Privacy notice

Privacy, without vague promises.

This notice explains how Atlas Flow handles information for the Agent Atlas website and the read-only Agent Atlas – Xero Connector pilot.

Effective: 14 July 2026 · Contact: support@atlas-flow.com

Operational draft. This notice describes the implemented pilot. It should receive suitable Australian legal and privacy review before commercial rollout or broader use.

1. Who operates Agent Atlas

Agent Atlas is operated by Atlas Flow. Privacy questions, access or correction requests, complaints, and deletion requests can be sent to support@atlas-flow.com.

2. Information associated with this website

The website is static. Site code does not set analytics or advertising cookies, run tracking scripts, embed third-party media, or provide a data-entry form. The hosting and network providers may process ordinary request metadata—such as IP address, browser user-agent, requested URL, timestamps and security events—under their own terms and privacy practices.

If you email support, Atlas Flow receives the contact details and message contents you choose to provide. Do not send passwords, OAuth tokens, Xero accounting payloads or other unnecessary sensitive information.

3. Information handled by the Xero connector

After a connected user reviews the Xero data-processing notice and provides affirmative consent, the connector may handle:

Xero passwords are entered on Xero’s website. Agent Atlas does not receive them. OAuth uses Authorization Code with PKCE and does not use a client secret.

4. Why information is processed

Information is processed to establish and maintain the connection selected by the user, answer the user’s requested accounting-context questions, keep credentials refreshed securely, enforce read-only capability boundaries, diagnose failures, satisfy disconnect requests and protect the service. Agent Atlas does not sell Xero information or use it for advertising.

5. AI processing and consent

When a user asks Agent Atlas to analyse Xero information, the minimum information needed for that request may be sent to the AI or model provider configured in the user’s Hermes installation. The connected-user notice must be reviewed and accepted before OAuth begins. Xero API data must not be used to train, fine-tune, adapt, enhance or improve an AI model.

The configured provider may process information in another jurisdiction. The person controlling the Hermes installation must review that provider’s location, retention, security and contractual terms before connecting a real organisation. The first acceptance run uses a Xero Demo Company.

6. Storage and security

OAuth credentials are encrypted locally for the current Windows user using operating-system DPAPI protection. Credential replacement is atomic and refresh operations use cross-process locking. Tokens, OAuth codes, tenant identifiers and accounting payloads are excluded from customer bundles and payload-free audit records.

Accounting responses are returned to the requesting Hermes session and are not intentionally persisted by the Xero connector itself. The surrounding Hermes installation and configured AI provider may have their own session, log or retention behavior, which must be reviewed separately.

7. Retention and deletion

The one-time OAuth code and PKCE verifier are held only while completing the local authorisation transaction. Encrypted connection credentials remain until they expire, are replaced during refresh, or the connection is removed. Non-payload audit events may be retained locally for security and troubleshooting according to the installation owner’s practices.

Disconnecting attempts remote Xero connection removal or refresh-token revocation and local encrypted credential deletion. The interface reports remote and local outcomes separately. Users can also revoke the app through Xero. Support correspondence is retained only as reasonably needed to respond, keep an operational record, meet legal obligations or resolve a dispute.

8. Disclosure

Information may be disclosed to Xero to operate OAuth and the Xero APIs; to the configured AI provider after consent and only as needed for the request; to hosting, security or support providers needed to operate the service; or when required by law. Atlas Flow does not authorise those recipients to use Xero data for model training.

9. Access, correction and complaints

Contact support@atlas-flow.com to request access to, correction of or deletion of information held by Atlas Flow, or to raise a privacy complaint. Identify the relevant connection without emailing credentials or accounting payloads. Atlas Flow may need to verify the requester’s authority before acting.

10. Children and authorised business use

The connector is intended for authorised business users, not children. Only a person authorised to access the relevant Xero organisation should connect or request its information.

11. Changes

This notice may change when the pilot, providers, legal requirements or data practices change. The effective date above will be updated for material revisions. A material expansion—especially future write capabilities—requires separate technical release, permission and acceptance controls rather than silent policy wording.