Daybook Customer Privacy Policy
- Effective date
- 24 May 2026
- Last reviewed
- 26 June 2026
- Service provider
- DAYBOOK TECHNOLOGIES (Pty) Ltd, a private company registered in the Republic of South Africa, trading as Daybook (“Daybook”, “we”, “us”, “our”)
- Registered office
- 36 Protea Drive, Gordons Bay, Cape Town, Western Cape, 7140, South Africa - email intake@daybookcoza.com.
- Company registration
- Registration number 2026/502753/07 (CIPC, registered 25 June 2026). Enterprise number K2026502753.
- Information Officer (POPIA)
- Liam Clarke (registered with the Information Regulator under POPIA section 55, registration number 2026-043865, registered 26 June 2026)
- Data protection contact (UK GDPR)
- Liam Clarke, reachable at intake@daybookcoza.com. Daybook is a small owner-operated business and is not currently required to appoint a statutory Data Protection Officer; data-protection queries are handled by the contact named here.
- Privacy contact
- intake@daybookcoza.com
Which law applies to you
0.1. United Kingdom. If you are based in the United Kingdom, or Daybook’s processing of your personal data is otherwise subject to UK data protection law, the UK GDPR (the retained EU General Data Protection Regulation as it forms part of UK law) and the Data Protection Act 2018 apply. Your supervisory authority is the Information Commissioner’s Office (ICO). Where this policy uses POPIA terms (such as “Responsible Party”, “Operator”, or “Information Officer”), the equivalent UK GDPR concepts (“controller”, “processor”, and the data-protection contact named above) apply to you.
0.2. South Africa. If you are based in South Africa, or Daybook’s processing of your personal information is otherwise subject to South African law, POPIA applies and your supervisory authority is the Information Regulator (South Africa).
0.3. Both regimes. Where you could fall under both regimes, Daybook applies the standard that gives you the greater protection. Section 11 below sets out how to complain to either the ICO or the Information Regulator.
1. Scope of this Policy
1.1. This Privacy Policy describes how Daybook processes personal information of:
- 1.1.1. Customers - the natural persons and juristic entities (including their owners, directors, and authorised representatives) who register for, subscribe to, or use the Daybook service (“you”, “your”);
- 1.1.2. Website visitors - anyone who visits a Daybook web property (such as dayboook.site or a sub-domain) without necessarily signing up;
- 1.1.3. Prospects - individuals who contact Daybook for information, or whose contact details we have lawfully obtained for direct marketing in accordance with applicable law (UK GDPR / PECR in the UK; POPIA in South Africa).
1.2. Personal information of your debtors (your customers’ customers) is processed by Daybook on your instructions and on your behalf - as a processor under Article 28 of the UK GDPR and as an Operator under section 21 of POPIA. The rules for that processing are set out in the Daybook Data Processing Addendum. This Privacy Policy is not the privacy notice to be given to your debtors - you must publish your own privacy notice to them.
1.3. For purposes of this Policy, terms such as “personal information” / “personal data”, “data subject”, “controller” / “Responsible Party”, “processor” / “Operator”, and “processing” have the meanings given to them in the UK GDPR (for UK users) and in POPIA (for South African users). “Supervisory authority” means the ICO in the United Kingdom and the Information Regulator in South Africa.
2. What personal information we process and where it comes from
2.1. Information you provide directly:
- 2.1.1. Identification: full name, identity number or passport number (only where required for tax invoice compliance or for Daybook’s anti-fraud due diligence);
- 2.1.2. Contact: South African mobile / WhatsApp number, email address, physical address;
- 2.1.3. Business: registered name, trading name, CIPC registration number, VAT number, business address, trade type;
- 2.1.4. Banking details that appear on invoices: bank name, account number, branch code, account holder name (these appear on invoices issued to your debtors - Daybook does not initiate debits on these accounts);
- 2.1.5. Billing details used to pay your Daybook subscription and setup fee. These are collected and processed by our Merchant of Record, Paddle, which handles card processing and tax/VAT. Daybook receives transaction and tax records from Paddle but does not collect or store your full payment-card number.
