Xovron

Privacy Policy

Last updated: 2026-05-08 · Joorus Inc.

This Privacy Policy explains how Joorus Inc. ("Xovron", "we", "us") collects, uses, discloses, and protects information about you when you use our document automation platform. We are committed to complying with GDPR (EU), PIPEDA (Canada), UK GDPR, and other applicable privacy laws worldwide. By using Xovron you agree to the practices described in this policy.

1. Information We Collect

  • Account information: Email address, company name, billing country
  • Financial documents: PDFs, images, and scans you upload — processed for data extraction only
  • Usage data: Login times, feature interactions, document processing history
  • Payment data: Stripe customer ID and subscription status — we never store card numbers or bank details
  • Technical data: IP address (hashed within 24 hours), browser type, device type, session identifiers
  • Consent records: Timestamp, IP hash, Terms version accepted, and whether links were opened prior to acceptance
  • Support data: Messages sent via our contact form or support channels

2. How We Use Your Data

  • Providing the Xovron service: document extraction, approval workflows, accounting integration
  • Processing payments via Stripe (we are not PCI-DSS certified — Stripe handles all card data)
  • Sending transactional emails: login codes, approval notifications, billing alerts, security alerts
  • Diagnosing technical issues and improving service reliability
  • Complying with legal obligations including financial recordkeeping requirements
  • Security monitoring, fraud detection, and abuse prevention
  • We do not use your data for advertising, profiling, or to train AI models

3. AI Processing Disclosure

  • Documents you upload are sent to an AI service provider for data extraction — this is core to the service
  • We transmit document content only — we strip account identifiers from AI requests where possible
  • The AI service provider processes data under its own privacy policy and applicable SCCs
  • AI-extracted data is presented for human review — it is NOT automatically posted to any accounting system
  • AI extraction results may contain errors; you are responsible for verifying all extracted values
  • Each document shows whether AI processing was applied (visible in the document detail view)
  • By uploading documents you consent to AI processing as described

4. Sub-processors and Data Sharing

  • Anthropic (AI service provider) — document content for extraction; processes under Anthropic's DPA
  • Stripe — payment processing and subscription billing; headquartered in USA; covered by their SCCs
  • Cloudflare — DDoS protection, CDN, Turnstile bot protection; EU data addendum available
  • Hetzner — cloud infrastructure hosting in Germany (EU); covered by Hetzner DPA
  • Postmark / Mailgun — transactional email delivery; processes email addresses only
  • QuickBooks / Xero / other accounting integrations — only when you explicitly connect these
  • We do not sell, rent, or trade your personal data to any third party for commercial purposes

5. Your Rights (GDPR / PIPEDA / UK GDPR)

  • Right of access: Download all your data at Settings > Export Data (JSON format, includes all documents and ledger entries)
  • Right to rectification: Update your profile information at any time in Settings
  • Right to erasure ("right to be forgotten"): Delete your account at Settings > Delete Account — data is purged after 90 days
  • Right to data portability: One-click export at Settings > Export Data
  • Right to restrict processing: Contact us via xovron.com/contact to request restriction
  • Right to object: You may object to any processing via our contact form
  • Right to withdraw consent: Withdraw by deleting your account; withdrawal does not affect prior lawful processing
  • Right to lodge a complaint: You may contact your local data protection authority (e.g. ICO in the UK, DPC in Ireland)

6. Data Retention

  • Active accounts: Data retained while your account is active
  • After cancellation or deletion request: 90-day read-only grace period, then permanent irreversible deletion
  • Financial audit logs: Retained for 7 years in anonymised form (no personally identifiable information)
  • Stripe payment records: Retained per Stripe's legal requirements (typically 7 years)
  • Entries posted to QuickBooks / Xero: Remain in your accounting software — outside our control after posting
  • Support tickets: Retained for 3 years for legal compliance

7. Security Measures

  • AES-256-GCM encryption for all data at rest, including uploaded documents and extracted fields
  • TLS 1.3 for all data in transit — enforced via Cloudflare, no HTTP fallback
  • Row-level security (RLS) in PostgreSQL — each user can only access their own organisation's data
  • Two-factor authentication (TOTP) available for all accounts
  • Annual third-party penetration testing by an independent security firm
  • Access to production data by Xovron staff requires MFA and is fully audit-logged
  • Automated vulnerability scanning and dependency security monitoring
  • No security system is 100% impenetrable — we cannot guarantee that unauthorised access will never occur

8. International Data Transfers

  • Primary infrastructure is hosted in Germany (Hetzner, EU region)
  • AI processing (Anthropic) may involve transfer to the United States — covered by Anthropic's Standard Contractual Clauses
  • Stripe payment processing occurs in the USA — covered by Stripe's SCCs and Data Processing Agreement
  • Cloudflare operates globally — processes only connection metadata for security purposes; covered by Cloudflare's DPA
  • All transfers outside the EU/EEA are covered by Standard Contractual Clauses (SCCs) or adequacy decisions

9. Cookies and Tracking

  • We use strictly necessary cookies only: session cookies for authentication (httpOnly, Secure, SameSite=Strict)
  • No advertising cookies, no cross-site tracking, no third-party analytics (e.g. Google Analytics)
  • Cloudflare Turnstile (bot protection) uses a privacy-preserving challenge mechanism — no persistent tracking
  • You may not be able to use the service without session cookies as they are required for login

10. Contact & Data Protection Inquiries

For privacy requests, data access, or Data Protection Officer inquiries: Contact form

Joorus Inc. · xovron.com

support@xovron.com · Global Operations

We aim to respond to all privacy requests within 30 days as required by GDPR. EU/UK users may also lodge a complaint with their local supervisory authority.