Last updated: March 2026
What we collect
- Your Xero account details (organisation ID, name) via OAuth2
- Employee document metadata (filename, document type, upload date)
- Encrypted file content stored in AWS S3
What we don't collect
- We never see your file contents — all files are encrypted in your browser before leaving your
device using AES-256-GCM encryption
- We do not sell or share your data with third parties
How we store your data
- Document metadata is stored in a secure AWS RDS PostgreSQL database
- Encrypted files are stored in AWS S3 (eu-north-1)
- Encryption keys are stored server-side, encrypted with a separate key
Authentication
- We use Xero OAuth2 for authentication. We store Xero access tokens to maintain your session.
Data deletion
- Deleting a document removes it from both S3 and our database permanently
- To delete your account and all data, email us at [email protected]
Contact
[email protected]