Last updated: 6 June 2026
1. Introduction
MyBizBox ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share and safeguard your personal information when you use our platform, website, mobile applications and services (collectively, the "Services").
We operate across Southern Africa — including South Africa, Zimbabwe, Zambia, Botswana and Namibia — and comply with applicable data-protection laws, including the Protection of Personal Information Act 4 of 2013 (POPIA) in South Africa and the General Data Protection Regulation (GDPR) where relevant.
By using the Services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Services.
2. Information We Collect
2.1 Information you provide directly
- Account data: name, email address, phone number, password, profile photo, job title and company name.
- Billing data: payment-card details, billing address, VAT or tax number, and transaction history. (Card numbers are tokenised by our PCI-DSS-compliant payment processor; we do not store full card numbers.)
- Business documents: templates, contracts, employee records, invoices and other content you upload, generate or edit using the Services.
- Communications: messages sent via support chat, email, WhatsApp Business or feedback forms.
- Marketing preferences: opt-in/out choices for newsletters, product updates and promotional offers.
2.2 Information collected automatically
- Device and log data: IP address, browser type, operating system, device identifiers, pages visited, time spent, referral URLs and crash logs.
- Usage data: features used, documents generated, searches performed, workflow triggers and AI-assistant interactions.
- Location data: approximate location derived from IP address (used for jurisdiction-specific compliance and tax calculations, not precise GPS tracking).
- Cookies and similar technologies: see Section 9 below.
2.3 Information from third parties
- Authentication partners: when you sign in via Google or other OAuth providers, we receive your name, email and profile photo.
- Integration partners: if you connect accounting, CRM or storage integrations, we receive data necessary to enable that connection (only with your explicit consent).
- WhatsApp Business API: phone numbers and message content shared through our WhatsApp Business integration.
3. How We Use Your Information
We use your information for the following lawful purposes:
- Provide and maintain the Services: generating documents, running workflows, processing payments, delivering push notifications and enabling team collaboration.
- AI assistance: powering our AI Business Assistant to draft, review and suggest content. AI inputs may be processed by our AI-gateway providers; we do not use your confidential business documents to train public AI models without your explicit consent.
- Personalisation: recommending templates, workflows and jurisdiction-specific compliance packs based on your industry, country and usage patterns.
- Communications: sending service announcements, security alerts, onboarding tips and (with consent) marketing messages.
- Security and fraud prevention: detecting suspicious activity, unauthorised access and payment fraud.
- Legal compliance: meeting tax, accounting, labour-law and regulatory obligations in the jurisdictions where we operate.
- Analytics and improvement: understanding how the platform is used so we can improve features, fix bugs and optimise performance.
4. Legal Basis for Processing (POPIA & GDPR)
We process personal data only where we have a valid legal basis:
- Contractual necessity: to provide the Services you have subscribed to.
- Consent: for marketing communications, optional AI-training participation and non-essential cookies. You may withdraw consent at any time.
- Legal obligation: to comply with tax, regulatory and law-enforcement requests.
- Legitimate interests: for fraud prevention, network security, product improvement and enforcing our terms — provided these interests do not override your fundamental rights.
5. How We Share Your Information
We do not sell your personal data. We share information only in the following limited circumstances:
- Service providers: cloud-hosting (AWS / Cloudflare), payment processing (Paystack, Peach Payments, PayFast), email delivery, analytics, customer-support tools and AI-gateway providers. All providers are bound by confidentiality and data-processing agreements.
- Your organisation: if you are an invited team member, your account data and activity are visible to the organisation owner and admins as needed for administration.
- Marketplace vendors: when you purchase a third-party template pack, we share necessary contact and transaction details with the vendor to fulfil the purchase.
- Legal and regulatory bodies: when required by court order, subpoena or applicable law, or to protect our rights, property or safety.
- Business transfers: in connection with a merger, acquisition or sale of assets, your information may be transferred subject to the same privacy protections.
6. International Data Transfers
Our servers are hosted in the AWS Cape Town region and backed up to Cloudflare infrastructure. Some service providers (e.g., AI-gateway, email delivery) may process data in other jurisdictions. Where data is transferred outside South Africa or the EEA, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the EU Commission and the South African Information Regulator;
- Adequacy decisions where recognised; and
- Binding corporate rules for intra-group transfers.
