This Privacy Policy explains how ADME Digital Pty Ltd (ABN XX XXX XXX XXX), trading as XeroFlow ("we", "us", "our"), collects, uses, discloses, and protects personal information through the XeroFlow platform and related services (collectively, the "Service"). By using the Service you acknowledge that you have read and understood this policy.
1. Information We Collect
1.1 Information you provide
- Account data — name, email address, job title, and organisation name when you register.
- Financial data — invoicing details, billing addresses, and payment information processed through our payment provider.
- Client & project data — briefs, tasks, files, comments, and other content you create within boards, projects, and the client portal.
- Communications — messages sent through in-app chat, email correspondence, and support requests.
- Integration credentials — OAuth tokens and connection details for third-party services you choose to connect (e.g. Xero, Meta Ads, Google Ads).
1.2 Information collected automatically
- Usage data — pages viewed, features used, click events, session duration, and referring URLs.
- Device & log data — IP address, browser type and version, operating system, device identifiers, and access timestamps.
- Cookies & similar technologies — see Section 8 below.
1.3 Information from third parties
When you connect a third-party integration, we receive data from that service as necessary to provide the integration (for example, campaign spend data from Meta Ads or invoice records from Xero). We do not collect data from third parties without your express authorisation.
2. Lawful Basis for Processing
We process personal information on the following legal bases:
- Performance of a contract — to provide the Service, manage your account, and process billing.
- Legitimate interests — to improve the Service, detect fraud, ensure security, and conduct analytics. We balance these interests against your rights and only proceed where the impact on you is proportionate.
- Consent — where required by law, such as for optional marketing communications or AI-assisted features that process your content. You may withdraw consent at any time.
- Legal obligation — to comply with applicable laws, regulations, and enforceable governmental requests.
3. How We Use Your Information
- Provide, operate, and maintain the XeroFlow platform.
- Process transactions and send related billing and service notifications.
- Authenticate users and enforce role-based access controls.
- Facilitate integrations with accounting, advertising, and email services you connect.
- Power AI-assisted features, including the AI chat assistant, intent classification, content suggestions, and anomaly detection (see Section 9).
- Analyse aggregated usage patterns to improve functionality and user experience.
- Detect, investigate, and prevent security incidents, fraud, and abuse.
- Comply with legal obligations and respond to lawful requests.
We do not sell your personal information to third parties.
4. Data Sharing & Third-Party Sub-Processors
We share personal information only where necessary and with appropriate safeguards:
- Infrastructure & hosting — Cloudflare, Inc. (CDN, edge compute, R2 storage, Workers, Durable Objects, AI inference, Vectorize).
- Database — Neon, Inc. (serverless PostgreSQL hosting).
- Email delivery — Resend, Inc. (transactional and notification emails).
- AI processing — Groq, Inc. (LLM inference for AI chat and classification); Cloudflare Workers AI (edge inference and embeddings).
- User-initiated integrations — Xero Limited (accounting), Meta Platforms, Inc. (advertising), Google LLC (advertising). These connections are established by you and governed by each provider's own privacy policy.
- Legal requirements — we may disclose information to law enforcement or regulatory authorities where legally required or to protect rights, safety, or property.
The sub-processors listed above (our infrastructure, database, email and AI providers) are bound by data processing agreements that require them to process data only on our instructions and to maintain appropriate security measures. User-initiated integrations are not our sub-processors; they process data under their own privacy policies once you connect them.
5. International Data Transfers
XeroFlow is operated from Australia. Our sub-processors may store and process data in the United States and other jurisdictions. Where personal information is transferred outside your country of residence, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, and we verify that the recipient maintains security practices consistent with this policy. For users in the European Economic Area (EEA) or United Kingdom, transfers are made in accordance with Chapter V of the GDPR or the UK GDPR, as applicable.
6. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes described in this policy, or as required by law:
- Account data — retained for the duration of your account and for 30 days after deletion to allow recovery.
- Financial records — retained for 7 years from the end of the relevant financial year, as required by Australian tax law.
- Usage & log data — retained for up to 12 months, then aggregated or deleted.
- AI conversation data — retained for 90 days for quality review and troubleshooting of the AI features (not for training general-purpose models; see Section 9), then automatically purged unless you choose to save a conversation.
- Backups — encrypted backups may persist for up to 30 days after data deletion from the live system.
7. Data Security
We implement technical and organisational measures designed to protect personal information, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256) for all data.
- Role-based access controls with least-privilege principles.
- OAuth 2.0 token management — integration credentials (access and refresh tokens) are encrypted at rest and are never exposed to other users.
- Web Application Firewall (WAF) and DDoS protection via Cloudflare.
- Regular vulnerability assessments and secure development practices.
- Audit logging of administrative and data-access actions.
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
8. Cookies & Similar Technologies
8.1 Essential cookies
Required for the Service to function. These include session tokens for authentication (e.g. session_token, client_session_token) and CSRF protection. These cannot be disabled without impairing the Service.
8.2 Functional cookies
Store your preferences such as colour mode, sidebar state, and notification settings.
8.3 Analytics
We collect aggregated, anonymised usage analytics to understand how the Service is used and to identify areas for improvement. We do not use third-party advertising trackers or sell data to ad networks.
9. Artificial Intelligence & Automated Processing
XeroFlow includes AI-powered features that process your data:
- AI Chat Assistant — answers questions about your agency data using large language models. Conversations are processed by Groq and/or Cloudflare Workers AI.
- Intent classification & anomaly detection — analyses patterns in your data to route queries and surface proactive insights.
- Content suggestions — AI-generated copy and creative recommendations within the banner studio.
- Semantic search — text embeddings are generated to enable vector-based search across your data, stored in Cloudflare Vectorize.
AI features process your data only in the context of your organisation. Your data is not used to train general-purpose AI models and is not shared across organisations. No automated decision-making with legal or similarly significant effects is performed without human oversight.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access — request a copy of the personal information we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data, subject to legal retention obligations.
- Restriction — request that we limit processing of your data in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format (JSON or CSV export).
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@xeroflow.agency. We will respond within 30 days (or within the timeframe required by your applicable law). If you are unsatisfied with our response, you have the right to lodge a complaint with a supervisory authority — in Australia, the Office of the Australian Information Commissioner (OAIC); in the EEA or UK, your local data protection authority.
11. Data Breach Notification
In the event of a data breach that is likely to result in serious harm to affected individuals, we will notify the relevant supervisory authority and affected users without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address it.
12. Children's Privacy
XeroFlow is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you by email or through a prominent notice within the Service at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Governing Law
This Privacy Policy is governed by the laws of the State of New South Wales, Australia, and the Commonwealth of Australia, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where the GDPR or UK GDPR applies to you, nothing in this policy limits your rights under those regulations.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
ADME Digital Pty Ltd
Privacy Officer
Email: privacy@xeroflow.agency