- 2.1.6. Content of WhatsApp voice notes, text messages, and other communications sent to Daybook, including transcripts and AI-generated extractions.
2.2. Information generated by your use of the service:
- 2.2.1. Account activity: invoices issued, quotes issued, reminders sent, approvals and rejections, login times;
- 2.2.2. Communication metadata: timestamps of messages received and sent;
- 2.2.3. Technical data: IP address, browser type, device type, operating system, referrer URL, and similar information collected automatically when you access the Daybook website or dashboard.
2.3. OAuth-authorised access tokens:
- 2.3.1. Where you grant Daybook OAuth access to your Gmail or Microsoft Outlook account, we hold a refresh token and access token that allow Daybook to act on your behalf for the limited scopes you authorised. For Gmail, Daybook requests permission to: (i) send email as you, so it can send your invoices, quotes, statements and reminders from your own address; (ii) read your mailbox, so it can capture replies to those messages — customer replies, supplier replies to purchase orders, and delivery-failure (bounce) notifications — and file each against the right record; and (iii) organise the messages Daybook handles, limited to marking Daybook-handled threads as read and applying a “Daybook” label so you can find them in your own Gmail. Daybook does not delete, archive, or move your mail, and does not request full-mailbox access. Microsoft Outlook connections grant the equivalent send and read permissions. We do not receive or store your email password.
- 2.3.2. Google API Services User Data Policy - Limited Use disclosure. Daybook’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: (a) we use Google user data only to provide or improve user-facing features that are prominent in the Daybook user interface - drafting and sending invoices, quotes, statements, reminders and follow-ups as you; reading replies and delivery-failure notifications to those messages so we can present them in the Daybook dashboard and detect payment confirmations, disputes and queries; and marking those threads read and applying a “Daybook” label so you can find them in your own Gmail; (b) we do not transfer Google user data to third parties except as necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition or sale of assets with user consent; (c) we do not use Google user data for serving advertisements; and (d) we do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for Daybook’s internal operations and even then only when the data has been aggregated and anonymised.
- 2.3.3. Microsoft Graph API. Where Daybook accesses Microsoft 365 / Outlook on your behalf, the equivalent restrictions apply under the Microsoft Services Agreement and the Microsoft Identity Platform terms.
2.4. Information from third parties:
- 2.4.1. WhatsApp messaging metadata from our WhatsApp provider (Twilio, 360dialog, or WPPConnect, as applicable);
- 2.4.2. Payment status and reconciliation data from our payment processor;
- 2.4.3. Limited identity verification data, where required by law or for fraud prevention.
2.5. Special category / special personal information. Daybook does not seek and does not need special category data (UK GDPR Article 9 - racial or ethnic origin, health, religious or philosophical beliefs, political opinions, biometric or genetic data, sex life or sexual orientation, trade-union membership) or data about criminal convictions and offences (UK GDPR Article 10), which correspond to “special personal information” under POPIA section 26. Do not include such information in messages to Daybook. Where you inadvertently provide it, Daybook will treat it with appropriate care and minimise its retention.
2.6. Children. The Daybook service is a business tool that is not directed at and is not intended for use by children. Daybook does not knowingly process personal information of children. If you become aware that personal information of a child has been provided to Daybook, please contact intake@daybookcoza.com and we will delete it.
