file storage location != public

My app allows visitors to upload XML files which I parse, store in the DB for review / modification, and then create a new XML file. I want to put the files somewhere other than RAILS_ROOT/public so they’re not publicly visible during the visit. Like maybe RAILS_ROOT/private. What would be really cool is if I could somehow ensure that only the app had access to them. I’d appreciate hearing from anybody who’s got any experience with storing files like this. Any pointers? Any gotchas I need to look out for?

Thanks,

Bill