Privacy Policy

External Links and Third-Party Integrations

  • No Implied Affiliation: This Website and our Software may contain links to third-party websites or integrated services (e.g., Sage 100 Contractor, Odoo, payment gateways, or tax filing services). Unless explicitly stated, Xcel Software does not imply any approval, sponsorship, or affiliation with these third parties. All trademarks are the property of their respective owners.
  • Data Exchange and Security: When you enable an integration between Xcel Software and a third-party service, you acknowledge that data may be transmitted outside of our secure environment. Xcel Software is not responsible for the privacy, security, or integrity of data once it is received by a third-party platform.
  • User Responsibility: We strongly recommend that you review the legal statements and data security policies of any third-party service you link to your account. Your use of third-party integrations is at your own risk and subject to the terms of those specific providers.


Xcel Software utilizes cookies to personalize and enhance the User’s navigation experience and ensure the secure functionality of our services. By using our platform, the User acknowledges and consents to our cookie practices:

  • Security Standards: All cookies are transmitted exclusively via HTTPS encryption. We implement strict security flags, including HttpOnly (to prevent script access), Secure (to ensure encrypted transmission), and SameSite attributes to protect against cross-site request forgery.
  • Data Minimization: We adhere to a "minimal data" policy. Cookies are used only for essential session management and performance optimization; we do not store sensitive personal or financial information within cookies.
  • Expiration & Control: We utilize both session cookies (which expire when you close your browser) and persistent cookies (which have a strict Max-Age expiration). Users may manage or disable cookies via their browser settings, though this may impact certain software functionalities.
  • Integrity Protection: Xcel Software monitors for and defends against "cookie poisoning" and session hijacking through automated server-side validation and frequent security patches.

Effective Date: May 2025  ·  Last Revised: 2026-05-18

Xcel Software is committed to protecting the privacy, confidentiality, and security of your personal and business data. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our software and services.

1. Data Collection

We collect only the information necessary to provide and improve our services, categorized as follows:

  • Account Information: Name, email, company details, and billing information.
  • System Usage Data: Metadata related to your interaction with our tools.
  • Client Financial Data: Data contained within Sage 100 Contractor, Odoo, or other ERP systems that you provide access to for support, migration, or analysis purposes.

2. Use of Data and Purpose Limitation

Your data is used solely for:

  • Delivering, maintaining, and improving our software and services.
  • Providing technical support and responding to specific inquiries.
  • Strict Limitation: Client Financial Data is accessed only to fulfill specific service requests and is never used for independent research, benchmarking, or marketing purposes.

3. Zero-Sale Policy

Xcel Software does not sell, rent, or trade your personal information or your business’s financial data to any third party. We do not monetize your data in any form.

4. Data Safeguarding and Security Measures

Xcel Software employs industry-standard security practices, including:

  • AES-256 Encryption for data at rest and TLS/SSL for data in transit.
  • Logical Isolation: Ensuring that each client’s financial data environment is isolated from other clients.
  • Multi-Factor Authentication (MFA): Required for all Xcel Software staff accessing support environments.
  • Anti-Malice Guarantee: We do not utilize any "backdoors" or unauthorized access methods.

5. Data Access, Retention, and Sovereignty

  • Location: All data is processed and stored on secured servers located within the United States.
  • Retention: We retain data only for as long as necessary to provide services. Upon termination of service and completion of the data exit process, Xcel Software will securely purge your data from our active support systems upon request.

6. Third-Party Services

Where integrations with third-party services are offered, we ensure these partners meet high security and privacy standards. Xcel Software is not responsible for the privacy practices of third-party platforms once data leaves our controlled environment.

7. Your Responsibilities

While we take strong measures to secure your data, you are responsible for safeguarding your own account credentials and ensuring your internal team follows secure system-use practices.

We rely on a small, vetted set of third-party processors to deliver our software and run xcel.software itself. Each one is bound by its own SOC2 / GDPR commitments; we do not share Client Financial Data with any of them.

  • Amazon Web Services (AWS): Hosts our application, databases, and backups in us-west-2 (Oregon). All data at rest is AES-256 encrypted.
  • Google Cloud (Firebase Hosting + Cloud Functions): Serves the xcel.software marketing site and runs the contact-form proxy. No customer financial data is ever stored here.
  • PostHog Inc. (us.i.posthog.com): Product analytics on the marketing site. We capture pageviews and click events only, never IP addresses or form contents. Opt out via the consent banner. See xcel-software-web-site/docs/analytics-runbook.html for the full list of events captured.
  • Google Analytics 4: Aggregate traffic measurement on the marketing site. IP anonymization is on.
  • Stripe + Authorize.net: Payment processors. Card data is tokenized client-side and never touches our servers.
  • Cloudflare Turnstile (when enabled): Bot protection on the contact form. Currently disabled; honeypot-only.