3. Why we process this information and our lawful basis
| Purpose | Lawful basis under UK GDPR (Article 6) | Equivalent basis under POPIA |
|---|---|---|
| Providing the Daybook service to you (drafting and sending invoices and reminders, reconciling payments, weekly summary) | Performance of a contract with you (Art. 6(1)(b)) | Performance of a contract (section 11(1)(b)) |
| Onboarding and account administration | Performance of a contract (Art. 6(1)(b)) | Performance of a contract (section 11(1)(b)) |
| Billing, collecting fees, refunds | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) | Performance of a contract; legal obligation (section 11(1)(b) and (c)) |
| Billing and payment through our Merchant of Record (Paddle), including invoicing, tax/VAT, refunds and chargebacks | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) | Performance of a contract; legal obligation (section 11(1)(b) and (c)) |
| Customer support | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) | Performance of a contract; legitimate interests (section 11(1)(f)) |
| Compliance with applicable law (UK: tax, accounting and company-law obligations; South Africa: the Tax Administration Act, the Companies Act, the Financial Intelligence Centre Act where applicable, and POPIA) | Compliance with a legal obligation (Art. 6(1)(c)) | Compliance with a legal obligation (section 11(1)(c)) |
| Security, fraud prevention, abuse detection, incident investigation | Legitimate interests of Daybook and of other users (Art. 6(1)(f)) | Legitimate interests (section 11(1)(f)) |
| Direct marketing of similar Daybook services to existing customers | Legitimate interests (Art. 6(1)(f)), subject to your right to object and to the rules in the Privacy and Electronic Communications Regulations (PECR) | Legitimate interests, subject to your right to opt out under POPIA section 69 and section 45 of the ECT Act |
| Direct marketing to prospects who are not existing customers | Consent (Art. 6(1)(a)), in line with PECR | Consent (section 11(1)(a) and section 69) |
| Product analytics and improvement | Legitimate interests (Art. 6(1)(f)), using de-identified or aggregated data wherever possible | Legitimate interests, using de-identified or aggregated data wherever possible |
3.0a. About legitimate interests. Where we rely on legitimate interests under UK GDPR Article 6(1)(f), we have considered your interests and rights and only rely on this basis where they do not override our interest. You may ask us for more information about that balancing assessment, and you may object to processing based on legitimate interests (see section 7).
3.1. If we ever wish to process your personal information for a purpose not covered above and not compatible with the original purpose, we will identify a lawful basis for it and, where the law requires, seek your consent first.
3.2. No automated decisions with legal effect. Daybook does not use solely automated decision-making that produces legal effects concerning you or similarly significantly affects you, within the meaning of UK GDPR Article 22 or POPIA section 71. AI extraction is always subject to a human-in-the-loop control. Daybook supports two operating modes, set per Customer:
- 3.2.1. Approval mode (default for new Customers). Every invoice and reminder is presented to the Customer on WhatsApp for explicit approval before sending. Nothing leaves the Customer’s authorised sender address without a tap-to-approve from the Customer.
- 3.2.2. Auto-Send mode (opt-in per Customer). The Customer may elect, via a per-account setting recorded in Daybook’s operational records, to have Daybook send invoices and reminders on their standing authorisation under the Daybook Service Agreement. In Auto-Send mode, Daybook (a) transcribes the Customer’s voice note or text instruction, (b) immediately confirms to the Customer on WhatsApp what was understood and what will be sent, (c) holds the invoice for a Customer-configurable cancellation window (default 3 to 5 hours), during which a reply of “STOP” cancels the send, and (d) sends only if no cancellation is received in that window. The Customer remains in control via the cancellation reply and via their right to revoke Auto-Send for their account at any time.
- 3.2.3. In either mode, no Daybook decision produces legal effect against a third party without the Customer’s authorisation - either the per-message approval (3.2.1) or the standing authorisation plus cancellation window (3.2.2). A complete audit trail of confirmations, cancellations, and sends is retained for each invoice.
4. Who we share information with - sub-processors and others
4.1. Sub-processors. Daybook uses the following sub-processors to deliver the service. Each is engaged under a written data processing agreement and, where personal data leaves the UK or South Africa, under an appropriate transfer mechanism. The transfer basis below is given in both UK GDPR and POPIA terms; see section 5 for detail.
