Privacy Policy

Xeler respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, and protect your data when you use our tools and services.

2.1 Automatically Collected Data

• Email address (for account access)
• Usage data (which tools you use and when)
• Device information
• IP address and location data

2.2 Data You Provide

• Business and personal expenses
• Lead information and contact details
• Income goals and financial data
• Subscription and service information

2.3 Proposal Signing Data

When you sign or decline a proposal, we collect the following data to execute the agreement and maintain a legally required audit trail (GDPR Art. 6(1)(b) — contract performance):

• Full legal name and email address
• Signature image (drawn or typed)
• IP address and browser information
• Consent acknowledgment text
• Timestamp of signing

• To provide and improve our tools and services
• To process payments and manage your account
• To calculate rates and provide financial insights
• To track leads and manage your business data
• To comply with legal obligations

All your data is encrypted and stored securely. We use industry-standard encryption methods to protect your information. Your financial data and business information are never shared with third parties without your explicit consent.

We retain your data for the following periods, after which it is permanently deleted:

• Signed proposals and audit trail: 7 years from the date of signing (required by Dutch tax law — AWR Art. 52)
• Rejected proposals: 2 years from the date of rejection
• Proposal view records: 2 years
• Draft proposals: Deleted upon request or account closure
• Account data: Deleted upon account closure, except where retention is legally required

We use the following third-party sub-processors to deliver our services:

• Neon — PostgreSQL database hosting (EU region). Processes and stores all application data.
• Resend — Transactional email delivery. Processes email addresses for verification codes and notifications.
• Vercel — Application hosting and edge network. Processes requests and serves the application.

We also use Stripe (payment processing) and Upstash (rate-limit and session caching), and — only when you connect it — Google Workspace APIs (Slides/Drive export for strategy presentations). The complete, always-current list with locations and DPA links is published on our Subprocessors page. All sub-processors are bound by GDPR-compliant Data Processing Agreements (DPAs). Where data is transferred outside the EU/EEA, Standard Contractual Clauses (SCCs) are in place to ensure adequate protection.

You have the right to:

• Access your personal data
• Correct inaccurate data
• Request deletion of your data (note: signed proposals and their audit trail are retained for 7 years as required by Dutch tax law — AWR Art. 52)
• Export your data
• Object to processing of your data

If you have questions about this privacy policy or wish to exercise your rights, please contact us at support@rawww.online

9.1 Data We Access

• Calendar events (titles, start/end times, descriptions) — via the calendar.readonly scope
• Your email address — via the userinfo.email scope, used to identify your account

9.2 How We Use This Data

• Calendar events are matched against user-defined mapping rules to create time entries in Moneybird
• Your email address is used to link your Google account within the app
• Data is only used for the purpose of syncing time entries — never for advertising, analytics, or any other purpose

9.3 Data Storage

Calendar event data is stored locally on your device in an encrypted SQLite database (AES-256-GCM via SQLCipher). OAuth tokens are encrypted at rest and stored in your operating system's secure keychain where available. The email addresses linked to your Google accounts are sent to our license server only for seat-count verification of your subscription. No calendar event content ever leaves your device except when you choose to sync it to your own Moneybird account.

9.4 Revoking Access

You can disconnect your Google account at any time from the Connections tab in TimeSync. You can also revoke access from your Google Account settings at myaccount.google.com/permissions. Upon disconnection, all stored tokens and calendar data are deleted from your device.