
Privacy Policy — Practacular

Yield SPM (Pty) Ltd · Version 2.0 · April 2026

This Privacy Policy explains how Yield SPM (Pty) Ltd ("we", "us", "Yield SPM") collects, uses, stores, and protects your personal information when you use the Practacular practice management platform ("the Service").

This policy is drafted in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and the Promotion of Access to Information Act 2 of 2000 ("PAIA"). Where Practacular is provided to consumers as defined by the Consumer Protection Act 68 of 2008 ("CPA"), the relevant provisions of that Act also apply.

We are committed to processing your personal information lawfully, fairly, and in a manner that respects your privacy.

1. Information Officer

In terms of POPIA, our designated Information Officer is:

Name: Lindie le Roux
Deputy: Karel le Roux
Email: privacy@practacular.com
Address: 23 Kameeldoringdraai, Woodland Hills, Bloemfontein, Free State, 9301

2. What Personal Information We Collect

2.1 Information You Provide

Category | Examples | POPIA Category
Account information | Name, email address, phone number, firm name, CIPC registration number | Identifiers, contact details
Firm staff details | Staff names, email addresses, roles | Identifiers, contact details
Financial data | Client financial records processed through the Service on behalf of your accounting firm | Financial information (Section 26 — special personal information provisions do not apply as this is processed in your capacity as a responsible party)
Billing information | Subscription tier, payment history | Financial information
Consent records | Date and version of terms and privacy policy acceptance | Behavioural information

2.2 Information Generated Through Use

Category | Examples
AI interaction data | Queries submitted to AI agents, AI-generated responses
Audit trail records | Timestamps, actions performed, user IDs (SHA-256 hashed)
Usage data | Features accessed, session duration, error logs

2.3 Information We Do Not Collect

We do not collect biometric information, information about race, ethnicity, religion, political affiliation, trade union membership, health, sex life, or criminal history. We do not process special personal information as defined in Section 26 of POPIA.

3. How We Use Your Personal Information

We process your personal information only where we have a lawful basis to do so under Section 11 of POPIA:

Purpose | Lawful Basis | POPIA Section
To create and manage your account | Performance of contract | Section 11(1)(b)
To provide the practice management Service | Performance of contract | Section 11(1)(b)
To process AI-assisted queries about financial data | Consent | Section 11(1)(a)
To process subscription payments | Performance of contract | Section 11(1)(b)
To send service-critical notifications (outages, security, billing) | Legitimate interest | Section 11(1)(f)
To comply with tax and company law obligations | Legal obligation | Section 11(1)(c)
To maintain audit trails for data integrity | Legal obligation (ECTA Section 16) and legitimate interest | Section 11(1)(c) and (f)
To detect and respond to security incidents | Legitimate interest | Section 11(1)(f)
To improve the Service through aggregated, anonymised analytics | Legitimate interest | Section 11(1)(f)

We do not use your personal information for direct marketing without your separate, explicit consent as required by Section 69 of POPIA.

4. AI Processing Disclosure

Practacular uses artificial intelligence services provided by third parties to deliver its core functionality. This is a material aspect of how the Service works, and we disclose it here in accordance with the transparency requirements of POPIA Condition 6 (Openness).

4.1 AI Providers

Provider | Service | Data Sent | Jurisdiction
Anthropic, PBC (Claude) | Text analysis, financial reasoning, compliance guidance, client communication drafting | Text-based queries, financial data excerpts, firm context | United States
Google LLC (Gemini) | Document analysis, text generation, supplementary AI processing | Text-based queries, document content | United States

4.2 What This Means

When you or your AI agents interact with Practacular's AI features, the text content of your queries and relevant financial data is transmitted to these providers for processing. The providers process this data to generate responses and return them to Practacular.

4.3 Data Minimisation

In accordance with POPIA Condition 3 (Purpose Limitation), we send only the information necessary for each specific AI interaction. We do not send bulk client records for purposes unrelated to the specific query.

4.4 Provider Obligations

We require our AI providers to process personal information only on our instructions and to maintain appropriate security measures. We are in the process of establishing formal data processing agreements with each provider in accordance with Section 21 of POPIA (operator agreements).

5. Cross-Border Transfers

Your personal information may be transferred outside the Republic of South Africa in the circumstances described in Section 4 above. These transfers are governed by Section 72 of POPIA.

We rely on the following legal bases for cross-border transfers:

Basis | POPIA Section | Application
Consent | Section 72(1)(b) | You consent to AI processing (including cross-border transfer) when you accept this Privacy Policy and the POPIA consent gate in the application
Contractual necessity | Section 72(1)(c) | Payment processing requires transfer to payment processors
Contractual safeguards | Section 72(1)(a) | We require processors to be bound by contractual obligations consistent with POPIA Condition 7

Data residency: Your data at rest is stored in Google Cloud's africa-south1 region (Johannesburg, South Africa). Cross-border transfers occur only for active AI processing and payment transactions; data is not permanently stored outside South Africa by Yield SPM.

