Who we are
Nonari is an online service operated by Nonari IT Solutions, based in Pakistan and available to customers worldwide. Throughout this document, "Nonari", "we", "us", and "our" refer to Nonari IT Solutions. "You" refers to the individual using the product, or the organization on whose behalf you use it.
This policy covers nonari.io, the workspace at app.nonari.io (or the equivalent production hostname), all sub-paths, and the integrations we ship — including the Shopify app listed on the Shopify App Store.
What we collect
We collect three categories of data, and only what fits one of them:
- Account data. When you sign up we collect your email and name through Clerk. If you create an organization we collect the organization name and any branch/site labels you set up. We don't ask for, store, or have access to your Clerk password.
- Bookkeeping data you enter. Invoices, bills, contacts, products, inventory levels, journal entries, attachments, and the audit trail of every change. This is your data — you typed it (or imported it). We hold it on your behalf so the product works.
- Integration data. If you connect Shopify, QuickBooks, or any other integration, we receive whatever the integration sends us — Shopify orders, product variants, customer records associated with those orders, inventory levels, and webhook events. We never request scopes the product doesn't use.
- AI usage logs. When you use AI bookkeeping features we log the prompt, the model's response, and the action you took, so we can audit and improve the feature. The prompts may include excerpts of your data; we hold those logs to the same retention schedule as the rest of your account data.
We do not collect tracking cookies, advertising identifiers, or any third-party analytics that profile individual users. The only cookies we set are the ones our authentication provider (Clerk) needs to keep you signed in.
Why we collect it
We collect data so the product works. Specifically: to authenticate you, to display the books you've entered, to run the integrations you've enabled, to send transactional email (e.g. password reset, invoice delivered), and to charge for subscriptions you've agreed to.
Where the law requires a basis: in the EU/UK we rely on (a) the contract between you and Nonari, (b) our legitimate interest in operating the service securely, and (c) your consent for any optional processing (e.g. opting in to marketing email, which we don't do today).
Sub-processors
We rely on a small set of vendors to operate Nonari. Each one has access strictly scoped to what they do:
| Vendor | Purpose | Region |
|---|---|---|
| Clerk | Authentication and session management | United States |
| Resend | Transactional email delivery | United States |
| Stripe | Subscription and payment processing | United States |
| OpenAI | AI-assisted bookkeeping features | United States |
| Railway | Hosting and managed Postgres | United States / EU |
| Shopify | When the merchant chooses to connect their Shopify store | United States / Canada |
We update this list as the product changes. If we add a sub-processor that materially affects how your data is handled, we'll email you 30 days before the change.
Data retention
Bookkeeping records (invoices, bills, journal entries, ledger postings) are retained for the duration of your subscription and, where local tax law requires it, for a period after account deletion — typically six years in Pakistan. This is non-negotiable: we are obliged to keep your books available for tax inspection even after you stop using the product.
Customer contact records are retained until you delete the contact in the product, or 90 days after your subscription ends — whichever comes first. Audit-log entries are retained for the lifetime of the workspace, since the audit log is itself a control your accountant relies on.
If you cancel and want everything gone before the 90-day window, email info@nonari.io and we'll process the request within 30 days, retaining only what tax law obliges us to keep.
Your rights (GDPR + similar)
If you're in a jurisdiction with data-protection rights — the EU, UK, California, and a growing list — you can exercise these rights at any time:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct anything that's wrong.
- Erasure — ask us to delete your account and personal data, subject to the tax-retention carve-out above.
- Restriction — pause processing while a dispute is resolved.
- Portability — export your data as CSV and JSON. The product has an export button; you don't need to ask us.
- Objection — object to processing we've based on legitimate interest.
To exercise any of these, email info@nonari.io. We aim to respond within 30 days, free of charge. You also have the right to complain to your national data protection authority.
Shopify customers: if you bought from a store that uses Nonari and want to exercise your rights against the store's records held in Nonari, ask the store first. They are the data controller; we are the processor. The store will forward verified requests to us through Shopify's privacy webhooks, which we action on a 30-day SLA.
Cookies
Nonari sets only the cookies needed to keep you signed in (Clerk session tokens) and to remember which branch you're drilled into. We do not set marketing, advertising, or third-party tracking cookies. We do not use Google Analytics or any equivalent third-party analytics that profiles individual users.
Where your data lives
Production data is hosted on Railway, in a United States or EU region depending on the workspace. Backups are encrypted at rest and retained for 30 days. Sensitive credentials (integration access tokens, webhook signing secrets) are encrypted at rest with AES-256-GCM before they touch the database.
Data may transit through additional regions when handed to a sub-processor — for example, Stripe billing data flows through Stripe's US infrastructure regardless of where you are. Where transfers cross jurisdictions, we rely on the relevant Standard Contractual Clauses or equivalent legal instruments.
Security
We use industry-standard practices: encrypted connections (TLS 1.2+) for everything in transit, AES-256-GCM for sensitive fields at rest, narrow-scoped database credentials, audit logging of every privileged action, and a tenant-isolation layer that scopes every query to your organization. We don't pretend to be SOC 2 — we aren't — but we don't cut corners either.
If you discover a security issue, email info@nonari.io and we'll respond within one working day. We don't run a paid bug bounty yet but we will acknowledge responsible disclosures.
Changes to this policy
We'll email you 30 days before any change that materially affects how your data is processed. Cosmetic changes (rewording, fixing a broken link) get applied without notice and reflected in the "Last updated" line at the top.
Contact
For privacy questions, including any of the rights listed above, email info@nonari.io. For general support, email info@nonari.io.
Nonari is operated by Nonari IT Solutions and available worldwide. You can also reach us on WhatsApp at +92 300 177 9950.
See also the Terms of Service for the contractual side of using Nonari.