KhulaBooks

Privacy Notice

Effective from 2026-04-27. Last reviewed 2026-04-27.

This notice explains how KhulaBooks collects, uses, retains, and protects your personal information under the Protection of Personal Information Act, 2013 (POPIA). It is the disclosure required by POPIA s18(1) and is written to be read top to bottom by a non-lawyer.

1. Who we are

KhulaBooks (operated by {{RESPONSIBLE_PARTY_LEGAL_NAME — confirm at deploy}}) is the “responsible party” under POPIA. We provide multi-entity accounting software for South African businesses.

Registered address: {{RESPONSIBLE_PARTY_ADDRESS — confirm at deploy}}.
Company registration number: {{COMPANY_REGISTRATION_NUMBER — confirm at deploy or remove if pre-incorporation}}.

Our designated Information Officer is {{IO_FULL_NAME — confirm at deploy}} (Founder & Chief Executive Officer). Their full statutory mandate and contact channels are described in section 11.

Transparency note. Our Information Officer's registration with the Information Regulator (POPIA s55(2) and Regulation 4(2)(a)) is in progress. You retain every right described in this notice in the meantime, and you can contact the Information Regulator directly at any time (see section 12).

2. What we collect & why

We collect three categories of personal information:

a. Account information

Your name, email address, password (stored as a one-way hash — we never see or store the plaintext), and profile preferences. Collected directly from you on registration. Required to create and operate your account.

b. Organisation & entity data

Information about the businesses you manage in KhulaBooks — legal entity details, registered addresses, telephone numbers, tax numbers, country of operation, and the contacts you record (customers and suppliers). Provided by you; stored against your organisation.

c. Operational records

Audit log entries (which user did what, and when), authentication metadata (verification codes, password-reset tokens, session cookies), and request logs emitted by our hosts. Generated automatically when you use the product. Required for security, accountability, and tax compliance.

We do not collect special personal information (POPIA s26) or the personal information of children (POPIA s34) intentionally. If you upload such information into a free-text field, please contact our Information Officer so we can advise on the appropriate handling.

3. Lawful basis

We process your personal information on the following POPIA s11 grounds:

  • Performance of a contract (s11(1)(b)) — everything required to provide the KhulaBooks service to you and your organisation.
  • Compliance with a law (s11(1)(c)) — retention of accounting records required by the Tax Administration Act s29, the VAT Act s55, and the Companies Act s24.
  • Legitimate interest (s11(1)(f)) — security monitoring, abuse prevention, audit-trail integrity, and safeguarding the rights of other users on the platform.
  • Consent (s11(1)(a)) — only where we ask you for it explicitly (e.g. optional product communications). You can withdraw consent at any time without affecting prior processing.

4. How we use it

We use personal information to:

  • Authenticate you and operate your account.
  • Power the accounting features of the product — journals, invoices, payments, bank reconciliation, reporting.
  • Send you transactional email (verification codes, password resets, invitations, billing notices). We do not send marketing email without your separate consent.
  • Detect, investigate, and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations — chiefly the retention of financial records required by tax law.
  • Improve the product, in aggregated and de-identified form.

We do not sell your personal information. We do not share it with advertisers. We do not use it to train third-party machine-learning models.

5. Who we share with (sub-operators)

We rely on a small number of vetted sub-operators to deliver parts of the service. They process personal information strictly on our written instruction and only for the purpose listed below.

  • Resend — Purpose: transactional email (verification codes, password resets, invitations). Data held: recipient email address and delivery metadata. Retention: per the Resend Data Processing Agreement (typically 30–90 days).
  • Cloudflare R2 — Purpose: document storage (invoice PDFs, statement PDFs, entity logos). Data held: file contents and object keys only; no separate metadata. Retention: per our R2 lifecycle rules (KhulaBooks controls the deletion).
  • Postgres host — Purpose: primary application database. Data held: all KhulaBooks data, encrypted at rest. Retention: backups per host configuration; 30-day rolling default.
  • Application host (serverless functions + edge) — Purpose: hosting and request execution. Data held: request logs (including IP address) and JWT cookies in transit. Retention: per host configuration; 12-month default ceiling.

We may also disclose personal information where required by law, court order, or regulatory direction — for example, in response to a lawful SARS request. Where the law permits, we will tell you about the request before we comply.

6. International transfers

Our primary database and document storage are configured to keep South African customer data in regions that satisfy POPIA s72. Some sub-operators (notably Cloudflare R2 and our email provider) operate global edge networks; data may transit their infrastructure. In all cases we rely on contractual safeguards (Data Processing Agreements with binding POPIA-equivalent terms) to ensure your information is afforded adequate protection in line with POPIA s72.

If you would like the specific region in which a given class of data is stored at the time of your request, write to our Information Officer (section 11).

