Cerafin

Privacy Policy

Effective date: 2026-05-02  ·  Version 1.0
Draft — pending legal review. This document has been prepared as a working draft covering the standard POPIA Section 18 information notice requirements. Sections marked [To be confirmed] require input from the responsible party before publication. This draft should be reviewed by a South African admitted attorney prior to launch.

1. Who we are

Cerafin (“Cerafin”, “we”, “us”) is a cloud accounting and business-management platform operated from the Republic of South Africa. We are the responsible party (in POPIA terms) for personal information you provide when you register for or use the Cerafin platform.

Responsible party / data controller: Cerafin (Pty) Ltd (Registration No. [To be confirmed on incorporation])

2. Information we collect

We collect the personal information you give us directly and information generated by your use of the platform:

  • Account information — name, email address, password (hashed), preferred language, role.
  • Company / billing information — company name, country, currency, plan, invoices and payment records.
  • Operational records you enter — invoices, customers, suppliers, employees, products, banking transactions, accounting journals, attachments and any other records you upload.
  • Usage data — IP address, browser/user-agent, login timestamps, pages viewed, audit-log entries.
  • Cookies + session storage — required for sign-in (a session cookie), and a small set of preference cookies for theme + language.
  • Third-party integrations — if you connect bank feeds (Stitch), payment gateways (PayFast / Paystack), or import data from Xero / CSV, the corresponding data is shared with those services as you direct.

3. Lawful basis for processing

We process personal information on the following bases (POPIA s11 / GDPR Art 6):

  • Contract — performing the services you have signed up for.
  • Consent — for optional features such as marketing communications and certain integrations. Consent can be withdrawn at any time.
  • Legal obligation — tax, accounting and SARS-related record-keeping requirements.
  • Legitimate interest — security monitoring, abuse prevention, and improving the platform.

4. How long we keep your information

We retain account and transaction records for as long as your account is active and for at least five (5) years after closure, in line with South African tax and company-law retention requirements. Audit log entries are retained for the same period. After the retention window expires, records are anonymised or destroyed.

5. Sharing your information

We do not sell personal information. We share information only:

  • With service providers we use to operate the platform (hosting, email delivery, payment processing, error monitoring) under contractual confidentiality and processor agreements.
  • With third-party services you instruct us to integrate with (banks, payment gateways, accounting imports).
  • Where required by law, court order, or a binding regulator request.

6. Cross-border transfers

Some of our service providers (for example, our error-monitoring service) process data outside South Africa. Where this happens, we rely on the data exporter's adherence to laws that provide an adequate level of protection (POPIA s72) or the standard contractual safeguards required by the responsible party.

7. Security

We use industry-standard security controls, including encryption of data in transit (HTTPS/TLS), password hashing with bcrypt, optional two-factor authentication, row-level tenant isolation in the database, and access logging. No method of transmission over the Internet is 100% secure, but we maintain reasonable organisational and technical measures as required by POPIA s19.

8. Your rights

You have the following rights under POPIA (s23–s25) and GDPR (Articles 15–22):

  • The right to confirm whether we hold your personal information and to access it.
  • The right to correct or delete inaccurate or out-of-date information.
  • The right to object to processing on legitimate-interest grounds.
  • The right to data portability (export of your records in a structured format).
  • The right to withdraw consent for any consent-based processing.
  • The right to lodge a complaint with the Information Regulator of South Africa.

To exercise any right, contact our information officer (see Section 10). Requests for erasure of an entire workspace (right-to-be-forgotten) follow our Erasure Request flow with a 14-day cooling-off window before destruction.

9. Cookies

We use only the cookies necessary to keep you signed in and to remember your interface preferences (theme, language). We do not use third-party advertising cookies.

10. Information officer + contact (POPIA s55)

We have nominated an information officer in line with POPIA s55. To exercise your rights, ask a privacy question, or report a concern, contact:

  • Information Officer: [Name to be confirmed — to be registered with the Information Regulator of South Africa]
  • Email: privacy@cerafin.co.za
  • Telephone: [Contact number to be confirmed]
  • Postal address: [Registered office address to be confirmed on incorporation]
  • Information Regulator (SA): inforegulator.org.za — complaints.IR@justice.gov.za

11. Changes to this policy

We may update this Privacy Policy from time to time. The version and effective date at the top of the page reflect the current revision. Material changes will be notified to registered users by email or in-app notice at least 14 days before they take effect.

© 2026 Cerafin. South African company. All rights reserved.