Privacy Policy
Last updated: 21 March 2026
1. Introduction
Axiomatics Technologies (Pty) Ltd ("Axiomatics", "we", "us", or "our") is a South African registered company that provides cloud-based accounting, financial management, customer relationship management (CRM), and AI-assisted business software through our platform at axiomatics.co.za (the "Platform").
We are committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, store, share, and protect your data when you use our Platform and services, in compliance with the Protection of Personal Information Act, 2013 (POPIA) and, where applicable, the General Data Protection Regulation (GDPR).
By accessing or using our Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Platform.
2. Information Officer
Our designated Information Officer for POPIA purposes can be contacted at:
- Email: hello@axiomatics.tech
- Entity: Axiomatics Technologies (Pty) Ltd
- Country: South Africa
3. Information We Collect
3.1 Information You Provide Directly
- Account information: full name, email address, and password when you create an account.
- Company information: company name, trading name, legal entity type, industry, financial year-end, registered address, and company logo.
- Tax information: VAT registration number, VAT status, entity tax type, provisional tax estimates, dividend declarations, capital gains records, and tax depreciation schedules (encrypted at rest where applicable).
- Contact and customer/supplier data: names, email addresses, phone numbers, and physical addresses of your business contacts (encrypted at rest).
- Financial records: journal entries, invoices, bills, purchase orders, fixed asset registers, bank reconciliation data, and annual financial statements.
- Documents: uploaded files such as bank statements, invoices, receipts, and supporting documentation.
- Communications: messages sent through in-app chat, comments on records, CRM task notes, and support tickets.
3.2 Information Collected Through Integrations
When you connect third-party services, we collect data necessary to operate those integrations:
- Banking (Stitch Money): bank account details, transaction history, account balances, and account holder information via secure OAuth connection.
- Email (Gmail / Outlook): email metadata and content for invoice and document processing, connected via Google or Microsoft OAuth.
- Cloud storage (Google Drive / OneDrive): file names and content for documents you choose to sync, connected via OAuth with scoped permissions.
- WhatsApp Business: phone number and message delivery status, used for invoice delivery and payment reminders.
- Payment processing (Yoco): payment transaction records and checkout status.
- AI/LLM providers: your API keys (encrypted at rest) for OpenAI, Anthropic (Claude), or Google (Gemini) if you choose to connect your own AI provider.
3.3 Information Collected Automatically
- Session data: session identifiers, device information, and last activity timestamps for security and multi-device session management.
- Audit logs: records of actions performed on the Platform (e.g., creating, editing, or deleting financial records) including timestamps and user identifiers.
- Usage data: AI assistant conversation counts and feature usage metrics for service improvement.
4. How We Use Your Information
We process your personal information for the following purposes, each supported by a lawful basis under POPIA:
- Service delivery (contractual necessity): providing accounting, CRM, invoicing, bank reconciliation, financial reporting, and document management features.
- AI-assisted processing (contractual necessity): using AI models to parse uploaded documents, categorise transactions, generate financial insights, and respond to your queries via the AI assistant.
- Integration operation (consent): syncing bank feeds, email, cloud storage, and messaging services you have explicitly connected.
- Communication (contractual necessity / legitimate interest): sending transactional emails (account invitations, notifications), invoice delivery via email or WhatsApp, and automated payment reminders.
- Security and fraud prevention (legitimate interest): session management, two-factor authentication, audit logging, bank statement fraud detection, and role-based access control.
- Legal compliance (legal obligation): maintaining financial records for the statutory retention period, VAT calculations, corporate income tax (27%), capital gains tax, dividend withholding tax (20%), provisional tax, interest limitation analysis, and SARS reporting compliance.
- Service improvement (legitimate interest): analysing aggregated, non-identifying usage patterns to improve Platform features and performance.
5. Cookies and Similar Technologies
We use a minimal set of cookies strictly necessary for Platform operation. We do not use advertising, tracking, or analytics cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| firebase-token | Authentication session token (HttpOnly, Secure, encrypted) | Session |
| 2fa-verified | Two-factor authentication verification flag | Session |
| session-id | Multi-device session tracking for security | 30 days |
6. Data Security
We implement robust technical and organisational measures to protect your data:
- Encryption at rest: sensitive personal data (PII), credentials, tax numbers, addresses, and all integration tokens are encrypted using AES-256-GCM with HMAC integrity verification.
- Encryption in transit: all data transmitted between your browser and our servers is encrypted via TLS/HTTPS.
- Access control: role-based access control (RBAC) with ten distinct roles (Admin, Manager, Employee, HR, Accountant, Financial Director, Intern, Client Admin, Client Manager, Client Employee) ensures users only access data relevant to their role and company.
