Privacy Policy
Last updated: 10 June 2026
SpaceARHQ ("we", "us") provides accounts-receivable automation for businesses using Xero. This policy explains what data we process, why, and the rights you have. It applies to spacearhq.com and the application at app.spacearhq.com.
1. Who we are
SpaceARHQ is operated from Ireland and this policy is governed by Irish law and the EU General Data Protection Regulation (GDPR). For any privacy matter, contact hello@spacearhq.com.
2. Data we process
Account data
Name, email address, and authentication identifiers, managed through our sign-in provider (Clerk).
Accounting data from Xero
When you connect Xero, we sync your customer contacts and invoice records (names, email addresses, invoice amounts, due dates, payment status). We access only what is needed to run AR collections. Xero OAuth tokens are stored encrypted at rest.
Email data
When you connect a Microsoft 365 mailbox, we read and send messages in that mailbox to triage AR correspondence and send reminders on your behalf. OAuth tokens are stored encrypted at rest.
Usage data
Standard application logs and error reports (via Sentry) used to keep the service reliable.
3. AI processing
We use Anthropic's Claude models to classify and summarise AR emails. We apply strict data minimisation:
- Only email content (truncated) and anonymised, aggregated ledger summaries are sent to the AI — never your raw Xero records, tokens, or credentials.
- Emails from senders not matching an approved Xero contact are never processed by AI.
- Every AI action is recorded in an audit log you can review in the app.
- AI requests are not used by us to train models.
4. Sub-processors
| Provider | Purpose | Region |
|---|---|---|
| Microsoft Azure | Hosting (API, frontends) | EU (Ireland / West Europe) |
| Supabase | Database | EU (Ireland) |
| Upstash | Cache / queue | EU |
| Clerk | Authentication | EU/US (SCCs) |
| Anthropic | AI email classification | US (SCCs) |
| Microsoft Graph | Mailbox access | Your Microsoft 365 region |
| Xero | Accounting data source | Per your Xero subscription |
| Sentry | Error monitoring | EU |
5. Legal bases
We process data to perform our contract with you (Art. 6(1)(b)), to pursue our legitimate interest in operating and securing the service (Art. 6(1)(f)), and to comply with legal obligations (Art. 6(1)(c)).
6. Retention
We keep your data while your account is active. On termination, or on request, your tenant's data is deleted. Backups roll off on a fixed schedule thereafter.
7. Your rights
You have the GDPR rights of access, rectification, erasure, restriction, portability, and objection. The app includes built-in data export (Art. 20) and deletion request (Art. 17) functions, or you can email hello@spacearhq.com. You may lodge a complaint with the Irish Data Protection Commission (dataprotection.ie).
8. Security
Data is encrypted in transit (TLS) and at rest. OAuth tokens are additionally encrypted at the application layer. Access is isolated per tenant, every query is scoped to your organisation, and all automated actions are written to an immutable audit log.
9. Changes
We will post any changes to this policy on this page and update the date above. Material changes will be notified by email.