Privacy Policy
Last updated: March 2026
Overview
XO Report ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our Excel add-in and related services.
XO Report is the data controller for your personal data. For privacy-related inquiries, contact us at privacy@xo-report.com.
Data Controller
XO Report is operated by Clovis Global. For privacy inquiries: privacy@xo-report.com.
Information We Collect
Account Information
When you authenticate with Xero, we collect:
- Your email address and name (from your Xero profile)
- Your Xero user identifier
- Names and identifiers of Xero organizations you authorize
- Subscription and billing information (via Stripe)
Xero Data Access
XO Report connects to Xero using OAuth 2.0 with read-only access to your accounting data. We never create, modify, or delete any data in your Xero account. We access your Xero data only to provide the functionality you request (pulling data into Excel) and do not store your Xero financial data permanently on our servers.
We access the following Xero data based on your usage (read-only):
- Chart of Accounts
- Contacts (customers and suppliers)
- Invoices and Bills
- Payments and Credit Notes
- Financial Reports (P&L, Balance Sheet, etc.)
- Tracking Categories
- Tax Rates and Currencies
Usage Data and Error Reporting
We collect data to improve our service and fix issues:
- Which features you use (anonymized)
- Error reports via Sentry (includes error messages, stack traces, and device/browser info)
- Performance metrics
Error reports help us identify and fix bugs. They may include technical details about your session but do not include your Xero financial data.
How We Use Your Information
We use your information to:
- Provide the XO Report service
- Process your subscription and payments
- Send important service updates
- Provide customer support
- Improve our product
Legal Basis for Processing (GDPR)
We process your data based on:
- Contract performance: Providing the service you subscribed to
- Legitimate interests: Error reporting, security, and service improvement
- Legal obligations: Tax records and fraud prevention
Data Security
We implement industry-standard security measures to protect your data:
- All data is transmitted using TLS encryption
- OAuth tokens are stored securely and never shared
- We use Supabase for secure data storage with row-level security
- We do not store your Xero password
AI and Machine Learning
Your Xero financial data is never used for AI training, machine learning, or any form of automated profiling. We do not sell, share, or provide your data to third parties for AI/ML purposes. Your data is used solely to deliver the XO Report service to you.
Data Retention
We retain your account information for as long as your account is active. Xero financial data is cached temporarily to improve performance and automatically purged:
- Financial reports (P&L, Balance Sheet, etc.): cached for up to 5 minutes
- Reference data (Chart of Accounts, Contacts, Tax Rates, etc.): cached for up to 1 hour
No Xero financial data is permanently stored on our servers. You can request deletion of your account data at any time.
Third-Party Services
We use the following third-party services:
- Xero: Accounting data provider (subject to Xero's privacy policy)
- Stripe: Payment processing (subject to Stripe's privacy policy)
- Supabase: Database and authentication
- Sentry: Error monitoring and performance tracking
- Microsoft: Excel add-in platform
- Formspree: Contact form processing (subject to Formspree's privacy policy)
Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR) and similar laws, you have the following rights regarding your personal data:
- Right to Access (Art. 15): Request a copy of all personal data we hold about you
- Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten") — available self-service via Settings or by contacting us
- Right to Restriction (Art. 18): Restrict the processing of your personal data in certain circumstances
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format
- Right to Object (Art. 21): Object to processing of your personal data based on legitimate interests
- Automated Decision-Making (Art. 22): We do not make automated decisions about you. Your data is never used for profiling or automated decision-making.
How to Exercise Your Rights
You can exercise your rights in two ways:
- Self-service deletion: Use "Delete My Account" in Settings > Advanced within the Excel add-in. Your account enters a 30-day cooling-off period during which you can cancel the deletion. After 30 days, all personal data is permanently deleted.
- Email: Contact privacy@xo-report.com for any rights request. We will respond within 30 days as required by GDPR.
Delete Your Account
You can permanently delete your account and all associated personal data at any time. Here is how the process works:
- How to request: Go to Settings > Advanced > "Delete My Account" in the Excel add-in, or email privacy@xo-report.com.
- 30-day cooling-off period: After requesting deletion, your account enters a 30-day cooling-off period. During this time, you can cancel the deletion and restore your account.
- Immediate effects: Upon requesting deletion, your Xero connection tokens are revoked, API cache is cleared, and your active subscription is cancelled immediately.
- After 30 days: All personal data is permanently and irreversibly deleted, including your account information, Xero organization data, authentication tokens, and error reports linked to your account.
- Billing records: Anonymized billing records (with no personally identifiable information) are retained for 7 years as required by applicable accounting law.
- Audit trail: An anonymized record of the deletion event is kept for compliance purposes. This record contains only a one-way hash of your user ID (not reversible to your identity) and the deletion timestamp.
Cookies
Our website uses essential cookies only for authentication and session management. These cookies are strictly necessary for the service to function and cannot be disabled.
We do not use advertising, analytics, or tracking cookies. No cookie consent banner is required because we only use essential cookies.
Children's Privacy
XO Report is not intended for use by children under 16. We do not knowingly collect information from children.
International Data Transfers
Your data may be processed in countries outside your own, including the United States (where our infrastructure providers operate). We ensure appropriate safeguards are in place, including Standard Contractual Clauses where required.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes via email or through our service.
Governing Law
This Privacy Policy is governed by the laws of the European Union, specifically the General Data Protection Regulation (GDPR).
Contact Us
If you have questions about this Privacy Policy, please contact us or email privacy@xo-report.com.