Plain-English summary. We only collect the information we need to deliver daily backups of your accounting records: your account details, the OAuth credentials you authorise for Xero and your cloud-storage provider, and the invoice, quote and purchase-order metadata we fetch on your behalf. We don’t sell data, we don’t run analytics or advertising trackers, and we don’t share your Xero data with anyone other than the storage provider you chose.
1. Who we are
For the purposes of the Privacy Act, the APP entity responsible for the handling of your personal information is [Legal Entity Name] (ABN [ABN]), a company registered in Australia with its registered office at [Registered Address], trading as “Ziroo” (“we”, “us”, “our”).
Our contact point for any privacy enquiry or request is [email protected]. Please include “Privacy” in the subject line so it reaches the right person quickly.
2. Scope of this policy
This policy covers:
- The ziroo.work website and marketing pages;
- The Ziroo web application, when you are signed in;
- Emails we send to you as part of the service (daily backup digests, transactional notices, billing receipts).
It does not cover third-party services you connect or use alongside Ziroo — including Xero, Dropbox, Google Drive, Microsoft OneDrive, Stripe, or Amazon Web Services. Your dealings with those services are governed by their own privacy policies. Where relevant, we link to them below.
3. Information we collect
3.1 Account information
- Your name and email address;
- A password (stored as a bcrypt hash — we never see the plaintext);
- Two-factor authentication secrets and recovery codes, if you enable 2FA (encrypted at rest);
- An optional profile photo if you upload one;
- Which team you are currently acting for inside the app.
3.2 Billing information
- The Stripe customer identifier linked to your team, the type of card on file (e.g. Visa, Mastercard) and its last four digits, your plan, and subscription status;
- A record of any additional one-off charges (e.g. paid archive downloads) and the amount charged.
Card numbers and other full payment credentials are handled directly by Stripe in its PCI‑DSS certified environment; we do not receive or store them.
3.3 Third-party credentials (OAuth tokens)
When you connect Xero, Dropbox, Google Drive, or OneDrive, we receive and store an OAuth access token and a refresh token for that connection. These are encrypted at rest. We do not receive your username or password for any of those services.
3.4 Accounting data fetched from Xero
On your schedule, we call Xero’s Invoices, Quotes and Purchase Orders endpoints and store the returned metadata — document numbers, dates, references, statuses, currency, contact names, line totals, and amounts. For each document, we fetch the PDF copy Xero renders and stream it to the cloud-storage destination you chose.
This data may include personal information about your customers, suppliers, and contacts (for example, their names and company details). As the Xero account holder, you are the entity that controls that data and is responsible for having a lawful basis to have us process it on your behalf. Under this arrangement, we act as your processor for that personal information and handle it only to deliver the backup service.
3.5 Usage and audit logs
- Team activity log — records meaningful actions taken inside a team (e.g. a new Xero organisation connected, a manual backup triggered, a storage provider changed), including who performed the action and when;
- Backup-run log — one entry per scheduled or manual backup run, including the organisation, document count, trigger source, delivery outcome and any error code;
- Standard web-server access logs, which typically include IP address, user-agent, request path and timestamp.
3.6 Communications you send us
If you email support, reply to a notification, or send us a security report, we keep a record of that correspondence.
3.7 Information we don’t collect
We don’t run Google Analytics, Mixpanel, PostHog, advertising pixels or session-replay tools. We don’t buy personal information about you from data brokers.
4. How we use information
We use personal information to:
- Authenticate you and secure your account;
- Fetch, package, and deliver your daily or on-demand backups;
- Process subscription payments and any one-off charges;
- Provide support, respond to your questions, and investigate incidents;
- Detect, prevent, and respond to fraud, abuse, or security threats;
- Send transactional messages about the service (receipts, failed-payment notices, backup errors, password changes, legal updates);
- Meet legal, tax, accounting, and record-keeping obligations.
We do not use your accounting data or your customers’ personal information for any purpose other than running the service for you. We do not sell your personal information, and we don’t use it to train machine-learning models.
5. Legal basis for processing
Under Australian law we rely on the grounds permitted by the APPs, in particular that the collection and use of personal information is reasonably necessary for our functions or activities as a backup service provider.
For users in jurisdictions that require a specified legal basis (for example the GDPR for people located in the EU or UK), we process personal information on one or more of the following bases:
- Performance of a contract — to provide the service you have signed up for;
- Legitimate interests — to secure and improve the service, detect fraud and abuse, and run our business, balanced against your rights;
- Consent — where you’ve given it (for example, by authorising a Xero or cloud-storage connection);
- Legal obligation — where we must retain information to comply with law.
