Legal

Privacy Policy

Effective May 10, 2026

The short version: we collect what we need to run the Service, we don't sell your data, we don't use Customer Data to train shared models, and you can email privacy@nexus.example any time.

01 Overview

This Privacy Policy explains how Arooj Technology (“we”) collects, uses, and protects personal information when you use the Nexus AI Support Engine (the “Service”). We act as a data processor for end-user data submitted through our customers' widgets, and as a data controller for the data we collect from our customers themselves (account, billing, support).

We design for compliance with the EU General Data Protection Regulation (GDPR) and Qatar's Personal Data Privacy Protection Law (PDPL), and apply the same standards globally.

02 Information we collect

Account data. Email, name, organization, password hash, role, and authentication tokens.

Billing data. Plan, billing address, and payment-method metadata. Card numbers are processed and stored by our payment provider, SkipCash; we receive a tokenized reference and the last four digits only.

Customer Data. Documents and content you upload to the knowledge base, conversation transcripts, and metadata generated by your end-users.

Operational data. Logs, IP addresses, user-agent strings, request timing, error reports, and usage telemetry — collected to operate, secure, and improve the Service.

03 How we use information

We process information to:

  • Provide and operate the Service;
  • Authenticate users and prevent abuse;
  • Send transactional emails (verification, escalation alerts, billing receipts) and operational notices;
  • Calculate usage, enforce plan caps, and bill you accurately;
  • Diagnose problems, improve performance, and develop new features; and
  • Comply with applicable law and respond to legal requests.

05 Sharing and sub-processors

We share personal information with sub-processors that help operate the Service. Each is bound by contractual data-protection commitments at least as strong as those in this policy. Current sub-processors include AWS (hosting, Bedrock AI inference, S3 Vectors), Supabase (managed Postgres + auth), Resend (transactional email), and SkipCash (payments).

We do not sell personal information, and we do not share Customer Data for the training of shared third-party models.

06 International transfers

Your data may be processed in countries other than the one where you are located. When we transfer personal data out of the European Economic Area or Qatar, we rely on the European Commission's standard contractual clauses, adequacy decisions, or equivalent safeguards under PDPL.

07 Data retention

We keep account and billing data for the life of the account and for a reasonable period after termination to comply with tax, accounting, and audit requirements. Customer Data is retained until you delete it (or up to thirty (30) days after termination, after which it is deleted on a normal cadence). Backups are pruned within ninety (90) days.

08 Your rights

You have rights to access, rectify, delete, or restrict processing of your personal data, to object to processing based on legitimate interests, and (under GDPR) to data portability. Where we rely on consent you can withdraw it at any time.

For Customer Data submitted by your end-users, we act as a processor — direct your end-users to the customer that operates the widget. For your own personal data, contact privacy@nexus.example.

You also have the right to lodge a complaint with your local supervisory authority — for Qatar, the National Cyber Security Agency.

09 Security

We use TLS for data in transit, encryption at rest, role-based access, row-level security in our database, and least-privilege provisioning for sub-processors. We monitor for incidents and will notify affected customers and authorities of qualifying breaches within seventy-two (72) hours.

10 Cookies and similar technologies

We use first-party cookies for authentication and CSRF protection. We do not use third-party advertising or analytics cookies that identify you across sites. Where local law requires consent for non-essential cookies, we honor that requirement at the relevant point of collection.

11 Children's data

The Service is not directed to children under sixteen (16) and we do not knowingly collect personal data from children. If we learn we have collected such data we will delete it.

12 Changes to this policy

We may update this policy from time to time. Material changes will be announced at least thirty (30) days in advance. The “Effective” date above will indicate when the latest version took effect.

13 Contact

Reach our privacy team at privacy@nexus.example, or write to Arooj Technology, Doha, State of Qatar. For general questions, see /contact.