Privacy Policy

Last Updated: 21 November 2025

Introduction

This Privacy Policy explains how we (“Xero Invoice SaaS”, “we”, “us”, “our”) collect, use, store, and protect your personal data when you use our invoice processing service.

By using our service, you agree to the collection and use of information in accordance with this policy.

1. Data Controller

Drakon Systems Ltd
Email: support@drakonsystems.com
Data Protection Officer: support@drakonsystems.com

2. Data We Collect

2.1 Account Information

• Email address (for login and communication)
• Password (hashed using bcrypt)
• Full name (optional)
• Registration date and last login

2.2 Xero Integration Data

• Xero OAuth access tokens (encrypted at rest)
• Xero OAuth refresh tokens (encrypted at rest)
• Xero tenant/organization ID
• Company name, address, phone number, and VAT number (from your Xero organization)

2.3 Invoice Data

• Uploaded invoice PDFs
• Parsed invoice information (supplier names, invoice numbers, amounts, line items)
• Bank account numbers (if present on invoices)
• Processing metadata (status, timestamps, error messages)

3. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

1. Contract Performance (Article 6(1)(b) GDPR): Account creation, invoice processing, Xero integration, subscription management
2. Consent (Article 6(1)(a) GDPR): Email communications, Xero OAuth access
3. Legitimate Interests (Article 6(1)(f) GDPR): Fraud prevention, security, service improvement

4. How We Use Your Data

• Authenticate your account
• Connect to your Xero organization
• Parse uploaded invoices using AI (Claude by Anthropic)
• Match suppliers to Xero contacts
• Create invoices in Xero and attach PDF receipts

5. Data Sharing & Third Parties

We share your data with the following third parties only:

5.1 Xero (Required for Service)

What: Invoice data, supplier information, OAuth tokens
Why: To post invoices to your Xero organization
Privacy Policy: https://www.xero.com/uk/about/privacy/

5.2 Anthropic (Claude AI)

What: Invoice PDFs and text for parsing
Why: To extract invoice details using AI
Data Retention: Anthropic does not store your data (zero retention)

5.3 NO Other Third Parties

We do NOT share your data with advertisers, analytics companies, marketing platforms, social media networks, or data brokers.

6. Data Storage & Security

6.1 Storage Location

• Database: Encrypted PostgreSQL on Fly.io
• PDFs: Encrypted volume storage
• Temp Files: Deleted immediately after processing

6.2 Encryption

• In Transit: All data transmitted over HTTPS (TLS 1.3)
• At Rest: Passwords hashed with bcrypt, Xero tokens encrypted with Fernet (AES-128)

7. Data Retention

• Active Accounts: Invoices retained until you delete them (default 7 years for UK tax compliance)
• Deleted Accounts: Immediate and permanent deletion of all data
• Failed Uploads: 30 days retention for troubleshooting

8. Your Rights (GDPR)

• Right to Access (Article 15): View all your data in the dashboard
• Right to Export (Article 20): Export all data as JSON from Settings
• Right to Erasure (Article 17): Delete your account anytime from Settings
• Right to Rectification (Article 16): Update your profile and supplier mappings
• Right to Lodge a Complaint: UK ICO (ico.org.uk)

9. Data Breach Notification

If we detect a data breach, we will:

1. Notify ICO (UK regulator) within 72 hours
2. Email affected users within 72 hours
3. Take immediate action to contain the breach

10. Children's Privacy

Our service is not intended for children under 16. We do not knowingly collect data from children.

11. Cookies & Tracking

• JWT tokens: For authentication (stored in browser localStorage)
• No tracking cookies: We do not track you
• No analytics: Google Analytics, Facebook Pixel, or third-party trackers are NOT used

See our Cookie Policy for full details.

12. Contact Us

Email: support@drakonsystems.com
DPO: support@drakonsystems.com
Response Time: Within 30 days (GDPR requirement)

13. Summary (TL;DR)

• We collect: Email, invoices, Xero data (needed for service)
• We encrypt: Passwords, tokens, database, PDFs
• We share with: Xero (required), Anthropic (AI parsing), Stripe (payments)
• You can: Export all data, delete anytime
• We don't: Track you, sell data, use cookies
• GDPR compliant: All your rights protected