Privacy policy
Last updated: 2026-04-29
NxtLevel is the practice-management platform of Virtual Accounting (Pty) Ltd. This policy explains what data the platform collects, how it is stored, and who has access to it.
1. Who we are
Virtual Accounting (Pty) Ltd, registered in the Republic of South Africa, is the controller of personal information processed through the NxtLevel platform. The director is Dirk van Velden, dirk@virtual-acc.com.
2. Data we collect
- Staff accounts: name, email, role, hashed password, last sign-in time and IP, optional 2FA secret (encrypted at rest), optional Xero subject ID for SSO.
- Client data: client group and entity records, financial-year metadata, services on proposals, monthly fees, and schedule data.
- Xero integration: when an organisation is connected via OAuth, NxtLevel stores encrypted access and refresh tokens, retrieves contacts and accounts (chart of accounts), and creates repeating invoices and bills on behalf of the organisation. We do not store your Xero login credentials.
- Audit log: sign-ins, password changes, role changes, Xero/XPM connections, and integration sync events with timestamps, user identifier, IP address and user agent.
3. How we store data
- Database: PostgreSQL hosted by Neon, region eu-west-2 (Ireland). Neon encrypts data at rest by default.
- File storage (PDFs of bills and proposals): Vercel Blob, encrypted at rest.
- Application servers: Vercel (TLS 1.2+ everywhere; HTTP-only cookies).
- OAuth tokens (Xero, XPM): encrypted before storage with AES-256-GCM, using separate per-integration keys.
- Passwords: hashed with bcrypt (12 rounds). Never stored in plain text.
- 2FA secrets: encrypted with AES-256-GCM under a key separate from OAuth tokens.
4. Who has access
Only authorised staff of Virtual Accounting (Pty) Ltd can sign in to NxtLevel. The director sees all data. Managers see their assigned client portfolio only, with cost and gross-profit data hidden. We do not share any data with third parties except:
- Xero (when an organisation is connected) — for the explicit purpose of creating and synchronising invoices and bills.
- Anthropic — to extract structured data from PDFs you upload (proposal PDFs, software bills) using Claude. Document content is sent over TLS and is not retained for training.
- Resend — for transactional email (invitations, password resets).
5. Retention
- Audit log: indefinite (kept for compliance and investigation).
- Login attempts (rate-limit table): 24 months.
- Client and proposal data: indefinite while you remain a client of Virtual Accounting; deleted on request after end of engagement.
- OAuth tokens: deleted immediately on disconnect; otherwise refreshed continuously while the integration is active.
6. Your rights (POPIA / GDPR)
You may request a copy of your personal information, request correction of inaccuracies, or request deletion of your data (subject to legal retention obligations). Contact dirk@virtual-acc.com.
7. Security incidents
Suspected security incidents must be reported immediately to dirk@virtual-acc.com. Where a breach affects personal information, we will notify the Information Regulator and affected data subjects within the timeframes required by POPIA.
8. Changes
We may update this policy from time to time. Material changes will be announced via email to platform users.
See also the terms of use.