Privacy Policy
Last updated: 1 January 2025 — Version 1.0
1. Who We Are
SymplTorque (Pty) Ltd operates the SymplTorque Workshop Management System (WMS) and is the responsible party for the purposes of the Protection of Personal Information Act 4 of 2013 (POPIA).
Information Officer: privacy@sympltorque.com
Physical address: South Africa
Information Regulator registration: Registered with the Information Regulator of South Africa
2. What Personal Information We Collect
We collect personal information only to the extent necessary:
- Workshop operators: Name, email address, phone number, role within the workshop
- End customers (via workshops): Name, phone number, email address, vehicle details (make, model, registration), service/jobcard history, invoices
- Usage data: Login timestamps, actions performed within the system (audit log) — stored without email/phone
- Technical data: IP addresses (for security and audit purposes), browser/device type
3. Why We Collect It — Lawful Bases
We process personal information only where we have a lawful basis:
- Contract performance: To provide the workshop management service you have subscribed to
- Legal obligation: SARS requires retention of financial records for at least 10 years; POPIA requires us to maintain consent records
- Consent: WhatsApp, SMS, and email marketing communications — opt-in only, withdrawable at any time
- Legitimate interest: System security, fraud prevention, service improvement
4. How Long We Keep Your Data
- Financial records (invoices, jobcards): Minimum 10 years as required by the South African Revenue Service (SARS)
- Customer profile data: Duration of active subscription plus 10-year financial retention period
- Audit logs: 2 years for security audits
- Session data: 30 days from last activity
5. Who We Share Data With
We do not sell personal information to third parties. We share data only with:
- Paystack: Payment processing — governed by their privacy policy
- WhatsApp Business API provider: For delivery of consented WhatsApp messages only
- Amazon Web Services (af-south-1): Cloud infrastructure — data remains in South Africa (Cape Town region)
All third-party processors are bound by data processing agreements consistent with POPIA requirements.
6. Security Safeguards
- All data encrypted at rest and in transit (HTTPS/TLS)
- Role-based access control — staff access only what they need
- Comprehensive audit logging of all data access and modifications
- Multi-factor authentication for privileged accounts
- Data hosted exclusively in South Africa (AWS af-south-1)
7. Your Rights Under POPIA
You have the right to:
- Access a copy of your personal information (within 30 days of request)
- Correct inaccurate personal information (processed within 7 days)
- Delete your data, subject to legal retention obligations (10-year SARS requirement)
- Object to processing — particularly for marketing communications
- Withdraw consent for optional processing at any time
To exercise any of these rights, contact our Information Officer at privacy@sympltorque.com. We will verify your identity before processing any request.
8. Cookies
We use a session cookie (httpOnly, secure) required for authentication. We do not use tracking or advertising cookies. You can read more about your choices in our cookie consent banner.
9. Changes to This Policy
We will notify registered users by email of any material changes to this Privacy Policy at least 30 days before they take effect.
10. Complaints
If you believe we have not handled your personal information correctly, please contact us first at privacy@sympltorque.com. If your concern is not resolved, you may lodge a complaint with the Information Regulator of South Africa: inforegulator.org.za.