How we handle
your data.

1. Who we are

VanaNexus is a sole-proprietorship registered in Sri Lanka under the Business Names Ordinance (Cap. 149), Reg. No. TN/DS/UC/1192, with its registered place of business at Point Pedro Road, Madduvil South, Chavakachcheri, Sri Lanka.

In data-protection terms, VanaNexus is the data controller for personal data collected through this website and from end-users of our products. Where our products are licensed to a business customer (for example, a service company using Jobara, or a school using 3S), that customer is the data controller for their own employee/customer/student data, and VanaNexus acts as a data processor on their behalf, under a written agreement.

2. The short version

• We collect personal data only to operate the website and our products.
• We don't sell personal data to anyone. We don't share it with advertisers.
• We use a small number of named subprocessors (hosting, storage, email) — listed below.
• We store data in geographic regions we disclose, and we delete it when you ask.
• We apply extra care to children's data in 3S and Studio Lab.
• You can contact us at hello@vananexus.net for any privacy request.

3. What we collect, and why

3.1 On this website (vananexus.net)

When you visit this website, we collect:

• Basic request data your browser sends (IP address, user agent, page visited, referrer, timestamp) — used to operate the website, prevent abuse, and produce aggregate traffic counts.
• If you email us via the hello@vananexus.net link, we receive the email content, your email address, and any attachments you choose to send. We use this only to respond to you.

We do not use third-party advertising trackers, marketing cookies, or session replay on this site. Aggregate, IP-truncated traffic counts may be produced through our hosting provider's built-in analytics; no personal identifier is stored.

3.2 In Jobara (jobara.app)

Jobara is a multi-tenant Field Service Management platform sold to service businesses. When a business customer (the "tenant") uses Jobara, the following categories of personal data may be processed on their behalf:

• Tenant staff: name, email, phone, role, department, profile photo, login credentials (hashed), device tokens for push notifications, GPS location during check-in/out (only when an active job or attendance punch requires it), signatures, in-app activity logs.
• Tenant customers / job sites: name, address, phone, email, job records, job photos, signatures captured on-site, payment status.
• Operational records: attendance, overtime requests, claims, receipts, commissions, leave entitlements, audit logs.

This data is processed on the tenant's instructions. We do not use it to train AI models, build profiles, or for any purpose outside operating the platform for that tenant.

3.3 In 3S (school platform — in pilot)

3S is a digital platform licensed to schools. When a school customer uses 3S, the following may be processed on their behalf:

• Students: name, class/grade, attendance records, e-canteen transactions, dismissal records, school-issued ID. Photos only where the school explicitly enables that module.
• Parents/guardians: name, phone, email, relationship to student, app login credentials, in-app communication with teachers, notification preferences.
• School staff: name, role, communications with parents, login credentials.

Children's data is treated with extra care. See Section 8 below.

3.4 In Studio Lab (planned)

Studio Lab is currently in research. When it launches, it will be an early-years (pre-kindergarten to Year 5) gamified learning app, in Tamil. The data we will process is expected to include: child profile (first name, age band, learning level), parent contact, in-app progress and rewards, and device identifiers. A separate, simplified privacy notice for parents will be published before launch. This policy will be updated at the same time.

4. Legal bases (PDPA Sri Lanka 2022 / PDPA Malaysia 2010 / general)

We rely on the following legal bases for processing:

• Contract: to deliver a product or service you (or your employer/school) have signed up for.
• Legitimate interest: to operate the website, secure our systems, prevent abuse, and respond to emails you send us.
• Consent: where required (for example, sensitive categories, marketing, or children's data — collected at the point of sign-up).
• Legal obligation: to comply with tax, accounting, and law-enforcement requests that meet the applicable legal standard.

Sri Lanka's Personal Data Protection Act, No. 9 of 2022, applies to VanaNexus as a Sri Lanka-registered controller. Where our customers operate in other jurisdictions (e.g., Malaysia, where Jobara's primary market sits), we contractually commit to applying equivalent safeguards to data we process on their behalf, including those required under Malaysia's PDPA 2010 and subsequent amendments.

