Privacy policy
Effective date: 2026-05-29
Responsible party: Navrix Solutions (Pty) Ltd (registration number [Navrix Solutions registration number]), trading as Khanyitas.
1. About this policy
This privacy policy explains how Navrix Solutions (Pty) Ltd collects, uses, shares, and protects personal information about the people who interact with Khanyitas — primarily our customers and prospective customers, the people who visit our website, and the people we communicate with by email. It is published under section 18 of the Protection of Personal Information Act, 2013 (POPIA) and follows the Information Regulator's published guidance.
A separate Data Processing Agreement governs how we process the personal information *your business* gives us about *your data subjects* (your customers, employees, suppliers) when you use the Khanyitas service. For that processing, you are the responsible party and we are an operator under POPIA s20 and s21. See /legal/dpa.
2. Who we are
- Responsible party: Navrix Solutions (Pty) Ltd (registration number [Navrix Solutions registration number])
- Trading name: Khanyitas
- Physical address: [Physical address]
- Information Officer: [Information Officer name]
- Information Officer email: info-officer@khanyitas.co.za
- General contact: hello@khanyitas.co.za
3. What personal information we collect
3.1 When you create an account
- Your full name and email address
- A password (stored only as a salted hash; we never see your plaintext password)
- Your organisation's name and your role
- Optional contact details (phone, office address)
3.2 When you subscribe to a paid tier
- Billing email, billing name, and your VAT number where applicable
- Last four digits of the payment instrument and the country it was issued in
- Subscription tier, billing history, invoice records
We do not see or store full card numbers, CVVs, or banking credentials. Paystack processes payments as a separate responsible party for the payment-card data.
3.3 When you use the Service
- Pages visited inside the application and timestamps of activity (so the dashboard can surface "what's pending")
- IP address and approximate geographic location (for security and abuse prevention)
- Device and browser information (for diagnostics)
3.4 When you communicate with us
- Emails, support messages, and any attachments you send us
- Records of our responses
3.5 What we do **not** collect about you on this site
We do not run third-party advertising trackers, social-media pixels, or session-replay tooling on the Khanyitas marketing or application surface.
4. Why we process this information
Each processing purpose has a lawful basis under POPIA s11(1):
- Provide the Service to you (s11(1)(b) — performance of a contract). Authenticating you, rendering your dashboard, generating documents, storing your inputs.
- Bill you and keep accounting records (s11(1)(b) and s11(1)(c) — legal obligation). Required by the Tax Administration Act, the Companies Act, and the FIC Act where applicable.
- Operate and secure our systems (s11(1)(f) — legitimate interest). Detecting abuse, debugging, preventing fraud, monitoring uptime.
- Communicate with you about your account (s11(1)(b) and s11(1)(f)). Operational notices, service updates, security alerts.
- Send marketing — only if you have opted in (s11(1)(a) — consent). Product updates, occasional newsletters. You can opt out at any time from the email footer or by emailing us.
- Improve the Service (s11(1)(f)). Aggregate, de-identified analysis of feature usage. We do not profile individuals for product decisions.
5. Who we share personal information with
We share personal information only with operators acting on our behalf under POPIA s20, including:
- Supabase — database, authentication, and storage. Operator. Processing region: Ireland (EU).
- Paystack — payment processing. Separate responsible party for payment-card data; receives the billing personal information you give us at checkout. Processing region: South Africa (Paystack Payments South Africa (Pty) Ltd), with sub-processors in Nigeria and Ireland for the underlying platform.
- Resend — transactional and marketing email delivery. Operator. Processing region: United States.
- Vercel — application hosting and content delivery. Operator. Processing region: United States and edge.
- AWS — sub-operator of Supabase and Vercel. Operator. Processing region: af-south-1 (Cape Town) for the Supabase database where configured.
We require every operator to maintain the s19 security measures and to process only on our instructions, under a written contract per POPIA s21.
