legal requirement before processing, unless the GDPR prohibits such information on important grounds of public interest.

Also, the Data Processor will immediately inform the Data Controller if, in its opinion, an instruction constitutes a violation of applicable laws relating to the protection of personal data. The Data Processor will limit access to and use of Personal Data to such staff that is necessary to comply with its obligations under this Agreement, with applicable law, or as otherwise directed by the Data Controller. The Data Processor will ensure that persons authorized to Process Personal Data have committed themselves to obligations of confidentiality no less onerous than those set out in confidentiality agreements between the Parties, or are under an appropriate statutory obligation of confidentiality. The Data Processor will adopt, implement and maintain appropriate technical and organizational measures having regard to the risks inherent in the processing and to the nature of the Personal Data in order to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

The Data Processor will give the Data Controller written notice as soon as possible upon becoming aware of any breach of this Agreement or of any applicable data protection law, and in no event later than 1 business day after the occurrence of such event. The Data Processor will take all steps necessary to investigate and prevent its recurrence.

The Data Controller, at its sole discretion, will determine (in accordance with applicable data protection law) whether and when to notify any Data Subjects or data protection authorities regarding a breach.

The Data Processor will not transfer any Personal Data to a third country outside the European Economic Area (EEE) or an international organization except where this is permitted under GDPR, and will in any case:

• Make sure that this information is at all times available to the Data Controller,

• Ensure beforehand that such data transfer outside the EEE will be compliant with the GDPR (e.g. EU Commission adequate protection decision, EU Commission template of data transfer outside of the EU, EU data protection authority-validated corporate binding rules).

If the Data Processor is unable or unwilling to provide the Data Controller with sufficient information to demonstrate that the Data Controller is meeting its obligations under the GDPR then the Data Controller is entitled to meet with the Data Processor to agree on the operational, security and financial conditions of a technical inspection on site. In all cases any audit or technical inspection will be subject to the following conditions:

• must not affect the safety of other Data Controllers of the Data Processor;

• will be at the Data Controller’s reasonable expense, paid for in advance;

• any non-public information provided to the Data Controller during the audit shall be treated as confidential by the Data Controller;

• the right to audit can only be exercised to the extent that the verifications made are demonstrably related to the verification of the Data Processor’s compliance with the GDPR;

• the Data Processor shall not give access to its premises for the purposes of such an audit or inspection:

– to any individual unless he or she produces reasonable evidence of identity and authority with respect to its quality as a duly mandated representative of the Data Controller;

– outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Data Controller or the relevant Data Controller Affiliate undertaking an audit has given notice to Data Processor or the relevant Data Processor Affiliate that this is the case before attendance outside those hours begins;

• No more than 1 audit or technical inspection may be carried out by the Data Controller in any one 36 month period except for any additional audits which:

– The Data Controller or the relevant Data Controller affiliate or affiliated person undertaking an audit reasonably considers necessary because of genuine concerns as to Data Processor’s compliance with this Agreement; or

– the Data Controller is required or requested to carry out such audit by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws;

• moreover the Data Processor will allow the Data Controller reasonable access to audit and/or inspect Data Processor’s compliance with this Agreement always provided that:

– any audit or inspection is limited to those Processing activities and facilities that are directly involved in the Processing of the Personal Data;

– the Data Controller gives Data Processor reasonable prior written notice of at least 30 days before any audit or inspection (unless a shorter notice period is required by privacy laws, an order of a regulatory or supervisory authority, in the event of a Personal Data Breach or is otherwise agreed between the Parties in writing);

– the Data Controller carries out the audit or inspection during normal business hours and without creating a business interruption to Data Processor;

– the Data Processor is not required as part of the audit to disclose or provide access to any information relating to its own business operations or third parties to whom Data Processor owes a duty of confidence;

– the audit or inspection is carried out in compliance with Data Processor’s relevant on-site policies and procedures, including without limitation, those relating to access to premises, equipment, security, health and safety, and data;

– where the audit or inspection is carried out by a third party on behalf of the Data Controller, such third party is bound by equivalent obligations to those set out in this Agreement and is not a direct competitor of Data Processor;

• notwithstanding the foregoing, the Data Controller is entitled to respond to requests from the relevant supervisory authority provided that any disclosure of information is strictly limited to what is requested by that authority.

