Privacy Policy
Last updated: 4 April 2026
1. Introduction
RecurDesk ("we", "us", "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website (recurdesk.com), web application, and related services (collectively, the "Service").
By using RecurDesk, you consent to the practices described in this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, and password when you register.
- Profile information: Profile picture, display name, and preferences.
- Workspace data: Company name, billing address, tax identifiers, and workspace settings.
- Customer and financial data: Customer names, contact details, invoice data, subscription records, and payment information you enter into the Service.
- Communications: Messages you send via our support or chat features.
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, timestamps, and actions performed.
- Device and browser information: IP address, browser type, operating system, and device identifiers.
- Authentication data: Login timestamps, session tokens, and two-factor authentication status.
2.3 Information from Third Parties
- Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture from Google.
- Xero: If you connect your Xero account, we access contacts, invoices, accounts, and payment data from your Xero organisation as authorised by you.
3. How We Use Your Information
We use your information to:
- Provide, operate, and maintain the Service.
- Process billing, generate invoices, and manage subscriptions.
- Send transactional emails (invoice delivery, subscription confirmations, password resets, billing notifications).
- Authenticate your identity and secure your account.
- Respond to support requests and communications.
- Improve, personalise, and develop the Service.
- Comply with legal obligations.
We do not sell your personal information to third parties. We do not use your data for advertising purposes.
4. Data Storage and Security
Your data is stored on Amazon Web Services (AWS) infrastructure in the Asia-Pacific (Sydney) region, unless you select a different workspace region. We implement industry-standard security measures, including:
- Encryption in transit (TLS/HTTPS) for all communications.
- Encryption at rest for database storage (AWS RDS encryption).
- Secure password hashing (bcrypt).
- JWT-based authentication with 7-day token expiry.
- Optional two-factor authentication (TOTP).
- Role-based access control within workspaces.
While we take reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure.
5. Multi-Tenant Data Isolation
RecurDesk uses a database-per-tenant architecture. Each workspace has its own isolated database, ensuring that your business data is completely separated from other customers. No other tenant can access your data.
6. Third-Party Services
We integrate with the following third-party services:
- Amazon Web Services (AWS): Infrastructure hosting and email delivery (SES).
- Google: OAuth authentication (sign in with Google).
- Xero: Accounting integration (contacts, invoices, payments) — only when you explicitly connect your Xero account.
Each third-party service is governed by its own privacy policy. We only share the minimum information necessary for each integration to function.
7. Data Retention
- Account data: Retained for the life of your account. You can request deletion at any time.
- Financial records: Invoices, billing logs, and transaction records are retained permanently as required for financial compliance. Invoices can be voided but not deleted.
- Workspace data: When a workspace is deleted, the tenant database and all its contents are permanently removed.
- Soft-deleted records: Customers, products, and subscriptions that are "deleted" are soft-deleted (marked inactive) to preserve financial record integrity. They can be permanently removed upon request.
8. Your Rights
You have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your account and associated personal data.
- Export your data in a portable format.
- Withdraw consent for optional data processing (e.g., marketing emails).
- Object to processing of your personal data in certain circumstances.
To exercise any of these rights, contact us at privacy@recurdesk.com.
9. Cookies
RecurDesk uses minimal cookies and local storage:
- Authentication token: Stored in localStorage to keep you logged in (see our Keep Me Logged In policy).
- Workspace preferences: Your selected workspace and UI preferences.
We do not use third-party tracking cookies or analytics cookies.
10. Children's Privacy
RecurDesk is a business-to-business service and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
- Email: privacy@recurdesk.com
- Entity: RecurDesk