Privacy Policy
Last updated: January 2026
1. Introduction
Finlo ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
2. Information We Collect
We collect information that you provide directly to us:
- Account Information: Name, email address, and password when you create an account.
- Xero Data: When you connect your Xero account, we access read-only financial data including transactions, invoices, bills, and contacts to perform health checks.
- Usage Data: Information about how you use our service, including features accessed and actions taken.
- Payment Information: Billing details processed securely through Stripe.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Run daily health checks on your connected Xero organisations
- Send you email digests and notifications
- Process payments and manage subscriptions
- Respond to your comments, questions, and support requests
- Monitor and analyse trends, usage, and activities in connection with our services
4. Xero Data Access
We access your Xero data using Xero's official OAuth 2.0 authentication. We only request read-only access to the data necessary to perform health checks. We do not modify, delete, or write any data to your Xero account.
Your Xero access tokens are encrypted and stored securely. You can disconnect your Xero account at any time from your settings.
5. Data Retention
We retain your data for as long as your account is active or as needed to provide you with services. Health check results are retained according to your subscription tier (7-90 days). If you delete your account, we will delete your personal data within 30 days.
6. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit and at rest
- Regular security assessments
- Access controls and authentication
- Secure hosting on industry-leading platforms
7. Your Rights
Under UK data protection law (UK GDPR), you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Object to processing of your data
- Request data portability
To exercise these rights, contact us at hello@finlo.uk.
8. Cookies
We use essential cookies to maintain your session and preferences. We do not use tracking or advertising cookies.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.
10. Contact Us
If you have any questions about this Privacy Policy, please contact us at hello@finlo.uk.