Privacy Policy

Last updated: April 12, 2026

This Privacy Policy describes how NexySBio, a division of Panthera Vax, LLC ("we", "us", or "our"), collects, uses, and protects your information when you use the R&D Financial Control & Audit Command Center ("FCAC" or the "Service"). We are committed to protecting the privacy and security of your data.

1. Data Controller

The data controller for information processed through the Service is:
NexySBio (a division of Panthera Vax, LLC)
Contact: info@nexysbio.com

2. Information We Collect

Account Information

  • Name, email address, and password (hashed)
  • Workspace name and configuration preferences
  • Role assignments and permission settings

Financial Data

  • Bank and credit card transaction records (imported via CSV, PDF, or integrations)
  • Account balances, vendor information, and payment records
  • Project budgets, cost allocations, and funding source details
  • R&D tax credit documentation, QRE classifications, and IRS §41 records
  • Inventory records, lot tracking, and stock movements

Usage Data

  • IP address, browser type, and device information
  • Pages visited, features used, and interaction patterns
  • Error reports and performance metrics (via Sentry, when configured)

Consent Records

  • Records of your acceptance of Terms of Service and Privacy Policy
  • IP address and user agent at the time of consent

3. Purpose of Processing

We process your information for the following purposes:

  • Service operation: Providing financial management, audit, and reporting functionality
  • Billing: Processing subscription payments and managing your account plan
  • Compliance: Supporting IRS §41 R&D tax credit documentation and grant compliance
  • Security: Protecting against unauthorized access, fraud, and security threats
  • Communication: Sending transactional emails (verification, password reset, alerts)
  • Improvement: Analyzing usage patterns to improve the Service

4. Legal Bases for Processing

  • Contract performance: Processing necessary to provide the Service you subscribed to
  • Legitimate interest: Security monitoring, fraud prevention, and service improvement
  • Consent: Where you have provided explicit consent (e.g., accepting these terms)
  • Legal obligation: Compliance with applicable laws and regulations

5. Third-Party Processors

We use the following third-party services to operate the Service:

  Provider   Purpose                       Data Shared
  Stripe     Payment processing            Email, billing details
  Resend     Transactional email           Email address, name
  Railway    Hosting & database            All service data (encrypted at rest)
  Sentry     Error monitoring              Error context, IP address
  Plaid      Bank data import (optional)   Bank credentials (tokenized)

We require all third-party processors to maintain appropriate security measures and process data only for the purposes we specify.

6. Data Retention

  • Financial records: Retained for the duration of your account plus 7 years, consistent with IRS record-keeping requirements for R&D tax credits
  • Audit logs: Append-only, retained for the life of the workspace for compliance purposes
  • Account data: Retained until account deletion is requested
  • Personal data: Anonymized or deleted within 30 days of an approved deletion request
  • Consent records: Retained for the life of the account for compliance verification

7. Your Rights (GDPR Articles 15–22)

If you are located in the European Economic Area, you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): Request correction of inaccurate personal data
  • Right to erasure (Art. 17): Request deletion of your personal data, subject to the retention obligations described in Section 6 (for example, financial records we must keep for IRS purposes)
  • Right to restrict processing (Art. 18): Request limitation of how we process your data
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interest
  • Rights regarding automated decisions (Art. 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you

To exercise these rights, visit the Settings → Privacy page in your account, where you can export your data or submit a deletion request. You may also contact us directly at info@nexysbio.com.

8. Cookies & Tracking

The Service uses session cookies only (managed by NextAuth) to maintain your authenticated session. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

  • authjs.session-token — Authentication session (strictly necessary; HttpOnly, Secure)

Because we use only strictly necessary cookies, no cookie consent banner is required.

9. Security Measures

We implement the following security measures to protect your data:

  • Encryption in transit (TLS/HTTPS) and at rest (AES-256)
  • PostgreSQL Row-Level Security (RLS) for multi-tenant data isolation
  • Role-based access control (RBAC) with granular permissions
  • Immutable, append-only audit logging of all data modifications
  • Password hashing (bcrypt) with configurable password policy enforcement
  • CSRF protection, rate limiting, and security headers
  • Optional two-factor authentication (TOTP)

10. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) where required for transfers from the EEA.

11. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through an in-app notification at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact Us

For privacy-related questions, data requests, or concerns, please contact us at:
info@nexysbio.com