VAT Connect Privacy Policy

Last updated: 21 January 2026

Who we are (Responsible Party)

VAT Connect is a marketplace for VAT-registered companies in South Africa. We collect and process personal data to provide secure authentication, compliance, and transaction support.

Responsible party: VATCONNECT (PTY) LTD
Registration number: 2026/037567/07
Physical address: 34 Whiteley Road, Melrose Arch, Birnam, Johannesburg, 2196
Information Officer: [Name to be added]
Email: privacy@vatconnect.co.za
Tel: +27 (11) 440 6072

Data we collect

  • Account data: name, email, password (hashed), KYC details you submit, and transaction records.
  • Google Sign-In data: basic profile (name, email, avatar) used for authentication only. We do not request Gmail, Drive, Calendar, or other Google data.
  • KYC/verification data: ID documents, proof of address, company documents, beneficial ownership information.
  • Usage & device data: limited technical logs for security, fraud prevention, and service performance.

Mandatory vs voluntary information

Some information is mandatory to create an account and to transact safely (e.g., identity verification for KYC purposes). If you do not provide mandatory information, we may be unable to provide the service or complete a transaction.

Optional information (such as additional profile details) is voluntary and you may choose not to provide it.

How we use your data

  • Create and manage your VAT Connect account and profile.
  • Authenticate you (email/password or Google Sign-In) and maintain sessions.
  • Provide KYC, compliance, and transaction services.
  • Protect the service against fraud, abuse, and security threats.
  • Communicate about account activity, security alerts, and service updates.
  • Comply with legal and regulatory obligations.

Lawful basis / justification

We process your personal information based on:

  • Contract: Processing necessary to provide our services to you.
  • Legal obligation: Processing required to comply with laws (e.g., AML/KYC requirements).
  • Legitimate interest: Processing for fraud prevention, security, and service improvement.
  • Consent: Where you have given explicit consent for specific purposes.

Google user data

  • Requested scopes: openid, email, profile (non-sensitive).
  • Use: sign-in, account creation, and keeping your profile in sync.
  • Storage: Supabase Auth (for identity) and our profiles table (name, email, avatar).
  • We do not use Google data for ads, resale, or AI model training.
  • You can revoke access anytime at myaccount.google.com/permissions.

Recipients / categories of recipients

We share personal information with:

  • Hosting providers: For data storage and infrastructure.
  • Authentication providers: Supabase, Google (for Google Sign-In).
  • Payment processors: For secure payment processing.
  • KYC/verification services: For identity verification.
  • Messaging providers: For notifications and communications.
  • Fraud prevention services: To protect the platform.
  • Professional service providers you appoint: Where you instruct us to share (e.g., filing providers).
  • Legal/regulatory bodies: Where required by law or to investigate fraud/abuse.

We share data only with processors that help us run VAT Connect under contracts that require confidentiality and security. We do not sell user data.

Cross-border transfers

Where processors store data outside South Africa (e.g., cloud infrastructure providers), we take steps to ensure an appropriate level of protection and contractual safeguards in line with POPIA requirements.

Retention & security

We keep data for as long as needed to provide the service and meet legal/compliance obligations, then delete or anonymize it. Typical retention periods:

  • Account data: Duration of account + 5 years (legal/tax requirements).
  • Transaction records: 5 years after transaction completion.
  • KYC documents: As required by applicable regulations (typically 5 years).

We use encryption in transit, access controls, and auditing. No security practice is perfect; contact us immediately if you suspect unauthorized access.

Cookies

We use essential cookies for authentication and session security, and limited analytics/performance cookies (if enabled) to improve the service. You can manage cookies in your browser. See our Cookie Policy for details.

Your rights (POPIA data subject rights)

Under POPIA, you have the right to:

  • Access: Request confirmation of whether we hold your personal information and access to that information.
  • Correction: Request correction or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading, or unlawfully obtained personal information.
  • Deletion: Request destruction or deletion of your personal information (subject to legal retention requirements).
  • Object: Object to processing of your personal information in certain circumstances.
  • Withdraw consent: Where processing is based on consent, you may withdraw that consent.

To exercise these rights, contact us at privacy@vatconnect.co.za.

Complaints

If you believe your personal information has been processed in violation of POPIA, you have the right to lodge a complaint with the Information Regulator:

Information Regulator (South Africa)
Email: complaints.IR@justice.gov.za
Website: www.justice.gov.za/inforeg

Your choices

  • Access, update, or delete your profile data in your account or by contacting us.
  • Revoke Google access at myaccount.google.com/permissions.
  • Opt out of non-essential analytics cookies in your browser.
  • Close your account by contacting support; we may retain limited records to meet legal duties.

Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our website or by email. Your continued use of the service after changes constitutes acceptance of the updated policy.

Contact

Questions or requests? Email us at privacy@vatconnect.co.za or support@vatconnect.co.za.