4.1a. Payments and Merchant of Record. Daybook’s subscription and one-time setup fees are sold and billed through Paddle (Paddle.com Market Limited), which acts as the Merchant of Record for those transactions. Paddle is the seller of record at checkout, collects your billing details and payment-card information directly, issues your invoice or receipt, and is responsible for handling sales tax / VAT. Daybook does not receive, process, or store your full payment-card number. Paddle processes your personal data as an independent controller for its own payment, fraud-prevention, tax and legal-compliance purposes, and as Daybook’s processor for the billing it performs on Daybook’s behalf. Paddle’s privacy notice is available at paddle.com.
| Sub-processor | Role | Data accessed | Location | Transfer / adequacy basis |
|---|---|---|---|---|
| Google LLC | Gmail OAuth for sending and reading email on your behalf | OAuth tokens, email content sent and received through your authorisation | United States | UK GDPR Art. 46 (UK International Data Transfer Agreement / Addendum to the EU SCCs) and POPIA section 72(1)(a): bound by contractual safeguards and, where applicable, binding corporate rules comparable to UK and SA information-protection standards |
| Microsoft Corporation | Microsoft Graph / Outlook OAuth (where applicable) for sending and reading email on your behalf | OAuth tokens, email content sent and received through your authorisation | United States and European Union | UK GDPR Art. 46 (UK IDTA / SCCs); POPIA section 72(1)(a) |
| Anthropic, PBC | AI extraction and drafting (Claude model) | WhatsApp content, draft text, no Customer Data used for model training | United States | UK GDPR Art. 46 and POPIA section 72(1)(a); Anthropic’s Data Processing Addendum applies |
| OpenAI, LLC | Backup AI extraction model (where used) | Same as Anthropic | United States | UK GDPR Art. 46 and POPIA section 72(1)(a); OpenAI’s Data Processing Addendum applies |
| Notion Labs, Inc. | Database and internal CRM | Account data, invoice records, communications history | United States | UK GDPR Art. 46 and POPIA section 72(1)(a); Notion’s Data Processing Addendum applies; encryption at rest in Notion infrastructure |
| Vercel, Inc. | Web hosting, serverless compute, Blob storage | All data passing through the Daybook platform | United States | UK GDPR Art. 46 and POPIA section 72(1)(a); Vercel’s Data Processing Addendum applies |
| WhatsApp provider - one of: WPPConnect (interim), Twilio Inc., 360dialog GmbH | WhatsApp message routing | WhatsApp message metadata and content | United States (Twilio); Germany / EU (360dialog); self-hosted infrastructure (WPPConnect) | UK GDPR Art. 46 (UK IDTA / SCCs) and POPIA section 72(1)(a) for US/EU sub-processors; for EU-based processing, UK adequacy and POPIA recognition of the EU apply |
| Sentry (Functional Software, Inc.) (once enabled) | Error and exception monitoring | Stack traces, error context, redacted of personal information where reasonably possible | United States | UK GDPR Art. 46 and POPIA section 72(1)(a) |
| PostHog Inc. (once enabled) | Product analytics | De-identified usage events; IP address truncated | United States | UK GDPR Art. 46 and POPIA section 72(1)(a) |
| Vercel Analytics (if used) | Aggregated web analytics on dayboook.site | Aggregated visit counts, no individual profiling | United States | UK GDPR Art. 46 and POPIA section 72(1)(a) |
| Paddle.com Market Limited | Merchant of Record: checkout, subscription and setup-fee billing, card processing, invoicing, tax/VAT handling, refunds and chargebacks | Your name, billing email, billing address/country, the payment instrument used to pay Daybook (Paddle holds card data; Daybook does not), transaction and tax records | United Kingdom / European Union (Paddle.com Market Limited, Judd House, 18-29 Mora Street, London EC1V 8BT, United Kingdom) | UK GDPR: Paddle is UK-established; onward transfers under Paddle’s DPA rely on Art. 46 safeguards (UK IDTA / SCCs + UK Addendum). POPIA section 72(1)(a) and (c) |
4.2. Daybook updates this list when sub-processors change. Material changes are notified to active Customers as set out in the Daybook Data Processing Addendum.
4.3. Other recipients. Daybook may also share personal information with:
- 4.3.1. Professional advisers (lawyers, accountants, auditors) under confidentiality obligations, on a need-to-know basis;
- 4.3.2. Regulators, courts, and law enforcement where required by law, court order, or to protect Daybook’s rights;
- 4.3.3. Successors in the event of a merger, acquisition, restructuring, or sale of substantially all of Daybook’s assets, in which case we will give you reasonable notice and the same protections will continue to apply.
