Privacy Policy
Last updated: March 6, 2026 — Applies to all users worldwide, including citizens and legal permanent residents of the United States and the European Economic Area (EEA).
1. Information We Collect
We may collect or receive the following types of personal information:
- Account Information: Name and email address via Google Sign-In or email/password registration (Firebase Authentication).
- Odoo Instance Data: URL, database name, and API key you provide. API keys are encrypted at rest using AES-256-CBC via the Fernet specification with HMAC-SHA256 integrity verification.
- Scan Results: Module lists, permission configurations, custom code flags, and health scores generated during scans.
- Usage Data: Pages visited, features used, and scan frequency (via PostHog analytics).
- Payment Information: Managed entirely by Stripe. We never store credit card numbers.
- Contact Data: Information provided through phone, mail, email, and/or web forms.
- Statistics: Anonymous and aggregated data compiled for website improvement.
2. How We Use Your Data
- To connect to your Odoo instance and perform health scans via XML-RPC (read-only).
- To generate Pulse Scores, reports, and recommendations.
- To manage your subscription and billing.
- To improve our service and fix issues (error tracking via Sentry — no PII is sent).
- To communicate important service updates and transactional emails.
- To comply with legal obligations.
3. Disclosure Practices
We disclose personal information only if required by law or court order, in response to a law enforcement agency, or to the extent permitted under other provisions of law. If our organization is involved in a merger or acquisition, your details may be disclosed to advisers and passed to new owners.
4. Data Security
We are committed to the security of personal data. We take appropriate security measures to limit abuse of and unauthorized access to personal data:
- Odoo API credentials encrypted using AES-256-CBC via Fernet with HMAC-SHA256 integrity verification.
- Data stored in Google Firebase (Firestore) with strict security rules.
- All connections use HTTPS/TLS encryption in transit via OpenLiteSpeed.
- Redis cache protected with authentication.
- Only necessary personnel have access to your data.
- Security measures are regularly reviewed.
5. Data Retention
Scan results are retained for the lifetime of your account. When you delete an Odoo instance from NonaGuard, associated credentials are permanently deleted. You may request full account deletion at any time by contacting privacy@hexalian.com.
6. Cookies
NonaGuard uses cookies for authentication and session management. For product analytics, we use PostHog. We have concluded a data processing agreement with Google for Firebase services. For more information, refer to our cookie preferences in the application settings.
7. Do Not Track & Global Privacy Control
Our website does not currently respond to or support the Do Not Track (DNT) header request field. We respect your browser's Global Privacy Control signal where applicable.
8. Third-Party Services
- Firebase (Google Cloud): Authentication and data storage.
- Stripe: Payment processing (US/international). PCI DSS Level 1 certified.
- Paddle: Payment processing (EU/international). Acts as Merchant of Record for VAT/GST compliance.
- Sentry: Error monitoring (no PII is sent).
- PostHog: Product analytics (EU data processing agreement in place).
This privacy policy does not apply to third-party websites connected by links. We recommend you read their privacy statements before use.
9. Your Rights
You have the following rights with respect to your personal data:
- You may submit a request for access to the data we process about you.
- You may object to the processing.
- You may request an overview of the data we process about you in a commonly used format.
- You may request correction or deletion of data if it is incorrect or no longer relevant.
- You may ask to restrict the processing of your data.
- You may appeal our decision if we refuse a request, and submit a complaint with the competent authority.
Please clearly state who you are when contacting us so we can verify your identity. We shall provide requested information only upon receipt of a verifiable consumer request.
10. European Users — GDPR Compliance
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis: We process your data based on: (a) your consent (e.g., analytics cookies), (b) performance of a contract (e.g., providing the Service), (c) compliance with legal obligations, and (d) our legitimate interests (e.g., fraud prevention, service improvement).
- Right to Erasure: You may request complete deletion of your personal data. Contact privacy@hexalian.com and we will process your request within 30 days.
- Right to Data Portability: You may request a machine-readable export of your personal data.
- Right to Restrict Processing: You may ask us to limit how we process your data.
- Right to Object: You may object to processing based on legitimate interests.
- Data Protection Officer: For GDPR-related inquiries, contact privacy@hexalian.com.
- Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.
International Transfers: Your data is stored in Google Cloud (Firebase) data centers. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Paddle, our EU payment processor, acts as Merchant of Record and processes EU payment data within the EEA.
Data Processing Agreements: We maintain DPAs with all sub-processors (Google/Firebase, Stripe, Paddle, Sentry, PostHog) in accordance with GDPR Article 28.
11. Children
NonaGuard is not designed to attract children. We do not intentionally collect personal data from children under the age of consent in their country of residence. We request that children under the age of consent do not submit any personal data to us.
12. Amendments
We reserve the right to amend this privacy statement. We recommend you consult it regularly. We will actively inform you of changes wherever possible.
13. Contact Information
NonaGuard is owned and operated by Hexalian LLC.