Privacy Policy
Last updated: April 2026 · Track My Tax SA (Pty) Ltd
Track My Tax SA is committed to protecting your personal information. This policy explains what we collect, why we collect it, and how we protect it — in plain English.
1. Who we are
Track My Tax SA (Pty) Ltd ("we", "us", "our") operates the Track My Tax SA web application and iOS app available at trackmytax.co.za and app.trackmytax.co.za. We are the responsible party for your personal information as defined under the Protection of Personal Information Act No. 4 of 2013 (POPIA).
Our appointed Information Officer can be contacted at admin@trackmytax.co.za.
2. What information we collect
We collect only what is necessary to provide the Service:
- Account information — your email address and password (stored securely via Supabase Auth)
- Business profile — business name, tax number, VAT number, entity type, date of birth (for rebate calculations)
- Financial records — income amounts, expense amounts, asset values, trip distances, and donation amounts that you enter or scan
- Uploaded documents — receipt images, invoices, and statements you upload for AI scanning
- Usage data — number of AI scans used per month (for free/paid tier management)
- Payment information — subscription status only; card details are never stored by us and are processed entirely by PayFast
3. How we use your information
Your information is used solely to provide the Service:
- Authenticating your account and maintaining your session
- Storing your financial records securely in the cloud
- Processing uploaded documents through AI for expense categorisation and tax assessment
- Calculating your provisional tax estimates
- Managing your subscription and processing payments
- Communicating with you about your account or the Service
We do not use your information for advertising, profiling, or any purpose unrelated to the Service.
4. Third parties we share data with
We share your information only with the following service providers who are necessary to operate the Service:
- Supabase Inc. — cloud database and authentication. Your account data and financial records are stored on Supabase's secure servers. Supabase Privacy Policy
- OpenAI LLC — AI document analysis. When you scan a receipt or invoice, the document image is sent to OpenAI's API for processing. OpenAI does not use API data to train its models. Images are processed transiently and not retained beyond the API call. OpenAI Privacy Policy
- PayFast (Pty) Ltd — payment processing for Pro subscriptions. We share your email address and subscription amount with PayFast. Card details are entered directly on PayFast's secure platform and never transmitted to us. PayFast Privacy Policy
- Cloudflare Inc. — web hosting and content delivery. Your traffic passes through Cloudflare's network. Cloudflare Privacy Policy
We do not sell, rent, or trade your personal information to any third party.
5. AI document scanning
When you scan a receipt or invoice, the document image is transmitted to OpenAI's API for text extraction and tax categorisation. Please be aware:
- Images are sent securely over HTTPS
- OpenAI processes images transiently — they are not stored or used for AI training
- Do not scan documents containing sensitive personal information unrelated to your business expenses (e.g. ID documents, medical records)
- AI assessments are indicative only and have not been reviewed by a qualified tax practitioner
6. Data retention
- Account data — retained for as long as your account is active
- Financial records — retained for as long as your account is active. SARS requires you to retain records for 5 years under section 29 of the Tax Administration Act — we recommend you maintain your own copies
- Uploaded images — stored in Supabase Storage for as long as your account is active
- Deleted accounts — upon account deletion request, all personal data is removed within 30 days in accordance with POPIA
7. Security
We take reasonable technical and organisational measures to protect your information:
- All data transmitted over HTTPS with TLS encryption
- Passwords hashed and never stored in plain text
- Database access controlled via Row Level Security — you can only access your own data
- API keys and secrets stored as environment variables, never in client-side code
No system is completely secure. In the event of a data breach that poses a risk to your rights, we will notify you and the Information Regulator as required by POPIA.
8. Your rights under POPIA
As a data subject under POPIA, you have the right to:
- Access — request a copy of the personal information we hold about you
- Correction — request correction of inaccurate or incomplete information
- Deletion — request deletion of your account and associated data
- Objection — object to the processing of your personal information
- Complaint — lodge a complaint with the Information Regulator of South Africa
To exercise any of these rights, contact us at admin@trackmytax.co.za. We will respond within 30 days.
The Information Regulator of South Africa can be contacted at www.justice.gov.za/inforeg.
9. Cookies and tracking
Track My Tax SA does not use advertising cookies or third-party tracking. We use only essential browser storage (localStorage) to maintain your login session. We do not use Google Analytics, Facebook Pixel, or any advertising tracking technology.
10. Children
Track My Tax SA is intended for use by adults operating businesses. We do not knowingly collect personal information from persons under the age of 18.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. Continued use of the Service after notification constitutes acceptance of the updated policy.
12. Contact
Track My Tax SA (Pty) Ltd
Information Officer: admin@trackmytax.co.za
trackmytax.co.za