Privacy Policy

Last updated: 30 March 2026

1. Who We Are

AIRTIGHT is an AI-native accounting platform operated by SGH WLL (CR: 166677-1, Kingdom of Bahrain), part of the INEVARA / SINGULARITY ecosystem. In this policy, "we", "us", and "our" refer to SGH WLL.

2. Information We Collect

We collect information you provide directly when creating an account or using AIRTIGHT:

• Account information: name, email address, organisation name
• Financial data: transactions, invoices, bank feed data, and ledger entries you create or import
• Authentication data: passkey credentials (public keys only), session tokens
• Usage data: features used, pages visited, error logs

3. How We Use Your Information

We use your information solely to provide, maintain, and improve the AIRTIGHT platform:

• To operate the accounting platform and process your financial data
• To authenticate your identity and secure your account
• To provide AI-powered categorisation, reconciliation, and compliance features
• To send transactional emails (invoices, receipts, security alerts)
• To comply with legal and regulatory obligations

4. Data Security

Your financial data is protected by a four-layer envelope encryption architecture (CMK, KEK, DEK, field key). Every organisation's data is encrypted with a unique key. All sensitive fields (TFN, bank details, PII) use field-level encryption. Cryptographic shredding is applied on account deletion.

5. Multi-Tenancy and Data Isolation

AIRTIGHT enforces strict multi-tenant data isolation through PostgreSQL Row-Level Security (RLS) on every table. Your organisation's data is never accessible to other tenants.

6. Data Retention

We retain your data for as long as your account is active. When you delete your account, we perform cryptographic shredding — your data encryption keys are destroyed, rendering all encrypted data permanently unrecoverable. Certain records may be retained as required by law (e.g., financial record-keeping obligations).

7. Third Parties

We do not sell your data. We share data only with:

• Infrastructure providers (AWS) for hosting and data storage
• Payment processor (Paddle) for billing — Paddle is the Merchant of Record
• Email provider (Resend) for transactional emails
• Law enforcement or regulators when legally compelled

8. Your Rights

You may request access to, correction of, or deletion of your personal data at any time by contacting us at [email protected].

9. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via the email associated with your account.

10. Contact

For privacy enquiries: [email protected]