Privacy Policy
Last updated: 26 March 2026
1. Introduction
TIT Tax ("we", "us", "our") is committed to protecting your personal information in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) and other applicable South African legislation. This Privacy Policy explains what information we collect, how we use it, and your rights.
2. Information We Collect
2.1 Account Information
- Name and surname
- Email address
- Password (stored securely using bcrypt hashing)
2.2 Tax Profile Information
- Occupation and employment type
- Tax identification number and ID number (encrypted at rest using AES-256)
- Medical aid details and dependants
- Retirement annuity contributions
2.3 Bank Statement Data
- Transaction text extracted from uploaded bank statements (CSV or PDF)
- We do not store the original uploaded files. Text is extracted in memory for AI analysis and the raw file is discarded immediately.
2.4 Payment Information
- Payments are processed by PayFast, a PCI DSS Level 1 compliant payment processor.
- We do not receive, process, or store your credit card number, CVV, or banking credentials.
- We store only: PayFast payment ID, plan selected, amount, status, and timestamp.
3. How We Use Your Information
We use your personal information to:
- Provide and improve the tax analysis service.
- Process transactions via AI (OpenAI) to categorise and identify potential deductions.
- Manage your account and credit balance.
- Process payments through PayFast.
- Communicate with you regarding your account or the Service.
- Comply with legal and regulatory obligations.
4. AI Processing & Third Parties
Bank statement transaction text is sent to OpenAI via their API for AI-powered analysis. OpenAI's API data usage policy states that data submitted via the API is not used to train their models. No identifying information such as your name, ID number, or account number is included in the data sent to OpenAI — only transaction descriptions, dates, and amounts.
5. Data Storage & Security
- Your data is stored in a secure PostgreSQL database hosted by Neon, with encrypted connections (TLS).
- Sensitive fields (ID number, tax number) are encrypted at rest using AES-256-GCM.
- Passwords are hashed using bcrypt and never stored in plain text.
- Authentication uses a JSON Web Token (JWT) stored in an HTTP-only, Secure, SameSite cookie.
- The application is served over HTTPS via Vercel's edge network.
6. Cookies
We use a single essential authentication cookie ("token") to keep you logged in. This is an HTTP-only secure cookie and cannot be accessed by JavaScript. We do not use tracking cookies, advertising cookies, or third-party analytics at this time.
7. Data Retention
- Account data is retained for as long as your account is active.
- Transaction analysis results are retained to allow you to generate reports across tax years.
- You may request deletion of your account and all associated data at any time (see section 8).
8. Your Rights Under POPIA
As a data subject under POPIA, you have the right to:
- Access — request a copy of the personal information we hold about you.
- Correction — request correction of inaccurate personal information.
- Deletion — request deletion of your personal information where there is no lawful reason for us to continue processing it.
- Objection — object to the processing of your personal information.
- Complaint — lodge a complaint with the Information Regulator (South Africa) at inforegulator.org.za.
9. Children's Privacy
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Updates will be posted on this page with a revised "Last updated" date. Continued use of the Service constitutes acceptance of the updated policy.
11. Contact Us
For privacy-related enquiries or to exercise your rights under POPIA, contact us at support@taxationistheft.co.za.
See also our Terms & Conditions.