Privacy Policy

Effective Date: 01 July 2025 | Last Updated: 01 July 2025

TROYE PTY LTD ("we," "us," or "our") runs FeedConnector (the "Service"), a Xero marketplace app.

FeedConnector helps connect external data feeds from Xero to wherever you like. We care about your privacy and follow laws like the Australian Privacy Principles (APPs) under the Privacy Act 1988, GDPR for EU users, and CCPA for California residents.

By using the Service, you agree to this Privacy Policy. If you don't, please don't use it.

Questions? Email us at privacy@troye.co

Table of Contents

  1. Information We Collect
  2. How We Use Your Information
  3. Sharing and Disclosure of Your Information
  4. Data Retention and Deletion
  5. Security Measures
  6. International Data Transfers
  7. Your Rights
  8. Third-Party Integrations
  9. Changes to This Privacy Policy
  10. Contact Us

1. Information We Collect

Summary: We only collect what's needed to make the Service work, like your account details and financial data you choose to sync.

We gather personal information (data that identifies you or relates to you) in these ways:

Personal Information

  • Account Details: Your name, email, business name, and contact info when you sign up.
  • Login and Access Info: Xero API details, credentials for external sources (e.g., API keys for banks like Commonwealth Bank or platforms like Shopify), and other login data for connections.
  • Tech Data: IP addresses (just for security, like spotting unauthorized logins).

Financial and Business Data

  • Transaction Data: Financial info from external sources, such as transactions, balances, and metrics you allow us to sync to Xero.
  • Setup Choices: Your settings for how data connects and syncs.

We might collect sensitive personal information if it's in your financial data (e.g., bank account details that include personal identifiers like names or addresses considered sensitive under laws like GDPR or APPs). We don't collect it unless you provide it to us via Xero.

We get this info directly from you when you:

  • Set up an account or links.
  • Allow data to flow from sources to Xero.
  • Use the Service.

2. How We Use Your Information

Summary: We use your data only to run and improve the Service, keep things secure, and follow laws—not for ads or anything else.

We use it for:

  • Running the Service: Sync data from sources like Stripe to Xero, manage connections, and handle your requests.
  • Account Handling: Check who you are, save your settings, and offer support.
  • Security and Rules: Use IP logs to stop threats, fraud, or illegal access; meet legal needs.
  • Fixing Issues: Keep short-term logs to solve problems and make the Service better.

We don't use data for marketing, ads, or unrelated things. No anonymizing for AI or other uses.

Under APPs, we stick to the main reason we collected it or something related you'd expect. For GDPR, our reasons include contract performance (to deliver the Service), legitimate interests (like security), and your consent (for data syncs). For CCPA, we don't "sell" or "share" your info as defined by the law.

3. Sharing and Disclosure of Your Information

Summary: We don't sell or rent your data. We only share what's needed for the Service, with your consent where required.

We share:

  • With Xero: Data via their API for syncing, only if you authorize it.
  • With Your Data Sources: We access data from your chosen providers via our connections.
  • For Legal Reasons: If law requires, like a court order, or to protect us or others.
  • Business Changes: If we sell or merge, your data might transfer, but with equivalent privacy protection.

We will sign a Data Processing Agreement (DPA) on request.

It covers how we handle data, security, sub-helpers, and your audit rights. Email privacy@troye.co to get one. Our helpers follow GDPR Article 28 and CCPA rules—disclosures aren't "sales."

4. Data Retention and Deletion

Summary: We keep data only as long as needed, then delete it securely.

  • Settings: Kept until you remove the connection or account.
  • Logs: Held 90 days for security/fixes, then deleted.
  • Account Info: Kept 30 days after you end (per our Terms), for possible reactivation.
  • Data: Kept for up to 30 days after you delete your account, for possible retrieval or reactivation.

You can ask to delete anytime (see Section 7). We follow APP 11, GDPR storage limits, and CCPA rules for secure deletion.

5. Security Measures

Summary: We use strong protections, but no system is perfect. We'll tell you quickly if there's a breach.

Our security includes:

  • Encryption: TLS 1.2+ for sending data over any network.
  • Access Rules: Only approved people can see data, with monitoring.

If a breach affects your data:

  • For GDPR: We notify authorities within 72 hours and you if it's high risk.
  • For CCPA: We notify you promptly as required.
  • For APPs: We follow the notifiable scheme and report to the Office of the Australian Information Commissioner (OAIC) if needed.

6. International Data Transfers

Summary: Data is hosted in Australia and the US. We protect transfers under laws.

If you're outside Australia, data might move abroad. For GDPR (EU/EEA users), we use safeguards like standard contractual clauses (SCCs). By using the Service, you agree to this. We follow APP 8 and other local rules.

7. Your Rights

Summary: You have rights to control your data. We'll help as much as law allows, no matter where you are. Requests might affect Service use. Email privacy@troye.co with details to verify you. We respond in legal timeframes (e.g., 30 days for APP, 1 month for GDPR, 45 days for CCPA) and usually for free, unless excessive.

Here are rights by law:

Australian Privacy Principles (APPs)

  • Access and correct your info.
  • Complain to us or OAIC.
  • Ask about our handling.

GDPR (EU/EEA Users)

  • Access, correct, delete, or restrict processing.
  • Get data portability.
  • Object to processing (e.g., based on legitimate interests).
  • Withdraw consent anytime (won't affect past use; may limit Service).
  • Not be subject to automated decisions with legal effects (note: we don't use automated decision-making).
  • Complain to your data authority.
  • Request a DPA for processing details.

CCPA (California Residents)

  • Know what data we have, categories, sources, and purposes.
  • Delete your data.
  • Opt out of sales (we don't sell).
  • No discrimination for using rights.
  • Use an agent for requests.
  • We respond to verified requests.

We aim to give these rights to everyone, but they depend on your location.

8. Third-Party Integrations

Summary: We connect to Xero and your chosen sources. Data flows as you allow, but check their privacy policies—we don't control them. We're just the middle link.

9. Changes to This Privacy Policy

Summary: We might update this for changes in how we work or laws. We'll email or notify in-app for big updates and change the "Last Updated" date. Keeping using means you agree.

10. Contact Us

For privacy questions, requests, or complaints, email privacy@troye.co or support@troye.co. Write to TROYE PTY LTD, For legal matters, use legal@troye.co.

This policy matches our Terms of Service for consistency.