Privacy Policy

1. Who We Are

Nalevra, Inc. ("Nalevra," "we," "us," or "our") operates a compliance intelligence platform at nalevra.com. We help organisations assess their compliance posture, identify gaps across governance domains, manage obligations, and prepare documentation for investors, enterprise customers, and regulatory purposes.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and what rights you have over it. It applies to all users of the Nalevra platform, including the Gap Assessment, Assessment Hub, Nalevra Command, and Verification Service.

For questions about this policy, contact us at privacy@nalevra.com.

2. Data We Collect

We collect the following categories of personal and organisational data:

Account and registration data

• Full name and email address
• Company or organisation name
• Password (stored as a hashed value; we never store your password in plain text)
• Account creation date and login activity

Assessment data

• All answers you provide across the four phases of the Gap Assessment, covering jurisdiction, risk profile, control existence, and control effectiveness
• Evidence files or notes you upload or attach to specific questions
• Your organisation's sector, employee count, revenue range, and country of incorporation
• Countries in which you operate and where your data subjects are located
• Whether you process sensitive, financial, children's, or biometric data
• Existing certifications and regulatory registrations

Compliance programme data (Nalevra Command users)

• Obligation titles, descriptions, domains, severity ratings, and statuses
• Owner assignments and due dates for obligations
• Remediation notes and evidence attached to obligations
• Team member names, email addresses, and roles within your Command organisation
• Posture snapshots recording your compliance score and obligation counts over time
• Regulatory updates and horizon monitoring data relevant to your jurisdictions

Verification service data

• Assessment outputs submitted for review
• Evidence documents and policy materials you share with a reviewer
• Reviewer notes, verification decisions, and supporting comments
• Verification tier, status, and date of issue

Payment data

• Billing name and address
• Payment method type and last four digits (held by Stripe; we do not store full card numbers)
• Transaction history and subscription status

Technical and usage data

• IP address and approximate geolocation
• Browser type and version, operating system, and device type
• Pages visited, features used, assessment progress, and session duration
• Authentication tokens and session identifiers stored as secure cookies
• Error logs and diagnostic data used to maintain platform reliability

3. How We Use Your Data

To provide the Service

We use your account data and assessment answers to operate the platform, generate your compliance report, populate your Assessment Hub, and activate Nalevra Command. Without this data the Service cannot function.

To generate AI-powered analysis

Your assessment answers, company profile, and jurisdiction data are processed by AI systems (including Anthropic's Claude) to produce your compliance score, domain scores, gap findings, 90-day roadmap, and document checklist. This processing is automated. Human employees do not review your individual answers unless you contact support or a technical issue requires investigation.

To run the Verification Service

If you purchase a verification, we share your assessment outputs and submitted evidence with an assigned qualified reviewer. The reviewer uses this data to form a professional opinion on your compliance posture and issue a verified outcome.

To operate Nalevra Command

Obligation data, team assignments, posture snapshots, and regulatory monitoring data are used to power the Command dashboard and generate reports including the Investor Pack.

To process payments

Billing data is passed to Stripe to process transactions. We retain transaction records for accounting and legal compliance purposes.

To improve the platform

We may use aggregated and anonymised usage data and assessment patterns to improve our scoring models, refine our assessment questions, and develop new features. We do not use your individually identifiable assessment answers to train third-party AI models.

To communicate with you

We use your email address to send account confirmations, report delivery notifications, team invitations, subscription renewal reminders, and responses to support requests. We do not send unsolicited marketing emails without your consent.

To comply with legal obligations

We may process or retain data as required by applicable law, including tax law, financial regulation, and data protection law.

4. Legal Bases for Processing (GDPR and Similar Frameworks)

Where applicable data protection law requires us to identify a legal basis for processing, we rely on the following:

• Contract: Processing necessary to deliver the Service you have purchased, including generating your assessment report and operating Command.
• Legitimate interests: Processing for platform security, fraud prevention, service improvement using anonymised data, and direct communications about the Service.
• Legal obligation: Retention of payment and transaction records as required by tax and accounting law.
• Consent: Where we rely on consent for optional processing such as marketing communications, you may withdraw consent at any time by contacting privacy@nalevra.com.

5. Who We Share Your Data With

We do not sell your personal data. We share it only as described below.