4.4. No sale of personal information. Daybook does not sell personal information.
5. Cross-border transfers
5.1. Several of Daybook’s sub-processors process personal information outside the United Kingdom and outside the Republic of South Africa, mainly in the United States and the European Economic Area.
5.2. UK transfers (UK GDPR). Where Daybook transfers personal data of UK data subjects outside the United Kingdom, it does so only where one of the following applies under Chapter V of the UK GDPR:
- 5.2.1. the destination is covered by UK “adequacy regulations” (for example, the European Economic Area);
- 5.2.2. the transfer is made under appropriate safeguards in Article 46 - in practice the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum, supplemented by additional technical and organisational measures where needed; or
- 5.2.3. a limited exception in Article 49 applies (for example, the transfer is necessary to perform a contract with you).
5.3. South African transfers (POPIA). Where Daybook transfers personal information of South African data subjects outside South Africa, it does so only in compliance with POPIA section 72, relying on one or more of:
- 5.3.1. Section 72(1)(a): the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection of personal information and includes provisions substantially similar to POPIA chapters 5 and 9, and to onward-transfer restrictions;
- 5.3.2. Section 72(1)(b): the data subject has consented to the transfer;
- 5.3.3. Section 72(1)(c): the transfer is necessary for the performance of a contract between the data subject and the Responsible Party (Daybook);
- 5.3.4. Section 72(1)(d): the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the Responsible Party and a third party.
5.4. The contractual safeguards in place with each sub-processor include the UK IDTA or the EU Standard Contractual Clauses (with the UK Addendum where the transfer is from the UK), or comparable mechanisms recognised in South Africa, together with security and confidentiality commitments at least equivalent to those Daybook offers you.
5.5. A copy of the relevant transfer documentation (UK GDPR Article 46 safeguards and / or POPIA section 72 documentation) will be provided on reasonable request to intake@daybookcoza.com.
6. How long we keep your information
6.1. Active customers. Daybook retains personal information about you and your business for as long as you have an active Daybook subscription, plus any period necessary to handle disputes, recover unpaid fees, and meet legal obligations.
6.2. On termination of your subscription:
- 6.2.1. 14-day return window - Daybook will, on request and within fourteen (14) days of termination, return Customer Data (including data about you and Customer Data processed under the DPA on your behalf) in a structured, commonly used machine-readable format.
- 6.2.2. 14-day deletion window - Within a further fourteen (14) days after the return window expires (or earlier if you so request and have already received your export), Daybook will delete its production copies of Customer Data, subject to clause 6.3.
- 6.2.3. OAuth tokens are revoked or invalidated immediately on termination so that Daybook can no longer act on your behalf.
6.3. Statutory retention.
- 6.3.1. South African tax records. Section 29 of the Tax Administration Act 28 of 2011 requires Daybook to retain records relevant to tax for a minimum of five (5) years from the later of the date of the last entry, the date of submission of the relevant tax return, or the date of any assessment. Where an objection or appeal is lodged, the period extends until the dispute is resolved. Daybook may therefore retain copies of invoices Daybook issued to you, payment records, and related accounting data for up to seven (7) years to cover the longest applicable statutory period.
- 6.3.2. UK tax and accounting records. Where Daybook is required to keep records under UK tax and accounting law, it will retain the relevant invoices, payment records, and accounting data for the period required by that law (commonly around six years, and longer where a dispute or investigation is open). Retention is limited to what the applicable obligation requires, in line with the UK GDPR storage-limitation principle.
- 6.3.3. Other legal obligations. Where other applicable law (for example the South African Companies Act, the Financial Intelligence Centre Act if applicable, the Consumer Protection Act or the NCA; or the equivalent UK company-law, anti-money-laundering or consumer-protection rules) or any court order requires longer retention, Daybook will retain the relevant data for that period and no longer.
