Data Handling & Privacy Policy
This policy explains what data Statey processes, why it is processed, how it is protected, and how it can be deleted.
1. Roles Under Data Protection Law
For the purposes of applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”) and UK GDPR:
- Customers are the data controllers of personal data processed through Statey.
- Statey (Vaalies, Inc.) acts as a data processor, as further described in the Data Processing Addendum (DPA) incorporated into the Terms of Service.
2. Data Transparency
Statey synchronises the following data from Xero for each connected organisation:
- Contacts
- Contact groups
- Invoices
- Credit notes
- Overpayments
- Prepayments
- Payment allocations
- Organisation metadata (such as name, currency, address, and tax number)
Within Statey, users may also generate and store:
- Emails sent to contacts
- Notes associated with contacts
3. Purpose Limitation
Personal data is processed solely to provide customer statements and related communications.
Statey does not sell, mine, or use customer data for advertising, profiling, or analytics unrelated to the service.
4. Data Retention
Customer data is retained for the duration of the active account.
Upon account deletion, all customer data—including synced Xero data, notes, and emails—is permanently deleted within a reasonable operational timeframe (normally within 2 hours).
Account deletion is irreversible.
5. International Data Transfers
Statey is incorporated in the United States. Customer data is hosted in the European Union (Netherlands).
Authorised personnel may access systems from outside the EU/UK where necessary to operate or support the service. Where applicable, such access is governed by:
- EU Standard Contractual Clauses (SCCs)
- UK International Data Transfer Addendum
6. Sub-processors (third-party service providers)
Statey uses the following sub-processors:
- SendGrid (Twilio) – email delivery. Their privacy policy is available here.
- DigitalOcean (Amsterdam, Netherlands) – infrastructure hosting. Their privacy policy is available here.
Each sub-processor is engaged under contractual data protection obligations.
7. Right to Erasure
Customers may request deletion of all data at any time via: