Privacy Policy
Last updated: April 2026
1. Who we are
Rooby (“we”, “us”, “our”) of 51–59 Rose Lane, Norwich, NR1 1BY is the data controller for personal data processed through this service. To contact us about data privacy: hello@rooby.co.uk.
2. What data we collect
We collect and process the following categories of data:
- Account data: your name, company name, email address, and login credentials (passwords are hashed; we do not store them in plain text).
- Xero financial data: profit & loss figures, balance sheet entries, VAT return data, and organisation details drawn from your connected Xero account via the Xero API.
- Usage data: log data including IP addresses, browser type, pages visited, and timestamps, collected automatically when you use Rooby.
We do not collect payment card details. We do not sell your data to third parties.
3. How we use your data
We use your data to:
- Provide the Rooby service, calculate and display tax deadlines and estimates
- Maintain the security and integrity of the platform
- Comply with legal obligations
4. Legal basis for processing
Under UK GDPR, we rely on the following legal bases:
- Contract: processing necessary to provide the Rooby service to you.
- Legitimate interests: security monitoring, fraud prevention, and service improvement.
5. Data storage and security
Your data is stored in London, UK infrastructure. We use industry-standard encryption in transit (TLS 1.3) and at rest (AES-256). Xero OAuth tokens are encrypted with KMS and stored separately from the data they protect.
We retain your data for as long as you have an active account, and for up to 6 years after account closure to comply with HMRC record-keeping requirements.
6. Third parties
We share data with the following sub-processors to operate the service:
- Supabase, database, authentication, and file storage (London, UK)
- Vercel, application hosting and serverless processing (London, UK)
- Stripe UK Ltd, payment processing (handles billing data only; no client financial data is shared)
- Brevo, transactional email, account notifications and alerts (France, EU, covered by UK GDPR adequacy)
- Xero, source of client financial data via OAuth read access, processed under Xero's own data processing terms
- Companies House, UK public company register (director and company data lookup)
We do not sell your data or share it with any other third parties for marketing or advertising purposes.
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request erasure of your data (subject to legal retention requirements)
- Object to processing or request restriction
- Data portability
- Withdraw consent for marketing at any time
To exercise any of these rights, email hello@rooby.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
Rooby uses strictly necessary cookies for authentication (session management). We do not use tracking, advertising, or analytics cookies.
9. Changes to this policy
We may update this policy periodically. The “last updated” date above will reflect any changes. Material changes will be communicated by email.