Privacy Notice

Last updated . We notify business owners by WhatsApp + email at least 14 days before any material change takes effect.

This notice explains what data Rexeipt collects, why, how long we keep it, and how you exercise your rights under the Nigeria Data Protection Act 2023 (NDPA) and the EU / UK General Data Protection Regulation (GDPR). We use plain language; legal terms are explained the first time they appear.

1. Who we are

Rexeipt (“we”, “us”) is a business management platform for SMEs that operates over WhatsApp and a web dashboard at rexeipt.com. We are the data controller for the data covered by this notice unless we say otherwise (the data your customers leave with you stays under your business’s control — we are the data processor on your behalf for that subset).

Our Data Protection Officer (DPO) can be reached at app@rexeipt.com. We respond to verified requests within 30 days.

2. What data we collect

2.1 Account data (you, the business owner)

  • Name, phone number, email, password hash.
  • Business name, currency, timezone, and the slug used in receipt links.
  • Plan + billing data (subscription tier, payment provider tokens — we never store full card numbers).
  • Sign-in metadata: IP address, user agent, login timestamps.

2.2 Operational data (your business)

  • Items, prices, stock levels, suppliers.
  • Sales, transactions, expenses, transfers, and the staff member attached to each.
  • Customer records you create (name, phone, optional email, debt history).
  • Receipts — including the canonical receipt page rendered at /receipt/<code>.

2.3 Copilot interaction data (opt-in)

When a business owner consents to the Copilot (see Section 13), we additionally collect:

  • The text or voice messages you send the Copilot on WhatsApp or web.
  • The tool calls the Copilot makes on your behalf (every call is logged in ai_tool_calls for audit).
  • Business signals — derived events like “low stock”, “daily summary ready” — used to power proactive nudges. Personally-identifying details (emails, long digit strings, URLs, card-shaped numbers) are scrubbed before the signal is stored.
  • Consent events — every grant, revoke, pause, resume, export, and erase action with the channel it came from.

2.4 Customer data (your customers)

Phone numbers and names that you record on customer-facing transactions live here. We process this data on your behalf; your business is the controller. If your customer asks us directly to access or delete their data, we forward the request to you.

2.5 Mobile-app permissions (Android & iOS apps only)

The Rexeipt mobile apps request a small, well-scoped set of device permissions. You are prompted at first use, can deny each individually, and can revoke any of them later in your phone’s settings — the related feature simply stops working until you re-enable it.

  • Microphone (RECORD_AUDIO on Android, NSMicrophoneUsageDescription on iOS) — used only when you tap the in-app assistant’s mic button. While you hold the button, your device records a short audio clip (typically a few seconds to one minute). When you release, the clip is sent to Rexeipt’s backend over TLS, which immediately forwards it to our speech-to-text sub-processor — DeepInfra, running OpenAI’s Whisper-large-v3-turbo model in the United States under Standard Contractual Clauses (see Section 5). The transcript comes back, the audio buffer is discarded from memory, and only the transcribed text is then handled like any other Copilot message (Section 2.3). We do not store the raw audio anywhere — neither on the device, in our database, nor in our object storage — and we never use voice clips to train models. If you prefer not to send audio off-device at all, type your message instead; the mic button is always optional.
  • Camera — used only when you choose to capture a receipt, an item photo, or a profile picture. The resulting image is uploaded to Rexeipt object storage and from that point is treated as operational data (Section 2.2): scoped to your business tenant and subject to the same retention rules as the related transaction.
  • Push notifications — used to deliver daily summaries, restock alerts, and Copilot replies. The notification token is bound to your account so we never deliver another business’s notification to your device.
  • Photo library / file storage — used only when you explicitly attach an existing photo (e.g. a receipt you snapped earlier) or save a generated receipt PDF. We never browse the wider photo library.

3. How we use your data

  • Run the service: record sales, send receipts, calculate daily profit, attribute transactions to staff.
  • Talk to you: daily summary at 9 PM, restock alerts, low-stock warnings, billing notices.
  • Power the Copilot (only with consent — see Section 13): answer questions, advise on inventory and credit, run recurring tasks like “improve my business this week”.
  • Detect fraud + abuse: we audit every tool call, watch for cross-tenant access attempts, and reject impossible UUIDs server-side.
  • Improve Rexeipt: aggregate, de-identified usage data informs product decisions. We never sell your data and we never train external models on it.

5. Sharing & sub-processors

We do not sell your data. We share it only with the sub-processors below, each bound by a Data Processing Agreement and the cross-border transfer safeguards required by NDPA Section 41 and GDPR Chapter V (Standard Contractual Clauses where applicable).

Sub-processor | Purpose | Region
Amazon Web Services / DigitalOcean | Application hosting, Postgres, object storage. | EU + Africa
WhatsApp Business API (Meta) | Delivering / receiving WhatsApp messages. | Ireland
DeepInfra | Embedding generation for the Copilot knowledge base; speech-to-text transcription of the in-app and WhatsApp voice messages (Whisper-large-v3-turbo, audio held only in transit). | USA (SCCs)
Paystack / Stripe | Subscription billing. We never see full card numbers. | Nigeria + EU
PostHog | Product analytics. Pseudonymous; opt-out via portal. | EU

We will update this list at least 30 days before adding a new sub-processor.

6. Retention

  • Account data: kept while your account is active and for 12 months after closure, then deleted unless we’re required to keep it longer by tax law.
  • Transactional data (sales, receipts, expenses): 7 years from the date of the transaction, per Nigerian Companies and Allied Matters Act and FIRS record-keeping rules.
  • Copilot data (signals, tool-call audit, proactive outbox): default 540 days, adjustable by the business owner between 30 and 3,650 days in Portal › Settings › Privacy. Daily retention sweep runs at 03:13 UTC and purges anything older.
  • Consent audit log: a regulatory minimum of 1,095 days (3 years) applies even if you set a tighter retention. Required by NDPA auditors to verify consent history.
  • Backups: rolling 30-day window. Erasure requests propagate to backups during the next backup cycle and are fully gone within 30 days.

