Privacy Policy
Last updated: 2 July 2026
OZ BookSync (“we”, “us”, “our”) is a service that connects your WooCommerce store to your Xero accounting organisation. It is operated by OZ Web Expert. This policy explains what information we handle when you use OZ BookSync, why, and the choices you have. We handle personal information in line with the Australian Privacy Principles (Privacy Act 1988) and the New Zealand Privacy Act 2020.
Information we handle
| Data | Why | Kept? |
|---|---|---|
| Store details (your site URL and a generated shared secret) | To identify and authenticate your store’s requests | Until you disconnect |
| Xero connection (OAuth access & refresh tokens, organisation id and name) | To create records in your Xero organisation on your behalf | Encrypted; until you disconnect |
| Order details (customer name/email, line items, amounts) sent when an order syncs | To create the matching invoice, credit note or payment in Xero | Not stored — passed through only to Xero |
| Sync metadata (order id, resulting invoice/credit-note id and number, status, any error) | To avoid duplicates, show a sync log, and support you | Retained |
| Contact form (name, email, message) | To respond to your enquiry | Retained |
| Technical data (IP address for rate limiting; diagnostic error reports) | Security and reliability | Short-term / as needed |
We do not store the content of your orders. Order data passes through our service only to create the corresponding record in your Xero organisation, and is not retained afterwards. Diagnostic error reports are configured not to include order personal information.
How we protect it
- Xero tokens are encrypted at rest.
- Requests between your store and our service are signed (HMAC) and sent over TLS.
- Access to our systems is restricted, and we apply rate limiting and monitoring.
Where your data is stored
The OZ BookSync service is hosted in Australia. Your store connection, your encrypted Xero tokens and your sync metadata are stored in Australia. A few supporting providers may process limited data outside Australia, as noted below — but your order content is only ever sent to your Xero organisation, never to those providers.
Who we share it with
We do not sell your information. We use a small number of service providers (“sub-processors”) to run OZ BookSync:
- Xero — the accounting platform you connect; we send your invoices, credit notes and payments there at your instruction.
- Our Australian cloud hosting provider — runs the OZ BookSync service and stores your connection and sync metadata.
- Cloudflare — content delivery and security; may process technical request data (such as your IP address) overseas.
- An error-tracking provider — receives technical diagnostics overseas (no order or Xero information).
- Our messaging workflow — delivers contact-form enquiries to us.
Your choices and rights
- Disconnect at any time from the plugin — this revokes and removes your stored Xero connection and tokens.
- Request access to, or correction of, the personal information we hold about you.
- Request deletion of your data where we are not required to keep it.
- Make a privacy complaint. In Australia you may also contact the Office of the Australian Information Commissioner (oaic.gov.au); in New Zealand, the Office of the Privacy Commissioner (privacy.org.nz).
Changes
We may update this policy from time to time. The “last updated” date above shows the current version.
Contact
For any privacy question or request, please contact us.