Privacy Policy

Effective date: 1 January 2026  ·  Last reviewed: 1 January 2026

Aligned with POPIA — Protection of Personal Information Act 4 of 2013

Your privacy matters to us. This Policy explains what personal information we collect, why we collect it, how we use and protect it, and what rights you have under South African law — particularly the Protection of Personal Information Act 4 of 2013 (POPIA).

Contents

  1. Who We Are (Responsible Party)
  2. Scope of This Policy
  3. Information We Collect
  4. Lawful Basis for Processing
  5. How We Use Your Information
  6. Sharing & Disclosure
  7. Retention of Personal Information
  8. Security Measures
  9. Cross-Border Transfers
  10. Your Rights under POPIA
  11. Cookies & Tracking
  12. Children's Privacy
  13. Data Breach Notification
  14. Changes to This Policy
  15. Contact & Information Officer

1. Who We Are (Responsible Party)

For the purposes of POPIA, the responsible party is:

Worksolutions (Pty) Ltd, trading as Zimela Stocktake System
Registered in the Republic of South Africa under the Companies Act 71 of 2008.
Contact: privacy@zimelastocktake.co.za

Where you are a Tenant (a business that subscribes to the Platform), you act as a responsible party in respect of your employees' and customers' personal information that you process through the Platform. We act as an operator in that context and process that information only on your documented instructions.

2. Scope of This Policy

This Policy applies to:

  • Visitors to our website and marketing pages.
  • Users who register for and use the Zimela Stocktake System Platform.
  • Tenants and their administrators who subscribe to the Platform.
  • Individuals whose personal information is processed through the Platform on behalf of a Tenant.

It does not apply to third-party websites or services that may be linked from our Platform.

3. Information We Collect

3.1 Information You Provide Directly

Category | Examples | Purpose
Account & Identity | Full name, email address, job title, role | Account creation, authentication, role-based access
Organisation | Company name, registration number, VAT number, physical address | Billing, compliance, white-label configuration
Billing & Financial | Payment method details (processed via secure payment gateway), invoice history | Subscription management and invoicing
Support Communications | Email content, attachments, chat transcripts | Technical support and issue resolution

3.2 Information Collected Automatically

Category | Examples | Purpose
Usage Data | Pages visited, features used, session duration, clicks | Product improvement, analytics
Device & Technical | IP address, browser type, operating system, device identifiers | Security, fraud prevention, compatibility
Log Data | Server logs, error reports, access timestamps | Security monitoring, debugging, audit trail
Cookies & Local Storage | Session tokens, preference settings, offline sync data | Platform functionality, offline capability

3.3 Inventory & Business Data (Processed as Operator)

When you use the Platform to manage your inventory, the data you upload (product information, stocktake records, variance reports, store details, employee records) is your data. We process it only on your behalf and do not use it for any other purpose.

4. Lawful Basis for Processing

Under POPIA, we process personal information on the following grounds (Conditions for Lawful Processing — Section 11):

  • Contractual necessity: Processing required to provide the Platform under our agreement with you.
  • Legitimate interests: Security monitoring, fraud prevention, product improvement, and direct marketing to existing clients (balanced against your rights).
  • Legal obligation: Compliance with South African law, including tax, financial reporting, and POPIA itself.
  • Consent: For optional communications such as newsletters and marketing emails (you may withdraw consent at any time).

5. How We Use Your Information

We use personal information for the following purposes:

  • Provision of the Platform — creating and managing accounts, authenticating users, and delivering platform features.
  • Billing & Subscription Management — processing payments, sending invoices, and managing plan changes.
  • Customer Support — responding to queries, resolving issues, and providing training.
  • Security & Fraud Prevention — detecting suspicious activity, enforcing access controls, and maintaining audit logs.
  • Product Improvement — analysing anonymised usage patterns to improve features and performance.
  • Legal Compliance — meeting our obligations under POPIA, the Companies Act, and other applicable legislation.
  • Communications — sending service notifications, updates, and (with consent) marketing communications.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6. Sharing & Disclosure

We may share your personal information with:

6.1 Service Providers (Operators)

We engage carefully vetted third-party operators — such as cloud hosting providers, payment processors, and email delivery services — who process information on our behalf under contractual data-processing agreements aligned with POPIA requirements.

6.2 Professional Advisers

Lawyers, auditors, and accountants who are bound by professional confidentiality obligations.

6.3 Legal & Regulatory Authorities

Where required by law, court order, or to protect our legal rights — including reporting to the Information Regulator in the event of a qualifying breach.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the successor entity, subject to equivalent privacy protections.

In all cases, we only share the minimum personal information necessary and require recipients to maintain appropriate safeguards.

