Privacy Policy
Summary
We take your privacy seriously. Here's the short version:
- We only access your bank data in read-only mode
- We never sell your data to anyone
- Your data is encrypted at rest (AES-256-GCM)
- Transaction data is auto-deleted 14 months after your last report
- You can request full deletion at any time (completed within 30 days)
- We never see your bank credentials — Plaid handles authentication
- We never move money — no transfers, no payments on your behalf
1. What Data We Collect
Account information
- Email address (required for account creation and report delivery)
- Full name (optional, used in reports)
- Authentication data via Clerk (session tokens, login timestamps)
Financial data (via Plaid)
- Transaction history (up to 12 months): date, merchant name, amount, category
- Account metadata: account type (checking, savings, credit), institution name
- Account balances (for net worth calculation, when applicable)
We do NOT collect: bank account numbers, routing numbers, login credentials, Social Security numbers, or any government identification.
Payment data
Payments are processed by Stripe. We do not store credit card numbers, CVVs, or full card details. Stripe handles all payment security per PCI DSS standards.
Usage data
- IP address (for abuse prevention on the waitlist and API endpoints)
- User agent (browser/device type, for debugging)
- Feature interest selections (from the waitlist form)
2. How We Use Your Data
- Transaction analysis: to identify interest income, dividend income, and other riba-derived transactions per our published methodology
- Report generation: to produce your Annual Riba Purification Report (PDF)
- Email communication: to send your report, notify you when your review is ready, and respond to support requests
- Product improvement: aggregate, anonymized patterns (never individual data) to improve classification accuracy
We do NOT use your data for: advertising, marketing to third parties, profiling, credit scoring, or any purpose unrelated to the Nuqsaf service.
3. AI Processing
Nuqsaf uses Anthropic's Claude language model to classify transactions. When a transaction is sent to Claude for classification:
- Only the transaction name, amount, date, and category are sent — never your identity, account numbers, or other PII
- Transactions are batched (up to 20 at a time) to minimize API calls
- Anthropic's data retention policy applies to these API calls (Anthropic does not train on API data by default)
4. Third-Party Services
Nuqsaf uses the following third-party services to operate:
- Plaid, Inc. — bank account connection and transaction data (Plaid Privacy Policy)
- Supabase — database hosting (data encrypted at rest, hosted in the US)
- Clerk — authentication and user management (Clerk Privacy Policy)
- Stripe, Inc. — payment processing (Stripe Privacy Policy)
- Resend — transactional email delivery
- Anthropic — AI classification via Claude API (Anthropic Privacy Policy)
- DigitalOcean — application hosting
- Cloudflare — marketing site hosting and CDN
5. Data Retention
- Transaction data: retained for 14 months after your last report generation, then automatically deleted
- PDF reports: retained for 14 months, then automatically deleted. Save the email attachment if you want a permanent copy
- Account data: retained until you request deletion
- Waitlist entries: retained until the user is invited or requests removal
6. Your Rights
You have the right to:
- Access your data — email us and we'll provide a copy within 30 days
- Delete your data — email us and we'll delete everything within 30 days across all systems: Supabase, Clerk, Plaid (via item removal), Supabase Storage, Resend. This is permanent and irreversible.
- Correct your data — if a report contains incorrect information, we'll regenerate it at no charge
- Withdraw consent — you can disconnect your bank accounts at any time via the Nuqsaf app
These rights apply to all users regardless of location. We aim to comply with GDPR, CCPA, and equivalent privacy regulations.
7. Security
- Plaid access tokens are encrypted with AES-256-GCM using a key stored separately from the database
- All data in transit uses HTTPS/TLS
- Database access requires authentication; row-level security is enforced
- No PII (email, names, account numbers) appears in application logs
- The application never stores bank credentials — Plaid handles all bank authentication
8. Children's Privacy
Nuqsaf is not intended for use by anyone under 18 years of age. We do not knowingly collect data from children.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email. The "Last updated" date at the top of this page reflects the most recent revision.
10. Contact
For privacy-related questions, data access requests, or deletion requests:
Email: [email protected]
Nexobe, Inc.
Delaware, USA