1. Who we are
Supplyd (Pty) Ltd ("SpendVault", "we", "us", "our") is a company registered in South Africa (registration number 2026/166593/07) with its registered office in Johannesburg, Gauteng. We operate the SpendVault procurement intelligence platform and the website at spendvault.co.za.
We are the responsible party as defined in the Protection of Personal Information Act 4 of 2013 ("POPIA") in respect of personal information processed through our website and platform.
Information Officer: SpendVault has designated an Information Officer as required by POPIA. Our Information Officer can be contacted at info@supplyd.co.za.
This policy applies to personal information collected through spendvault.co.za, through the SpendVault platform, and through any communications between you and SpendVault. If you are a client of SpendVault and your employees' or suppliers' personal information is processed within your SpendVault deployment, the data processing terms in your service agreement also apply.
2. Information we collect
2.1 Information you provide directly
- Proposal intake: When you complete our AI intake form to request a proposal, we collect your name, job title, company name, email address, phone number and the information you provide in response to our scoping questions.
- Contact form: When you contact us through our website, we collect your name, company, email address, phone number and the contents of your message.
- Platform account: If you become a SpendVault client, we collect account registration details including name, business email address, job title and company information.
2.2 Information collected automatically
- Usage data: When you visit our website, our servers may record your IP address, browser type, pages visited, time spent and referring URL. This information is used for security and analytical purposes.
- Platform logs: Within the SpendVault platform, we log user actions (order creation, approvals, delivery confirmations) as part of the audit trail that is a core function of the service. These logs form part of the client's data, not SpendVault's own data.
2.3 Information from third parties
We do not purchase personal information from data brokers or other third-party sources. Where a client provides us with contact details for their suppliers, employees or other parties in connection with their SpendVault deployment, we process that information on the client's behalf as an operator under POPIA.
3. How we use your information
We use personal information for the following purposes:
- To respond to enquiries and prepare and deliver scoped proposals for the SpendVault platform.
- To provide the SpendVault service - account management, onboarding, support, and platform operation for clients.
- To communicate with you about your account, service updates, security notices and changes to our terms or policies.
- To send service-related communications, including confirmation emails following submission of an intake form or contact request.
- To improve our platform and website through analysis of usage patterns. We use aggregated, non-identifying information for this purpose where possible.
- To comply with legal obligations, including SARS requirements, the Companies Act and POPIA.
- To prevent fraud and maintain security on our platform and systems.
We do not use your personal information for automated decision-making that produces legal or similarly significant effects without human review.
4. Legal basis for processing
Under POPIA, we process personal information on the following lawful grounds:
- Contractual necessity: Processing required to fulfil our service agreement with you or to take steps at your request prior to entering into an agreement (e.g. preparing a proposal).
- Legitimate interests: Processing necessary for our legitimate business interests, including operating and improving our platform, maintaining security and communicating with prospective clients - where these interests are not overridden by your rights and freedoms.
- Legal obligation: Processing required to comply with applicable South African law.
- Consent: Where we rely on consent (for example, for optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. To withdraw consent, contact us at info@supplyd.co.za.
5. Sharing your information
We do not sell, rent or trade personal information. We share personal information only in the following circumstances:
- Service providers: We use third-party service providers who process personal information on our behalf to operate the website, platform, communications, hosting, security, authentication, database, storage, and audit-report generation features. These providers are engaged only where necessary to deliver the service and may not use your information for their own independent purposes except where their own legal obligations require it.
- Legal requirements: We may disclose personal information where required to do so by law, court order, or lawful request from a government authority (including the Information Regulator), or where we believe disclosure is necessary to protect our legal rights or the safety of any person.
- Business transfers: In the event of a merger, acquisition or sale of all or part of our business, personal information may be transferred to the acquiring entity. We will notify affected data subjects prior to such a transfer.
- With your consent: In any other circumstances, only with your explicit consent.
Some of our service providers may process or store information outside South Africa as part of the managed infrastructure they operate. Where this occurs, we rely on providers offering appropriate contractual, technical, and organisational safeguards, or on another lawful basis permitted under POPIA, including where the transfer is necessary for the performance of a contract with you or with your consent.
6. Retention
We retain personal information only for as long as necessary for the purpose for which it was collected, or as required by law.
- Proposal and intake data: Retained for 3 years from the date of collection, or until the associated client account is closed, whichever is later.
- Active client data: Retained for the duration of the service agreement plus 5 years, to comply with the Companies Act, SARS requirements and potential audit obligations.
- Contact and correspondence records: Retained for 3 years from the date of last contact.
