Daybook Customer Privacy Policy

Last updated: 24 May 2026 · Effective date: 24 May 2026
Effective date: 24 May 2026
Last reviewed: 24 May 2026
Service provider: Daybook, a trading name of Liam Clarke (sole proprietor) (“Daybook”, “we”, “us”, “our”)
Registered office: Address available on request — email intake@daybookcoza.com.
Company registration: Sole proprietorship — no company registration applicable. ID number on file at signing.
Information Officer: Liam Clarke (registered with the Information Regulator under POPIA section 55)
Privacy contact: intake@daybookcoza.com

1. Scope of this Policy

1.1. This Privacy Policy describes how Daybook processes personal information of:

  • 1.1.1. Customers — the natural persons and juristic entities (including their owners, directors, and authorised representatives) who register for, subscribe to, or use the Daybook service (“you”, “your”);
  • 1.1.2. Website visitors — anyone who visits a Daybook web property (such as dayboook.site or a sub-domain) without necessarily signing up;
  • 1.1.3. Prospects — individuals who contact Daybook for information, or whose contact details we have lawfully obtained for direct marketing under POPIA.

1.2. Personal information of your debtors (your customers’ customers) is processed by Daybook on your instructions and on your behalf, as an Operator under section 21 of POPIA. The rules for that processing are set out in the Daybook Data Processing Addendum. This Privacy Policy is not the privacy notice to be given to your debtors — you must publish your own privacy notice to them.

1.3. For purposes of this Policy, terms such as “personal information”, “data subject”, “Responsible Party”, “Operator”, “processing”, and “Information Regulator” have the meanings given to them in POPIA.


2. What personal information we process and where it comes from

2.1. Information you provide directly:

  • 2.1.1. Identification: full name, identity number or passport number (only where required for tax invoice compliance or for Daybook’s anti-fraud due diligence);
  • 2.1.2. Contact: South African mobile / WhatsApp number, email address, physical address;
  • 2.1.3. Business: registered name, trading name, CIPC registration number, VAT number, business address, trade type;
  • 2.1.4. Banking details that appear on invoices: bank name, account number, branch code, account holder name (these appear on invoices issued to your debtors — Daybook does not initiate debits on these accounts);
  • 2.1.5. Payment instrument used to pay your Daybook subscription (held by our payment processor — we do not store full card numbers);
  • 2.1.6. Content of WhatsApp voice notes, text messages, and other communications sent to Daybook, including transcripts and AI-generated extractions.

2.2. Information generated by your use of the service:

  • 2.2.1. Account activity: invoices issued, quotes issued, reminders sent, approvals and rejections, login times;
  • 2.2.2. Communication metadata: timestamps of messages received and sent;
  • 2.2.3. Technical data: IP address, browser type, device type, operating system, referrer URL, and similar information collected automatically when you access the Daybook website or dashboard.

2.3. OAuth-authorised access tokens:

  • 2.3.1. Where you grant Daybook OAuth access to your Gmail or Microsoft Outlook account, we hold a refresh token and access token that allow Daybook to send and read email on your behalf for the limited scopes you authorised. We do not receive or store your email password.

2.4. Information from third parties:

  • 2.4.1. WhatsApp messaging metadata from our WhatsApp provider (Twilio, 360dialog, or WPPConnect, as applicable);
  • 2.4.2. Payment status and reconciliation data from our payment processor;
  • 2.4.3. Limited identity verification data, where required by law or for fraud prevention.

2.5. Special personal information. Daybook does not seek and does not need special personal information (as defined in POPIA section 26 — race, health, religion, political views, biometric data, criminal behaviour, etc.) from you. Do not include such information in messages to Daybook. Where you inadvertently provide it, Daybook will treat it with appropriate care and minimise its retention.

2.6. Children. The Daybook service is not directed at and is not intended for use by children (persons under 18). Daybook does not knowingly process personal information of children. If you become aware that personal information of a child has been provided to Daybook, please contact intake@daybookcoza.com and we will delete it.


