Privacy Policy

Effective Date: 1 March 2026  |  Last Updated: 2 March 2026

This Privacy Policy describes how TenderWatch SA ("we", "us", "our") collects, uses, stores, and protects your personal information when you use the TenderWatch platform ("Service"). This policy complies with the Protection of Personal Information Act (POPIA), No. 4 of 2013, and the Promotion of Access to Information Act (PAIA), No. 2 of 2000.

1. Information Officer

Our designated Information Officer under POPIA:

• Name: TenderWatch SA Information Officer
• Email: southafricanapp@outlook.com
• Address: Sandton, Gauteng, South Africa

2. Personal Information We Collect

Category	Data Collected	Purpose	Lawful Basis (POPIA s11)
Account Data	Email address, organisation name	Account management, billing, communication	Consent & Contract
Authentication	API key hash (SHA-256; raw key never stored)	Access control	Legitimate interest
Payment Data	Processed by PayPal — we do NOT store card numbers, CVVs, or bank details	Subscription billing	Contract
Usage Logs	API endpoint, timestamp, response status	Billing metering, abuse prevention, audit	Legitimate interest
Access Logs	IP address hash (SHA-256), user agent, timestamp	POPIA audit trail, security monitoring	Legal obligation (POPIA s19)

3. Public Procurement Data

TenderWatch analyses government tender data sourced from the National Treasury OCDS API, which is publicly available under South African open data policies. This data may contain:

• Names of government departments and officials (in their public capacity)
• Company names and registration numbers (public CIPC records)
• Tender values and award dates

We apply automated PII redaction to strip phone numbers, personal email addresses, and ID numbers from scraped data before storage. Any personal information encountered in public procurement data is processed under POPIA Section 11(1)(d) — legitimate interest for transparency and accountability.

4. How We Use Your Information

• Service delivery: Authenticating your access, enforcing tier limits, delivering features
• Billing: Processing payments via PayPal, generating invoices, managing subscriptions
• Security: Detecting abuse, preventing fraud, maintaining audit logs
• Improvement: Aggregated, anonymised usage analytics to improve the Service
• Communication: Service updates, billing notifications, security alerts (no marketing without consent)

5. Data Sharing

We share your personal information only with:

Recipient	Purpose	Location
PayPal Holdings, Inc.	Payment processing	Global (PCI DSS compliant)
Supabase Inc	Database hosting	EU (AWS eu-west-1, with encryption at rest)
Sentry (Functional Software Inc)	Error monitoring (PII stripped before transmission)	United States
Vercel Inc	Application hosting	Global CDN (application logic in nearest region)

We do NOT sell, rent, or trade your personal information to any third party.

6. Cross-Border Transfers

Where data is processed outside South Africa (Supabase in EU, Sentry in US), we ensure adequate protection through:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• PII stripping before transmission to error tracking services
• Contractual obligations with processors that meet POPIA Section 72 requirements

7. Data Retention

Data Type	Retention Period	Basis
Account data	Duration of account + 12 months	Contract + legal obligation
Access logs	24 months	POPIA s19 security safeguard
Usage logs	24 months	Billing reconciliation + audit
Payment records	5 years	SARS tax compliance (Tax Administration Act)
Anomaly data	Indefinite (public procurement data)	Public interest (POPIA s27)

8. Your Rights Under POPIA

You have the right to:

• Access: Request a copy of personal information we hold about you
• Correction: Request correction of inaccurate personal information
• Deletion: Request deletion of personal information (subject to legal retention requirements)
• Object: Object to processing of your personal information on reasonable grounds
• Data portability: Export your usage data in CSV format via GET /api/billing/usage/export
• Withdraw consent: Withdraw consent at any time (this may affect your ability to use the Service)
• Complaint: Lodge a complaint with the Information Regulator of South Africa

To exercise any of these rights, email us at southafricanapp@outlook.com with subject "POPIA Request".

9. PAIA Requests

Requests for access to records under the Promotion of Access to Information Act (PAIA) should be directed to our Information Officer using the prescribed PAIA Form C, available from the Information Regulator website.

10. Security Measures

We implement the following technical and organisational safeguards (POPIA s19):

• API keys hashed with SHA-256 (timing-safe comparison)
• IP addresses one-way hashed with salted SHA-256
• All data encrypted in transit (TLS 1.3) and at rest
• PII automatically redacted from scraped data before storage
• Role-based access control with audit logging
• Rate limiting and abuse detection
• Regular security reviews and dependency updates

11. Cookies and Tracking

TenderWatch does not use tracking cookies, advertising pixels, or third-party analytics. The only client-side storage used is localStorage for your API key preference, which remains on your device and is never transmitted to third parties.

12. Children's Privacy

The Service is not intended for persons under 18. We do not knowingly collect personal information from children. If we become aware of such collection, we will promptly delete the information.

13. Changes to This Policy

We will notify you of material changes to this policy at least 30 days before the effective date, via email or dashboard notification. The "Last Updated" date at the top of this page reflects the most recent revision.

14. Contact and Information Regulator

TenderWatch SA

• Email: southafricanapp@outlook.com
• Address: Sandton, Gauteng, South Africa

Information Regulator (South Africa)

• Website: https://www.justice.gov.za/inforeg/
• Email: complaints.IR@justice.gov.za