Privacy Policy

Effective date: 1 January 2026

POPIA Compliance Notice

This Privacy Policy is written in compliance with the Protection of Personal Information Act, 4 of 2013 (POPIA). As a South African business, we are committed to protecting your personal information and upholding your rights as a data subject.

1. Who We Are

FinBox is operated by Novus Labs (Catalyst Innovation Solutions) ("we", "us", "our"), a company registered in South Africa. We act as the Responsible Party for your personal information as defined under POPIA.

Our Information Officer can be contacted at support@myfinbox.co.

2. What We Collect

We collect the following categories of personal information:

  • Account information: Name, email address, and password (stored as a secure hash).
  • Financial documents: Invoices, receipts, slips, and bank statements that you upload. These may contain personal or business financial information.
  • Business travel data: Odometer readings, trip routes, dates, and business purposes entered into the logbook feature.
  • Subscription and payment data: Billing history and plan information. We do not store payment card details — these are handled by PayFast.
  • Usage data: Information about how you use the Service, including page views, feature usage, and error logs, for the purpose of improving the Service.
  • Communications: Emails you send to our support team.

3. How We Use Your Information

We process your personal information for the following lawful purposes:

  • To provide, maintain, and improve the FinBox Service
  • To authenticate you and maintain the security of your account
  • To process subscription payments and manage billing
  • To send you transactional emails (receipts, document notifications, renewal reminders)
  • To respond to your support requests
  • To comply with our legal obligations under South African law
  • To generate aggregate, anonymised analytics about Service usage

We will not use your personal information for direct marketing without your explicit consent, and you may opt out at any time.

4. Data Storage and Security

Your data is stored on Supabase infrastructure, hosted on AWS servers located in the European Union (eu-west-1 region). While this is outside South Africa, Supabase maintains appropriate safeguards consistent with POPIA's cross-border transfer requirements.

We implement the following security measures to protect your data:

  • All data is encrypted in transit using TLS 1.2+
  • All data is encrypted at rest using AES-256
  • Row-level security (RLS) ensures your data is logically isolated from other users
  • Passwords are never stored in plain text — they are hashed using bcrypt
  • Access to production data is restricted to authorised personnel only

Despite our best efforts, no system is completely secure. If you become aware of any security vulnerability, please report it immediately to support@myfinbox.co.

5. Third-Party Services

We use the following sub-processors to operate the Service:

Supabase

Database, authentication, and file storage. Your account data and documents are stored on Supabase.

Resend

Transactional email delivery. Used to send you account notifications, receipt confirmations, and renewal reminders.

PayFast

Payment processing for paid subscriptions. PayFast handles all card data and is PCI-DSS compliant. We never see your card details.

Vercel

Hosting and deployment infrastructure for the FinBox web application.

Google

Gmail integration (optional). Only activated if you explicitly connect your Gmail account. We only read emails you authorise.

6. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights:

  • Right of access: You may request a copy of the personal information we hold about you.
  • Right to correction: You may request that we correct inaccurate or incomplete personal information.
  • Right to deletion: You may request that we delete your personal information, subject to our legal obligations to retain certain records.
  • Right to object: You may object to the processing of your personal information in certain circumstances.
  • Right to data portability: You may request an export of your data in a structured, machine-readable format.
  • Right to lodge a complaint: You may lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.

To exercise any of these rights, email us at support@myfinbox.co. We will respond within 30 days as required by POPIA.

7. Data Retention

We retain your personal information for as long as your account is active, plus a period of 12 months following account closure (to allow for tax and legal compliance requirements). Financial documents you upload may need to be retained for longer periods in accordance with SARS requirements — we will advise you accordingly.

You may request earlier deletion of your data by contacting us. We will honour such requests unless we are legally required to retain the information.

8. Cookies

FinBox uses essential session cookies only — these are required for authentication and to keep you logged in. We do not use advertising or tracking cookies. We do not use Google Analytics or any third-party analytics that track you across websites.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

10. Contact

For any privacy-related queries or to exercise your rights under POPIA, contact our Information Officer at:

Novus Labs (Catalyst Innovation Solutions)

Email: support@myfinbox.co