6.4. Back-ups. Personal information may persist in encrypted back-ups for a limited period after deletion from primary systems. Such back-ups are not accessed except for disaster recovery, and are overwritten or destroyed in the ordinary course.
6.5. Anonymous and aggregated data. Daybook may retain de-identified, aggregated data (which is not personal information under POPIA) indefinitely for product analytics and improvement.
7. Your rights (UK GDPR and POPIA)
7.1. If you are in the United Kingdom (UK GDPR), you have the following rights:
- 7.1.1. Right to be informed (Articles 13-14) - this Policy is part of how we inform you.
- 7.1.2. Right of access (Article 15) - you may ask whether we process personal data about you and request a copy of it (a “subject access request”).
- 7.1.3. Right to rectification (Article 16) - you may ask us to correct inaccurate or complete incomplete personal data.
- 7.1.4. Right to erasure (“right to be forgotten”, Article 17) - you may ask us to delete your personal data in certain circumstances.
- 7.1.5. Right to restriction of processing (Article 18) - you may ask us to limit how we use your personal data in certain circumstances.
- 7.1.6. Right to data portability (Article 20) - where processing is based on consent or contract and is carried out by automated means, you may ask to receive your data in a structured, commonly used, machine-readable format, or have it transmitted to another controller where technically feasible.
- 7.1.7. Right to object (Article 21) - you may object to processing based on legitimate interests, and you may object to direct marketing at any time.
- 7.1.8. Rights related to automated decision-making and profiling (Article 22) - see clause 3.2 above; Daybook does not carry out solely automated decision-making with legal or similarly significant effects.
- 7.1.9. Right to withdraw consent at any time, where we rely on consent (this does not affect processing already carried out).
- 7.1.10. Right to complain to the ICO - the Information Commissioner’s Office (see clause 11).
7.2. If you are in South Africa (POPIA), you have the following rights as a data subject:
- 7.2.1. Right to be notified (section 18) - this Policy is part of how we notify you.
- 7.2.2. Right of access (section 23) - you may request confirmation of whether Daybook holds personal information about you, and a description of that information.
- 7.2.3. Right to correction or deletion (section 24) - you may request that Daybook correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
- 7.2.4. Right to object (section 11(3)) - on reasonable grounds, you may object to the processing of your personal information in certain circumstances.
- 7.2.5. Right to object to direct marketing (section 69) - you may request, at any time and free of charge, that Daybook stop sending you direct marketing communications.
- 7.2.6. Right not to be subject to automated decision-making (section 71) - see clause 3.2 above; Daybook does not undertake such decision-making.
- 7.2.7. Right to complain to the Information Regulator (see clause 11).
7.3. How to exercise your rights. Send a written request to intake@daybookcoza.com (or use the form at dayboook.site/popia-request) stating clearly which right you wish to exercise. Daybook will respond without undue delay and within one month of receiving a valid request from a UK data subject (extendable by up to two further months for complex or numerous requests, with notice), and within thirty (30) days for a POPIA request. Daybook may need to verify your identity before complying. Exercising these rights is generally free of charge, although we may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive, as permitted by law.
7.4. PAIA - Promotion of Access to Information Act (South Africa). Requests for access to records held by Daybook may also be made in terms of the Promotion of Access to Information Act 2 of 2000 (“PAIA”). A PAIA manual is in preparation per Promotion of Access to Information Act (PAIA) Section 51 and will be published at dayboook.site/paia-manual by 30 June 2026. In the interim, requests can be made to intake@daybookcoza.com.
7.5. Limits on rights. Daybook may decline or limit a request where it has a legal basis under the UK GDPR, POPIA, or other law to retain or continue processing the information (for example, statutory tax retention under clause 6.3, or where deletion would prejudice an ongoing investigation). Daybook will explain the basis for any refusal and, for UK requests, your right to complain to the ICO.
