Privacy Policy

1Scope & Controller

This Privacy Policy applies to the NomosPay application ("App", "Service") published on the monday.com App Marketplace, operated by mydeveloper.ma ("we", "us", "our").

The App is an embedded monday.com application. It runs exclusively within the monday.com platform and interacts with monday.com's APIs on behalf of the authenticated workspace user. mydeveloper.ma acts as the data processor; the law firm or legal professional operating the monday.com workspace acts as the data controller.

Controller contact: The monday.com workspace administrator of the installing organization.
Processor contact: mydeveloper.ma — support@mydeveloper.ma

2What We Store (and Where)

NomosPay stores all operational data exclusively via the monday.com Storage API — a key-value store scoped to the installing workspace. No external database, cloud storage bucket, or third-party service is used.

All storage operations use monday.com's encrypted Storage API. monday.com provides AES-256 encryption at rest and TLS 1.3 in transit for all Storage API data as part of their platform security guarantees.

3What We Do NOT Store

To be explicit about what NomosPay does not do:

• We do not maintain any external database, file system, or data warehouse containing your billing data.
• We do not collect, transmit, or store any personally identifiable information (PII) about your clients on our infrastructure.
• We do not store payment card numbers, bank account numbers, or any financial credentials.
• We do not transmit billing data to any third-party analytics, advertising, or data-brokering service.
• We do not retain any copies of LEDES export files or PDF invoices after they are downloaded to your device.
• We do not send any data to our servers during normal App operation. All API calls go directly between your monday.com workspace and monday.com's servers.

4Legal Basis

To the extent that personal data of workspace users (e.g., timekeeper names, attorney identities) is processed through the App, the legal basis for processing is:

• GDPR Article 6(1)(b) — processing is necessary for the performance of a contract to which the data subject is party (the subscription agreement between the law firm and NomosPay / mydeveloper.ma).
• Moroccan Law 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data — as the operator is based in the Kingdom of Morocco, we comply with Law 09-08 and the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP) requirements.

For users in the European Economic Area, the United Kingdom, or Switzerland, where GDPR or equivalent law applies, the law firm acting as data controller is responsible for identifying a valid legal basis for processing client personal data entered into the App.

5Encryption & Integrity

Encryption at rest

All data stored via monday.com's Storage API is encrypted at rest using AES-256 as part of monday.com's platform security. NomosPay does not apply additional application-layer encryption beyond what monday.com provides for standard storage fields.

Encryption in transit

All communication between the NomosPay App and the monday.com API is transmitted over TLS 1.3. Legacy TLS versions (1.0, 1.1, 1.2) are not accepted.

Trust ledger hash chain

The trust / IOLTA ledger uses a SHA-256 hash chain: each ledger entry includes the SHA-256 hash of the preceding entry's canonical JSON representation. This creates a tamper-evident audit trail — any modification to a historical record breaks the chain and is detectable during reconciliation. The chain verification status is displayed in the Trust Ledger UI and in reconciliation reports.

6Sub-processors & Data Sharing

NomosPay uses monday.com as its sole sub-processor. monday.com provides the platform infrastructure, Storage API, authentication, and notification services. monday.com's data processing is governed by their Data Processing Agreement (DPA), available at monday.com/l/privacy/data-processing-addendum/.

We do not share your data with any other third party, including but not limited to: analytics platforms, advertising networks, data brokers, cloud providers (AWS, Azure, GCP), or legal technology vendors.

We may disclose data if required by a court order or applicable law, after notifying the affected workspace administrator to the extent permitted by law.

7Retention & Deletion

NomosPay retains data for as long as the App is installed in your monday.com workspace and the subscription is active.

On uninstall

When NomosPay is uninstalled from your monday.com workspace, all data stored via the Storage API is immediately and automatically purged by the monday.com platform as part of the app uninstall lifecycle. mydeveloper.ma does not retain any copies after uninstall.

Manual erasure

You may request erasure of all NomosPay data at any time without uninstalling the App. Navigate to Firm Dashboard → Settings → Data & Privacy → Erase All Data. This action is immediate and irreversible. We recommend exporting all invoices and ledger reports before erasing.

Backup and disaster recovery

NomosPay does not maintain its own backups of your data. Backup and recovery of monday.com Storage API data is governed by monday.com's data retention and backup policies.

8Logging & Observability

NomosPay does not implement user-level activity logging on our infrastructure. We do not log which users open the App, which matters are accessed, or what entries are created.

We may collect aggregate, anonymized error counts (e.g., "N API errors in the last hour" without any identifying information) for the purpose of monitoring App health. These aggregate metrics contain no user-identifiable data and are not linked to individual workspaces.

monday.com maintains its own platform-level audit logs for API access, which are governed by monday.com's privacy policy and available to workspace administrators via monday.com's admin panel.

9Your Rights

If you are located in the European Economic Area, United Kingdom, or another jurisdiction with data subject rights legislation, you have the following rights with respect to personal data processed through NomosPay:

• Right of access — request a copy of personal data we hold about you.
• Right to rectification — correct inaccurate personal data. Within the App, you may edit any time entry, timekeeper record, or setting directly.
• Right to erasure — request deletion of your personal data. Use the in-App erase function or contact us at support@mydeveloper.ma.
• Right to data portability — export your billing data via the LEDES Export or PDF export functions at any time. No API access or special request is required.
• Right to object — object to processing on grounds relating to your particular situation. Contact us to discuss.
• Right to lodge a complaint — you may lodge a complaint with your national data protection supervisory authority.

To exercise any right, contact support@mydeveloper.ma. We will respond within 30 days.

10Cookies & Tracking

NomosPay does not use cookies, browser local storage, session storage, or any tracking technologies.

NomosPay does not use web analytics tools (e.g., Google Analytics, Mixpanel, Segment, Amplitude, or similar).

NomosPay does not use advertising trackers, pixels, or retargeting scripts.

The documentation pages you are currently reading (index.html, how-to-use.html, privacy-policy.html, terms-of-service.html) are static HTML pages with no tracking scripts. They use Google Fonts for typography, which involves a DNS request to Google's servers for font loading. If you wish to avoid this, you may self-host the fonts — contact us for the font files.

11Contact

For privacy-related inquiries, data subject rights requests, or questions about this policy:

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of NomosPay after the effective date constitutes acceptance of the revised policy. We will notify workspace administrators of material changes via a monday.com in-app notification.