We do not sell personal information. We do not share it with third parties for their own marketing.
6. Transfers outside South Africa (POPIA s72)
Some of the operators above process personal information on servers outside the Republic of South Africa. We rely on s72(1)(c) — the transfer is necessary for the performance of the contract between you and us — together with s72(1)(a) binding-agreement safeguards in our operator contracts. We maintain a register of cross-border transfers and can share it on request.
7. How long we keep your personal information
- Account information: for as long as you have a relationship with us, plus a further five years to meet our retention obligations under the Tax Administration Act s29 and the Companies Act regulations.
- Billing records: five years from the end of the relationship (TAA s29).
- Marketing-consent records: for the lifetime of the consent plus three years after withdrawal (so we can prove the lawful basis if asked).
- Support correspondence: three years from the date of the message.
- Server logs: 90 days; aggregated for longer.
Where a longer period is required by law (for example a continuing investigation), we keep the information for that longer period. Where you ask us to delete information and no legal-retention obligation applies, we delete it without undue delay.
8. Information security (POPIA s19)
We take reasonable technical and organisational measures to protect personal information against unauthorised or unlawful processing and against accidental loss, destruction, or damage, as required by POPIA s19. These measures include:
- Encryption in transit (HTTPS everywhere) and at rest (Supabase Postgres encryption + AWS encrypted storage)
- Multi-factor authentication on all administrative accounts
- Row-Level Security on every customer-facing table, scoped to the signed-in customer
- Access logging and review
- Staff confidentiality undertakings and onboarding training
- Vendor due diligence on every operator (POPIA s21)
- A documented incident-response procedure
If a personal-information security compromise occurs that meets the threshold in POPIA s22, we will notify the Information Regulator and affected data subjects without undue delay.
9. Your rights under POPIA
You have the following rights in relation to your personal information:
- Access (s23). Ask us to confirm what personal information we hold about you and to give you a copy.
- Correction (s24). Ask us to correct information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
- Deletion (s24). Ask us to delete information we are no longer entitled to retain. Where a legal-retention obligation applies, we explain why we cannot delete it.
- Withdraw consent (s11(2)(b)). Where we rely on your consent, withdraw it. Withdrawal does not affect the lawfulness of processing already carried out.
- Object to processing (s11(3)). Object to processing on the basis of legitimate interest, and to direct-marketing processing at any time.
- Complain to the Information Regulator (s74). See section 12 below.
To exercise any of these rights, email our Information Officer at info-officer@khanyitas.co.za. We respond within a reasonable time, which the Information Regulator interprets as 30 days from receipt of a verified request.
10. Cookies and similar technologies
We use only the cookies strictly necessary to deliver the Service:
- An authentication session cookie so that you stay signed in after you log in.
- A CSRF protection cookie to prevent cross-site request forgery on form submissions.
We do not use advertising cookies, third-party analytics cookies, or session-replay cookies on the marketing or application surface today. If we introduce optional analytics or product-improvement cookies in the future, we will ask for your consent through the cookie banner before setting them.
11. Children's personal information (POPIA s34/s35)
Khanyitas is a service for South African businesses, not for individual consumers and certainly not for children. We do not knowingly create accounts for, or process personal information about, people we know to be under the age of 18. If you believe we hold personal information about a child, please tell our Information Officer and we will investigate and delete it where appropriate.
12. Complaints
If you are not happy with how we have handled your personal information, please raise it with our Information Officer first — we want the chance to put it right.
You may also lodge a complaint directly with the Information Regulator (South Africa) under POPIA s74:
- Email: complaints.IR@justice.gov.za
- Website: https://inforegulator.org.za
13. Changes to this policy
We may update this policy from time to time. The effective date at the top reflects the date of the current version. Material changes will be communicated through the same channel by which you signed up, and a summary of the change will be highlighted at the top of this page for at least 30 days.
14. Effective date
This policy is effective from 2026-05-29.