6. Disclosure and subprocessors
We disclose personal information only to the service providers (“subprocessors”) we rely on to deliver the service, and only to the extent necessary for them to perform their role. We require each of them to protect the information consistently with the APPs.
| Provider | Role | What they receive | Policy |
|---|---|---|---|
| Xero Limited | Source system (read-only access) | We exchange OAuth tokens and call Xero APIs to read your accounting data. | xero.com/legal/privacy |
| Dropbox / Google Drive / Microsoft OneDrive | Destination storage (your choice) | PDFs and CSV manifests we upload to the folder you authorised. | dropbox · google · microsoft |
| Amazon Web Services | Hosting and outbound email (SES) | All service data at rest; email contents when we send notifications. | aws.amazon.com/privacy |
| Stripe, Inc. | Payment processor | Customer identifier, card metadata (last four, type), billing amounts. | stripe.com/privacy |
| Bunny Fonts | Font hosting (public pages only) | Your browser fetches web fonts; no personal information is sent. | fonts.bunny.net/about |
We may also disclose personal information where we are required or authorised to do so by law — for example, in response to a valid subpoena, court order, or lawful request from a regulator. Where legally permitted, we will let you know before we do so.
7. International data transfers
Ziroo is operated from Australia, but our hosting, email and payment subprocessors store and process data in the United States and, in the case of Stripe, elsewhere in its global infrastructure. By using Ziroo, you consent to your personal information being transferred to and processed in countries outside Australia.
Under APP 8, we take reasonable steps before disclosing personal information overseas to ensure that the overseas recipient handles it consistently with the APPs. Those steps include choosing established providers with documented privacy programs and relying on the contractual protections in their standard terms (including, where applicable, Standard Contractual Clauses and comparable transfer mechanisms).
8. How long we keep data
- Account details. Retained while your account is active.
- OAuth tokens. Retained while the connection is active. When you disconnect Xero or a storage provider, the tokens we hold for that connection are deleted and revoked with the provider where supported.
- Xero-sourced metadata. Kept while your account is active so that subsequent runs can work incrementally. You can request deletion at any time (see “Your rights” below).
- PDFs. Not retained on our servers beyond the short window needed to upload them to your cloud storage. The files in your storage are yours; we don’t touch them once uploaded.
- Billing records. Retained for as long as required by Australian taxation and company law (typically seven years).
- Logs. Activity and backup-run logs are retained for operational and audit purposes. Web-server access logs are retained for no longer than 90 days in ordinary course.
- Closed accounts. On account closure, we delete or anonymise personal information within 90 days, except where retention is required by law.
9. Your rights
Subject to applicable law, you have the right to:
- Access the personal information we hold about you;
- Correct information that is inaccurate, out of date, incomplete, or misleading;
- Request deletion of your personal information, subject to records we must retain by law;
- Withdraw consent you’ve given (for example, by disconnecting a Xero organisation or a cloud-storage provider);
- Complain about how we have handled your personal information.
If you are in the EU, UK or Switzerland, GDPR-equivalent rights apply, including rights to restriction, portability and objection to certain processing. If you are a California resident, CCPA/CPRA rights apply; note that we do not “sell” or “share” personal information as those terms are defined under the CCPA.
To exercise any of these rights, email [email protected] with “Privacy request” in the subject line. We will verify your request and respond within 30 days. There is no charge for reasonable requests.
If you are not satisfied with our response, you have the right to complain to the Office of the Australian Information Commissioner at oaic.gov.au.
10. Cookies and tracking
Ziroo uses only the cookies required to operate the service:
- A first-party session cookie (named `ziroo_session` or equivalent) with a 120-minute lifetime, HttpOnly and SameSite=Lax;
- A `XSRF-TOKEN` cookie to guard against cross-site request forgery;
- A “remember me” cookie, only if you tick the corresponding option when logging in;
- A local-storage preference (`ziroo-theme`) that remembers whether you chose light or dark mode. This is set by your browser and never sent to our servers.
We do not use cookies or similar technologies for advertising, analytics, cross-site tracking, or behavioural profiling. There are no third-party trackers on our pages.
11. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information against loss, misuse, and unauthorised access. For a detailed, current description of those controls, see our Security page. No service can be guaranteed to be completely secure, but we take the responsibility seriously and describe our controls honestly.
12. Children
Ziroo is a business-to-business service and is not directed at children. We do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided personal information to us, please contact [email protected] and we will delete it promptly.
13. Changes to this policy
We may update this policy from time to time. When we make a change, we will update the “Effective” date at the top of the page. If we make a material change — for example, adding a new category of personal information we collect, a new subprocessor, or a new purpose of use — we will notify account holders by email or in-app notice before the change takes effect.
14. Data breaches
We maintain an incident response process. If we become aware of a data breach that is likely to result in serious harm to any individual whose personal information we hold, we will notify the Office of the Australian Information Commissioner and the individuals affected without undue delay, as required by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. Where the relevant individuals are in the EU, UK or another jurisdiction with its own breach-notification regime, we will also comply with the equivalent obligations there.
15. Contact us
Privacy questions, access and correction requests, or complaints can be sent to our privacy contact:
[Legal Entity Name]
[Registered Address]
Email: [email protected]
This policy is provided in good faith as a plain statement of our practice. It is not legal advice; we encourage you to take your own advice on how it interacts with your regulatory obligations.