
Privacy, security & data retention

A practical, plain-language summary of how TrueBooks protects your data and how long we keep things for.

Account security

Passwords

Passwords must be at least 12 characters and include a mix of upper-case letters, lower-case letters, digits and special characters. They're hashed with bcrypt before they hit the database — we never store, log, or transmit your plaintext password, and even our own admins can't see it. Use a unique password per service; a password manager is the right tool here.

Two-factor authentication

From Settings → Security you can enable time-based 2FA (TOTP) — the same flavour Google Authenticator, 1Password, Authy and similar apps generate codes for. Setup walks you through scanning a QR code, entering a confirmation code, and downloading a set of recovery codes for the case where you lose your authenticator app. We strongly recommend turning this on; it's the single biggest defence against account takeover.

Brute-force protection

Sign-in attempts are rate-limited per source IP. After 10 failed attempts from a single IP within 10 minutes we send an alert to our security inbox; after 20 failures the IP is blocked for the rest of that window. Successful logins reset the counter. The IP we measure on is the real client IP, not a header value the client controls — so this can't be bypassed by spoofing.
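As an added illustration (not TrueBooks' own code), the policy above written out as a small throttle: a fixed 10-minute window keyed on the client IP, an alert at 10 failures, a block at 20 that lasts until the window ends, and a reset on success. Timestamps are passed in so the behaviour is deterministic; `alerts` stands in for the security inbox.

```python
from dataclasses import dataclass, field

# Constructed example of the sign-in throttle described on this page.
# The key passed as `ip` must be the TCP peer address the server observed,
# never a client-supplied header such as X-Forwarded-For, so that the
# counter cannot be sidestepped by forging headers.
WINDOW_SECONDS = 10 * 60
ALERT_THRESHOLD = 10
BLOCK_THRESHOLD = 20


@dataclass
class _IpState:
    window_start: float          # time of the first failure in this window
    failures: int = 0
    alerted: bool = False        # alert is sent once per window


@dataclass
class LoginThrottle:
    alerts: list = field(default_factory=list)   # stand-in for the security inbox
    _state: dict = field(default_factory=dict)   # ip -> _IpState

    def _current(self, ip: str, now: float) -> _IpState:
        """Return the live window for `ip`, opening a fresh one if none or expired."""
        st = self._state.get(ip)
        if st is None or now - st.window_start >= WINDOW_SECONDS:
            st = _IpState(window_start=now)
            self._state[ip] = st
        return st

    def is_blocked(self, ip: str, now: float) -> bool:
        """Blocked only while the window that reached the threshold is still open."""
        st = self._state.get(ip)
        return bool(st and now - st.window_start < WINDOW_SECONDS
                    and st.failures >= BLOCK_THRESHOLD)

    def record_failure(self, ip: str, now: float) -> None:
        st = self._current(ip, now)
        st.failures += 1
        if st.failures >= ALERT_THRESHOLD and not st.alerted:
            st.alerted = True
            self.alerts.append(f"{ip}: {st.failures} failed sign-ins within window")

    def record_success(self, ip: str) -> None:
        """A successful sign-in clears the counter for that IP."""
        self._state.pop(ip, None)
```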

Sessions

Sign-in sessions are JWT-backed with a 30-day expiry. The session is re-validated against your account every 5 minutes — so if your account is deactivated or your trial expires, you'll be signed out within five minutes. The Settings → Security page lists every active session you have, with the device user-agent and IP, and lets you revoke any of them with one click (handy if you ever sign in on a borrowed machine).

How your data is encrypted

Anything on the line is over TLS 1.2+ — the app domain runs HSTS with a two-year window and is preloaded into modern browsers' HSTS lists, so even an active network attacker can't downgrade you to plaintext.

At rest, the things that matter most are encrypted at the application layer with AES-256-GCM before they hit the database:

The encryption key lives outside the database in a separate environment variable, so a database backup or a leaked DB dump on its own isn't enough to decrypt those tokens. The key itself is rotatable via a one-shot script that re-encrypts every stored ciphertext under a new key in a single transaction.

What data TrueBooks holds about you

The short answer: enough to do the job, and no more. Specifically:

We don't ingest order-level customer PII (names, addresses) — Amazon's settlement files don't carry it for sellers anyway.

Retention windows

Data type                           Retention
Settlement & financial line data    6 years (HMRC / Companies Act)
Billing events                      6 years
Audit log                           12 months
User account                        Life of account + 30 days
Active sessions                     30 days after expiry / revocation
Password reset tokens               30 days after use / expiry
Website analytics (page views)      90 days
Amazon LWA refresh token            Until disconnected
2FA recovery codes                  Until regenerated or 2FA disabled

A cleanup job runs daily at around 03:00 UTC and removes records that have aged out of these windows. The day's deletions are logged so we can prove compliance if asked.

If you need to leave

Closing your account is a self-serve action from Settings → Account → Close account. We mark your account closed immediately (revoking access), and 30 days later your personal data is purged. The 6-year retention applies only to the financial records you'd be required to keep for tax purposes anyway — those stay quarantined and inaccessible during the retention window, and are purged at the end of it.

If you'd prefer that we delete everything immediately instead of waiting out the 6-year window, email support and we'll handle it as a GDPR erasure request. We'll do the same for records under a legal hold or an active investigation as soon as those clear.

Reporting a security issue

Found a vulnerability? Email security@truebooks.co.uk directly. We aim to respond within one working day. We're a small team, so we don't run a public bounty programme, but we acknowledge and credit responsible disclosure.