Privacy Policy

Version 1.1 — Effective Date: May 10, 2026

1. Introduction

Nxentra ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform. By using Nxentra, you consent to the practices described in this policy.

2. Information We Collect

2.1 Information You Provide

  • Account information: Email address, name, phone number, password, company name, preferred language
  • Financial data: Chart of accounts, journal entries, invoices, bills, bank transactions, inventory records, and other accounting data you enter
  • Integration credentials: OAuth tokens for Shopify, Stripe, and other connected platforms (stored encrypted)
  • Voice data: Audio recordings submitted through the voice entry feature (processed by OpenAI Whisper, not stored permanently)

2.2 Information We Receive From Connected Platforms

When you connect a third-party platform (e.g. Shopify, Stripe), we receive operational data needed to produce your accounting records. This includes data about your customers as well as your business:

  • Order data: Order numbers, line items, prices, taxes, currencies, payment status, fulfillment status, timestamps
  • Customer data: Customer names, email addresses, phone numbers, billing and shipping addresses, and order history. This data is collected from your store and used solely to produce financial reports for you (the merchant). We do not market to your customers, sell their data, or share it outside the scope of providing our Service to you.
  • Payout and settlement data: Gateway payouts, fees, refund amounts, dispute records
  • Shop metadata: Shop domain, store currency, plan, locations, products

For Shopify specifically, we comply with Shopify's mandatory privacy compliance webhooks (customers/data_request, customers/redact, shop/redact); see Section 6 and Section 7.

2.3 Information Collected Automatically

  • Usage data: Pages visited, features used, actions performed (for product improvement)
  • Device information: Browser type, operating system, IP address
  • Error data: Application errors and crash reports (via Sentry, if configured)

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Process your financial data and generate reports as requested
  • Authenticate your identity and manage your account
  • Send transactional emails (verification, password reset, notifications)
  • Facilitate integrations with third-party platforms you connect
  • Monitor and prevent security threats and abuse
  • Comply with legal obligations

We do not sell your personal information or financial data to third parties.

4. Data Storage and Security

  • Your data is stored in secure, access-controlled databases
  • Financial data is isolated per company using PostgreSQL Row-Level Security (RLS) or dedicated databases
  • Passwords are hashed using industry-standard algorithms (never stored in plain text)
  • Authentication tokens are transmitted via encrypted HTTPS connections and stored in HttpOnly secure cookies
  • All data in transit is encrypted using TLS 1.2 or higher
  • We maintain an immutable audit trail of all financial transactions via our event-sourced architecture

5. Data Sharing

We may share your information only in the following circumstances:

  • With your consent: When you explicitly authorize a third-party integration (Shopify, Stripe, etc.)
  • Service providers: With trusted providers who assist in operating our Service (hosting, email delivery, error tracking), bound by confidentiality agreements
  • Legal requirements: When required by law, regulation, or legal process
  • Business transfers: In connection with a merger, acquisition, or sale of assets (with prior notice)

6. Data Retention

  • Your account and financial data are retained for as long as your account is active
  • Upon account termination, you may request a data export within 30 days
  • After the 30-day export window, your data will be permanently deleted within 90 days
  • We may retain anonymized, aggregated data for analytics purposes
  • Audit trail events may be retained longer where required by applicable financial regulations

6.1 Shopify-specific retention

  • Customer data deletion (customers/redact): When you (or Shopify on your behalf) request deletion of a specific customer's data, we will purge that customer's personally identifiable information from our systems within 30 days, except where retention is required by financial regulation (in which case the data is anonymized).
  • Customer data export (customers/data_request): When you request a copy of a specific customer's data on their behalf, we will deliver it within 30 days.
  • Shop data deletion (shop/redact): When you uninstall the Nxentra app from your Shopify store, we receive Shopify's redaction webhook 48 hours later. We will purge your shop's personally identifiable data within 30 days of that webhook, except for journal entries and audit trail records required by financial regulation (which we retain in anonymized form).

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Export: Receive your data in a structured, machine-readable format
  • Restriction: Request restriction of processing in certain circumstances
  • Objection: Object to processing of your personal data for certain purposes

To exercise any of these rights, contact us at admin@nxentra.com. We will respond within 30 days.

Shopify merchants: you can also trigger a deletion or data-export request directly through Shopify's privacy compliance flow in your Shopify admin. Shopify will dispatch the request to us via the customers/redact, customers/data_request, or shop/redact webhooks, which we honor within 30 days as described in Section 6.1.

8. Cookies

We use essential cookies required for the Service to function (authentication cookies, session management). We do not use advertising or third-party tracking cookies. Authentication cookies are HttpOnly and Secure, meaning they cannot be accessed by client-side scripts and are only transmitted over encrypted connections.

9. International Data Transfers

Your data may be processed in countries other than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place to protect your information in accordance with applicable data protection laws.

10. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or through the Service and update the "Effective Date" above. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: admin@nxentra.com