This document is currently available in English only. The English version is the legally binding version. For translations or questions, contact legal@hexalian.com.

Privacy Policy

Last updated: March 20, 2026 — Applies to all users worldwide, including citizens and legal permanent residents of the United States and the European Economic Area (EEA).

In this privacy statement, we explain what we do with the data we obtain about you via NonaGuard. We recommend you carefully read this statement. In our processing we comply with the requirements of privacy legislation. That means, among other things, that we clearly state the purposes for which we process personal data, aim to limit collection to only what is required, first request explicit consent when required, take appropriate security measures, and respect your right to access or delete your data.

1. Information We Collect

We may collect or receive personal information for the following purposes:

Account Information: Name and email address via Google Sign-In or email/password registration (Firebase Authentication).
Odoo Instance Data: URL, database name, and API key you provide. API keys are encrypted at rest using AES-256-CBC via the Fernet specification with HMAC-SHA256 integrity verification.
Scan Results: Module lists, permission configurations, custom code flags, and health scores generated during scans.
Connector Module Data: If you install the optional NonaGuard Connector module in your Odoo instance, it periodically sends heartbeat payloads containing module lists, cron status, PostgreSQL metrics, and system health data to our servers. This data is transmitted over HTTPS and authenticated with a unique connector token.
Usage Data: Pages visited, features used, and scan frequency (via PostHog analytics).
Payment Information: Managed entirely by Stripe. We never store credit card numbers.
Contact data: Information provided through phone, mail, email, and/or web forms.
Statistics: Anonymous and aggregated data compiled for website improvement.

2. How We Use Your Data

To connect to your Odoo instance and perform health scans via XML-RPC (read-only).
To generate Pulse Scores, reports, and recommendations.
To manage your subscription and billing.
To improve our service and fix issues (error tracking via Sentry — no PII is sent).
To communicate important service updates and transactional emails.
To comply with legal obligations.

3. Disclosure Practices

We disclose personal information only if required by law or court order, in response to a law enforcement agency, or to the extent permitted under other provisions of law. If our organization is involved in a merger or acquisition, your details may be disclosed to advisers and passed to new owners.

4. Data Security

We are committed to the security of personal data. We take appropriate security measures to limit abuse of and unauthorized access to personal data:

Odoo API credentials encrypted using AES-256-CBC via Fernet with HMAC-SHA256 integrity verification.
Data stored in Google Firebase (Firestore) with strict security rules.
All connections use HTTPS/TLS encryption in transit via OpenLiteSpeed.
Redis cache protected with authentication.
Only necessary personnel have access to your data.
Security measures are regularly reviewed.

5. Data Retention

Scan results are retained for the lifetime of your account. When you delete an Odoo instance from NonaGuard, associated credentials are permanently deleted. You may request full account deletion at any time by contacting privacy@hexalian.com.

6. Cookies

NonaGuard uses cookies for authentication and session management. For product analytics, we use PostHog. We have concluded a data processing agreement with Google for Firebase services. For more information, refer to our cookie preferences in the application settings.

7. Do Not Track & Global Privacy Control

Our website does not currently respond to or support the Do Not Track (DNT) header request field. We respect your browser's Global Privacy Control signal where applicable.

8. Third-Party Services

Firebase (Google Cloud): Authentication and data storage.
Stripe: Payment processing (US/international). PCI DSS Level 1 certified.
Paddle: Payment processing (EU/international). Acts as Merchant of Record for VAT/GST compliance.
AI Providers (OpenAI, Google Gemini, Anthropic, Mistral, OpenRouter, Groq): When you enable AI-powered insights, anonymised scan data (category scores, risk summaries, module lists) may be sent to your chosen AI provider for analysis. No Odoo credentials, personally identifiable information, or raw database records are shared with AI providers. Your AI API keys are encrypted at rest using AES-256-CBC and are never logged or exposed.
Webhook Destinations (Slack, Microsoft Teams, custom URLs): If you configure notification webhooks, scan summaries and alert data are sent to the webhook URL you provide. We do not control or guarantee the security of your webhook endpoints.
Sentry: Error monitoring (no PII is sent).
PostHog: Product analytics (EU data processing agreement in place).

This privacy policy does not apply to third-party websites connected by links. We recommend you read their privacy statements before use.

9. Your Rights

You have the following rights with respect to your personal data:

You may submit a request for access to the data we process about you.
You may object to the processing.
You may request an overview of the data we process about you in a commonly used format.
You may request correction or deletion of data if it is incorrect or no longer relevant.
You may ask to restrict the processing of your data.
You may appeal our decision if we refuse a request, and submit a complaint with the competent authority.

Please clearly state who you are when contacting us so we can verify your identity. We shall provide requested information only upon receipt of a verifiable consumer request.

10. European Users — GDPR Compliance

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Legal Basis: We process your data based on: (a) your consent (e.g., analytics cookies), (b) performance of a contract (e.g., providing the Service), (c) compliance with legal obligations, and (d) our legitimate interests (e.g., fraud prevention, service improvement).
Right to Erasure: You may request complete deletion of your personal data. Contact privacy@hexalian.com and we will process your request within 30 days.
Right to Data Portability: You may request a machine-readable export of your personal data.
Right to Restrict Processing: You may ask us to limit how we process your data.
Right to Object: You may object to processing based on legitimate interests.
Data Protection Officer: For GDPR-related inquiries, contact privacy@hexalian.com.
Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.

International Transfers: Your data is stored in Google Cloud (Firebase) data centers. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Paddle, our EU payment processor, acts as Merchant of Record and processes EU payment data within the EEA.

Data Processing Agreements: We maintain DPAs with all sub-processors (Google/Firebase, Stripe, Paddle, Sentry, PostHog) in accordance with GDPR Article 28.

11. Children

NonaGuard is not designed to attract children. We do not intentionally collect personal data from children under the age of consent in their country of residence. We request that children under the age of consent do not submit any personal data to us.

12. Amendments

We reserve the right to amend this privacy statement. We recommend you consult it regularly. We will actively inform you of changes wherever possible.

13. Contact Information

NonaGuard is owned and operated by Hexalian LLC.

30 N Gould St Ste R, Sheridan, WY 82801, United States

Email: privacy@hexalian.com

Phone: +1 (724) 215-3235

Web: hexalian.com