Privacy Policy
Last updated: February 2026
This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use SocialyBox (the "Service").
1. Information We Collect
- Account data: name, email, business profile details
- Usage data: page views, link clicks, device information
- Content: links, media, profile images you upload
- Technical: IP address, browser, approximate location
- Financial data: POS transactions, sales records, orders, and expenses you create within SocialyBox
2. How We Use Information
- Provide and improve the Service
- Generate analytics and performance insights
- Communicate updates and security notices
- Detect abuse, fraud, or policy violations
- Sync financial records to connected accounting providers at your direction
3. Cookies & Tracking
We use essential and performance cookies. Where legally required we display consent banners and respect preferences.
4. Data Sharing
We do not sell personal data. Limited sharing may occur with infrastructure providers under strict contractual safeguards.
5. Third-Party Accounting Integrations (QuickBooks & Xero)
When you connect an accounting provider, we process additional data as described below. This section is provided to meet the requirements of the Intuit Developer Program and the Xero App Partner Program.
5.1 What Accounting Data We Access
When you authorize a connection, SocialyBox accesses the following from your accounting organization:
- QuickBooks Online: Company information, invoice and bill creation endpoints. We create invoices (for revenue) and bills (for expenses) in draft status.
- Xero: Organisation information, connected tenant details, invoice and bill creation endpoints. We create ACCREC invoices (revenue) and ACCPAY bills (expenses) in draft status.
We do not access your bank feeds, payroll data, employee information, payment card numbers, or any data outside the scopes listed above.
5.2 How We Use Accounting Data
Data from QuickBooks or Xero is used exclusively to:
- Create draft invoices and bills that mirror your SocialyBox POS transactions, sales, orders, and expenses
- Maintain connection status and sync history for audit purposes
- Refresh OAuth tokens to keep the integration active
We do not use accounting data for advertising, profiling, creditworthiness assessments, insurance underwriting, employment screening, or any purpose unrelated to your accounting sync.
5.3 OAuth Tokens & Credential Storage
- OAuth access tokens and refresh tokens are stored server-side in our database. They are never exposed to the browser or included in client-side code.
- Tokens are transmitted exclusively over TLS 1.2+ encrypted connections.
- We do not log, cache, or store your QuickBooks or Xero password at any point. Authentication uses the OAuth 2.0 authorization code flow.
- Refresh tokens are rotated on every refresh cycle — the old token is replaced with the new one.
5.4 Data We Store from Providers
| Data | Purpose | Retention |
|---|---|---|
| OAuth access token | API authentication | Until expiry or disconnection |
| OAuth refresh token | Token renewal | Until disconnection |
| Xero Tenant ID / QB Realm ID | Route API calls to correct org | Until disconnection |
| Xero connected tenants list | Tenant selection | Until disconnection |
| Sync run history (date, status, external invoice/bill IDs) | Audit trail and idempotency | 24 months |
5.5 Third-Party Sharing of Accounting Data
We do not share, sell, or transfer your QuickBooks or Xero data to any third party. Accounting data is transmitted only between SocialyBox servers and the provider's API endpoints.
5.6 Disconnection & Data Deletion
You may disconnect your accounting provider at any time from the SocialyBox dashboard. Upon disconnection:
- OAuth tokens are revoked with the provider (QuickBooks or Xero)
- Stored access tokens, refresh tokens, tenant IDs, and connection metadata are permanently deleted
- Sync history (run dates, status codes, external reference IDs) is retained for up to 24 months for audit purposes
- Draft documents already created in your accounting software remain unless you delete them manually
If you delete your SocialyBox account entirely, all accounting data including sync history, credentials, and configuration is permanently deleted within 30 days.
5.7 Provider Privacy Policies
Your relationship with your accounting provider is governed by their own policies:
- Intuit (QuickBooks): https://www.intuit.com/privacy/
- Xero: https://www.xero.com/legal/privacy/
6. Data Retention
We retain data while your account is active and as needed for legitimate business or legal purposes. Aggregated analytics may persist. For accounting-specific retention, see Section 5.4 above.
7. Your Rights
Depending on your jurisdiction (GDPR, CCPA, Australian Privacy Act, etc.) you may request access, correction, deletion, portability, or export of your data, including all accounting-related data. Contact privacy@socialybox.com.
8. Security
We implement industry-aligned safeguards including TLS 1.2+ encryption in transit, encrypted storage of credentials, rate limiting, access controls, and server-side-only token handling. No system is 100% secure. In the event of a data breach affecting accounting data, we will notify affected users and the relevant provider within 72 hours as required by applicable law.
9. International Transfers
Data may be processed in regions where we or our providers operate, subject to adequate protections including Standard Contractual Clauses where applicable.
10. Changes
We may update this Policy. Material changes will be communicated. Continued use indicates acceptance.
11. Contact
Questions or requests: privacy@socialybox.com.