Privacy Policy
Last updated: February 2025
1. Who we are
Practora (“we”, “us”, “our”) is the data controller responsible for your personal data. If you have questions about how we process your data or wish to exercise your rights, contact us at privacy@practora.com.
2. Data we collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, company/practice name | You, on sign-up |
| Integration data | Slack workspace ID, Microsoft Teams tenant ID, Xero organisation ID | OAuth connections |
| Financial documents | Invoice PDFs, receipt images, extracted data (supplier names, amounts, addresses) | Uploaded by you via Slack/Teams |
| Usage data | Pages visited, features used, commands run | Analytics (with your consent) |
| Technical data | Browser type, device information | Automatically collected |
3. How and why we use your data
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Provide and operate the Practora service | Performance of a contract (Art. 6(1)(b)) |
| Authenticate you via magic link email | Performance of a contract (Art. 6(1)(b)) |
| Process invoices and create bills in your accounting software | Performance of a contract (Art. 6(1)(b)) |
| Generate financial reports and CFO briefings | Performance of a contract (Art. 6(1)(b)) |
| Improve GL coding accuracy through learned corrections | Legitimate interest (Art. 6(1)(f)) — improving service quality |
| Analytics to understand usage and improve the product | Consent (Art. 6(1)(a)) — you can opt out via cookie preferences |
| Prevent fraud and ensure security | Legitimate interest (Art. 6(1)(f)) |
4. AI and automated processing
Practora uses AI to extract data from invoices and receipts, predict General Ledger account codes, and generate financial briefings. These automated processes:
- Always produce draft outputs that require your review and approval before any action is taken in your accounting software.
- Learn from your corrections to improve accuracy over time.
- Do not make decisions that produce legal or similarly significant effects without human oversight.
You can request a human explanation of any automated output by contacting us at privacy@practora.com.
5. Who we share data with
We share personal data only with processors that are necessary to deliver the service. Each processor operates under a Data Processing Agreement (DPA).
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and file storage | EU / US |
| Azure OpenAI | Invoice data extraction (AI processing) | EU / US |
| Xero | Accounting software integration | AU / NZ / UK |
| Slack | Chat-based workflow and notifications | US (EU available with Enterprise Grid) |
| Microsoft Teams | Chat-based workflow and notifications | Configurable |
| Resend | Transactional email delivery | US |
| PostHog | Product analytics (with consent only) | EU |
| Langfuse | AI observability and quality monitoring | EU |
| Heroku (Salesforce) | Application hosting | EU / US |
6. International transfers
Some of our processors operate outside the UK/EEA. Where this is the case, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) or Addendum
- Adequacy decisions where applicable
You may request copies of these safeguards by contacting privacy@practora.com.
7. Data retention
We retain your data for the following periods:
| Data type | Retention period |
|---|---|
| Account data | Duration of your account, plus 30 days after deletion request |
| Authentication tokens | Magic links: 15 minutes. Session tokens: 7 days. |
| Invoice and financial data | Duration of your account (written to your accounting software on processing) |
| Analytics data | Up to 24 months, then anonymised or deleted |
| Application logs | 30 days |
8. Your rights
Under GDPR/UK GDPR, you have the right to:
- Access — request a copy of all personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — request deletion of your personal data (“right to be forgotten”).
- Restrict processing — ask us to limit how we use your data.
- Data portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — where processing is based on consent (e.g., analytics cookies), you may withdraw at any time.
To exercise any of these rights, email privacy@practora.com. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with your supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).
9. Cookies
We use cookies and similar technologies. For full details, see our Cookie Policy.
You can manage your cookie preferences at any time using the cookie banner at the bottom of the page, or by clearing your browser's local storage.
10. Security
We protect your data with:
- AES-256 encryption for stored OAuth tokens and API credentials
- TLS encryption for all data in transit
- OAuth-only integrations — we never see or store your accounting software password
- Hashed authentication tokens (magic links are never stored in plaintext)
- Rate-limited authentication endpoints
11. Changes to this policy
We may update this policy from time to time. We will notify you of significant changes via email or through an in-app notice. The “Last updated” date at the top of this page indicates when this policy was last revised.
12. Contact
For any privacy-related questions or requests, contact us:
- Email: privacy@practora.com
- Practora Ltd