- Website logs: Retained for 12 months for security and analytical purposes.
When retention periods expire, personal information is securely deleted or anonymised. If you request deletion before the end of a retention period, we will assess the request against our legal obligations and respond within 30 days.
7. Your rights as a data subject
Under POPIA, you have the following rights in respect of personal information we hold about you:
- Right of access: You may request confirmation of whether we hold personal information about you and, if so, a copy of that information.
- Right to correction: You may request that inaccurate, incomplete or outdated personal information be corrected.
- Right to deletion: You may request deletion of personal information where it is no longer necessary for the purpose for which it was collected, where you withdraw consent (and no other lawful basis exists), or where processing is unlawful.
- Right to object: You may object to processing of your personal information on grounds relating to your particular situation, where we rely on legitimate interests as the lawful basis.
- Right to restrict processing: You may request that we restrict processing of your personal information in certain circumstances (e.g. while the accuracy of information is contested).
- Right not to be subject to automated decision-making: You have the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects on you.
To exercise any of these rights, submit a written request to info@supplyd.co.za. We will respond within 30 days. We may ask you to verify your identity before processing your request. There is no fee for exercising these rights unless your request is manifestly unfounded or excessive.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator (South Africa):
8. Security
We implement appropriate technical and organisational security measures to protect personal information against loss, unauthorised access, disclosure, alteration or destruction. These measures include:
- Encryption of data in transit (TLS) and at rest.
- Access controls limiting personal information to staff who require it for their role.
- Single-tenant architecture for client deployments, ensuring data isolation between clients.
- Regular review of access rights and security procedures.
- Incident response procedures for data breaches.
In the event of a data breach that is likely to result in serious consequences for your rights and freedoms, we will notify the Information Regulator and affected data subjects as required by POPIA, within the prescribed timeframes.
No method of electronic transmission or storage is 100% secure. While we take all reasonable steps to protect your personal information, we cannot guarantee absolute security.
9. Cookies and tracking
Our website (spendvault.co.za) uses minimal tracking. We do not use advertising cookies or third-party behavioural tracking. The following may be set:
- Session functionality: Temporary session data required for the website to function correctly. This data is deleted when you close your browser.
- Cloudflare: Our infrastructure provider (Cloudflare) may set cookies for security and performance purposes (bot detection, DDoS protection). These are set by Cloudflare and governed by their privacy policy.
We do not use Google Analytics, Meta Pixel, or any other third-party advertising or analytics trackers on this website. If this changes, this policy will be updated.
10. Third-party services
Our website and platform interact with the following third-party services. Each has its own privacy policy governing its data practices:
- Cloudflare - Infrastructure, DNS, CDN, edge runtime, and security services. Cloudflare Privacy Policy.
- Supabase - Authentication, database, storage, and backend service delivery. Supabase Privacy Policy.
- AWS infrastructure - Underlying managed cloud infrastructure supporting core platform data services delivered through Supabase.
- Resend - Transactional email delivery. Email addresses and message content are transmitted to Resend for delivery. Resend Privacy Policy.
- DeepSeek - AI-assisted audit narrative generation where submitted audit responses are processed to produce business-readable summaries and implementation guidance.
- Google Fonts - Typeface delivery. Font files are served from Google's CDN. Google may collect your IP address as part of this service. Google Privacy Policy.
We select service providers who offer appropriate data protection commitments and process data only as necessary to provide their services to us.
11. Children's privacy
The SpendVault platform and website are intended for use by business entities and their authorised representatives. We do not knowingly collect personal information from individuals under the age of 18. If you believe we have inadvertently collected such information, please contact us at info@supplyd.co.za and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or the services we offer. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify active clients by email.
Your continued use of our website or platform after the effective date of a revised policy constitutes your acceptance of the changes. We encourage you to review this policy periodically.
13. Contact and complaints
For any questions about this Privacy Policy, to exercise your rights as a data subject, or to raise a concern about our processing of your personal information, contact our Information Officer:
- Email: info@supplyd.co.za
- Company: Supplyd (Pty) Ltd
- Registration: 2026/166593/07
- Address: Johannesburg, Gauteng, South Africa
We will acknowledge your request within 5 business days and respond fully within 30 days. If your request is complex or you have submitted multiple requests, we may extend this period by a further 30 days and will notify you accordingly.
If you are not satisfied with our response or believe we are processing your personal information unlawfully, you may complain to the Information Regulator of South Africa at inforeg@justice.gov.za or www.inforegulator.org.za.
For formal access-to-record procedures, please refer to our PAIA Manual.