Privacy policy

"Nexus Ledger", "we", "us", or "our" refers to the operator of this service. Until the controlling legal entity is incorporated, the service is operated by Omer Khan as sole proprietor (Riyadh, Kingdom of Saudi Arabia) acting as the data controller. Once Verith Holdings (UAE) is incorporated, the controller will transition to that entity; an updated version of this policy will be published and existing customers will be notified by email at least 14 days in advance.

For any privacy enquiry, you can contact us at omerhayatkhan@gmail.com with subject line "Privacy enquiry". A dedicated privacy@ address will replace this once Verith is incorporated.

This policy covers personal data we process in connection with our website (this domain and its subdomains) and the Nexus Ledger application. It does not cover third-party websites linked from our service, third-party tools your firm chooses to integrate, or data your firm processes inside the application that does not relate to identifiable individuals (for example, a vendor invoice that contains only company information).

Our service is a multi-tenant SaaS used by accounting firms and in-house finance teams ("Customers"). Within the service, two distinct relationships exist:

• Account & billing data: we are the controller of the personal data of users who sign up, sign in, and administer their workspace (name, email, authentication factors, billing address, IP address, audit log, support correspondence).
• Customer Data: the documents Customers upload (voucher PDFs, invoices, salary slips, bank statements, etc.) and the journal entries, narratives, and metadata derived from them. For Customer Data, our Customer is the controller and we act as a processor on their behalf, governed by a Data Processing Addendum (DPA).

If you are an end-individual (for example, an employee whose salary slip was uploaded by a Customer), please contact the Customer directly to exercise rights over your data. We will support the Customer in fulfilling such requests but cannot act on your data without their instruction.

4.1 Data you provide directly

• Account: full name, work email address, organisation name, role.
• Authentication: magic-link tokens, multi-factor authentication codes, hashed session tokens.
• Billing (after pilot): billing contact, VAT/Tax registration number, billing address. Card details are handled by our payment processor and never touch our servers.
• Support correspondence: emails and in-app messages you send us, including any attachments.

4.2 Data collected automatically

• Application logs: IP address, user agent, request path, request and response timestamps, action type (signed in, uploaded a document, posted a journal entry, etc.). Retained for up to 90 days for security and debugging.
• Cookies: a strictly necessary session cookie, a locale preference cookie, and an active-workspace cookie. We do not run third-party advertising or cross-site tracking cookies.
• Product analytics (optional): aggregated, pseudonymised event data describing how the application is used (e.g., "user opened the journal-entry explorer"). Customers can disable this for their entire workspace; we do not record keystrokes, document content, or screen recordings.
• Audit log: every workflow transition (signed in, posted JE, exported report, granted role, etc.) is written to an append-only audit log retained for at least 11 years to support our document-retention obligations.

4.3 Customer Data we process on Customers' behalf

• Documents Customers upload (PDFs, images) and any personal data inside them — for example, employee names on salary slips, customer or supplier contact information on invoices, IBANs.
• Extracted, structured metadata derived from those documents (vendor names, amounts, dates, line items, narratives, GOSI deductions, VAT amounts).
• The journal entries, trial-balance rows, and reports computed from the extracted data.

We rely on the following legal bases under PDPL and GDPR:

• Performance of a contract — to provide the service you signed up for.
• Legitimate interests — security monitoring, fraud prevention, service improvement, customer support, defending legal claims; balanced against your rights and freedoms.
• Compliance with legal obligations — bookkeeping retention rules (Companies Act, ZATCA), tax law, and lawful requests from competent authorities.
• Consent — for optional product analytics and for marketing emails you can opt out of at any time.

The service uses third-party large-language-model and optical-character-recognition providers to extract structured data from uploaded documents. The following rules apply and are enforceable in our subprocessor agreements:

• No model training on Customer Data. Our agreements with AI subprocessors prohibit them from using prompts, completions, uploaded files, or any other Customer Data to train, fine-tune, or otherwise improve their models.
• No human review of Customer Data by subprocessors except where strictly necessary to investigate a Trust & Safety incident, and in those cases under contractual confidentiality obligations.
• Bound by the same row-level security as a user. The AI cannot read data outside the workspace it is currently processing for; service-role keys are never handed to the model.
• Customer remains the decision-maker. No journal entry posts without human approval during your pilot and during the 30-day cold-start window after going live. We do not make automated decisions producing legal or similarly significant effects on individuals (PDPL / GDPR Art. 22 sense).

Customers select a hosting region during onboarding:

• Standard region (default): region-flexible infrastructure operated by our hosting subprocessors with adequacy or equivalent safeguards in place. The specific region is disclosed to Customers in the DPA on request and in our subprocessor list at /subprocessors.
• KSA-resident option (Pro tier and above): a single-tenant deployment hosted inside the Kingdom of Saudi Arabia for Customers whose data must not leave the country under their internal policies or sectoral rules. Available on request and priced separately.

For cross-border transfers under SDAIA's Personal Data Transfer Regulation and under the UAE PDPL, we rely on (i) adequacy decisions where they exist, (ii) contractual safeguards equivalent to Standard Contractual Clauses, and (iii) an explicit data transfer impact assessment recorded in our Records of Processing.

We use a limited set of carefully-selected subprocessors to host, secure, and operate the service. The current list — including names, processing activity, and location — is published at /subprocessors. We give Customers at least 30 days' notice before adding or replacing a subprocessor and a right to object on reasonable grounds.

• Customer Data: for the duration of the subscription, plus the statutory accounting retention window (≥ 10 years; we default to 11) so books remain defensible for audit and tax review. Customers can request earlier hard-deletion of specific records that are not required to be retained by law.
• Account & billing data: for the life of the account plus 7 years after closure, to comply with applicable tax and commercial record-keeping rules.
• Application logs: up to 90 days, longer if relevant to an active security investigation or legal hold.
• Audit log: at least 11 years, append-only, never overwritten.

Subject to applicable law, you have the right to:

• access the personal data we hold about you;
• request correction of inaccurate or incomplete data;
• request erasure where there is no overriding lawful or contractual basis for us to keep it;
• request restriction or object to processing where we rely on legitimate interests;
• request portability of data you provided to us in a structured, machine-readable format;
• withdraw consent at any time where we relied on consent;
• lodge a complaint with the competent supervisory authority — in KSA, the Saudi Data and Artificial Intelligence Authority (SDAIA); in UAE, the UAE Data Office; in the EU/EEA, your local Data Protection Authority.

We respond to verified rights requests within 30 days. If your request relates to Customer Data, we will route it to the controlling Customer and support them in responding to you.

A detailed description of our security controls is published at /security. In short: row-level security on every business table; database-trigger-enforced double-entry and posted-entry immutability; append-only audit log; encryption in transit (TLS 1.2+) and at rest; multi-factor authentication mandatory for administrators; no service-role keys in client code; no Customer Data in AI training sets.

The service is intended for use by accounting and finance professionals. We do not knowingly collect personal data from children under the age of 18. If you believe a child's personal data has been uploaded as part of Customer Data, contact us and we will work with the controlling Customer to address it.

We may update this policy as the service evolves and as the legal landscape shifts. The "Last updated" date at the top of the page reflects the most recent change. Material changes are notified to active Customers by email at least 14 days before they take effect.

For privacy enquiries, rights requests, or to request a signed Data Processing Addendum, write to omerhayatkhan@gmail.com with subject line "Privacy enquiry". A dedicated privacy@ address will replace this once Verith Holdings is incorporated.