Privacy Policy

Nexora (“we”, “us”, or “our”) is a multi-tenant enterprise management platform developed and operated by Vected Technologies. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use the Nexora platform.

For data protection enquiries, contact our Data Protection Officer at dpo@nexora.app.

We collect the following categories of personal data:

We use your personal data to:

• Provide, operate, and improve the Nexora platform.
• Authenticate users and enforce role-based access controls.
• Process payroll, leave requests, and attendance records on behalf of your organisation.
• Send operational notifications (email alerts for leave approvals, ticket assignments, etc.).
• Deliver push notifications if you have granted permission.
• Generate audit logs for compliance and security purposes.
• Respond to support requests and troubleshoot issues.
• Comply with legal obligations.

We do not use your data for advertising, sell it to third parties, or process it for profiling beyond what is necessary to deliver the service.

We process personal data on the following legal bases:

• Contract: Processing necessary to provide the services you have subscribed to.
• Legitimate interests: Security monitoring, fraud prevention, and platform improvement.
• Legal obligation: Compliance with applicable laws and regulations.
• Consent: Push notifications (you may withdraw consent at any time in your profile settings).

Nexora is a multi-tenant platform. Each organisation's data is logically isolated using tenant-scoped database queries. Users of one organisation cannot access data belonging to another organisation. Platform administrators (“Super Admins”) can access tenant metadata for operational purposes (e.g., plan management) but cannot access individual employee records of other organisations.

• Account & HR data: Retained for the duration of your subscription plus 90 days after termination.
• Audit logs: Retained for 24 months.
• Chat messages: Retained for 12 months by default; configurable by your organisation admin.
• Backups: Encrypted backups are retained for 30 days.

After the applicable retention period, data is securely deleted using industry-standard methods.

We share personal data only in the following circumstances:

• Sub-processors: Cloud infrastructure (Supabase / AWS), email delivery (SMTP provider), and file storage. All sub-processors are bound by data processing agreements.
• Legal requirements: When required by law, court order, or governmental authority.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction with prior notice.

We do not sell, rent, or trade personal data.

We implement the following security measures:

• All data is encrypted in transit using TLS 1.2+.
• Passwords are hashed using bcrypt (cost factor 12) — we never store plaintext passwords.
• JWT tokens have short expiry windows and support refresh token rotation.
• All sensitive actions are recorded in an immutable audit log.
• Role-based access control (RBAC) with fine-grained permissions.
• Rate limiting on all authentication endpoints to prevent brute-force attacks.

Despite these measures, no system is completely secure. In the event of a data breach, we will notify affected users within 72 hours as required by applicable data protection laws.

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate data.
• Erasure: Request deletion of your personal data (“right to be forgotten”).
• Portability: Request your data in a machine-readable format (CSV export is available from within the platform).
• Objection: Object to processing based on legitimate interests.
• Withdrawal of consent: Withdraw consent for push notifications at any time in your profile settings.

To exercise any of these rights, email privacy@nexora.app. We will respond within 30 days.

The Platform uses browser local storage to store your authentication token and user preferences (theme, locale). No third-party tracking cookies are set. If you use a browser that blocks local storage, some features may not function correctly.

The Platform is intended for use by organisations and their employees. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor's data has been collected, contact us immediately at privacy@nexora.app.

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by displaying a prominent notice on the Platform at least 14 days before the changes take effect.

For privacy-related questions or to exercise your data rights, contact us at privacy@nexora.app.

Data Protection Officer: dpo@nexora.app