- Multi-tenant isolation: all data is scoped to your company via unique identifiers, preventing cross-company data access.
- Two-factor authentication: TOTP-based 2FA available for additional account security.
- Audit trails: comprehensive logging of all financial operations, including who performed the action, when, and whether it was manual or AI-initiated.
- Session management: multi-device session tracking with timeout controls and the ability to revoke sessions.
- Data classification: all data categories are classified under a DMBOK2-compliant framework (Public, Internal, Confidential, Restricted) with appropriate handling controls for each level.
7. Third-Party Service Providers
We share data with the following categories of third-party providers only as necessary to deliver our services. We do not sell your personal information.
| Provider | Purpose | Data Shared |
|---|---|---|
| Google (Firebase) | Hosting, authentication, database, storage | All Platform data (encrypted at rest) |
| Stitch Money | Bank account linking and transaction sync | OAuth tokens; bank data returned to us |
| Yoco | Payment processing | Payment amounts, invoice references |
| Anthropic | AI document parsing and assistant | Document content, conversation prompts |
| OpenAI | AI assistant (optional, user-connected) | Conversation prompts |
| Google (Gemini) | AI assistant (optional, user-connected) | Conversation prompts |
| Google (Gmail / Drive) | Email and cloud storage integration | OAuth tokens; accessed data scoped by permissions |
| Microsoft (Outlook / OneDrive) | Email and cloud storage integration | OAuth tokens; accessed data scoped by permissions |
| Meta (WhatsApp Business) | Invoice delivery, payment reminders | Recipient phone number, message content |
| Resend | Transactional email and invoice/quote delivery fallback | Recipient email, email content, PDF attachments |
8. International Data Transfers
Our Platform infrastructure is hosted on Google Cloud Platform (Firebase). Some third-party services (Anthropic, OpenAI, Meta, Microsoft, Resend) may process data outside of South Africa. In all cases:
- Data is encrypted in transit and at rest using industry-standard encryption.
- Transfers comply with POPIA Section 72, which permits cross-border transfers where the recipient is subject to binding rules or agreements providing adequate protection.
- Where possible, we use data processing agreements with our service providers.
9. Data Retention
We retain your data only for as long as necessary to fulfil the purposes described in this policy or as required by law:
| Data Category | Retention Period |
|---|---|
| Financial records (journals, invoices, statements) | 7 years (South African statutory requirement) |
| Account and company data | Duration of account |
| Audit logs | 7 years |
| AI assistant conversations | 90 days |
| Session records | 30 days |
| Notifications | 90 days |
| Integration credentials | Until disconnected by user |
| Exchange rate data | Indefinite (public data) |
Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law (e.g., financial records for 7 years).
10. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights:
- Right of access: request confirmation of whether we hold your personal information and obtain a copy of it.
- Right to correction: request correction or updating of inaccurate, incomplete, or misleading personal information.
- Right to deletion: request deletion or destruction of personal information that is no longer necessary for the purpose for which it was collected, subject to statutory retention requirements.
- Right to object: object to the processing of your personal information on reasonable grounds.
- Right to withdraw consent: where processing is based on consent (e.g., third-party integrations), you may withdraw consent at any time by disconnecting the integration.
- Right to lodge a complaint: submit a complaint to the Information Regulator (South Africa) at inforeg.org.za.
To exercise any of these rights, contact us at hello@axiomatics.tech. We will respond within 30 days.
11. Your Rights Under GDPR (EEA Users)
If you are located in the European Economic Area, you additionally have the right to:
- Receive your personal data in a structured, machine-readable format (data portability).
- Restrict processing of your personal data in certain circumstances.
- Lodge a complaint with your local data protection authority.
12. AI and Automated Decision-Making
Our Platform uses artificial intelligence for the following purposes:
- Document parsing: extracting data from uploaded invoices, bills, and bank statements using AI vision models.
- Transaction categorisation: suggesting accounting categories for bank transactions.
- Financial insights: calculating and presenting key performance indicators with health scores and benchmarks.
- AI assistant: responding to accounting queries, creating journal entries, generating reports, calculating tax liabilities, and producing tax compliance summaries on request.
All AI-generated actions that modify your financial data (such as journal entries or transaction categorisations) are subject to your review and approval. AI actions are logged in the audit trail and clearly marked as AI-initiated. No fully automated decisions with legal or significant effects are made without human oversight.
13. Children's Privacy
Our Platform is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a person under 18, we will take steps to delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting a notice on the Platform or emailing you at the address associated with your account. The "Last updated" date at the top of this page indicates the most recent revision.
15. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a data concern, please contact us:
- Email: hello@axiomatics.tech
- Entity: Axiomatics Technologies (Pty) Ltd
- Website: axiomatics.co.za