Privacy Policy

Effective 10 May 2026. Last updated 10 May 2026.

This Privacy Policy explains what personal information TradeJot ("we", "us") collects, why we collect it, how we protect it, and what rights you have. We comply with the South African Protection of Personal Information Act 4 of 2013 ("POPIA").

Quick summary. We collect the minimum needed to send invoices via WhatsApp on your behalf. Sensitive fields (phone numbers, addresses, business details) are encrypted at rest with AES-256-GCM. We do not sell your data. You can export or delete everything by messaging the bot.

1. Who we are

TradeJot is operated from the Free State, South Africa. The Information Officer responsible for personal information is the operator of the Service, contactable at privacy@tradejot.co.za.

2. Whose information this covers

Tenants (tradies): people who use TradeJot to invoice their own clients.
End-clients: the customers a tradie invoices via TradeJot.

3. What we collect

From tenants

Field	Why we need it
WhatsApp phone number	To deliver the Service over WhatsApp
Name, business name, trade	To populate invoices and quotes
Business email and address	For invoice headers if you choose to include them
VAT number (optional)	For tax-compliant invoicing if applicable
Banking details (optional)	To print on invoices if you choose to include them
Subscription / payment status	To deliver the right tier of Service
WhatsApp message history with the bot	To respond to your messages and improve parsing accuracy

From end-clients (collected via the tenant)

Field	Why we need it
Name	To address the invoice
Phone number	If the tenant chooses to record it for follow-up
Address	If the job involves a physical site
Job description and amount	To produce the invoice

What we do NOT collect

South African ID numbers
End-client banking details or card information
Marketing profiling data
Location history or GPS data
Voice notes are not stored: they are transcribed and the audio file is immediately deleted.

4. How we use your information

To deliver the Service: parse your messages, create invoices, send PDFs, track outstanding balances.
To process subscription payments via Paystack.
To meet legal obligations (e.g. SARS retention rules for tax records).
To detect abuse or fraud.

We do not sell, rent, or share your personal information for marketing purposes. We do not show advertising in TradeJot.

5. How we protect your information

Sensitive fields (your and your clients' phone numbers, addresses, business details, banking details, VAT numbers) are stored as AES-256-GCM ciphertext in the database. The encryption key is held only on the production server, with restricted file permissions.
Database backups are encrypted with GPG (AES-256 symmetric) and stored in Hetzner Object Storage in the EU.
Servers run in the Hetzner data centre in Nuremberg, Germany. SSH access is key-only, with brute-force protection (fail2ban) and a strict firewall (only ports 22, 80 and 443 open).
HTTPS is enforced site-wide via Let's Encrypt certificates.
Logs are scrubbed of personal information by configuration. We test for accidental leakage before every release.

6. Cross-border transfers

POPIA section 72 requires us to disclose when personal information leaves South Africa. The following transfers happen as part of running the Service:

Service	Country	Why
Hetzner Online (hosting)	Germany / EU	Server hosting and backups
OpenRouter / DeepSeek (parsing)	USA / EU	Parses your text messages into structured invoice data. Phone numbers are masked before being sent.
OpenAI Whisper (voice transcription)	USA	Transcribes voice notes you send to the bot. Audio is deleted immediately after transcription.
Paystack (payments)	Nigeria / South Africa	Processes subscription payments. Card data never touches TradeJot.
Meta / WhatsApp (messaging)	USA / Ireland	The Service runs on WhatsApp. Meta's own privacy terms apply to message delivery.

By using the Service you consent to these transfers. They are necessary to deliver the Service.

7. How long we keep your information

Data	Retention
Raw WhatsApp messages to the bot	30 days, then deleted (rolling)
Client records	While your account is active
Invoices and quotes	5 years after issue (SARS minimum for tax records)
Audit log	1 year
Backups	30 days, then overwritten
On account cancellation	30-day grace period, then full hard-delete and final export emailed to you

8. Your rights under POPIA

You have the right to:

Access the personal information we hold about you. Email privacy@tradejot.co.za from the email on file (or include your WhatsApp number) and we will send you a full export of your records within 7 business days.
Correct inaccurate information by updating it via the bot during normal use, or by emailing privacy@tradejot.co.za.
Delete your information. Email privacy@tradejot.co.za with your WhatsApp number and the subject line "Delete my account". We acknowledge within 7 days, send you a final export, and complete the hard delete within 30 days.
Delete a specific client. Email privacy@tradejot.co.za with your WhatsApp number and the client phone number.
Object to processing or withdraw consent. Note that withdrawing consent for processing necessary to deliver the Service means we cannot continue providing the Service to you.
Lodge a complaint with the Information Regulator of South Africa: https://inforegulator.org.za.

9. Lawful basis for processing

We process personal information on the following bases under POPIA section 11:

Contract performance: we need it to deliver the Service you signed up for.
Legitimate interest: for security, fraud prevention, and Service improvement.
Legal obligation: SARS retention, breach notification.
Consent: for cross-border transfers and any optional features.

10. End-client notice (your customers' data)

When a tradie records a client's phone number or address in TradeJot, that client may not have given direct consent to us. The first time the bot needs to contact a client on a tradie's behalf, it sends an opt-out notice:

"Hi! [Tradie Name] uses TradeJot to manage their work. Your phone number is stored securely and never shared. Reply STOP to opt out. Full privacy policy: tradejot.co.za/privacy"

If a client replies STOP, we hard-delete their record from the tradie's account.

11. Children

The Service is not intended for users under 18. We do not knowingly collect personal information from children.

12. Cookies and tracking

This website does not use cookies for tracking. We do not run analytics or advertising scripts on tradejot.co.za.

13. Data breaches

If we discover a security compromise that may affect your personal information, we will notify the Information Regulator within 72 hours and notify affected users within a reasonable time, as required by POPIA section 22.

14. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified via WhatsApp and on this page at least 30 days before they take effect.

15. Contact

Privacy questions: privacy@tradejot.co.za
General support: support@tradejot.co.za