3. Why we process this information and our lawful basis

| Purpose | Lawful basis under POPIA |
| --- | --- |
| Providing the Daybook service to you (drafting and sending invoices and reminders, reconciling payments, weekly summary) | Performance of a contract with you (POPIA section 11(1)(b)) |
| Onboarding and account administration | Performance of a contract (POPIA section 11(1)(b)) |
| Billing, collecting fees, refunds | Performance of a contract; legal obligation (Tax Administration Act) |
| Customer support | Performance of a contract; legitimate interests (POPIA section 11(1)(f)) |
| Compliance with applicable law, including the Tax Administration Act, the Companies Act, the Financial Intelligence Centre Act (where applicable), and POPIA | Compliance with a legal obligation (POPIA section 11(1)(c)) |
| Security, fraud prevention, abuse detection, incident investigation | Legitimate interests of Daybook and of other users (POPIA section 11(1)(f)) |
| Direct marketing of similar Daybook services to existing customers | Legitimate interests, subject to your right to opt out under POPIA section 69 and section 45 of the ECT Act |
| Direct marketing to prospects who are not existing customers | Consent (POPIA section 11(1)(a) and section 69) |
| Product analytics and improvement | Legitimate interests, using de-identified or aggregated data wherever possible |

3.1. If we ever wish to process your personal information for a purpose not covered above and not compatible with the original purpose, we will seek your consent first.

3.2. No automated decisions with legal effect. Daybook does not use automated decision-making that produces legal consequences for you within the meaning of POPIA section 71. AI extraction is presented for human approval — you remain in control of every invoice and reminder sent.


4. Who we share information with — sub-processors and others

4.1. Sub-processors. Daybook uses the following sub-processors to deliver the service:

| Sub-processor | Role | Data accessed | Location | Adequacy basis |
| --- | --- | --- | --- | --- |
| Google LLC | Gmail OAuth for sending and reading email on your behalf | OAuth tokens, email content sent and received through your authorisation | United States | POPIA section 72(1)(a): bound by binding corporate rules and contractual safeguards comparable to POPIA’s information protection conditions |
| Microsoft Corporation | Microsoft Graph / Outlook OAuth (where applicable) for sending and reading email on your behalf | OAuth tokens, email content sent and received through your authorisation | United States and European Union | POPIA section 72(1)(a) |
| Anthropic, PBC | AI extraction and drafting (Claude model) | WhatsApp content, draft text, no Customer Data used for model training | United States | POPIA section 72(1)(a); Anthropic’s Data Processing Addendum applies |
| OpenAI, LLC | Backup AI extraction model (where used) | Same as Anthropic | United States | POPIA section 72(1)(a); OpenAI’s Data Processing Addendum applies |
| Notion Labs, Inc. | Database and internal CRM | Account data, invoice records, communications history | United States | POPIA section 72(1)(a); Notion’s Data Processing Addendum applies; encryption at rest in Notion infrastructure |
| Vercel, Inc. | Web hosting, serverless compute, Blob storage | All data passing through the Daybook platform | United States | POPIA section 72(1)(a); Vercel’s Data Processing Addendum applies |
| WhatsApp provider — one of: WPPConnect (interim), Twilio Inc., 360dialog GmbH | WhatsApp message routing | WhatsApp message metadata and content | United States (Twilio); Germany / EU (360dialog); self-hosted infrastructure (WPPConnect) | POPIA section 72(1)(a) for US/EU sub-processors; SCCs in place |
| Sentry (Functional Software, Inc.) (once enabled) | Error and exception monitoring | Stack traces, error context, redacted of personal information where reasonably possible | United States | POPIA section 72(1)(a) |
| PostHog Inc. (once enabled) | Product analytics | De-identified usage events; IP address truncated | United States | POPIA section 72(1)(a) |
| Vercel Analytics (if used) | Aggregated web analytics on dayboook.site | Aggregated visit counts, no individual profiling | United States | POPIA section 72(1)(a) |
| None — no external payment processor | Subscription billing via direct EFT to Daybook’s South African bank account | No card data — Daybook does not collect, process, or store payment card numbers | South Africa | Not applicable |

4.2. Daybook updates this list when sub-processors change. Material changes are notified to active Customers as set out in the Daybook Data Processing Addendum.

4.3. Other recipients. Daybook may also share personal information with:

  • 4.3.1. Professional advisers (lawyers, accountants, auditors) under confidentiality obligations, on a need-to-know basis;
  • 4.3.2. Regulators, courts, and law enforcement where required by law, court order, or to protect Daybook’s rights;
  • 4.3.3. Successors in the event of a merger, acquisition, restructuring, or sale of substantially all of Daybook’s assets, in which case we will give you reasonable notice and the same protections will continue to apply.

4.4. No sale of personal information. Daybook does not sell personal information.


5. Cross-border transfers

5.1. Several of Daybook’s sub-processors process personal information outside the Republic of South Africa, mainly in the United States and the European Economic Area.

