Privacy Policy

Rowshni (“we”, “us”, “our”) operates the application available at https://www.rowshni.xyz. We provide AI-powered accounting reconciliation services that help finance teams match general ledger balances against subledger records and external data sources.

Questions about this policy can be sent to bashiraziz+rowshni@gmail.com.

We collect the following categories of data:

• Account information — your name, email address, and password (hashed) when you create an account.
• Xero accounting data — trial balance figures, account codes, account names, and your Xero organisation name, fetched on your request via the Xero API. We do not collect transaction-level detail, customer records, or bank feeds unless you explicitly request a report that includes them.
• Uploaded files — CSV, TSV, or TXT files you upload for reconciliation (GL exports, subledger exports, transaction files).
• OAuth tokens — access and refresh tokens issued by Xero when you connect your account. These are stored encrypted at rest and used solely to retrieve data on your behalf.
• Usage data — basic request logs (route, timestamp, status code) for operational monitoring. We do not sell or share this data.

We use the data we collect to:

• Authenticate you and maintain your session.
• Fetch accounting reports from Xero on your behalf and present them within the application.
• Run AI-assisted reconciliation analysis against data you upload or import.
• Save your column mappings and reconciliation history so you do not have to reconfigure on each session.
• Send transactional emails related to your account (password reset, etc.).
• Monitor application health and diagnose errors.

We do not use your accounting data to train AI models, sell to third parties, or for any purpose other than providing the service to you.

When you connect your Xero account, you authorise Rowshni to access your Xero data under the following scopes:

• openid, profile, email — to identify your Xero account
• accounting.reports.read — to fetch trial balance and financial reports
• accounting.transactions.read — to fetch transaction-level data when requested
• offline_access — to refresh your access token without requiring you to re-authenticate

You can disconnect Rowshni from your Xero account at any time from the Integrations page. Disconnecting immediately invalidates your stored tokens. You can also revoke access from within Xero at My Xero → Connected Apps.

Rowshni is built on the Xero API. Your use of the Xero integration is also subject to Xero's developer agreements and policies.

Your data is stored on infrastructure operated by our sub-processors:

• Vercel — application hosting and serverless functions (United States).
• Vercel Postgres (Neon) — database storing your account, mappings, Xero tokens, and reconciliation history. Data is encrypted at rest and in transit.
• Vercel Blob / AWS S3 — file storage for uploaded CSVs. Files are stored with access controls scoped to your account.
• Anthropic / OpenAI — AI providers used to analyse reconciliation results. Data sent to these providers is governed by their respective data processing agreements and is not used to train their models under our agreements.

All data is transmitted over HTTPS/TLS. OAuth tokens are stored encrypted. We apply the principle of least privilege — each system component accesses only the data it needs to function.

• Xero OAuth tokens — retained while your Xero integration is active. Deleted immediately on disconnect.
• Uploaded files — retained for 30 days after upload, then automatically deleted.
• Reconciliation history — retained for 12 months, then purged.
• Account data — retained while your account is active. Deleted within 30 days of a verified account deletion request.

We use strictly necessary session cookies to maintain your login state and OAuth flow security (CSRF state tokens). We do not use advertising or tracking cookies. Our analytics provider (Vercel Analytics) collects aggregate, anonymised page view data only — no individual tracking.

We may update this policy from time to time. Material changes will be communicated by updating the effective date above and, where appropriate, by email. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

For privacy-related questions or requests, contact us at bashiraziz+rowshni@gmail.com.