Xero

Comprehensive scope statement, clear definitions, detailed table of contents, specific contact information, current version date, and multiple accessibility formats. Strong navigation and clarity features exceed basic requirements.

Comprehensive list of primary purposes, explicit secondary use limitations, detailed marketing and analytics disclosures, and clear consent requirements. Strong commitment to purpose limitation with specific use cases enumerated.

Clear update notification process, version history with archived versions available, specific contact details, and SOC 2 audit framework mentioned. Good governance structure though lacks specific review frequency commitments.

Detailed enumeration of specific data categories collected, clear collection methods, explicit sensitive data handling, and comprehensive legal basis disclosure. Goes beyond generic categories with granular data type specifications.

Clear categories of third parties with specific purposes, named service provider types, and detailed safeguards for international transfers. Good specificity on sharing contexts though some recipients remain categorical rather than named.

General security commitment with SOC 2 certification available on request and some specific monitoring tools mentioned. Adequate but lacks detailed technical safeguards and specific encryption or breach notification commitments.

Specific countries named (Australia, New Zealand, US), adequacy mechanisms for EEA/UK transfers, and standard contractual clauses mentioned. Clear disclosure of transfer locations with appropriate safeguards specified.

Complete enumeration of consumer rights including access, correction, deletion, and objection rights with clear exercise mechanisms. Response timeframe is vague ('reasonable time') but complaint escalation pathways are specified.

AI/ML usage disclosed for service delivery and improvement, with rights against wholly automated decisions clearly stated. However, lacks detailed transparency about decision-making logic and specific opt-out mechanisms for automated processing.

No relevant claims found in policy.

No specific findings.