Privacy Policy

Last updated: 24 February 2026

1. Introduction

Kujalia (Pty) Ltd ("Kujalia", "we", "us", or "our") operates the Kujalia ERP platform at erp.kujalia.com. This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and what choices you have. It applies to all visitors, registered users, and subscribers of our platform.

We process personal information in accordance with the Protection of Personal Information Act, 2013 ("POPIA"). For POPIA-specific details, including your data subject rights and the Information Regulator's contact details, please see our POPIA Compliance Notice.

2. Information We Collect

2.1 Information you provide

  • Account registration — name, email address, and password when you sign up.
  • Company setup — trading name, registration number, VAT number, physical address, functional currency, and financial year-end when you create a tenant.
  • Business data — contacts, invoices, bills, journal entries, products, employees, payroll records, and other information you enter into the platform in the course of running your business.
  • Support requests — messages, attachments, and contact details you provide when you reach out to us for help.
  • Payment details — billing address and payment method information when you subscribe to a paid plan. Card details are handled directly by our payment processor and are never stored on our servers.

2.2 Information collected automatically

  • Log data — IP address, browser type and version, operating system, referring URL, pages visited, and timestamps.
  • Session data — authentication tokens, session identifiers, and login/logout events.
  • Device information — screen resolution and device type, used to optimise the interface.

2.3 Information we do not collect

We do not use third-party advertising trackers, social media pixels, or behavioural analytics tools. We do not collect biometric data, health information, or information about children.

3. How We Use Your Information

Purpose | Data used | Legal basis
Provide and operate the platform | Account, company, and business data | Contract
Process subscription payments | Billing and payment details | Contract
Send transactional emails (invoices, password resets, alerts) | Email address, name | Contract
Respond to support requests | Contact details, message content | Contract
Comply with tax, employment, and company law | Financial records, employee records | Legal obligation
Secure the platform and prevent fraud | Log data, session data, IP addresses | Legitimate interest
Monitor performance and fix bugs | Log data, error reports | Legitimate interest
Send product updates and new feature announcements | Email address | Consent

We do not use your business data (invoices, contacts, employees, etc.) for any purpose other than delivering the service to you. We never sell personal information to third parties.

4. Your Tenant Data

The business information you enter into Kujalia ERP — your customers, employees, invoices, inventory, and financial records — belongs to you. We process it on your behalf as an operator under POPIA. We do not access your tenant data except where necessary to provide the service, troubleshoot a problem you have reported, or comply with a lawful order. Each tenant's data is logically isolated and cannot be accessed by other tenants.

5. Cookies

We use a minimal number of cookies, all strictly necessary for the platform to function:

Cookie | Purpose | Duration
authjs.session-token | Authenticates your logged-in session | Session / 30 days
authjs.csrf-token | Protects against cross-site request forgery | Session
authjs.callback-url | Remembers where to redirect after sign-in | Session

We do not use analytics cookies, advertising cookies, or any third-party tracking scripts.

6. Third-Party Services

We share information with the following categories of service providers, each bound by data processing agreements:

Provider | Purpose | Data location
Amazon Web Services | Cloud hosting, database, caching | Cape Town, South Africa (af-south-1)
Payment processor | Subscription billing | South Africa
Transactional email provider | System notifications and alerts | Varies (see provider policy)

We do not share your information with data brokers, advertising networks, or social media platforms.

7. Data Storage and Security

Your data is hosted in AWS's Cape Town region (af-south-1) and protected by multiple layers of security:

  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Passwords hashed with bcrypt; never stored in plain text.
  • Role-based access control with five permission levels (viewer, member, accountant, manager, admin).
  • Optional two-factor authentication (TOTP).
  • Comprehensive audit logging of all data access and changes.
  • Automated backups with point-in-time recovery.

For full details, see our Security page.

8. Data Retention

We keep your information only as long as needed:

Data type | Retention period | Reason
Account profile | Duration of subscription + 90 days | Service delivery, account recovery
Financial records | 5 years | Tax Administration Act, Companies Act
Employment records | 5 years after termination | Basic Conditions of Employment Act
Audit logs | 2 years | Security and compliance
Server logs | 90 days | Debugging and security monitoring
Support correspondence | 2 years after resolution | Service quality

When you cancel your subscription, we retain your data for 90 days in case you wish to reactivate. After that, it is permanently deleted. You may request earlier deletion by contacting us.

9. Your Rights and Choices

Under POPIA, you have the right to access, correct, or delete your personal information, object to processing, and withdraw consent. Full details and the process for exercising these rights are set out in our POPIA Compliance Notice.

In addition, you can:

  • Export your data — download your tenant data in standard formats (CSV, PDF) at any time from within the platform.
  • Close your account — contact us to close your account and initiate data deletion.
  • Unsubscribe — opt out of non-essential emails using the unsubscribe link in any message.
  • Manage sessions — view and terminate active sessions from your security settings.

10. International Data Transfers

Your primary data is stored in South Africa. In limited cases, data may be processed outside the Republic — for example, when a third-party email provider routes a transactional message through international infrastructure. Any such transfer complies with Section 72 of POPIA, meaning the recipient country has adequate data protection laws, or we have binding contractual safeguards in place.

11. Changes to This Policy

We may revise this Privacy Policy from time to time. If we make material changes that affect how your personal information is handled, we will notify you by email or via an in-app notice at least 14 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.

12. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

If you are unsatisfied with our response, you may lodge a complaint with the Information Regulator at complaints.IR@justice.gov.za.