• Anthropic: Your assessment answers and company profile are submitted to Anthropic's Claude API to generate your compliance report. Data is processed under our agreement with Anthropic. Anthropic does not use customer data to train their models for other users.
• Stripe: Payment data is processed by Stripe, Inc. Stripe receives billing name, address, and payment method details. We do not store full card numbers. Stripe's processing is subject to their privacy policy and applicable financial regulation.
• Neon (database hosting): Your data is stored in a PostgreSQL database hosted by Neon. Neon processes data on our behalf under a data processing agreement and does not access your data for their own purposes.
• Vercel (platform hosting): The Nalevra application is hosted on Vercel. Server-side processing and API requests run on Vercel infrastructure. Vercel processes data on our behalf as a data processor.
• Verification reviewers: If you purchase the Verification Service, your assessment outputs and submitted evidence are shared with an assigned qualified reviewer who is bound by confidentiality obligations.
• Your team members: If you are using Nalevra Command, data about your organisation's compliance programme, including obligations, scores, and team assignments, is visible to other members of your Command organisation according to their assigned role.
• Legal and regulatory requirements: We may disclose data if required by law, regulation, court order, or to protect the rights, property, or safety of Nalevra, our users, or others.

6. International Data Transfers

Nalevra operates primarily from the United States. Your data may be transferred to and processed in the United States and other countries where our service providers operate. If you are located in the UK, European Economic Area, or another jurisdiction with data transfer restrictions, we rely on appropriate safeguards including Standard Contractual Clauses approved by the European Commission to ensure your data is adequately protected in transit and at rest.

7. Data Retention

We retain your data for the following periods:

• Account data: Retained while your account is active and for 12 months after closure, unless a longer period is required by law.
• Assessment data and reports: Retained for the lifetime of your account and for 2 years after account closure.
• Command obligation data and snapshots: Retained while Command is active and for 2 years after closure.
• Verification records: Retained for 5 years to support any subsequent challenge to a verification outcome.
• Payment and transaction records: Retained for 7 years as required by tax and accounting law.
• Technical and usage logs: Retained for up to 90 days for security and diagnostic purposes.

You may request deletion of your account and associated data at any time. We will honour deletion requests subject to any legal retention obligations that override them.

8. Data Security

We implement the following technical and organisational measures to protect your data:

• Encryption of all data in transit using TLS
• Encryption of data at rest in our database
• Password hashing using industry-standard algorithms
• Role-based access controls limiting which team members can access your data
• Optional multi-factor authentication for Nalevra Command
• Secure session management and authentication token handling
• Regular security monitoring and logging

In the event of a data breach that poses a risk to your personal data, we will notify affected users and relevant data protection authorities as required by applicable law, typically within 72 hours of becoming aware of the incident.

9. Cookies

We use a small number of cookies that are strictly necessary to operate the Service:

• Authentication cookies: Secure, HTTP-only session tokens that keep you logged in during your session. These are essential and cannot be disabled without breaking the Service.
• Preference cookies: Used to remember settings such as assessment progress and UI state.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies that share your data with external parties. We do not participate in cross-site tracking or retargeting.

10. Your Rights

Depending on your location, you may have the following rights over your personal data. We honour these rights for all users regardless of jurisdiction.

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data, subject to legal retention obligations.
• Data portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing of your data for legitimate interests.
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Withdrawal of consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

These rights apply under GDPR (EU and EEA users), UK GDPR (UK users), the Nigeria Data Protection Act (Nigerian users), and equivalent data protection laws in other jurisdictions where we operate. California residents also have rights under the CCPA, including the right to know, delete, and opt out of the sale of personal information. We do not sell personal information.

To exercise any of these rights, contact us at privacy@nalevra.com. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

11. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has submitted data through the Service, please contact us at privacy@nalevra.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. We will notify you of material changes by posting the revised policy on this page and updating the date above. For significant changes affecting your rights, we will provide notice by email or through the platform. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.

13. Contact and Complaints

For questions, requests, or complaints about this Privacy Policy or our data practices, contact us at: privacy@nalevra.com

If you are located in the UK or EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority, such as the Information Commissioner's Office (ICO) in the UK or the relevant supervisory authority in your EU member state.