5.2. Daybook transfers personal information outside South Africa only in compliance with POPIA section 72. Daybook relies on one or more of:

  • 5.2.1. Section 72(1)(a): the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection of personal information and includes provisions substantially similar to POPIA chapters 5 and 9, and to onward-transfer restrictions;
  • 5.2.2. Section 72(1)(b): the data subject has consented to the transfer;
  • 5.2.3. Section 72(1)(c): the transfer is necessary for the performance of a contract between the data subject and the Responsible Party (Daybook);
  • 5.2.4. Section 72(1)(d): the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the Responsible Party and a third party.

5.3. The contractual safeguards in place with each sub-processor include Standard Contractual Clauses (SCCs) of the European Union or comparable mechanisms approved or recognised in South Africa, together with security and confidentiality commitments at least equivalent to those Daybook offers you.

5.4. A copy of the relevant section 72 documentation will be provided on reasonable request to intake@daybookcoza.com.


6. How long we keep your information

6.1. Active customers. Daybook retains personal information about you and your business for as long as you have an active Daybook subscription, plus any period necessary to handle disputes, recover unpaid fees, and meet legal obligations.

6.2. On termination of your subscription:

  • 6.2.1. 14-day return window — Daybook will, on request and within fourteen (14) days of termination, return Customer Data (including data about you and Customer Data processed under the DPA on your behalf) in a structured, commonly used machine-readable format.
  • 6.2.2. 14-day deletion window — Within a further fourteen (14) days after the return window expires (or earlier if you so request and have already received your export), Daybook will delete its production copies of Customer Data, subject to clause 6.3.
  • 6.2.3. OAuth tokens are revoked or invalidated immediately on termination so that Daybook can no longer act on your behalf.

6.3. Statutory retention.

  • 6.3.1. Tax records. Section 29 of the Tax Administration Act 28 of 2011 requires Daybook to retain records relevant to tax for a minimum of five (5) years from the later of the date of the last entry, the date of submission of the relevant tax return, or the date of any assessment. Where an objection or appeal is lodged, the period extends until the dispute is resolved. Daybook may therefore retain copies of invoices Daybook issued to you, payment records, and related accounting data for up to seven (7) years to cover the longest applicable statutory period.
  • 6.3.2. Other legal obligations. Where the Companies Act, the Financial Intelligence Centre Act (if applicable), the Consumer Protection Act, the NCA, or any court order requires longer retention, Daybook will retain the relevant data for that period and no longer.

6.4. Back-ups. Personal information may persist in encrypted back-ups for a limited period after deletion from primary systems. Such back-ups are not accessed except for disaster recovery, and are overwritten or destroyed in the ordinary course.

6.5. Anonymous and aggregated data. Daybook may retain de-identified, aggregated data (which is not personal information under POPIA) indefinitely for product analytics and improvement.


7. Your rights under POPIA

7.1. Under POPIA, you have the following rights as a data subject:

  • 7.1.1. Right to be notified (POPIA section 18) — this Policy is part of how we notify you.
  • 7.1.2. Right of access (POPIA section 23) — you may request confirmation of whether Daybook holds personal information about you, and a description of that information.
  • 7.1.3. Right to correction or deletion (POPIA section 24) — you may request that Daybook correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
  • 7.1.4. Right to object (POPIA section 11(3)) — on reasonable grounds, you may object to the processing of your personal information in certain circumstances.
  • 7.1.5. Right to object to direct marketing (POPIA section 69) — you may request, at any time and free of charge, that Daybook stop sending you direct marketing communications.
  • 7.1.6. Right not to be subject to automated decision-making (POPIA section 71) — see clause 3.2 above; Daybook does not undertake such decision-making.
  • 7.1.7. Right to complain to the Information Regulator (see clause 11).

7.2. How to exercise your rights. Send a written request to intake@daybookcoza.com stating clearly which right you wish to exercise. Daybook will respond within thirty (30) days of receiving a valid, identifiable request. Daybook may need to verify your identity before complying.

7.3. PAIA — Promotion of Access to Information Act. Requests for access to records held by Daybook may also be made in terms of the Promotion of Access to Information Act 2 of 2000 (“PAIA”). A PAIA manual is in preparation in terms of section 51 of PAIA and will be published at dayboook.site/paia-manual by 30 June 2026. In the interim, requests can be made to intake@daybookcoza.com.

7.4. Limits on rights. Daybook may decline a request where it has a legal basis under POPIA or other law to retain or continue processing the information (for example, statutory tax retention under clause 6.3.1, or where deletion would prejudice an ongoing investigation). Daybook will explain the basis for any refusal.