In this case, and unless the applicable law prohibits it, the Data Controller must first consult the Data Processor regarding any required disclosure. In the event that an audit requires the cooperation of a sub-processor acting as subcontractor of the Data Processor the Data Controller hereby expressly accepts that the Data Processor may be bound by contractual obligations to sub-processor that may prevent the Data Processor from fully fulfilling its obligations under this Agreement, in particular with respect to the transfer of the right to audit the sub-processor. Nevertheless, in the context of such an audit, the Data Processor undertakes to implement all the rights it has with regard to sub-processors for the benefit of the Data Controller.

The Data Processor undertakes in particular to

• provide, in accordance with the conditions imposed by sub-processors, all documents that sub-processors may make available to the Data Processor, such as, for example, external verification reports of the security measures of the physical data centres from which sub-processors provide the Services;

• provide, in accordance with the conditions imposed by sub-processors, any audit report that sub-processors may make available to the Data Processor;

• request sub-processors to provide, in accordance with the conditions imposed by sub-processors and taking into account the nature of the services and information available to sub-processors, the assistance required to assist the Data Controller in complying with their obligations regarding data protection impact assessment and prior consultation in accordance with Articles 35 and 36 of the GDPR, by providing the information that sub-processors make available to the Data Processor.

List of Sub-Processors

| Sub-processor Entity | Country | Purpose | Controller of the Personal Information |
| --- | --- | --- | --- |
| Amazon Web Services Inc | USA | Cloud service provider (infrastructure) | Subscriber |
| Microsoft Corporation | USA | Cloud service provider (Calendar, Documents, Email) | Actionstep and Subscriber |
| Google Inc | USA | Cloud service provider (Calendar, Documents, Email, Analytics) | Actionstep and Subscriber |
| Hubspot Inc | USA | Cloud sales and marketing automation provider | Actionstep |
| Mailgun Technologies Inc | USA | Cloud email service provider | Subscriber |
| Intercom Inc | USA | Cloud based customer support services | Actionstep |
| LawPay | USA | Cloud based payment provider | Subscriber |
| Xero Limited | New Zealand | Cloud based accounting services | Subscriber |
| Intuit Inc (QuickBooks) | USA | Cloud based accounting services | Subscriber |
| Zendesk Inc | USA | Cloud based customer support services | Actionstep |
| Rocket Science Group (Mail Chimp) | USA | Cloud based email and marketing services | Actionstep |
| TSYS U.S Holdings Inc (ProPay) | USA | Cloud based payment provider | Subscriber |
| Windcave | New Zealand | Cloud based payment provider | Subscriber |
| PayPal Inc | USA | Cloud based payment provider | Subscriber |
| MessageMedia | Australia | Cloud based SMS service provider | Subscriber |
| CloudConvert | Germany | Cloud based document conversion services | Subscriber |
| AbacusNext (HotDocs) | USA | Cloud based document automation services | Subscriber |
| NetDocuments | USA | Cloud based document management services | Subscriber |
| LawToolBox Inc | USA | Cloud based calendar automation services | Subscriber |
| Zapier Inc | USA | Cloud based task and workflow automation | Subscriber |
| | USA | Cloud based content management and file sharing service | Subscriber |
| DropBox Inc | USA | Cloud based content management and file sharing service | Subscriber |
| Braintree | - | Cloud based payment provider | Subscriber |
| Payrix Solutions LLC | USA | Cloud based Payment Facilitation Service | Subscriber |

If the Data Processor engages another processor or sub-processor for specific processing activities on behalf of the Data Controller, the Data Processor will notify the Data Controller and will ensure that this processor or sub-processor will comply with the obligations under this Agreement. The Data Processor will remain fully liable to the Data Controller for the performance of such processor’s or sub-processor’s obligations. The Data Processor will provide reasonable assistance to the Data Controller in undertaking any data protection impact assessment and/or any similar data protection analysis at the Data Controller’s reasonable expense, paid for in advance. Upon expiration or termination of this Agreement, the Data Processor will delete or return to the Data Controller all Personal Data received in the context of this Agreement and delete all existing copies of such Personal Data in accordance with Data Processor’s Terms of Use.

The Data Processor’s obligations under this Agreement will survive the expiration or termination of this Agreement for such period as the Data Processor still has access to Personal Data that it received in the context of this Agreement.

Last updated: 1 November 2021 

Updated credit card storage details clause “The Service does not store any Credit Card information”

Added Sub-Processor Payrix Solutions