7. Data Security
We implement industry-standard technical and organisational measures to protect your data:
- Encryption: TLS 1.3 in transit; AES-256 at rest.
- Access controls: role-based permissions, multi-factor authentication (MFA) and least-privilege access for staff.
- Monitoring: automated intrusion detection, vulnerability scanning and security-event logging.
- Backups: encrypted, geo-redundant backups with regular recovery testing.
- Incident response: a documented breach-response plan aligned with POPIA notification timelines (notification to the Information Regulator and affected data subjects within a reasonable time).
No system is 100% secure. If you believe your account has been compromised, contact us immediately at security@ubuntubizbox.com.
8. Data Retention
We retain personal data only as long as necessary for the purposes outlined above:
- Active accounts: for the duration of your subscription plus any applicable statutory period.
- Deleted accounts: personal identifiers are removed or anonymised within 90 days of account deletion, unless retention is required for legal, tax or dispute-resolution purposes.
- Business documents: governed by your organisation's data-retention settings and applicable industry regulations (e.g., labour-law record-keeping periods).
- Logs and backups: retained for security and compliance periods (typically 12–24 months) before secure deletion.
9. Cookies & Tracking Technologies
We use cookies and similar technologies to:
- Keep you logged in and remember preferences (essential cookies);
- Analyse usage and improve the platform (analytics cookies);
- Deliver relevant marketing (marketing cookies, only with consent).
You can manage cookie preferences via the cookie banner on your first visit or through your browser settings. For more details, see our Cookie Policy.
10. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Correction: request that inaccurate or incomplete data be corrected.
- Deletion: request deletion of your personal data, subject to legal retention obligations.
- Restriction: request that we limit processing in certain circumstances.
- Objection: object to processing based on legitimate interests or direct marketing.
- Portability: receive your data in a structured, machine-readable format.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Complaint: lodge a complaint with the South African Information Regulator or your local data-protection authority.
To exercise any of these rights, email us at privacy@ubuntubizbox.com. We will respond within the timeframe required by applicable law (typically 30 days under POPIA).
11. Children's Privacy
The Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Business Documents & Confidentiality
MyBizBox is a Business Operating System. You may upload, generate or store documents containing personal data of your employees, clients, suppliers or other third parties. You remain the data controller for that content; MyBizBox acts as a data processor.
- We process business documents solely to provide the Services (generation, storage, sharing, e-signature).
- We do not scan, analyse or monetise the content of your documents for advertising or unrelated purposes.
- Our AI Assistant may process document content to provide drafting or review suggestions. You control whether AI features are enabled per document or organisation.
- You are responsible for ensuring you have lawful grounds to process any personal data contained in your documents and for complying with applicable data-subject requests.
13. AI & Automated Decision-Making
Our platform uses artificial intelligence to assist with document drafting, content suggestions, compliance checks and workflow automation. Important points:
- AI outputs are suggestions, not legal advice. You remain responsible for reviewing and approving any generated content.
- We do not use your confidential documents to train public or shared AI models unless you explicitly opt in.
- AI processing may occur through third-party providers (e.g., OpenAI, Anthropic) under strict data-processing terms.
- We do not make solely automated decisions that produce legal or similarly significant effects without human review.
14. WhatsApp Integration
If you use our WhatsApp Business integration, we process phone numbers and message content necessary to deliver notifications, support responses and workflow alerts. This data is handled in accordance with Meta's WhatsApp Business Terms and this Privacy Policy.
15. Third-Party Links & Integrations
The Services may contain links to third-party websites or integrations (e.g., accounting software, cloud storage). This Privacy Policy does not cover those third parties. We encourage you to review their privacy policies before sharing data with them.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. We will notify you of material changes via email or an in-app notice. The "Last updated" date at the top of this page indicates when the policy was last revised.
17. Contact Us
If you have questions, concerns or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@ubuntubizbox.com
- Postal: Ubuntu BizBox (Pty) Ltd, Attention: Data Protection Officer
- Support: via the in-app chat or support@ubuntubizbox.com
For formal POPIA information-officer or data-protection-officer contact details, please email privacy@ubuntubizbox.com.