Privacy Policy

1. Information Officer

Our Information Officer can be contacted at luke@atab.ai. Use this address for any access requests, deletion requests, or POPIA-related queries.

2. What we collect

To run Snap-a-Slip, we collect:

• Phone number. Your WhatsApp number is your account identifier. We need it to send you replies and to keep your data linked to you.
• Receipt photos. Every image you send to Snap-a-Slip on WhatsApp.
• Extracted receipt data. Merchant, date, total, VAT, currency, line items, category, and the raw OCR text. Plus any corrections you send.
• Payment metadata. Tier, billing period, PayFast transaction reference. We do not store full card numbers. PayFast handles those directly.
• Usage data. Timestamps of incoming and outgoing messages, errors, command counts. Used to keep the service running and to bill correctly.
• Device and IP metadata. Standard request headers from the WhatsApp webhook and the web app, used for rate-limiting and security.

3. Why we collect it

We process your personal information for these purposes:

• To provide the service (extract, categorise, store, and export your receipts).
• To bill you correctly and to enforce tier limits.
• To improve accuracy and reliability (in aggregate, with personally identifying information stripped).
• To produce aggregated, anonymised market insights that we may share with retailers and brand-research partners. These insights exclude any information that could identify you. You can opt out at any time in your account settings.
• To comply with our legal obligations under South African law.

4. How long we keep it

• Active accounts. Receipt data and images for as long as your account is active, plus 5 years after the last receipt, to match the SARS record-keeping requirement. You can shorten this from your account settings.
• Cancelled accounts. 30 days after cancellation, for export and recovery. Then deleted.
• Payment metadata. 5 years, as required by South African tax legislation.
• Logs and rate-limit metadata. 90 days.

5. Who processes your data

We use a small number of trusted service providers (sub-processors) to operate Snap-a-Slip. Each is contractually bound to handle your data in line with this policy and POPIA, and to apply protections broadly equivalent to South African law.

Sub-processors fall into the following categories:

• Optical character recognition. A document-AI provider converts your receipt image into machine-readable text.
• Receipt extraction. An AI provider processes the text content of your receipts to extract structured fields such as merchant, date, total, VAT, and line items.
• Image and export storage. A cloud storage provider stores your receipt images and export files on encrypted object storage.
• Messaging surface. A messaging platform delivers inbound and outbound WhatsApp messages between you and Snap-a-Slip.
• Payments. A South African payment processor handles card details for paid tiers. We do not see or store full card numbers.
• Hosting and infrastructure. A web hosting provider serves the marketing site and supporting systems.

The current named list of sub-processors is available on request. Email our Information Officer at luke@atab.ai.

We do not sell your personal information. We do not share it with marketing networks, ad-tech platforms, or data brokers. We may share aggregated, anonymised purchase insights (for example, category-level spending trends) with retailers and brand-research partners. These insights contain no information that could identify you. You can opt out in your account settings.

6. Your rights under POPIA

POPIA gives you specific rights over your personal information. We honour all of them:

• Access (s23). Request a copy of all personal information we hold about you. Reply with "export everything" in WhatsApp, or email us. We respond within 7 days.
• Correction (s24). Reply with "merchant ...", "amount ...", or any other correction. The receipt updates instantly.
• Erasure (s24). Type "delete account" in WhatsApp. We confirm, then permanently delete every receipt, image, and personal field within 7 days.
• Objection. You can object to specific processing (for example, aggregate accuracy improvements). Email us.
• Complaint. If you're not satisfied with how we handle your data, you can complain to the Information Regulator at inforegulator.org.za.

7. Cross-border transfers

Your receipt images are stored on encrypted cloud object storage. Receipt text may be processed by AI providers operating outside South Africa, including in the United States, for the purposes of OCR and structured extraction. Card payments are processed by a South African provider. The messaging platform that delivers WhatsApp messages operates globally.

Each sub-processor is contractually bound to provide protection broadly equivalent to POPIA, in line with POPIA s72.

8. Security

Data in transit is encrypted with TLS 1.3. Data at rest is encrypted (AES-256). Server-side encryption on R2 is enabled. Access to production systems is limited to a small set of named individuals, with audit logging.

No system is bulletproof. If we suffer a security incident affecting your data, we'll notify you and the Information Regulator without unreasonable delay, as POPIA requires.

9. Cookies and tracking

The marketing site uses a privacy-respecting analytics service that does not set cookies and does not collect personally identifying information. The web app uses one essential cookie for your login session. No third-party advertising trackers.

10. Children

Snap-a-Slip is not intended for users under 18. We don't knowingly process the personal information of children. If you believe we have, contact our Information Officer and we'll delete it.

11. Updates to this policy

We update this policy when our practices change. The "Last updated" date at the top reflects the most recent revision. For material changes we notify you via WhatsApp or email at least 14 days before they take effect.

12. Contact

Email luke@atab.ai for any privacy or data-protection question. We aim to respond within 7 days.