Privacy Policy

Last updated: 12 March 2026 • Policy version: 2026-03

This Privacy Policy explains how FinLeakage processes personal information when you visit our website, create an account, purchase a plan, contact us, or use the Service.

1. Who we are

FinLeakage is operated by Africai Solutions (Pty) Ltd, registration number 2024/217162/07. For purposes of South African privacy law, including the Protection of Personal Information Act, 2013 ("POPIA"), we act as a responsible party in respect of personal information relating to our customers, website visitors, billing contacts, support contacts and users of our Service administration functions.

For Customer Data uploaded to the Service for analysis, our role may differ:

  • (a) where you or your organisation decide why and how personal information in uploaded bank statements will be analysed, you or your organisation are generally the responsible party or controller, and FinLeakage acts as an operator or processor on your behalf; and
  • (b) where law requires otherwise, or where we determine our own purposes for specific processing activities, we may act as a responsible party or controller for those limited activities.

2. Categories of information we process

We may process the following categories of information:

  • (a) Account and identity information, such as names, business names, usernames, email addresses, phone numbers and login credentials.
  • (b) Billing and transaction information, such as invoices, subscription details, plan information, payment status and limited payment-related metadata. Card information is ordinarily processed by our payment providers and not stored by us in full.
  • (c) Customer Data, including bank statement files, transaction records, payment references, beneficiary names, account-related identifiers, analysis settings, mappings, thresholds, notes, outputs and reports.
  • (d) Technical and usage data, including log data, IP addresses, browser information, device information, timestamps, session data, diagnostic data and security event information.
  • (e) Communications, such as emails, support requests, demos, onboarding responses and feedback.

3. Sources of information

We collect information:

  • (a) directly from you or your authorised users;
  • (b) from files and inputs uploaded to the Service;
  • (c) from payment providers, identity providers, hosting providers and other service providers acting on our instructions or their own lawful basis; and
  • (d) automatically through your use of the website and Service.

4. Purposes of processing and legal basis

We process personal information for the following purposes:

  • (a) to create and administer accounts, authenticate users and provide customer support;
  • (b) to host, analyse, generate and deliver reports and other Service outputs that you request;
  • (c) to secure the Service, detect abuse, investigate incidents, maintain logs and prevent fraud or misuse;
  • (d) to invoice, collect payment, manage subscriptions and maintain financial records;
  • (e) to comply with legal obligations, law-enforcement requests, court orders and regulatory requirements;
  • (f) to improve, monitor and develop the Service, provided that where sensitive Customer Data is involved we will use de-identified, aggregated or anonymised data unless another lawful basis applies; and
  • (g) to communicate with you about operational matters, material changes, service announcements and, where lawful, relevant product updates.

Where POPIA applies, our justification for processing may include consent, performance of a contract, compliance with legal obligations, legitimate interests that are not overridden by data-subject interests, and processing necessary to pursue your instructions as the responsible party. Where GDPR or equivalent laws apply, the corresponding lawful basis will be the applicable basis under those laws.

5. Special categories and sensitive financial information

Bank statements and related records may contain sensitive financial information and, in some cases, special personal information under applicable law. You must not upload information unless you have lawful authority to do so. We do not intentionally seek children's personal information through the Service.

6. Data sharing

We may disclose personal information to:

  • (a) hosting, infrastructure, storage, security, backup, analytics, communication, support and payment providers who assist us in operating the Service;
  • (b) professional advisers, auditors, insurers and group companies on a need-to-know basis;
  • (c) regulators, courts, law-enforcement agencies or other persons where required by law or necessary to protect rights, safety, property or the integrity of the Service; and
  • (d) a purchaser, successor or transaction counterparty in connection with a merger, sale, financing, reorganisation or disposal of all or part of our business, subject to appropriate confidentiality and data-protection safeguards.

We do not sell personal information. We do not use uploaded bank statement data for third-party marketing.

7. International and cross-border transfers

Your personal information may be processed in South Africa or in other countries in which we or our service providers operate. Where personal information is transferred outside South Africa, we will do so only where permitted by applicable law, including where:

  • (a) the recipient is subject to a law, binding rules or a binding agreement that provides an adequate level of protection;
  • (b) the transfer is necessary for performance of a contract or implementation of pre-contractual measures at your request;
  • (c) the transfer benefits the data subject and obtaining consent is not reasonably practicable; or
  • (d) another lawful ground applies.

Where GDPR applies and personal information is transferred outside the European Economic Area or United Kingdom, we will rely on recognised transfer mechanisms such as adequacy decisions, standard contractual clauses, or another lawful mechanism.

8. Security

We implement reasonable technical and organisational safeguards designed to protect personal information against loss, misuse, unauthorised access, disclosure, alteration and destruction. These safeguards may include role-based access control, encryption in transit, secure storage controls, logging, environment segregation, vendor due diligence and incident response procedures.

No system is completely secure. You are responsible for maintaining the security of your own systems, devices, networks and credentials.

9. Retention

We retain personal information only for as long as reasonably necessary for the purpose for which it was collected, or for longer where required or permitted by law, legitimate business need, legal hold, dispute management, fraud prevention or record-keeping obligations.

Unless a different period is stated in an order form or legal requirement, our baseline retention approach is:

  • (a) account and billing records: for the active account period and thereafter for up to 7 years where needed for tax, accounting or legal compliance;
  • (b) uploaded files and generated reports: for the period selected in your plan settings or service design, and thereafter deleted or de-identified within a reasonable cycle unless retention is required by law or customer instruction;
  • (c) logs, telemetry and security records: for a limited period reasonably necessary for support, security and forensic purposes; and
  • (d) backups: retained in rolling backup cycles and deleted in the ordinary course.

10. Your rights

Subject to applicable law and verification of identity, you or the relevant data subject may have rights to:

  • (a) request confirmation of whether we hold personal information;
  • (b) access personal information or a description of it;
  • (c) correct, update or delete personal information;
  • (d) object to certain processing or request restriction;
  • (e) withdraw consent where processing is based on consent;
  • (f) lodge a complaint with the South African Information Regulator or another competent authority; and
  • (g) request data portability where applicable law provides that right.

Where we act only as operator or processor for uploaded Customer Data, we may direct the request to the relevant customer as responsible party/controller, but we may assist that customer as required by law or contract.

11. Security incidents

If we become aware of a security compromise involving personal information that we process, we will take steps required by applicable law, which may include containment, investigation, remediation and notification to affected customers, data subjects and regulators where legally required.

12. Cookies and similar technologies

Our website and Service may use cookies and similar technologies for authentication, security, session management, analytics and functionality. Non-essential cookies will be used in accordance with applicable consent requirements. More detail may be provided in a separate Cookie Notice.

13. Automated processing

The Service uses automated rules and analytical methods to identify potential anomalies and risk indicators. These outputs are designed to support human review and are not intended to be the sole basis for decisions producing legal or similarly significant effects on individuals.

14. Third-party services and links

The Service may integrate with or link to third-party services. We are not responsible for the privacy practices of third parties acting as independent controllers or responsible parties. Their terms and notices apply to their processing.

15. Changes to this Policy

We may amend this Privacy Policy from time to time. If a change is material, we will provide notice by reasonable means before or when the updated version takes effect.

16. Contact details and complaints

Email: support@finleakage.com

If you believe your personal information has been processed unlawfully, please contact us first so that we can try to resolve the issue. You may also lodge a complaint with the Information Regulator of South Africa or any other competent supervisory authority.