6. Your Role as a Responsible Party

If you are an accounting firm using Practacular, you are the responsible party (as defined in Section 1 of POPIA) in respect of your clients' personal information. You determine the purpose and means of processing that information. Yield SPM acts as an operator (as defined in Section 1 of POPIA) processing personal information on your behalf, in accordance with your instructions and our agreement.

This means:

  • You are responsible for ensuring you have a lawful basis to process your clients' information
  • You are responsible for informing your clients about how their data is processed (including through Practacular and its AI features)
  • We are responsible for processing that information securely and only as instructed by you
  • We will assist you in responding to data subject requests from your clients

The obligations between us as operator and you as responsible party are set out in our Data Processing Addendum.

7. How We Protect Your Information

In terms of Section 19 of POPIA, we implement the following security safeguards:

Measure | Description
Encryption at rest | AES-256-GCM encryption for sensitive data fields
Encryption in transit | TLS 1.2+ for all network communications
Access control | Firebase Authentication with role-based rules; firm-scoped data isolation
Data integrity | SHA-256 hash chains for audit trails (ECTA Section 14 compliance); append-only logs
Data residency | Primary storage in Google Cloud africa-south1 (Johannesburg)
Soft deletion | Deleted records retained for 30 days before permanent removal
Consent versioning | Consent records are immutable; policy version changes trigger re-consent
Continuous review | Regular review and updating of security measures per Section 19(2) of POPIA

8. How Long We Keep Your Information

In terms of POPIA Condition 4 (Further Processing Limitation) and Condition 5 (Information Quality), we do not retain personal information longer than necessary.

Data Category | Retention Period | Basis
Account information | Duration of account + 12 months after deletion | Contract and legitimate interest
Financial data processed for your firm | Duration of service agreement | Contract; firm retains responsibility for its own retention
AI interaction logs | 90 days | Legitimate interest (service improvement, debugging)
Audit trail records | 5 years | ECTA Section 16 (retention of data messages); Companies Act record-keeping
Billing and payment records | 5 years after financial year | Income Tax Act 58 of 1962 (Section 29); VAT Act 89 of 1991
Consent records | Duration of account + 5 years | POPIA accountability and evidence of consent
Soft-deleted records | 30 days | Operational recovery; then permanently purged

9. Your Rights

Under POPIA, you have the following rights in respect of your personal information:

Right | Description | How to Exercise
Access (Section 23) | Request confirmation of whether we hold your personal information and request a copy | Email privacy@practacular.com
Correction (Section 24) | Request correction or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading, or unlawfully obtained personal information | Email privacy@practacular.com
Object (Section 11(3)) | Object to processing based on legitimate interest | Email privacy@practacular.com
Withdraw consent (Section 11(2)(b)) | Withdraw consent previously given for processing (this may affect your ability to use AI features) | In-app settings or email
Complain (Section 74) | Lodge a complaint with the Information Regulator | See Section 10 below
Deletion | Request deletion of your account and associated personal information | Email privacy@practacular.com

We will respond to access requests within 30 days in accordance with PAIA Section 56.

10. Complaints

If you believe we have not handled your personal information in accordance with POPIA, you may:

  1. Contact our Information Officer at privacy@practacular.com
  2. Lodge a complaint with the Information Regulator:
     Postal: P.O. Box 31533, Braamfontein, Johannesburg, 2017
     Email: complaints.IR@justice.gov.za
     Tel: (010) 023 5200
     Website: https://inforegulator.org.za

11. Cookies and Tracking

The Practacular web application does not use third-party tracking cookies. Firebase Authentication uses session cookies strictly necessary for the Service to function. These are exempt from consent requirements as they are necessary for the provision of the Service requested by you (POPIA Section 11(1)(b)).

12. Children's Personal Information

Practacular is not directed at children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without the consent of a competent person as required by Section 35 of POPIA, we will take steps to delete that information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the version number and effective date
  • Notify you via the application or email
  • Require renewed consent through the application's consent gate (the consent version tracking mechanism will automatically prompt re-acceptance)

Your continued use of the Service after being notified of changes constitutes acceptance of the updated policy.

14. Governing Law

This Privacy Policy is governed by the laws of the Republic of South Africa, including POPIA, PAIA, and ECTA.

Yield SPM (Pty) Ltd | Reg 2024/185151/07 | privacy@practacular.com

© 2026 Yield SPM (Pty) Ltd · Reg 2024/185151/07