7. Retention of Personal Information

We retain personal information only for as long as necessary for the purpose for which it was collected, or as required by law:

Data Category | Retention Period
Account & profile data | Duration of account + 12 months after termination
Billing & financial records | 5 years (as required by the Income Tax Act)
Audit logs & security events | 3 years
Support communications | 2 years after resolution
Inventory & business data (Tenant) | 30 days after account termination (then deleted unless export requested)
Server/access logs | 12 months
Marketing consent records | Until consent withdrawn + 12 months

After the applicable retention period, personal information is securely deleted or anonymised in accordance with our data destruction procedures.

8. Security Measures

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, loss, destruction, or disclosure (POPIA Section 19). These include:

  • TLS 1.2+ encryption for all data in transit.
  • AES-256 encryption for data at rest.
  • Role-based access controls and least-privilege principles.
  • Multi-tenant data isolation — Tenant data is logically separated.
  • Regular security assessments and vulnerability scanning.
  • Employee training on data protection and information security.
  • Access logging and anomaly detection.

While we take all reasonable precautions, no system is completely secure. We encourage you to use strong, unique passwords and to report any suspected security incidents immediately.

9. Cross-Border Transfers

The Platform is hosted on infrastructure that may be located outside South Africa (for example, on cloud providers with data centres in Europe or the United States). Where we transfer personal information outside South Africa, we ensure that the recipient country or organisation provides an adequate level of protection comparable to POPIA, either through:

  • A binding agreement with the recipient that includes data-protection obligations equivalent to those in POPIA (Section 72); or
  • The recipient being subject to laws or binding corporate rules that uphold POPIA-equivalent protections.

By using the Platform you consent to transfers under these safeguards.

10. Your Rights under POPIA

As a data subject under POPIA, you have the following rights (Sections 23–25):

Right to Access

Request confirmation of whether we hold your personal information and obtain a copy of it.

Right to Correction

Request correction of inaccurate, misleading, or outdated personal information.

Right to Erasure

Request deletion of personal information where it is no longer necessary for its original purpose.

Right to Object

Object to the processing of your personal information in certain circumstances, including direct marketing.

Right to Data Portability

Request your personal information in a structured, machine-readable format.

Right to Complain

Lodge a complaint with the Information Regulator of South Africa.

To exercise any of these rights, contact our Information Officer at privacy@zimelastocktake.co.za. We will respond within 30 days (extendable by a further 30 days in complex cases, with notice). There is no charge for reasonable requests.

We may request proof of identity before fulfilling any request to protect against unauthorised access.

11. Cookies & Tracking

We use the following types of storage technologies:

Type | Purpose | Duration
Session cookies | Authenticate your session and maintain login state | Expires when browser closes
Persistent cookies | Remember your preferences (e.g., language, theme) | Up to 12 months
localStorage / IndexedDB | Offline data storage for PWA functionality and sync queue | Until cleared by user or app
Analytics cookies | Anonymised usage analytics to improve the Platform (if enabled) | Up to 24 months

You may control cookies through your browser settings. Disabling essential cookies may affect Platform functionality. We do not use third-party advertising cookies.

12. Children's Privacy

The Platform is intended for use by businesses and professionals aged 18 and over. We do not knowingly collect personal information from children under the age of 18. If you believe a child has provided us with personal information, please contact us immediately and we will take steps to delete it.

13. Data Breach Notification

In the event of a security compromise involving personal information that is likely to prejudice data subjects, we will:

  • Notify the Information Regulator as soon as reasonably possible (and within the timeframes required under POPIA Section 22).
  • Notify affected data subjects in writing, unless the Regulator directs otherwise.
  • Provide notification details including: the nature of the information affected, the steps we have taken to address the breach, and recommendations for affected persons to protect themselves.

If you discover or suspect a data breach, please contact us immediately at security@zimelastocktake.co.za.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated by email and/or a notice within the Platform at least 14 days before taking effect. We encourage you to review this Policy periodically.

Continued use of the Platform after the effective date of changes constitutes acceptance of the updated Policy.

15. Contact & Information Officer

We have appointed an Information Officer as required by POPIA Section 55. You may contact our Information Officer for any privacy-related queries, complaints, or to exercise your rights:

Information Regulator of South Africa

If you are not satisfied with our response to a complaint or believe we are processing your personal information unlawfully, you may lodge a complaint with the Information Regulator:

Website: www.inforegulator.org.za

Email: inforeg@justice.gov.za

Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Information Officer — Worksolutions (Pty) Ltd

Privacy enquiries: privacy@zimelastocktake.co.za

Security incidents: security@zimelastocktake.co.za

General contact: support@zimelastocktake.co.za

South Africa  ·  Registered under the Companies Act 71 of 2008
POPIA Condition of Lawful Processing compliance effective 1 July 2021