Privacy Policy

1. What We Collect

When you use XeroClarity we collect:

• Your account email address and hashed password (for login).
• Your Xero OAuth access token and refresh token, stored encrypted at rest using AES-256-GCM.
• Your Xero tenant ID (the identifier for your connected organisation).
• Scan metadata: date range selected, scan timestamp, and organisation name.

We do not store the full contents of your Xero transactions, invoices, or journals. That data is fetched on demand for each scan and held in server memory only for the duration of your session (maximum 2 hours).

2. How We Use Your Data

• To authenticate you and maintain your session.
• To connect to your Xero organisation on your behalf and run forensic analysis.
• To generate and serve your PDF report.
• To maintain aggregated, anonymised usage logs for service improvement.

3. Data Retention

• Scan results: discarded from memory after 2 hours or when the server restarts.
• OAuth tokens: stored until you disconnect Xero or delete your account.
• Account data: retained until you request deletion.

4. Third-Party Services

• Xero — your data is fetched from Xero’s API. Their privacy policy applies to data held within Xero.
• Google Analytics 4 — anonymised usage analytics. No financial data is shared with Google.
• We do not sell, rent, or share your data with any other third parties.

5. Security

OAuth tokens are encrypted using AES-256-GCM before being written to the database. All connections use HTTPS/TLS. Server access is restricted to authorised personnel only.

6. Your Rights

You may disconnect your Xero organisation at any time from the XeroClarity landing page. To request account deletion or a copy of your stored data, contact us at support@thereconciliator.com.

7. Changes to This Policy

We may update this policy. Changes will be posted on this page with a revised effective date. Continued use of the service constitutes acceptance of the updated policy.

8. Contact

support@thereconciliator.com