C
Capys Business Manager

Privacy Policy

Last updated: March 2026

Capys Corporation ("we", "us", "our") is committed to protecting your privacy in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and all applicable South African legislation. This policy explains how we collect, use, store, and protect your personal information when you use our platform.

1. Information We Collect

We collect only information that is necessary to provide our services. This includes:

  • Account information: email address, full name, and business name when you register.
  • Business data you enter: customer records, bookings, invoices, payment records, services, and notes.
  • Technical data: authentication tokens, session cookies, and basic request metadata required for security and service operation.

We do not collect any biometric data, location tracking, browsing history, or any information from third-party sources.

2. Legal Basis for Processing

In terms of POPIA Section 11(1)(a), we process your personal information based on your explicit consent, given when you create an account and agree to these terms. You may withdraw consent at any time by deleting your account or contacting us directly.

3. How We Use Your Information

Your information is used solely to:

  • Provide, maintain, and improve the Capys platform and its features.
  • Process and display your bookings, invoices, customers, and analytics.
  • Authenticate your identity and secure your account.
  • Send essential service communications (e.g., password resets, critical updates).

We will never sell, rent, or share your personal information with third parties for marketing purposes.

4. Data Storage & Security

We take the security of your data seriously and employ the following measures:

  • All data is encrypted in transit using TLS 1.2+.
  • Database access is secured through Row-Level Security (RLS) policies, ensuring you can only access your own data.
  • Authentication is managed through industry-standard protocols with secure token handling.
  • API endpoints are protected with Bearer token authentication, input validation, and rate limiting.
  • Content Security Policy headers prevent cross-site scripting (XSS) attacks.

Your data is hosted on Supabase infrastructure with servers located in secure data centres. We retain your data for as long as your account is active or as needed to provide our services.

5. Third-Party Sharing

We do not share your personal information with any third parties, except:

  • When required by law, regulation, or valid court order.
  • With infrastructure providers (Supabase, Vercel) strictly for the purpose of hosting and operating the platform, under their respective data processing agreements.

6. Cookies

We use essential cookies only to manage your authentication session and ensure the platform functions correctly. We do not use any third-party tracking, analytics, or advertising cookies. No cookie consent banner is required as we only use strictly necessary cookies as defined under POPIA.

7. Your Rights Under POPIA

As a data subject under the Protection of Personal Information Act, you have the right to:

  • Access — request confirmation of what personal information we hold about you.
  • Correction — request correction or update of inaccurate personal information.
  • Deletion — request deletion of your personal information and account.
  • Objection — object to the processing of your personal information.
  • Data portability — request a copy of your data in a common digital format.
  • Withdraw consent — withdraw your consent to processing at any time.

You can exercise most of these rights directly through your dashboard settings. For account deletion or data export requests, contact us at support@capyscorporation.co.za.

8. Cross-Border Data Transfers

Our infrastructure providers may process data outside of the Republic of South Africa. Where this occurs, we ensure that adequate safeguards are in place in accordance with POPIA Section 72, including contractual obligations and industry-standard security measures.

9. Data Retention

We retain your personal information for as long as your account remains active. Upon account deletion, your data will be permanently removed from our systems within 30 days, except where retention is required by law. Soft-deleted records (e.g., archived bookings or invoices) are retained to maintain data integrity but are not accessible through the platform.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through a notice on our platform. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Complaints

If you believe your privacy rights have been infringed, you have the right to lodge a complaint with the Information Regulator (South Africa):

12. Contact Us

For any privacy-related questions or to exercise your rights, contact us at: