Xero Privacy & Data Security
How Hour Cap handles your Xero data, what we access, and how we keep it secure.
Overview
Hour Cap integrates with Xero to let you turn tracked time into draft invoices. The integration syncs a limited set of reference data from your Xero organisation and pushes draft invoices back when you choose to create them.
This page explains exactly what data Hour Cap accesses from your Xero account, how that data is stored and protected, and what happens when you disconnect. It is intended to help you evaluate whether the integration meets your organisation's privacy and security requirements.
For general documentation on using the Xero integration, see the Xero Integration Support page.
OAuth permissions & scopes
When you connect Hour Cap to Xero, you are asked to authorise a specific set of permissions (OAuth 2.0 scopes). Hour Cap requests the following scopes:
- accounting.contacts: Read and create contacts. Used to sync your active customer contacts and optionally create new contacts when invoicing.
- accounting.transactions: Read and create invoices. Used to push draft invoices to your Xero account.
- accounting.settings: Read-only access to chart of accounts, tax rates, branding themes, currencies, items, and tracking categories. Used to populate invoice configuration options.
- openid, profile, email: Standard OpenID Connect scopes. Used only during the Xero signup flow to pre-fill your name and email address when creating a new Hour Cap account.
- offline_access: Allows Hour Cap to refresh your access token without requiring you to re-authorise. This is what keeps the connection active between sessions.
Hour Cap does not request access to bank transactions, payroll, reports, or any other Xero data beyond the scopes listed above.
Single organisation access only
If your Xero login has access to multiple organisations, Hour Cap only connects to the single organisation you select during the authorisation flow. It has no access to any of your other Xero organisations. The connection is scoped to one Xero tenant ID, and all API calls are made exclusively against that organisation.
The authorisation flow uses Proof Key for Code Exchange (PKCE) with the S256 challenge method. This prevents authorisation code interception attacks by ensuring that only the application that initiated the authorisation request can exchange the code for tokens.
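The PKCE exchange described above, as an added illustration that is not Hour Cap's code: the client keeps a random code verifier, sends only its SHA-256 challenge in the authorisation request, and the identity server rejects any token request whose verifier does not hash to the stored challenge. The AUTHORIZE_URL value and the ToyAuthServer class are constructed stand-ins, not Xero's endpoints.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://identity.example.invalid/connect/authorize"  # assumed placeholder

def b64url(data: bytes) -> str:
    # Base64url without '=' padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters (RFC 7636 allows 43 to 128).
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(client_id, redirect_uri, scopes, verifier, state):
    # The challenge travels through the browser; the verifier stays server-side.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)

class ToyAuthServer:
    """Constructed stand-in for the identity server's side of the PKCE check."""
    def __init__(self):
        self._pending = {}  # authorisation code -> stored code_challenge

    def issue_code(self, challenge):
        code = secrets.token_urlsafe(16)
        self._pending[code] = challenge
        return code

    def exchange(self, code, verifier):
        # Token endpoint: a code is single-use and useless without the matching verifier.
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return None
        if not secrets.compare_digest(code_challenge_s256(verifier), challenge):
            return None  # a replayed code without the verifier is rejected
        return {"access_token": "tok_" + secrets.token_hex(8), "expires_in": 1800}
```

The first assertion in the test uses the code_verifier/code_challenge pair from RFC 7636 Appendix B, which any correct S256 implementation must reproduce.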
Data read from Xero
Hour Cap reads the following data from your Xero organisation:
Contacts
Hour Cap syncs contacts that are both active and flagged as customers in Xero. For each contact, only two fields are stored locally: the contact name and the Xero contact ID (an internal identifier used for linking). No email addresses, phone numbers, physical addresses, or other contact details are stored in Hour Cap's database.
Items
Xero inventory items marked as "sold" are synced to Hour Cap. The fields stored are: item code, name, description, unit price, account code, and tax type. These are used to pre-fill invoice line item configuration.
Tracking categories
If you use tracking categories in Xero (e.g. departments, cost centres), Hour Cap syncs their names, statuses, and options. These are stored locally so you can assign tracking to invoice line items.
Cached reference data (not stored in the database)
The following data is fetched from Xero and held in a temporary cache for up to 1 hour. It is used to populate dropdown menus when configuring invoice defaults and is never written to the database:
- Tax rates
- Revenue accounts (chart of accounts, filtered to revenue type only)
- Branding themes
- Currencies
After the 1-hour cache expires, the data is fetched again from Xero on the next request that needs it.
Data written to Xero
Hour Cap writes only two types of data to your Xero account, and only when you explicitly initiate the action:
- Draft invoices: When you create an invoice in Hour Cap and push it to Xero, it is created as a draft invoice. You must review and approve it in Xero before it is sent to your client. Invoice data includes the contact reference, line items (description, quantity, rate, account code, tax type, tracking), due date, reference number, currency, and branding theme.
- New contacts: If you choose to invoice a client that is not yet linked to a Xero contact, you can optionally create a new contact in Xero. Only the client name is sent.
Hour Cap never modifies or deletes existing data in your Xero account. It cannot edit existing contacts, update invoices after they have been pushed, delete records, or access data outside the scopes listed above.
Data storage & encryption
OAuth tokens
Your Xero OAuth access token and refresh token are encrypted at rest using AES-256-CBC encryption via Laravel's built-in encryption layer. The encrypted values are stored in the database. They can only be decrypted using the application's encryption key, which is stored separately from the database.
Synced data
Contact names, item details, and tracking categories are stored in the application database alongside your other Hour Cap data. This data is used to power the invoicing interface and is scoped to your organisation. No Xero data is shared between organisations.
Cached data
Tax rates, revenue accounts, branding themes, and currencies are held in a temporary application cache. This data expires automatically after 1 hour and is not persisted to the database.
Token security
Hour Cap implements several measures to protect your Xero OAuth tokens:
- PKCE (S256): The authorisation flow uses Proof Key for Code Exchange with the SHA-256 challenge method, preventing authorisation code interception.
- Encrypted storage: Both the access token and refresh token are encrypted at rest using AES-256-CBC before being written to the database.
- Automatic refresh: Access tokens are refreshed automatically 5 minutes before they expire, so your connection stays active without manual intervention.
- Distributed locking: Token refresh operations use a distributed lock to prevent concurrent refresh attempts from causing token invalidation.
- Revocation on disconnect: When you disconnect from Xero, Hour Cap sends a revocation request to Xero's identity server to invalidate the refresh token, then deletes the connection record from the database.
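An added illustration of the refresh margin and locking described above, not Hour Cap's code: a constructed identity server that rotates refresh tokens (so a token can be used once), a refresh helper that re-checks expiry inside the lock before calling out, and the failure mode that occurs when two workers refresh without a lock. The threading.Lock stands in for a distributed lock, and all names and times are assumed.

```python
import secrets
import threading

REFRESH_MARGIN_SECONDS = 300  # refresh 5 minutes before expiry, as described above
# Stands in for a distributed lock (e.g. Redis-backed) so the example runs offline.
REFRESH_LOCK = threading.Lock()

class ToyIdentityServer:
    """Constructed stand-in for an identity server that rotates refresh tokens."""

    def __init__(self, first_refresh_token):
        self.valid_refresh = {first_refresh_token}

    def refresh(self, refresh_token, now):
        if refresh_token not in self.valid_refresh:
            raise RuntimeError("invalid_grant: refresh token already rotated or revoked")
        self.valid_refresh.discard(refresh_token)  # the token just used is invalidated
        new_refresh = secrets.token_hex(8)
        self.valid_refresh.add(new_refresh)
        return {"access_token": secrets.token_hex(8), "refresh_token": new_refresh,
                "expires_at": now + 1800}

def needs_refresh(conn, now):
    # Times are Unix seconds; refresh once we are inside the 5-minute margin.
    return conn["expires_at"] - now <= REFRESH_MARGIN_SECONDS

def ensure_fresh(conn, identity, now, lock=REFRESH_LOCK, timeout=10):
    """Return a usable access token, refreshing under the lock if inside the margin."""
    if not needs_refresh(conn, now):
        return conn["access_token"]
    if not lock.acquire(timeout=timeout):
        raise RuntimeError("could not acquire token refresh lock")
    try:
        # Double-check inside the lock: another worker may already have refreshed.
        if needs_refresh(conn, now):
            conn.update(identity.refresh(conn["refresh_token"], now))
        return conn["access_token"]
    finally:
        lock.release()

def race_without_lock(conn, identity, now):
    """Two workers that each read the stored refresh token before either refreshed it."""
    stale = conn["refresh_token"]
    conn.update(identity.refresh(stale, now))  # worker A rotates the token
    try:
        identity.refresh(stale, now)           # worker B replays the now-rotated token
        return "ok"
    except RuntimeError as exc:
        return str(exc)
```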
Disconnecting
When you disconnect Hour Cap from Xero (via Settings → Xero → Disconnect from Xero), the following cleanup is performed:
- Token revocation: The refresh token is revoked with Xero's identity server, immediately invalidating Hour Cap's access.
- Connection record deleted: The stored OAuth tokens, tenant ID, and connection metadata are permanently deleted from the database.
- Xero contact links cleared: All Xero contact IDs are removed from your client records, unlinking them from Xero contacts.
- Xero item and tracking references cleared: Xero item IDs and tracking option assignments are removed from your project records. Organisation-level tracking defaults are also cleared.
- Tracking categories deleted: All synced tracking category data is permanently deleted.
What is retained after disconnecting
The following data is not deleted when you disconnect, as it belongs to your Hour Cap account and may be needed for your records:
- Invoices: Historical invoice records are retained for your audit trail. These are records of invoices that were pushed to Xero and include the line item snapshot at the time of creation.
- Time entries: All tracked time entries remain unchanged.
- Clients and projects: Your client and project records remain, with Xero-specific references removed.
- Synced items: Xero item records are retained for reference but are no longer used once disconnected.
You can reconnect to Xero at any time. Reconnecting will require you to re-authorise and re-map your clients to Xero contacts.
Third-party sub-processors
Hour Cap uses the following infrastructure providers that may process data related to your Xero integration:
- Hosting provider: The application and database are hosted on secure cloud infrastructure. All data is encrypted in transit (TLS) and the database is not publicly accessible.
- Queue processing: Xero sync operations and invoice pushes run as background jobs on the same infrastructure as the application.
Hour Cap does not share your Xero data with any other third parties. Your Xero data is not used for analytics, advertising, or any purpose other than providing the invoicing features described in this document.
Compliance
Hour Cap is an Australian company and handles personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988.
- Data minimisation: Hour Cap only accesses the Xero data necessary to provide time-based invoicing. Contact details beyond the name are not stored. Financial data such as bank transactions and payroll are never accessed.
- Purpose limitation: Xero data is used solely for the purpose of syncing contacts and items, and creating draft invoices. It is not used for any other purpose.
- Data retention: Synced Xero data is retained for as long as your Xero connection is active. When you disconnect, the cleanup described above is performed immediately. Invoice records are retained for your audit trail until you delete your account.
- Right to deletion: You can disconnect from Xero at any time to trigger immediate cleanup of Xero-specific data. To permanently delete your account and all associated data, go to Settings → Close account.
Contact
If you have questions about how Hour Cap handles your Xero data, or if you need additional documentation for your compliance requirements, please contact us at [email protected].