Privacy Notice

1. Who we are

Rexeipt (“we”, “us”) is a business management platform for SMEs that operates over WhatsApp and a web dashboard at rexeipt.com. We are the data controller for the data covered by this notice unless we say otherwise (the data your customers leave with you stays under your business’s control — we are the data processor on your behalf for that subset).

Our Data Protection Officer (DPO) can be reached at app@rexeipt.com. We respond to verified requests within 30 days.

2. What data we collect

2.1 Account data (you, the business owner)

• Name, phone number, email, password hash.
• Business name, currency, timezone, and the slug used in receipt links.
• Plan + billing data (subscription tier, payment provider tokens — we never store full card numbers).
• Sign-in metadata: IP address, user agent, login timestamps.

2.2 Operational data (your business)

• Items, prices, stock levels, suppliers.
• Sales, transactions, expenses, transfers, and the staff member attached to each.
• Customer records you create (name, phone, optional email, debt history).
• Receipts — including the canonical receipt page rendered at /receipt/<code>.

2.3 Copilot interaction data (opt-in)

When a business owner consents to the Copilot (see Section 12), we additionally collect:

• The text or voice messages you send the Copilot on WhatsApp or web.
• The tool calls the Copilot makes on your behalf (every call is logged in ai_tool_calls for audit).
• Business signals — derived events like “low stock”, “daily summary ready” — used to power proactive nudges. Personally-identifying details (emails, long digit strings, URLs, card-shaped numbers) are scrubbed before the signal is stored.
• Consent events — every grant, revoke, pause, resume, export, and erase action with the channel it came from.

2.4 Customer data (your customers)

Phone numbers and names that you record on customer-facing transactions live here. We process this data on your behalf; your business is the controller. If your customer asks us directly to access or delete their data, we forward the request to you.

3. How we use your data

• Run the service: record sales, send receipts, calculate daily profit, attribute transactions to staff.
• Talk to you: daily summary at 9 PM, restock alerts, low-stock warnings, billing notices.
• Power the Copilot (only with consent — see Section 12): answer questions, advise on inventory and credit, run recurring tasks like “improve my business this week”.
• Detect fraud + abuse: we audit every tool call, watch for cross-tenant access attempts, and reject impossible UUIDs server-side.
• Improve Rexeipt: aggregate, de-identified usage data informs product decisions. We never sell your data and we never train external models on it.

4. Legal bases (NDPA + GDPR)

We rely on the following legal bases under NDPA Section 25 and GDPR Article 6:

• Performance of a contract (NDPA 25(c) / GDPR 6(1)(b)) — the data you give us at signup, plus the operational data needed to run sales tracking.
• Consent (NDPA 25(a) / GDPR 6(1)(a)) — Copilot data, marketing messages, optional analytics. You can withdraw consent at any time using “STOP COPILOT” on WhatsApp or the privacy settings in your portal.
• Legitimate interests (NDPA 25(f) / GDPR 6(1)(f)) — fraud prevention and security audit logs. Your right to object applies; contact our DPO if you disagree with a specific use.
• Legal obligation (NDPA 25(d) / GDPR 6(1)(c)) — Nigerian tax and accounting regulations require us to keep transactional records for 7 years. See Section 6.

5. Sharing & sub-processors

We do not sell your data. We share it only with the sub-processors below, each bound by a Data Processing Agreement and the cross-border transfer safeguards required by NDPA Section 41 and GDPR Chapter V (Standard Contractual Clauses where applicable).

We will update this list at least 30 days before adding a new sub-processor.

6. Retention

• Account data: kept while your account is active and for 12 months after closure, then deleted unless we’re required to keep it longer by tax law.
• Transactional data (sales, receipts, expenses): 7 years from the date of the transaction, per Nigerian Companies and Allied Matters Act and FIRS record-keeping rules.
• Copilot data (signals, tool-call audit, proactive outbox): default 540 days, adjustable by the business owner between 30 and 3,650 days in Portal › Settings › Privacy. Daily retention sweep runs at 03:13 UTC and purges anything older.
• Consent audit log: a regulatory minimum of 1,095 days (3 years) applies even if you set a tighter retention. Required by NDPA auditors to verify consent history.
• Backups: rolling 30-day window. Erasure requests propagate to backups during the next backup cycle and are fully gone within 30 days.

7. Security

• TLS 1.2+ in transit. AES-256 at rest for database and object storage.
• Multi-tenant isolation enforced at four layers: application RBAC, scoped database transactions, Postgres row-level security, and a post-LLM cross-tenant UUID validator on every Copilot tool call.
• Every Copilot tool call writes an immutable audit row recording the actor, the business at message-time, and the validator outcome.
• Two-factor authentication available for owner accounts.
• Quarterly penetration testing; we publish a security overview at Terms § Security.
• If we ever suffer a personal-data breach affecting you, we’ll notify the regulator within 72 hours per NDPA Section 40 / GDPR Article 33, and notify you without undue delay if the breach is likely to cause harm.

8. Your rights

You have the following rights under NDPA + GDPR. To exercise any of them, email app@rexeipt.com or use the Privacy page in your portal:

• Access — request a JSON export of your Copilot data, your account record, and your business operational data. The Copilot data export is available self-service in the portal.
• Rectification — correct any inaccurate data; most fields are editable directly in the portal.
• Erasure (“right to be forgotten”) — wipe Copilot data self-service from the portal; account + transactional erasure requires our DPO because of overlapping legal-retention obligations.
• Restriction — pause processing while a dispute is under review.
• Portability — the export bundle is in a structured, machine-readable JSON format suitable for moving to another platform.
• Objection — to processing based on legitimate interests, or to direct marketing.
• Withdraw consent — for anything where consent is the legal basis (Copilot, marketing, analytics). Withdrawal does not affect anything we lawfully did before withdrawal.
• Lodge a complaint with the Nigeria Data Protection Commission (ndpc.gov.ng) or your local EU / UK supervisory authority.

9. Children

Rexeipt is for businesses operated by adults. We do not knowingly collect data from anyone under 18. If you believe a child has provided us with data, contact our DPO and we’ll delete it.

10. International transfers

Most of your data lives in EU and African data centers. Some sub-processors (notably DeepInfra for embeddings) operate in the United States. Cross-border transfers happen under Standard Contractual Clauses (SCCs) approved by the European Commission and aligned with the NDPA’s adequacy-or-safeguards regime.

11. Cookies & analytics

The marketing site uses minimal cookies for session continuity and (with your opt-in) PostHog product analytics. The portal uses a session cookie scoped to the portal hostname; storefront pages on a separate origin cannot read it. We don’t use third-party advertising trackers.

13. Updates to this notice

If we make a material change, we’ll notify you on WhatsApp + email at least 14 days before it takes effect. The date at the top of this page is the current effective date. We keep an archive of past versions; ask the DPO if you want a copy.

14. Contact us

Email app@rexeipt.com for any privacy or data-protection question. For DPO-specific correspondence, mark the subject line with “DPO request” — that routes to a dedicated queue with a 30-day SLA.