Privacy Policy
1. Introduction and scope
This Privacy Policy describes how PawPlate (the "Service") collects, uses, and protects personal information in line with the South African Protection of Personal Information Act, 2013 ("POPIA"). It applies to visitors to www.pawplate.co.za, prospective customers, customer staff using the platform, and the pet owners whose data customers process within the Service.
2. Responsible Party (Operator)
The Service is operated by Yappitech (Pty) Ltd trading as PawPlate ("we", "us"), a company registered in the Republic of South Africa, with its registered office in the Western Cape. For privacy enquiries, contact privacy@pawplate.co.za.
Where PawPlate processes personal information on behalf of a customer facility (an "Operator" under POPIA), the customer facility is the Responsible Party for the data they store; PawPlate acts as their Operator under a written processing arrangement.
3. Categories of personal information collected
- Owner data — name, contact number, email address, physical address, payment details for invoicing.
- Pet data — name, species, breed, age, weight, photographs, feeding plan, medications, behavioural notes, veterinary records you choose to upload.
- Staff data — for customer facility employees: name, work email, role, audit logs of actions performed in the platform.
- Payment data — billing records, transaction reference numbers, subscription tier. PawPlate does not store full card numbers; payment processing is handled by PayFast.
- Technical data — IP address, browser user-agent, session tokens, request logs, error traces.
4. Purpose of processing
- To create and operate customer facility accounts and the records customers store within them.
- To process subscription billing, generate invoices, and reconcile payments.
- To send transactional email (magic-link sign-in, billing receipts, trial-ending notifications).
- To provide product support, investigate incidents, and audit access for security purposes.
- To improve the Service through aggregated usage analysis (no profiling for behavioural advertising).
5. Lawful basis for processing
We rely on the following POPIA-recognised grounds, depending on the processing activity:
- Consent — for marketing communications and optional features.
- Contractual necessity — to deliver the subscription Service to customer facilities.
- Legitimate interest — for fraud prevention, security logging, and product improvement (balanced against data subject rights).
- Legal obligation — for tax, accounting, and statutory record-keeping.
6. Third-party processors
We share personal information only with processors who are contractually bound to protect it on our behalf:
- Supabase — managed PostgreSQL hosting (database storage and row-level security).
- PayFast — payment processing for subscription billing (South African payment gateway).
- Resend (or equivalent transactional email provider) — magic-link and notification email delivery.
- Replit — application hosting and runtime infrastructure.
7. Cross-border transfers
Some processors operate infrastructure outside the Republic of South Africa. Where personal information is transferred cross-border, we rely on the recipient being subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection equivalent to POPIA, in line with section 72 of the Act.
8. Data subject rights
Under POPIA you have the right to:
- Request confirmation of, and access to, the personal information we hold about you.
- Request correction or deletion of inaccurate or out-of-date personal information.
- Object to processing on legitimate-interest grounds in your particular circumstances.
- Submit a complaint to the Information Regulator (see section 13).
To exercise any of these rights, email privacy@pawplate.co.za. We will respond within 30 days.
9. Data retention
We retain personal information only for as long as necessary for the purposes set out above, and as required by law:
- Active customer records — retained for the life of the customer subscription.
- Billing and invoice records — retained for at least five years to comply with the Tax Administration Act.
- Closed accounts — personal records (other than statutory billing records) deleted within 90 days of cancellation, unless the customer requests earlier deletion.
- Server logs — retained for up to 90 days for security and incident-response purposes.
10. Security measures
We protect personal information using:
- TLS 1.2+ in transit for all browser and API traffic.
- Encryption at rest at the storage layer (managed by Supabase / hosting provider).
- PostgreSQL row-level security (RLS) policies enforcing tenant isolation in the database.
- Magic-link and OAuth authentication; no plaintext password storage.
- Audit logs of administrative actions, retained for forensic review.
11. Cookies and tracking
The Service uses a single first-party session cookie (pawplate.sid) to maintain your authenticated session. We do not use third-party advertising cookies. We may use first-party analytics in future to understand aggregate product usage; if and when we do, this policy will be updated and a cookie banner introduced.
12. Children's data
The Service is not directed at children under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@pawplate.co.za and we will delete it.
13. Information Regulator
If you are not satisfied with how we have handled your personal information, you may lodge a complaint with the South African Information Regulator:
- Website: https://inforegulator.org.za
- Complaints: complaints@inforegulator.org.za
14. Contact
Privacy enquiries: privacy@pawplate.co.za
General enquiries: hello@pawplate.co.za
15. Effective date
This Privacy Policy is effective from 2026-04-22. We will post any material changes to this URL and update the "Last updated" date above.