8. Security

8.1. Daybook applies appropriate technical and organisational measures to protect personal information against loss, unauthorised access, alteration, destruction, or unlawful processing, including:

  • 8.1.1. In transit: TLS 1.2 or higher on all public endpoints; HMAC signature verification on WhatsApp webhooks;
  • 8.1.2. At rest: encryption-at-rest for OAuth refresh tokens and access tokens in Daybook’s token store; encryption-at-rest provided by Notion (data store), Vercel Blob (file storage), and other sub-processors as part of their own infrastructure;
  • 8.1.3. Access control: the Daybook dashboard is restricted to authorised Daybook personnel (currently the Information Officer only) under password and, where supported, multi-factor authentication; each Customer’s OAuth grants are scoped narrowly (send and read on the Customer’s own account only);
  • 8.1.4. Audit logging: every invoice, quote, reminder, approval, and account event is timestamped and logged with the actor identifier;
  • 8.1.5. Vendor due diligence: every sub-processor must offer security commitments at least equivalent to those Daybook offers you; Daybook reviews these annually.
  • 8.1.6. Personnel: authorised personnel are bound by written confidentiality undertakings and trained on POPIA basics.

8.2. Detailed internal controls are documented in Daybook’s POPIA Operational Compliance document, which is maintained internally and available to auditors and regulators on request.


9. Personal information breach notification

9.1. If Daybook becomes aware of a “security compromise” (a breach affecting personal information) within the meaning of POPIA section 22, Daybook will:

  • 9.1.1. notify the Information Regulator as soon as reasonably possible after becoming aware, and in any event within seventy-two (72) hours where the breach is likely to result in real or substantive harm to data subjects;
  • 9.1.2. notify affected data subjects (including affected Customers and, where Daybook is the Operator, the Responsible Party) as soon as reasonably possible — in practice, within seventy-two (72) hours of becoming aware, unless a public authority directs otherwise to protect an investigation;
  • 9.1.3. include in the notification a description of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate;
  • 9.1.4. cooperate with the Information Regulator and affected parties to remediate.

9.2. Where Daybook is acting as Operator on a Customer’s behalf, Daybook will notify the Customer (as Responsible Party) within forty-eight (48) hours of becoming aware of the breach, in accordance with clause 5 of the Daybook Data Processing Addendum.

9.3. Daybook maintains an internal breach response runbook covering detection, assessment, escalation, notification, remediation, and post-incident review.


10. Cookies and online tracking

10.1. Strictly necessary cookies. Daybook uses cookies and similar technologies that are strictly necessary to operate the dashboard (such as session and authentication cookies). These are set under our legitimate interests basis and cannot be turned off without breaking the service.

10.2. Analytics. Daybook may use privacy-respecting analytics such as Vercel Analytics (aggregated, no individual profiling) and, when enabled, PostHog with IP truncation. These help us understand usage at an aggregate level.

10.3. No third-party advertising trackers. Daybook does not currently embed Google Analytics, Meta Pixel, or other advertising trackers on the Customer dashboard. If this changes, we will update this Policy and where required obtain consent in line with POPIA and the ECT Act.

10.4. You can control cookies through your browser settings. Disabling strictly necessary cookies will impair the service.


11. Information Regulator and complaints

11.1. You have the right to lodge a complaint with the Information Regulator (South Africa):

Information Regulator (South Africa)

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

P.O. Box 31533, Braamfontein, 2017

Telephone: +27 (0)10 023 5200 / 5207

Website: https://inforegulator.org.za/

Complaints email: complaints.IR@inforegulator.org.za

POPIA-specific email: POPIAComplaints@inforegulator.org.za

General email: inforeg@justice.gov.za

11.2. We ask that you give Daybook a reasonable opportunity to address your concerns first by contacting intake@daybookcoza.com.


12. Updates to this Privacy Policy

12.1. Daybook will publish an updated version of this Privacy Policy at dayboook.site/privacy from time to time.

12.2. For material changes affecting how Daybook processes your personal information, Daybook will give you at least thirty (30) days’ notice by email to your registered email address and by in-dashboard banner before the change takes effect.

12.3. For non-material changes (such as adding sub-processors with notice in accordance with the DPA, correcting typographical errors, or reflecting regulatory updates), Daybook may update this Policy without prior notice, with the “Last reviewed” date updated to reflect the change.


13. Contact

End of Privacy Policy.