Xovron

Privacy Policy

Last updated: 2026-03-01 · Joorus Inc.

This Privacy Policy explains how Joorus Inc. ("Xovron", "we") collects, uses, discloses, and protects information about you when you use our document automation platform. We comply with GDPR (EU), PIPEDA (Canada), UK GDPR, and other applicable privacy laws.

1. Information We Collect

  • Account information: Email address, company name, country
  • Financial documents: PDFs, images, and scans you upload (processed by AI service provider)
  • Usage data: Login times, feature usage, document processing history
  • Payment data: Stripe customer ID and subscription status (we never store full card numbers)
  • Technical data: IP address (hashed), browser type, device information
  • Consent records: Timestamp, IP hash, and version of consent given

2. How We Use Your Data

  • Delivering the Xovron service: extracting document data, managing approval workflows
  • Processing payments via Stripe
  • Sending transactional emails (login codes, approval notifications, billing alerts)
  • Improving service quality and debugging issues
  • Compliance with legal obligations (tax records, financial regulations)
  • Security monitoring and fraud prevention

3. AI Processing

  • Documents are processed by AI service provider for data extraction
  • AI Service provider's privacy policy applies to this processing
  • We transmit only the document content — no personal identifiers are included in AI prompts
  • AI extractions are reviewed by humans before any accounting entries are created
  • You have the right to know when AI has processed your data (shown on each document)

4. Data Sharing

  • AI Service provider — document content for extraction only
  • Stripe — payment processing and subscription management
  • QuickBooks/Xero — when you connect your accounting software
  • Hetzner — cloud infrastructure hosting in Helsinki, Finland (EU)
  • We do not sell your data to any third parties
  • We do not use your financial data for advertising

5. Your GDPR/PIPEDA Rights

  • Right of access: Download all your data at Settings > Export Data
  • Right to rectification: Edit your profile at any time
  • Right to erasure: Delete your account at Settings > Delete Account (90-day data retention window)
  • Right to data portability: JSON export available at all times
  • Right to object: Contact [email protected]
  • Right to withdraw consent: You may delete your account at any time

6. Data Retention

  • Active accounts: Data retained while account is active
  • After account deletion: Data permanently purged after 90 days
  • Financial audit logs: Retained 7 years (anonymised — no PII)
  • Stripe payment records: Retained per Stripe's legal requirements
  • QB/Xero posted entries: Remain in your accounting software (outside our control)

7. Security

  • AES-256-GCM encryption for OAuth tokens and sensitive data at rest
  • TLS 1.3 for all data in transit
  • Row-level security: each user can only access their own data
  • Multi-factor authentication (TOTP) available for all accounts
  • Regular security audits and automated vulnerability scanning
  • All employee access to production data requires MFA and is logged

8. International Transfers

  • Data is stored in Hetzner servers in Helsinki, Finland (EU)
  • AI processing via AI service provider may involve data transfer to their location under AI service provider's SCCs
  • Stripe processes payments in the USA under their Privacy Shield/SCCs
  • We use Standard Contractual Clauses (SCCs) for all third-party transfers

9. Contact & DPO

Data Protection inquiries: [email protected]

Joorus Inc. · xovron.com · [email protected]