← Back to home

Privacy Policy

Last updated: 28 May 2026

1. Who we are

Reconcilyo ("we", "our", "us") provides a web application that connects to Xero via OAuth 2.0 and helps you match bulk bank deposits to multiple outstanding invoices. Our support email is support@reconcilyo.com.

2. Data we collect

  • Xero identity: Your Xero user ID, name, and email address — obtained from Xero's OpenID Connect token when you connect your account.
  • Xero organisation tokens: OAuth access and refresh tokens, encrypted at rest using AES-256 (Fernet), required to call the Xero API on your behalf.
  • Invoice and contact data: We fetch outstanding invoices and contact names from Xero in real-time to perform matching. This data is not stored between requests.
  • Reconciliation audit log: When you apply a reconciliation, we store the payment date, amount, reference, invoice IDs, and match metadata. This is your audit trail.
  • Billing data: If you subscribe, your payment is processed by Stripe. We store only the Stripe customer and subscription IDs — not your card details.
  • Session data: A signed, HTTP-only cookie is used to keep you authenticated. It contains only your user ID and cannot be read by JavaScript.

3. How we use your data

  • To authenticate you with Xero and maintain your session.
  • To fetch invoices, contacts, and bank accounts from your connected Xero organisation.
  • To apply payments to Xero when you confirm a match.
  • To provide you with a history of reconciliations you have performed.
  • To manage your subscription via Stripe.

We do not sell your data. We do not share your data with third parties except as necessary to operate the service (Supabase for database hosting, Stripe for billing, Koyeb for hosting).

4. Data storage and security

  • All data is stored in Supabase (PostgreSQL), hosted in a secure cloud environment.
  • Xero OAuth tokens are encrypted at rest using Fernet symmetric encryption before being written to the database.
  • All communication between your browser and our servers is encrypted in transit via HTTPS (TLS 1.2+).
  • Application logs do not contain OAuth tokens, invoice data, or personally identifiable information.

5. Data retention

We retain your organisation tokens and audit log for as long as your account is active. If you disconnect an organisation, its tokens are revoked with Xero and deleted from our database immediately. If you request account deletion, we will delete all your data within 30 days.

6. Your rights

Depending on your location, you may have rights under GDPR, CCPA, or other applicable laws, including:

  • The right to access the data we hold about you.
  • The right to correct inaccurate data.
  • The right to request deletion of your data.
  • The right to data portability.

To exercise any of these rights, email support@reconcilyo.com.

7. Cookies

We use a single HTTP-only session cookie (rcy_session) to authenticate you. This cookie is essential for the service to function and cannot be disabled while you are using the app. We do not use tracking cookies, analytics cookies, or advertising cookies.

8. Third-party services

9. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated date.

10. Contact

For privacy questions or requests, contact us at support@reconcilyo.com.

HomeTerms of ServicePricing