Privacy Policy
Last updated: 1 March 2025
Effective: 1 March 2025
The short version: We connect your Xero account to Attio. We only access the data needed to make that work. We never sell your data. You can disconnect and delete your data at any time.
1. Who we are
Magely for Attio ("the App", "we", "us") is an independent software application that integrates Xero accounting software with the Attio CRM platform. This privacy policy explains how we collect, use, and protect your data when you use our app.
For questions about this policy, contact us at: [email protected]
2. Data we collect
We collect only what is necessary to provide the integration service:
- From Xero: Contact names, email addresses, phone numbers, and company names. Invoice numbers, amounts, due dates, and payment status. Your Xero organisation name and tenant ID. OAuth access tokens and refresh tokens (stored encrypted).
- From Attio: Deal names, deal values, pipeline stage names. Contact and company record IDs. Your Attio workspace ID. OAuth access tokens (stored encrypted).
- Account data: Your email address (via Stripe for billing). Subscription plan and billing status.
We do not collect: bank account details, payroll data, tax identification numbers, passwords, or any data beyond what is required for the sync to function.
3. How we use your data
We use your data exclusively to:
- Sync contacts between Xero and Attio
- Create invoices in Xero from Attio deal records
- Update invoice status on Attio deal records when payments are received
- Send you transactional emails about your subscription (billing, trial expiry)
- Diagnose and fix sync errors
We do not use your data for advertising, analytics resale, or any purpose beyond providing the integration service.
4. Data storage and security
Your data is stored on servers located in the European Union. We use the following security measures:
- OAuth tokens are stored encrypted at rest using AES-256 encryption
- All data in transit is encrypted via TLS 1.2 or higher
- Database access is restricted to application processes only — no human access to production data without explicit incident investigation
- Refresh tokens are rotated on every use
We use Railway (EU region) for hosting and PostgreSQL for data storage, both of which maintain SOC 2 compliance.
5. Third-party services
We share data with the following third parties only as necessary to provide the service:
- Xero Ltd — to read and write accounting data on your behalf. Governed by Xero's Privacy Policy.
- Attio Ltd — to read and write CRM data on your behalf. Governed by Attio's Privacy Policy.
- Stripe Inc — to process subscription payments. We share your email address and a workspace identifier. Governed by Stripe's Privacy Policy. We never store your payment card details.
- Railway Technologies — infrastructure hosting provider. Data does not leave EU servers.
We do not share your data with any other third parties, data brokers, or advertising networks.
6. Data retention
We retain your data for as long as your account is active. Specifically:
- OAuth tokens: retained while your account is connected. Deleted immediately upon disconnection.
- Sync logs: retained for 90 days for debugging purposes, then automatically deleted.
- Account data (workspace ID, plan, billing info): retained for 12 months after account closure to handle any billing disputes, then permanently deleted.
You can request immediate deletion of all your data by emailing [email protected]. We will action deletion requests within 30 days.
7. Your rights (UK GDPR)
If you are based in the United Kingdom or European Economic Area, you have the following rights under GDPR:
- Right of access: Request a copy of all personal data we hold about you.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your personal data.
- Right to data portability: Request your data in a machine-readable format.
- Right to object: Object to processing of your personal data.
- Right to restrict processing: Request that we limit how we use your data.
To exercise any of these rights, email [email protected]. We will respond within 30 days. If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
8. Disconnecting the app
You can disconnect Magely from your accounts at any time:
- From Attio: Go to Settings → Apps → Magely → Disconnect.
- From Xero: Go to Xero → Settings → Connected Apps → Revoke Magely access.
Disconnecting immediately revokes all access tokens and stops all sync operations. Your existing data in Attio and Xero is not affected — we only remove our stored tokens and sync configuration.
9. Terms of service (summary)
By using Magely for Attio, you agree that:
- You have the right to authorise our access to your Xero and Attio accounts
- You will not use the app for any unlawful purpose
- We are not affiliated with or endorsed by Xero Ltd or Attio Ltd
- The app is provided "as is" — we make no guarantees about uptime or data accuracy, though we work hard to maintain both
- Subscription fees are non-refundable except where required by law
- We reserve the right to terminate accounts that abuse the service
Full terms of service are available on request at [email protected].
10. Changes to this policy
We will notify you of material changes to this privacy policy via email (the address associated with your Stripe account) at least 14 days before they take effect. The current version is always available at this URL.