Privacy Policy

Last updated: February 2026

Overview

Xero Expense Report Generator (“the App”) is a web-based tool that helps you generate PDF expense reports from your Xero accounting data. We are committed to protecting your privacy and being transparent about how we handle your information.

Data We Access

When you connect your Xero account, we request read-only access to:

  • Your Xero profile information (name and email, via OpenID Connect)
  • Organisation settings (for organisation name and details)
  • Invoices and transactions (to list and display expense data)
  • Attachments (to retrieve receipt images for your reports)
  • Contacts (to display payee information)

If you choose to attach a generated PDF report to an invoice in Xero, the App will request additional write permissions. This is done via a separate authorisation prompt and only when you explicitly request it.

Data Storage

We do not store your data on our servers. Specifically:

  • Your Xero access tokens are stored only in your browser’s session storage. They are automatically cleared when you close the browser tab.
  • No Xero data (invoices, contacts, attachments, or other accounting information) is persisted on our servers or in any database.
  • PDF reports are generated entirely in your browser and are not uploaded to or stored on our servers.
  • All communication with Xero’s API is proxied through our server solely for authentication purposes. No request or response data is logged or retained.

Cookies

The App uses only essential cookies required for the OAuth 2.0 authentication flow:

  • xero_oauth_state — A CSRF protection token, valid for 10 minutes, used during the Xero login process.
  • xero_pkce_verifier — A PKCE code verifier, valid for 10 minutes, used to securely complete the OAuth exchange.

Both cookies are HTTP-only, short-lived, and used solely for legitimate security purposes during authentication. We do not use any tracking, analytics, or advertising cookies.

Third-Party Services

The App relies on the following third-party services:

  • Xero (Privacy Policy) — Your accounting data provider. Access is governed by Xero’s OAuth 2.0 consent flow and their own privacy policy.
  • Vercel (Privacy Policy) — Our hosting and infrastructure provider. Vercel acts as a data processor and may process request metadata (IP addresses, request logs) as part of standard web hosting operations.

Your Rights

Since we do not store your personal data, there is no persistent data to access, correct, or delete. You can revoke the App’s access to your Xero account at any time from your Xero Connected Apps settings.

Children’s Privacy

The App is not intended for use by individuals under the age of 18. We do not knowingly collect information from children.

Changes to This Policy

We may update this privacy policy from time to time. Any changes will be reflected on this page with an updated date. Your continued use of the App constitutes acceptance of the revised policy.

Contact

If you have any questions about this privacy policy, please open an issue on our GitHub repository.