If a new processor is added or an existing one is removed, this section is updated within 30 days.

If you are located in the European Economic Area, the United Kingdom, or California, you have specific legal rights regarding personal data we hold about you. Xcel Software honors these rights regardless of where you are located.

Under the EU/UK General Data Protection Regulation (GDPR):

  • Right of Access (Article 15): You may request a copy of all personal data we hold about you, including the categories, recipients, and retention periods.
  • Right to Rectification (Article 16): If any personal data is inaccurate or incomplete, you may request that we correct or complete it.
  • Right to Erasure / "Right to be Forgotten" (Article 17): You may request deletion of your personal data, subject to legal retention obligations (e.g., billing records held for tax/audit).
  • Right to Restriction of Processing (Article 18): You may request that we limit how we use your data, for example while a dispute is being resolved.
  • Right to Data Portability (Article 20): You may receive your data in a structured, commonly-used, machine-readable format (e.g., CSV, JSON) and have it transmitted to another controller where technically feasible.
  • Right to Object (Article 21): You may object to processing based on legitimate interests (e.g., analytics) or for direct marketing.
  • Right to Lodge a Complaint: You may file a complaint with your local supervisory authority (e.g., your national Data Protection Authority).

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know (§1798.110, §1798.115): You may request the categories and specific pieces of personal information we collected, the sources, the business purpose, and any third parties to whom it was disclosed.
  • Right to Delete (§1798.105): You may request deletion of personal information we collected from you, subject to statutory exceptions.
  • Right to Correct (§1798.106): You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing (§1798.120): We do not sell or share personal information for cross-context behavioral advertising. Our Zero-Sale Policy is absolute (see above).
  • Right to Limit Use of Sensitive Personal Information (§1798.121): We do not collect categories of sensitive personal information beyond what is necessary to deliver our services.
  • Right to Non-Discrimination (§1798.125): We will not charge a different price or deny services for exercising any of these rights.

How to exercise these rights: Email privacy@xcel.software with the subject line "Data Subject Request" and identify which right you wish to exercise. We respond within 30 days as required by GDPR Article 12(3) and CCPA §1798.130. There is no fee for the first request in any 12-month period.

Global Privacy Control (GPC): If your browser sends a GPC signal, we treat it as an opt-out of analytics tracking. No further action is required.

Verification: For Right-to-Know and Right-to-Delete requests, we verify your identity via the email address on file plus a confirmation link, to prevent unauthorized requests from impersonators. We will never ask for your password or financial information to verify a DSAR.

We retain personal data only for as long as necessary to deliver our services, meet legal obligations, or resolve disputes. The following table summarizes our default retention periods. Retention starts from the date the data was collected unless otherwise noted.

| Category | Retention Period | Reason |
|---|---|---|
| Account information (name, email, company) | Duration of the customer relationship + 90 days after closure | To reconcile final billing and respond to closing-period support questions. |
| Billing & invoice records | 7 years from invoice date | IRS retention requirement (26 CFR §1.6001-1(e)) for business records. |
| Client Financial Data (Sage 100 Contractor, Odoo, etc.) | Duration of service contract; purged within 30 days of service termination upon written request | Held only to deliver agreed services. Never used for benchmarking, marketing, or model training. |
| Support tickets and correspondence | 24 months after ticket resolution | To resolve recurring issues and improve product documentation. |
| System usage metadata (logins, in-app navigation) | 12 months | To debug issues and improve product UX. |
| Marketing-site analytics (PostHog, Google Analytics 4) | 12 months default; processor-side retention controls in effect | To measure marketing campaign effectiveness. Opt-out via consent banner at xcel.software. |
| Cookies (session) | Expire when browser closes | Required for authentication. |
| Cookies (persistent) | Max-Age 12 months | To remember login session and consent preference across visits. |
| Backup snapshots (encrypted, AWS) | 90 days rolling | Disaster recovery. Backups are encrypted at rest and access is restricted to a small subset of staff. |

Early deletion: You may request earlier deletion of any category above by emailing privacy@xcel.software, subject to legal retention obligations (e.g., we cannot delete billing records before the 7-year IRS retention window expires).

Anonymization: Where data is needed beyond its retention period for aggregate product analytics or AI model improvement, it is irreversibly anonymized — personal identifiers are stripped before further processing.

For privacy questions or to exercise your data-subject rights (access, correction, deletion), contact:

Xcel Software
610 N. Kays Drive, Suite 200
Kaysville, UT 84037, United States
Phone: +1 (801) 436-4298
Email: privacy@xcel.software

We respond to data-subject requests within 30 days.