5. Subprocessors

We use the following infrastructure providers to operate our products. Each has been chosen for security posture and offers a Data Processing Agreement (DPA):

• Neon (PostgreSQL hosting) — application databases. Data region disclosed to each customer.
• Cloudflare (CDN, DNS, Pages, R2 object storage, Workers) — website hosting, static assets, file storage (job photos, signatures, receipts, documents), email routing for hello@vananexus.net. Global edge network; primary storage region disclosed.
• Railway (application hosting) — API compute for Jobara and 3S.
• Google Fonts (font delivery) — fonts are requested from fonts.googleapis.com when you load our website. Google may receive your IP and user agent.
• Resend (transactional email) — used to deliver password resets, notifications, and invoices. Planned; will be confirmed in a later update of this policy.
• 2Checkout / Verifone (subscription billing) — for tenants paying for Jobara plans. As Merchant of Record, the provider processes payment card data; we do not see or store card numbers. Planned; will be confirmed in a later update of this policy.
• Google Cloud / Vertex AI (AI features) — for AI-augmented workflow features on Jobara's roadmap. Data sent for AI processing will be pre-filtered and tenant-scoped. Planned; will be confirmed in a later update of this policy.

We do not transfer personal data to any subprocessor not listed above.

6. How long we keep data

• Website logs: up to 30 days, then aggregated or deleted.
• Emails you send us: retained while the conversation is active and for up to 24 months after, then deleted.
• Tenant data in our products: retained for the duration of the customer's subscription, plus 90 days after termination for export/recovery, after which it is deleted. Backups are rotated and overwritten on a defined schedule.
• Audit logs: retained for the period required by the controller's policy and applicable law, typically 12–24 months.
• Tax/accounting records: retained for the statutory period (typically 7 years).

7. Your rights

Subject to applicable law, you have the right to:

• Ask what personal data we hold about you.
• Ask us to correct inaccurate data.
• Ask us to delete your data ("right to erasure"), subject to legal retention obligations.
• Ask for a portable copy of your data.
• Withdraw consent at any time, where consent is our legal basis.
• Object to processing based on legitimate interest.
• Lodge a complaint with your local data-protection authority (in Sri Lanka, the Data Protection Authority of Sri Lanka; in Malaysia, the Department of Personal Data Protection (JPDP)).

To exercise any of these rights, email hello@vananexus.net. Where you are an end-user of one of our products under a business customer, please raise the request with that customer first — they are the controller; we will assist them in responding.

8. Children's data (3S and Studio Lab)

Both 3S and Studio Lab will process data about minors. We apply the following safeguards:

• We collect the minimum data required for the educational or operational purpose — no behavioural profiling, no advertising, no third-party analytics on screens used by children.
• Accounts for children are created and managed by the parent/guardian (Studio Lab) or by the school under its legal authority (3S).
• Children's data is segregated from adult data at the application layer.
• Photos of children, where collected, are stored in private storage with access only granted to authorised school staff and the child's parent/guardian.
• We will not use children's data to train any AI model.

9. Security

We take security seriously. Concretely:

• All website and application traffic is encrypted in transit via HTTPS / TLS.
• Application databases are encrypted at rest by the provider (Neon). Object storage (Cloudflare R2) is private; files are served via short-lived signed URLs.
• Passwords are stored as one-way BCrypt hashes; we never see or store passwords in plaintext.
• Multi-tenancy is enforced at the application layer with tenant-scoped queries and EF Core global query filters; we are evaluating database-level Row Level Security (RLS) when the platform moves to a provider that supports it without pooling limitations.
• The web frontend is protected by a Content Security Policy (CSP), HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and Permissions-Policy headers.
• Mobile applications are signed and validated; production builds use Play Integrity / equivalent.
• We log access to sensitive operations (audit log).
• No system is perfectly secure. If a personal-data breach occurs, we will notify affected controllers within 72 hours and assist them with regulator notifications as required by applicable law.

10. Cookies

This website does not set marketing or tracking cookies. We may set a small number of strictly necessary cookies (for example, to remember a theme preference or to mitigate abuse). Our products use authentication cookies / tokens that are essential to provide the service — these are not used for tracking.

11. International transfers

Our subprocessors may operate servers outside Sri Lanka (typically in Singapore, the European Union, or the United States). Where personal data is transferred internationally, we rely on the subprocessor's standard contractual clauses or equivalent safeguards, and we disclose primary storage region on request.

12. Changes to this policy

We will update this policy when our products, subprocessors, or legal obligations change. The "Last updated" date at the top of this page reflects the latest revision. Material changes will be announced via email (for product customers) or via a banner on this site.

13. Contact

For any question, request, or complaint about this policy:
hello@vananexus.net

VanaNexus
Point Pedro Road, Madduvil South, Chavakachcheri, Sri Lanka
Reg. No. TN/DS/UC/1192