Privacy Policy

Last updated: 9 April 2026

QuickSlip (Pty) Ltd ("QuickSlip", "we", "us", or "our") is committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and all other applicable South African privacy legislation. This policy explains how we collect, use, store, and share personal information when you use our websites, platform, and related services.

1. Who We Are

QuickSlip is a South African SaaS platform that enables accounting firms ("Tenants") to manage their clients' financial receipts and documents. Contact details are provided in Section 15.

Information Officer: In accordance with section 55 of POPIA, QuickSlip has designated an Information Officer responsible for ensuring compliance with this policy. Contact details are in Section 15.

2. Roles Under POPIA

For most receipt and document data uploaded by a Tenant, the Tenant acts as the Responsible Party and QuickSlip acts as an Operator processing personal information on the Tenant's instructions.

For limited data required to run our relationship with you (for example account owner details, billing contacts, support correspondence, and security logs), QuickSlip may act as a Responsible Party in its own right.

3. Personal Information We Collect

Account & Identity

  • Full name and email address
  • Organisation name and role
  • Account credentials (passwords stored as salted hashes — never plain text)

Receipt & Financial Documents

  • Uploaded receipt images and PDF files
  • Extracted data (vendor, date, amount, tax) via OCR processing
  • File metadata (name, size, upload date)

Microsoft / SharePoint Integration

  • Microsoft 365 account identifiers (when you authorise SharePoint integration)
  • OAuth access and refresh tokens (stored encrypted with AES-128 Fernet)
  • SharePoint folder structure and file metadata accessed through the integration

Technical & Usage Data

  • IP address, browser type, and device information
  • Log data: pages accessed, actions performed, timestamps
  • Session tokens (JWT) used for authentication

4. How We Use Your Personal Information

We process your personal information for the following purposes, each with a lawful basis under POPIA:

Purpose | Lawful Basis
Providing and operating the QuickSlip platform | Performance of contract
Processing and storing uploaded receipts | Performance of contract
Syncing documents to your SharePoint environment | Performance of contract / Consent
Sending transactional emails (setup, invites, alerts) | Performance of contract
Security monitoring and fraud prevention | Legitimate interest
Improving platform features and performance | Legitimate interest
Complying with legal obligations | Legal obligation

5. Data Storage and Security

We implement the following security measures to protect your personal information:

  • All data in transit is encrypted using TLS 1.2 or higher
  • OAuth credentials (Microsoft tokens) are encrypted at rest using Fernet (AES-128-CBC)
  • Passwords are hashed using industry-standard algorithms and never stored in plain text
  • Database-level Row-Level Security (RLS) enforces strict tenant data isolation
  • JWT-based authentication with short-lived tokens and automatic refresh
  • Access to production systems is restricted to authorised personnel only

6. Sharing Your Personal Information

We do not sell your personal information. We share it only:

  • Within your organisation — your tenant administrator has access to users and receipts managed within their firm.
  • With service providers (sub-operators) who process data on our behalf under contractual data processing obligations.
  • Where required by law, court order, or to protect the rights, property, or safety of QuickSlip, our users, or the public.
  • As part of a merger, acquisition, financing, or asset sale, subject to confidentiality and lawful transfer safeguards.

7. Cross-Border Data Transfers

In accordance with section 72 of POPIA, we disclose the following cross-border transfers:

Microsoft Azure (SharePoint / Azure AD)

If you enable the SharePoint integration, your documents and OAuth credentials may be processed on Microsoft Azure infrastructure. Microsoft operates data centres in South Africa (South Africa North, South Africa West) and other jurisdictions.

Amazon Web Services (SES — email delivery)

Transactional emails are routed through AWS Simple Email Service and related AWS services. AWS maintains appropriate contractual and technical safeguards for personal data.

We transfer personal information cross-border only where we have a lawful basis under POPIA section 72, including adequacy, consent, necessity for performance of a contract, or other recognised safeguards.

8. Data Retention and Deletion

  • Account data is retained for the duration of your subscription and for a limited period thereafter to support account recovery, billing, legal compliance, and dispute resolution.
  • Uploaded receipts and metadata are retained in accordance with your organisation's configuration and applicable accounting regulations.
  • Audit logs are retained for a minimum of 12 months for security and compliance.
  • OAuth tokens are invalidated upon disconnecting the SharePoint integration.
  • Deleted data may remain in secure backups for a limited backup retention window before permanent overwrite.

9. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights. Contact our Information Officer (Section 15) to exercise them:

Right of access (s23): Request a copy of the personal information we hold about you.
Right to correction (s24): Request correction of inaccurate, irrelevant, or misleading information.
Right to deletion: Request deletion where we no longer have a lawful basis to retain it.
Right to object (s11(3)): Object to processing where we rely on legitimate interest.
Right to data portability: Request your data in a structured, machine-readable format where feasible.
Right to complain: Lodge a complaint with the Information Regulator at [email protected].

Where QuickSlip acts as an Operator on behalf of a Tenant, we may direct your request to the relevant Tenant as Responsible Party. We may request information to verify your identity before fulfilling rights requests.

10. Security Incidents and Breach Notification

We maintain incident response procedures designed to detect, investigate, and address security incidents. Where required by POPIA and other applicable law, we will notify the affected Responsible Party and/or data subjects, and relevant regulators, without undue delay.

11. Cookies and Tracking

QuickSlip uses strictly necessary cookies and session tokens required for authentication and platform operation. We do not use advertising cookies or third-party tracking pixels as at the "Last updated" date.

12. Children's Personal Information

QuickSlip is a professional B2B platform not directed at children under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected such information, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users via email and update the "Last updated" date above. Continued use of the platform after changes take effect constitutes acceptance of the revised policy where permitted by law.

14. Governing Law

This Privacy Policy is governed by the laws of the Republic of South Africa, including POPIA and the Electronic Communications and Transactions Act 25 of 2002 (ECT Act).

15. Contact Us

For any privacy-related queries or to exercise your data subject rights, contact our Information Officer:

QuickSlip (Pty) Ltd — Information Officer

Email: [email protected]

You may also lodge a complaint with the South African Information Regulator:

Information Regulator (South Africa)

Email: [email protected]

Tel: +27 10 023 5207 · www.inforegulator.org.za