7. How long we keep it

We keep personal information only for as long as we need it for the purpose for which it was collected, except where a law requires us to keep it for longer (POPIA s14). In summary:

  • Active user accounts — for as long as your account is open. You can erase your account at any time from Settings → Delete my account (30-day grace period, then pseudonymized).
  • Financial records (invoices, journals, payments) — five years from the end of the tax period to which they relate (Tax Administration Act s29; VAT Act s55).
  • Audit logs — seven years for accountability under POPIA s17 and the Companies Act s24.
  • Customer / supplier contacts — auxiliary identifying details (additional people, addresses, phones, notes) are deleted on request immediately. The contact shell itself is pseudonymized once any associated financial document has aged out of its five-year window.
  • Authentication artefacts — verification codes (24 hours), password reset tokens (1 hour), invite tokens (7 days). Cleared on use.

The full retention schedule (every model, every horizon, every legal basis) is maintained internally by our Information Officer and is available on request.

8. How we protect it

We follow the POPIA s19 obligation to put in place reasonable technical and organisational measures. In practice this includes:

  • Encryption of data in transit (TLS) and at rest (database and object storage).
  • One-way hashing of passwords (bcrypt-class) — we cannot recover or read your password.
  • Role-based access controls inside the product (least privilege by default).
  • Append-only audit logs for security-sensitive actions (logins, authorisation changes, exports, erasures).
  • Sub-operators bound by written DPAs with POPIA-equivalent terms.
  • Annual review of these measures by the Information Officer.

No security control is perfect. If we ever suffer a breach affecting your personal information, we will notify you and the Information Regulator as soon as reasonably possible, in line with POPIA s22.

9. Cookies

KhulaBooks uses only strictly-necessary cookies (auth session, CSRF protection, theme preference). No analytics, no ads, no third-party tracking.

  • Authentication session (NextAuth JWT cookie) — Keeps you signed in between requests. Lifetime: expires when you sign out or when the session window closes.
  • CSRF protection token — Prevents cross-site request forgery on form submissions. Lifetime: per request; cleared at end of session.
  • Theme preference — Remembers light/dark mode so the UI does not flash on reload. Lifetime: 1 year, refreshed on each visit.

We do not deploy a cookie consent banner because every cookie we set is strictly necessary for the service you have asked us to provide. POPIA and the POPIA Regulations do not require a banner for strictly-necessary cookies. If we ever add optional cookies (analytics, for example), we will ask for your separate consent before setting them.

10. Your rights

POPIA gives you the following rights, free of charge:

  • Access (s23) — ask what personal information we hold about you. Use Settings → Download my data to receive a structured JSON copy immediately.
  • Correction (s24(1)(a)) — ask us to correct inaccurate or incomplete information. Most fields are editable directly in your profile and organisation settings.
  • Deletion (s24(1)(c)) — ask us to delete personal information that is no longer required. Use Settings → Delete my account or contact our Information Officer for any other deletion.
  • Objection (s11(3)) — object to processing based on legitimate interest, on reasonable grounds. Tell our Information Officer.
  • Withdraw consent (s11(2)(b)) — for any processing we do on the basis of your consent.
  • Complain (s74) — to the Information Regulator (section 12) without going through us first if you prefer.

Where the law requires us to retain information (most often the five-year tax window), we cannot delete that information immediately. Instead we pseudonymize it — replace your identifying details with non-identifying placeholders — so the record can satisfy the legal retention obligation without continuing to identify you. Pseudonymization is automatic the moment retention elapses.

11. Information Officer contact

For any privacy question, request, or concern, write to our Information Officer:

  • Name: {{IO_FULL_NAME — confirm at deploy}}
  • Position: Founder & Chief Executive Officer
  • Email: {{IO_CONTACT_EMAIL — confirm at deploy (recommended: privacy@khulabooks.co.za)}}
  • Postal address: {{IO_POSTAL_ADDRESS — confirm at deploy}}
  • Telephone: {{IO_TELEPHONE — confirm at deploy}}

We respond to substantive POPIA requests within 30 calendar days of receipt. Where additional time is required we will send an interim acknowledgement within 14 days specifying the expected resolution date.

12. Information Regulator contact

You can complain to the Information Regulator at any time without going through us first.

  • Body: Information Regulator (South Africa)
  • Postal address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
  • Telephone: +27 (0)10 023 5200
  • General enquiries: inforeg@justice.gov.za
  • POPIA complaints: POPIAComplaints@inforegulator.org.za
  • PAIA complaints: PAIAComplaints@inforegulator.org.za
  • Website: https://inforegulator.org.za

13. Changes to this notice

We review this notice at least once a year, and out-of-cycle whenever there is a material change — a new sub-operator, a new statutory obligation, or a change in our Information Officer. The dates at the top of this page tell you when the current version became effective and when it was last reviewed.

For material changes that affect your rights (a new purpose, a new sub-operator category, a change in retention horizon), we will notify you in-product and by email before the change takes effect.
