Privacy Policy

1. Introduction

POSly (Pty) Ltd ("POSly", "we", "us", or "our") is committed to protecting the privacy and personal information of our clients, their customers, and visitors to our website. This Privacy Policy explains how we collect, use, store, share, and protect personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and other applicable data protection legislation.

This policy applies to all personal information processed through our cloud-based point-of-sale platform, our website (posly.co), and any related services.

2. Responsible Party and Information Officer

For the purposes of POPIA, POSly (Pty) Ltd is the Responsible Party for personal information collected directly through our website and registration process.

When our clients use POSly to process their customers' personal information, the client is the Responsible Party and POSly acts as an Operator processing data on the client's behalf.

3. Personal Information We Collect

We collect the following categories of personal information:

3.1 Information You Provide Directly

• Business registration details (business name, trading name, CIPC registration number, VAT number)
• Contact information (name, email address, phone numbers, physical address)
• Position and role within your organisation
• Billing and payment information
• Communications you send to us (support requests, feedback)

3.2 Information Collected Through Service Use

• Transaction and sales data processed through the platform
• Inventory and product information
• Customer records you create within the platform
• Usage data and activity logs (features used, login times, device information)
• Integration data from connected Third-Party Services

3.3 Information Collected Automatically

• IP address and approximate location
• Browser type and version
• Device type and operating system
• Pages visited, time spent, and referral sources
• Cookies and similar tracking technologies (see Section 10)

4. Purpose of Processing

We process personal information for the following purposes:

• Service Delivery: To provide, maintain, and improve the POSly platform and its features.
• Account Management: To create and manage your account, verify your identity, and process registration.
• Billing: To process payments, generate invoices, and manage your subscription.
• Communication: To send service-related notifications, respond to support requests, and provide product updates.
• Security: To detect, prevent, and respond to fraud, abuse, and security incidents.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes, including SARS tax requirements.
• Analytics: To understand how our Service is used and to improve user experience. Aggregated, anonymised data may be used for this purpose.
• Marketing: With your consent, to send promotional communications about our products and services. You may opt out at any time.

5. Legal Basis for Processing

Under POPIA, we process personal information on the following grounds:

• Consent: Where you have given explicit consent (e.g., marketing communications).
• Contract: Where processing is necessary to fulfil our contractual obligations to you.
• Legal Obligation: Where processing is required to comply with a legal obligation (e.g., tax records, FICA).
• Legitimate Interest: Where processing is necessary for our legitimate business interests, provided these do not override your rights and interests.

6. Sharing of Personal Information

We may share personal information with the following categories of recipients:

• Service Providers: Trusted third parties who assist us in operating the Service (hosting providers, payment processors, email services). These parties are contractually bound to protect your information.
• Third-Party Integrations: When you connect Third-Party Services (e.g., WooCommerce, Takealot), data is shared as necessary for the integration to function.
• Legal Requirements: When required by law, regulation, court order, or governmental request.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, where personal information may be transferred as a business asset.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

7. Cross-Border Transfers

7.1. Our Service may utilise cloud infrastructure located outside of South Africa. Where personal information is transferred to a country outside of South Africa, we ensure that adequate safeguards are in place as required by Section 72 of POPIA, including ensuring the recipient country has adequate data protection laws or that appropriate contractual protections are in place.

7.2. By using the Service, you consent to the transfer of your personal information to jurisdictions outside of South Africa where necessary for the provision of the Service.

8. Data Retention

8.1. We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.

Specific retention periods:

• Account data: For the duration of your account plus 30 days after termination for data export purposes.
• Transaction records: As required by SARS for tax compliance (minimum 5 years from the end of the relevant tax year).
• Communication records: For 2 years from the date of the last communication.
• Usage logs: For 12 months for security and analytics purposes.
• Marketing consent records: For the duration of consent plus 1 year after withdrawal.

9. Data Security

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Access controls and authentication mechanisms
• Regular security assessments and monitoring
• Employee access limited to a need-to-know basis
• Secure cloud infrastructure with industry-standard certifications
• Incident response procedures for data breaches

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Regulator as required by POPIA.

10. Cookies and Tracking Technologies

10.1. Our website uses cookies and similar technologies to improve your browsing experience, analyse website traffic, and understand usage patterns.

Types of cookies we use:

• Essential Cookies: Required for the website and Service to function correctly. These cannot be disabled.
• Analytics Cookies: Help us understand how visitors interact with our website. Data is aggregated and anonymised.
• Functional Cookies: Remember your preferences and settings to enhance your experience.

10.2. You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service.

11. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights:

• Right of Access: Request confirmation of whether we hold your personal information and request access to it.
• Right to Correction: Request correction or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, or misleading personal information.
• Right to Deletion: Request destruction or deletion of personal information that is no longer necessary for the purpose for which it was collected.
• Right to Object: Object to the processing of your personal information on reasonable grounds, or object to processing for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
• Right to Data Portability: Request your personal information in a structured, commonly used, machine-readable format.
• Right to Lodge a Complaint: Lodge a complaint with the Information Regulator if you believe your rights have been infringed.

To exercise any of these rights, contact our Information Officer at privacy@posly.co. We will respond to your request within a reasonable time, and no later than 30 days.

12. Children's Privacy

The Service is designed for use by businesses and is not intended for children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete it promptly.

13. Client's Responsibilities

As a user of the POSly platform, you are responsible for:

• Obtaining proper consent from your customers before collecting and processing their personal information through the Service.
• Complying with POPIA and any other applicable data protection laws in your processing of personal information.
• Maintaining your own privacy policy that accurately describes your data processing practices.
• Ensuring the accuracy and relevance of personal information you process through the Service.
• Notifying affected individuals and relevant authorities in the event of a data breach involving your Client Data, in accordance with POPIA.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated via email or prominent notice within the Service at least 30 (thirty) days before they take effect.

The "Effective Date" at the top of this page indicates when this policy was last updated. We encourage you to review this policy periodically.

15. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us: