Privacy Policy
Last updated: 1 June 2026 · Sweet Phoenix (Pty) Ltd · Version 1.3
1. Who we are
Compliance Guard is a product of Sweet Phoenix (Pty) Ltd, a South African technology company. We comply with the Protection of Personal Information Act (POPIA, Act 4 of 2013). Our Information Officer can be reached at compliance@sweetphoenix.co.za.
2. What we collect
- Account details: full name, email address, mobile (WhatsApp) number.
- Business information: company name, registration number, VAT number, address — used to pre-fill permit forms.
- Permit data: documents and expiry dates you upload — stored to generate reminders.
- Usage data: server logs (IP address, timestamps) retained for 90 days for security and debugging.
- Audit trail: permit actions, team assignments, renewal status changes, and terms acceptance records — retained for legal compliance.
- AI/OCR results: when you upload a permit image, we process it with optical character recognition (OCR) to extract dates and permit types. The raw document is stored in your organisation's private storage; extracted text is discarded after processing.
- Workforce data (Workforce add-on): if you activate the Workforce Compliance module, you may upload employee details (name, SA ID number, contact details) and compliance documents (driver's licences, PDPs, certifications, induction records, and medical certificates of fitness). Medical/health information is "special personal information" under POPIA Section 26 — you must only upload it where you have the employee's consent or another lawful ground, which you confirm at upload time.
3. How we use it
- To send renewal reminders via WhatsApp and email at configurable intervals before expiry.
- To run AI-assisted OCR on uploaded documents to pre-fill expiry dates — always verify the result before saving.
- To process subscription payments through PayFast (PCI-DSS compliant). We do not store card numbers.
- To maintain an audit trail of permit changes and team activity within your organisation.
- If you request the "Renew for Me" service, to share your contact details with a vetted renewal consultant — only after your explicit written consent.
4. Notification delivery — important limitation
Compliance Guard sends reminders on a best-effort basis. Delivery of WhatsApp messages and emails is not guaranteed. Factors outside our control — including but not limited to: WhatsApp account status, mobile network availability, email spam filters, third-party service outages, server infrastructure failures, or your device settings — may prevent delivery. Sweet Phoenix accepts no liability for missed reminders, undelivered notifications, or any consequences arising from failure to receive an alert. You remain solely responsible for monitoring your own permit expiry dates.
5. AI / OCR accuracy
OCR-extracted data is generated automatically and may contain errors. Sweet Phoenix provides no warranty of accuracy for AI-extracted permit types, expiry dates, or any other extracted information. You must verify all extracted data against the original document before saving. Sweet Phoenix is not liable for any consequence arising from incorrect OCR results.
6. WhatsApp messaging
By providing your mobile number you consent to receive WhatsApp messages from our business account. You may opt out at any time by replying STOP or by disabling WhatsApp reminders in Settings. Standard data charges may apply. We do not send marketing messages — only transactional alerts related to your own permits.
7. Where your data lives & who processes it
Data is stored on Supabase (encrypted Postgres + object storage) with strict row-level security — only members of your organisation can access your files. We never sell, rent, or share your personal data with third parties for marketing purposes.
To deliver the service we use the following operators (sub-processors), each bound to process your data only on our instructions:
- Supabase — database, authentication, and encrypted file storage.
- Google (Gemini API) — optical character recognition on uploaded documents (see cross-border note below).
- PayFast (a Network Group company) — subscription & add-on payments. PCI-DSS compliant; we never see or store card numbers.
- Our email provider (SMTP) — delivery of transactional emails and reminders.
- Our WhatsApp messaging worker — delivery of WhatsApp reminders.
- Hosting (Vercel / Render) — application hosting and the background reminder worker.
8. Cross-border transfers (POPIA Section 72)
When you use AI document auto-scan (OCR), the uploaded image — which may contain personal information such as names and ID numbers — is sent to Google's Gemini API for text extraction. Google processes this outside South Africa under its own security and data-protection commitments. By uploading a document for auto-scan you consent to this transfer. OCR is optional — you can always enter details manually instead of scanning. Other personal data is stored in our Supabase project and is not transferred for marketing or profiling.
9. Retention and deletion
- Active account data is retained for as long as your account exists.
- You can delete your account yourself at any time in Settings → Security → Delete account, which immediately erases your personal data, permits, and (for solo organisations) all associated documents. Team-linked accounts are handled with our assistance — email us.
- On account deletion we erase all permit data and personal information within 30 days at the latest.
- Billing and payment records are retained for 5 years as required by SARS.
- Terms acceptance records are retained indefinitely for legal audit purposes.
- Server logs are retained for 90 days then automatically deleted.
10. Your POPIA rights
- Access: request a copy of your personal data.
- Correction: update incorrect information in Settings.
- Deletion: delete your account instantly in Settings → Security, or request full deletion by email — data erased within 30 days (subject to legal retention obligations).
- Portability: export all your data as JSON in Settings → Security, or your permit data as CSV.
- Withdraw consent: opt out of WhatsApp/email notifications without losing your account.
- Objection: object to any processing that is not required for the delivery of the service.
To exercise any of these rights, email compliance@sweetphoenix.co.za. We will respond within 30 days.
11. Cookies
We use strictly necessary cookies for authentication (Supabase session) and CSRF protection only. No marketing, analytics, or third-party tracking cookies are set.
12. Changes to this policy
We may update this policy. We will notify you via email at least 14 days before any material change. Continued use of the service after the effective date constitutes acceptance of the updated policy.
13. Contact
Sweet Phoenix (Pty) Ltd
📞 071 592 9220 (Mon–Fri 08:00–17:00 SAST)
✉️ compliance@sweetphoenix.co.za