How we handle your data.
Last updated · 13 May 2026
Trace connects to your Xero and Gmail accounts (read-only) to find receipts for your business transactions. Doing that responsibly means being honest about exactly what we read, what we keep, and what we never touch. This page tells you precisely.
01 — What we collect
When you sign up, we collect the email address you submit.
When you connect Xero, we receive an OAuth access token and refresh token from Xero, along with the unique identifier (tenant ID) for the organisation you chose. We use these to read your bank transactions, invoices, contacts, chart of accounts, and any attachments already in Xero. We do not write, modify, or delete anything in your books.
When you connect Gmail, we receive an OAuth access token and refresh token from Google, along with the email address of the connected inbox. We use these to search for messages and attachments that look like receipts or invoices for transactions we have seen in your Xero account.
We collect standard request metadata (IP address, user agent, timestamps) from our hosting provider for security and abuse prevention.
02 — What we store
We store your email address, the OAuth tokens described above (encrypted at rest), and the matched-and-unmatched transaction list we produce for your report. We do not store the full contents of your inbox. When we search for a receipt and find a match, we record the message identifier and extract only the structured data we need (date, amount, merchant, file reference) — not the email body.
03 — What we never do
- Read messages in your inbox that are not relevant to receipt matching.
- Send email from your account.
- Modify, delete, or move messages.
- Write, modify, or delete anything in your Xero account.
- Sell your data to third parties.
- Use your data to train AI models for any other customer.
04 — Who has access
Trace is operated by a small team. Only members of that team with a direct operational need (running your match report, fixing a bug you have reported, handling a deletion request) can access your data, and only as much of it as is needed.
We use the following sub-processors: MongoDB Atlas (database hosting, EU region), Vercel (web hosting), Xero (for the transaction data you have authorised us to read), and Google (for the Gmail data you have authorised us to read).
05 — Retention
We retain your account, tokens, and reports while your account is active. If you disconnect Trace from Xero or Google, the tokens become unusable immediately. If you ask us to delete your data, we remove your account, tokens, and reports from our active systems within 30 days, and from backups within 90 days.
06 — Your rights
If you are in the UK or the EU, the UK GDPR and EU GDPR give you the right to: access the personal data we hold about you, ask us to correct it, ask us to delete it, ask us to restrict how we process it, ask us to provide it in a portable format, and object to processing on legitimate-interest grounds. Email privacy@gettrace.co.uk and we will respond within 30 days.
You can also complain to the UK Information Commissioner's Office (ICO) at ico.org.uk if you think we have not handled your data correctly.
07 — Cookies
We set a single session cookie (trace_session) so we know who you are between page loads. It is encrypted, HTTP-only, and expires after 30 days of inactivity. We do not use third-party analytics or advertising cookies.
08 — Changes
If we make material changes to this policy we will email you and post a notice on this page. Less important changes will be summarised in the changelog visible from the footer.
09 — Contact
Privacy questions, deletion requests, and concerns: privacy@gettrace.co.uk.