Privacy Policy

Last updated: 11 March 2026

1. Introduction

GrowthNexus (Pty) Ltd ("GrowthNexus", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use the GrowthNexus platform and DueDeck service (the "Service").

This policy complies with the Protection of Personal Information Act, 2013 (POPIA) of South Africa and the General Data Protection Regulation (GDPR) of the European Union, where applicable.

2. Responsible Party / Data Controller

GrowthNexus (Pty) Ltd
Cape Town, South Africa
Email: privacy@growthnexus.ai

For POPIA purposes, GrowthNexus is the "responsible party". For GDPR purposes, GrowthNexus is the "data controller".

3. Information We Collect

3.1 Information You Provide

  • Account information: full name, email address, password (hashed), organisation name.
  • Billing information: payment details processed by our payment provider (Stitch). We do not store full card numbers.
  • Communications: emails, support requests, and feedback you send to us.

3.2 Information from Connected Services

When you connect third-party services (Xero, QuickBooks Online, Google Drive), we access and store data from those platforms ("Connected Data") as permitted by the OAuth scopes you authorise, including:

  • Chart of accounts, trial balances, profit & loss reports, and balance sheets.
  • Organisation details (company name, financial year-end, base currency).
  • Document metadata, file names, and file contents from connected Google Drive folders.

3.3 Information Collected Automatically

  • IP address, browser type, device information, and operating system.
  • Usage data: pages visited, features used, timestamps, and session duration.
  • Cookies and similar technologies (see Section 9).

4. Lawful Basis for Processing

We process your personal information on the following legal grounds:

  • Contract performance: to provide and maintain the Service as agreed in our Terms of Service.
  • Legitimate interest: to improve the Service, prevent fraud, and ensure security.
  • Consent: where you have explicitly opted in (e.g. marketing communications).
  • Legal obligation: to comply with applicable laws, regulations, and lawful requests.

Under POPIA, processing is justified under sections 11(1)(a) (consent), 11(1)(b) (contract), 11(1)(c) (legal obligation), and 11(1)(f) (legitimate interest).

5. How We Use Your Information

We use your personal information to:

  • Provide, operate, and maintain the Service.
  • Authenticate your identity and manage your account.
  • Process payments and manage subscriptions.
  • Sync and normalise financial data from connected integrations.
  • Generate due diligence reports, financial summaries, and data room exports.
  • Send transactional emails (account verification, password resets, team invitations).
  • Respond to support requests and provide customer service.
  • Monitor and analyse usage patterns to improve the Service.
  • Detect, prevent, and address technical issues, fraud, and security threats.

6. Anonymised and Aggregated Data

We may create anonymised, aggregated datasets derived from Connected Data ("Anonymised Data"). This data is irreversibly stripped of all personally identifiable information and cannot be linked back to any individual or Organisation.

We use Anonymised Data for:

  • Industry benchmarking and market research.
  • Improving the accuracy of our financial normalisation engine.
  • Developing new features and services.
  • Publishing aggregated statistical reports (no individual data is identifiable).

Anonymised Data is not considered personal information under POPIA or personal data under GDPR, as it cannot be used to identify a natural person. Our right to use Anonymised Data survives termination of your account.

7. Data Sharing and Disclosure

We do not sell your personal information. We may share your data with:

  • Service providers: trusted third parties who assist in operating the Service (hosting, payment processing, email delivery), bound by data processing agreements.
  • Within your Organisation: other members of your Organisation on the platform can access shared project data.
  • Investor sharing: when you create a shared link for a due diligence project, the recipient can view the data you have chosen to share. You control what is shared and can revoke access at any time.
  • Legal requirements: if required by law, regulation, or legal process (e.g. court order, subpoena).
  • Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.

8. Cross-Border Data Transfers

Your data may be processed and stored in jurisdictions outside of South Africa, including the European Union and the United States, where our service providers (e.g. Supabase, Vercel, Resend) operate.

Where data is transferred outside South Africa, we ensure adequate safeguards are in place as required by POPIA section 72, including:

  • Transfers to jurisdictions with adequate data protection laws.
  • Binding contractual obligations with data processors.
  • Your consent to the transfer where applicable.

For GDPR purposes, transfers outside the EEA are conducted under Standard Contractual Clauses or to countries with an adequacy decision by the European Commission.

9. Cookies

We use essential cookies to operate the Service:

  • Authentication cookies: maintain your login session.
  • CSRF cookies: protect against cross-site request forgery attacks.
  • OAuth state cookies: temporary cookies used during third-party integration connections.

We do not use advertising or tracking cookies. We do not use third-party analytics that track individuals across websites.

10. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention periods:

  • Account data: retained until you delete your account, then deleted within 90 days.
  • Connected Data: retained while the integration is active. Deleted within 90 days of disconnection or account closure.
  • Payment records: retained for 5 years as required by South African tax legislation.
  • Audit logs: retained for 2 years for security and compliance purposes.
  • Anonymised Data: retained indefinitely (not personal information).

11. Your Rights

Under POPIA and GDPR, you have the following rights regarding your personal information:

  • Right of access: request a copy of the personal information we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your personal information, subject to legal retention requirements.
  • Right to restrict processing: request that we limit how we use your data in certain circumstances.
  • Right to data portability: receive your data in a structured, machine-readable format (CSV/PDF exports are available within the Service).
  • Right to object: object to processing based on legitimate interest.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@growthnexus.ai. We will respond within 30 days (POPIA) or one month (GDPR).

12. Data Security

We implement appropriate technical and organisational measures to protect your personal information, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest.
  • Row-level security on all database tables.
  • CSRF token validation on all mutation endpoints.
  • Rate limiting on authentication and API endpoints.
  • OAuth 2.0 with PKCE for third-party integrations.
  • Password hashing using industry-standard algorithms.
  • Regular security reviews and dependency updates.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

13. Children’s Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

14. Complaints

If you believe your personal information has been processed in violation of POPIA, you may lodge a complaint with the Information Regulator (South Africa):

Information Regulator
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: complaints.IR@justice.gov.za

For GDPR complaints, you may contact the relevant supervisory authority in your jurisdiction.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The "Last updated" date at the top of this page reflects the most recent revision.

16. Contact

For privacy-related enquiries, contact:

GrowthNexus (Pty) Ltd
Cape Town, South Africa
Email: privacy@growthnexus.ai