7. Security

  • TLS 1.2+ in transit. AES-256 at rest for database and object storage.
  • Multi-tenant isolation enforced at four layers: application RBAC, scoped database transactions, Postgres row-level security, and a post-LLM cross-tenant UUID validator on every Copilot tool call.
  • Every Copilot tool call writes an immutable audit row recording the actor, the business at message-time, and the validator outcome.
  • Two-factor authentication available for owner accounts.
  • Quarterly penetration testing; we publish a security overview at Terms § Security.
  • If we ever suffer a personal-data breach affecting you, we’ll notify the regulator within 72 hours per NDPA Section 40 / GDPR Article 33, and notify you without undue delay if the breach is likely to cause harm.

8. Your rights

You have the following rights under NDPA + GDPR. To exercise any of them, email app@rexeipt.com or use the Privacy page in your portal:

  • Access — request a JSON export of your Copilot data, your account record, and your business operational data. The Copilot data export is available self-service in the portal.
  • Rectification — correct any inaccurate data; most fields are editable directly in the portal.
  • Erasure (“right to be forgotten”) — wipe Copilot data self-service from the portal; account + transactional erasure requires our DPO because of overlapping legal-retention obligations.
  • Restriction — pause processing while a dispute is under review.
  • Portability — the export bundle is in a structured, machine-readable JSON format suitable for moving to another platform.
  • Objection — to processing based on legitimate interests, or to direct marketing.
  • Withdraw consent — for anything where consent is the legal basis (Copilot, marketing, analytics). Withdrawal does not affect anything we lawfully did before withdrawal.
  • Lodge a complaint with the Nigeria Data Protection Commission (ndpc.gov.ng) or your local EU / UK supervisory authority.

9. Account & data deletion

You can remove your data from Rexeipt through one of two paths, depending on what you want erased. Both honour the same retention floor described under What we have to keep below.

A. Copilot data — self-service in the portal

For the data the Copilot has accumulated about your business (signals, conversations, tool-call audit, engagement scores):

  • Sign in at rexeipt.com/portal.
  • Go to Settings › Privacy.
  • Click Erase all my Copilot data, type ERASE to confirm.
  • Effect: every Copilot row tied to your business is deleted within seconds. The Copilot is automatically turned off. Your account, transactions, items, and customer records stay intact.

B. Whole-account erasure — via the DPO

For full deletion of your Rexeipt account (profile, login credentials, Copilot data, and the customer records you have created):

  • Email app@rexeipt.com with the subject line DPO request: account deletion.
  • Include the phone number and email address tied to your Rexeipt account so we can verify ownership before we act.
  • We acknowledge within 72 hours and complete verified requests within 30 days.
  • Backups containing your data are purged during the next backup cycle and are fully gone within an additional 30 days (60 days from the request, worst case).

What we have to keep, even after deletion

Three narrow categories survive deletion because Nigerian and EU law require us to keep them. They are stripped of your name, email, and business name where possible, and are never used to contact you:

  • Transactional records (sales, receipts, expenses, payouts) — 7 years from the transaction date, per the Companies and Allied Matters Act and FIRS record-keeping rules. Auto-deleted after the floor.
  • Consent audit log — the bare timestamps of which Terms / Privacy versions you accepted and when you withdrew — 3 years (1,095 days) per NDPA auditing requirements.
  • Security log of the deletion request itself — IP address and timestamp, retained for 90 days for fraud-investigation purposes.

In-app delete button

We are building a one-tap Delete account button into the portal Settings page so you don’t have to email anyone. Until it ships, the email path above is the canonical flow and is honoured under the same 30-day SLA.

10. Children

Rexeipt is for businesses operated by adults. We do not knowingly collect data from anyone under 18. If you believe a child has provided us with data, contact our DPO and we’ll delete it.

11. International transfers

Most of your data lives in EU and African data centers. Some sub-processors (notably DeepInfra for Copilot embeddings and voice-message transcription) operate in the United States. Cross-border transfers happen under Standard Contractual Clauses (SCCs) approved by the European Commission and aligned with the NDPA’s adequacy-or-safeguards regime.

12. Cookies & analytics

The marketing site uses minimal cookies for session continuity and (with your opt-in) PostHog product analytics. The portal uses a session cookie scoped to the portal hostname; storefront pages on a separate origin cannot read it. We don’t use third-party advertising trackers.

13. The Copilot

The Copilot reads only the three data buckets the consent prompt names: sales, stock, and customers. It does not read your personal WhatsApp chats, your contacts list, or any conversation outside the Rexeipt thread.

You start it with START COPILOT on WhatsApp (or the toggle in the portal), pause it with PAUSE COPILOT 7D, and stop it permanently with STOP COPILOT. Stopping the Copilot does not delete your transactional data; for that, use the “Erase Copilot data” button in portal settings.

For a plain-language walk-through of what the Copilot does, what it never does, and how to control it, see the dedicated Copilot Terms.

14. Updates to this notice

If we make a material change, we’ll notify you on WhatsApp + email at least 14 days before it takes effect. The date at the top of this page is the current effective date. We keep an archive of past versions; ask the DPO if you want a copy.

15. Contact us

Email app@rexeipt.com for any privacy or data-protection question. For DPO-specific correspondence, mark the subject line with “DPO request” — that routes to a dedicated queue with a 30-day SLA.