8. Security
8.1. Daybook applies appropriate technical and organisational measures to protect personal information against loss, unauthorised access, alteration, destruction, or unlawful processing, including:
- 8.1.1. In transit: TLS 1.2 or higher on all public endpoints; HMAC signature verification on WhatsApp webhooks;
- 8.1.2. At rest: encryption-at-rest for OAuth refresh tokens and access tokens in Daybook’s token store; encryption-at-rest provided by Notion (data store), Vercel Blob (file storage), and other sub-processors as part of their own infrastructure;
- 8.1.3. Access control: the Daybook dashboard is restricted to authorised Daybook personnel (currently the Information Officer only) under password and, where supported, multi-factor authentication; each Customer’s OAuth grants are scoped narrowly (send, read, and limited organise — mark-read and label — on the Customer’s own account only, never full-mailbox or delete access);
- 8.1.4. Audit logging: every invoice, quote, reminder, approval, and account event is timestamped and logged with the actor identifier;
- 8.1.5. Vendor due diligence: every sub-processor must offer security commitments at least equivalent to those Daybook offers you; Daybook reviews these annually.
- 8.1.6. Personnel: authorised personnel are bound by written confidentiality undertakings and trained on UK GDPR and POPIA basics.
8.2. These measures are intended to meet the security obligations in UK GDPR Article 32 (security of processing) and POPIA section 19. Detailed internal controls are documented in Daybook’s internal data-protection compliance document, which is maintained internally and available to auditors and regulators on request.
9. Personal information breach notification
9.1. UK GDPR (personal data breach). Where Daybook acts as a controller and becomes aware of a personal data breach within the meaning of UK GDPR Article 4(12), Daybook will:
- 9.1.1. notify the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (UK GDPR Article 33);
- 9.1.2. where the breach is likely to result in a high risk to affected individuals, notify them without undue delay (UK GDPR Article 34);
- 9.1.3. where Daybook acts as a processor for a Customer, notify that Customer without undue delay so the Customer can meet its own Article 33/34 obligations (see the DPA).
9.2. POPIA (security compromise). If Daybook becomes aware of a “security compromise” (a breach affecting personal information) within the meaning of POPIA section 22, Daybook will:
- 9.2.1. notify the Information Regulator as soon as reasonably possible after becoming aware, and in any event within seventy-two (72) hours where the breach is likely to result in real or substantive harm to data subjects;
- 9.2.2. notify affected data subjects (including affected Customers and, where Daybook is the Operator, the Responsible Party) as soon as reasonably possible - in practice, within seventy-two (72) hours of becoming aware, unless a public authority directs otherwise to protect an investigation;
- 9.2.3. include in the notification a description of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate;
- 9.2.4. cooperate with the Information Regulator and affected parties to remediate.
9.3. Where Daybook is acting as processor / Operator on a Customer’s behalf, Daybook will notify the Customer (as controller / Responsible Party) within forty-eight (48) hours of becoming aware of the breach, in accordance with the breach-notification clause of the Daybook Data Processing Addendum.
9.4. Daybook maintains an internal breach response runbook covering detection, assessment, escalation, notification, remediation, and post-incident review.
10. Cookies and online tracking
10.1. Strictly necessary cookies. Daybook uses cookies and similar technologies that are strictly necessary to operate the dashboard (such as session and authentication cookies). These are set under our legitimate interests basis and cannot be turned off without breaking the service.
10.2. Analytics. Daybook may use privacy-respecting analytics such as Vercel Analytics (aggregated, no individual profiling) and, when enabled, PostHog with IP truncation. These help us understand usage at an aggregate level.
10.3. Advertising and measurement technologies. Daybook does not set advertising or other non-essential cookies or trackers on this website, and we do not currently run any third-party advertising pixel. If in future we introduce a non-essential tracker (for example an advertising pixel), we will load it only after obtaining your consent through a cookie banner, name the recipient in this policy, and let you withdraw consent at any time. Cookies that are strictly necessary to operate the site and your account are always used.
10.4. You can control cookies through your browser settings. Disabling strictly necessary cookies will impair the service.
11. Supervisory authorities and complaints
11.1. United Kingdom. If you are in the UK, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Helpline: 0303 123 1113
Website: https://ico.org.uk/
Make a complaint: https://ico.org.uk/make-a-complaint/
11.2. South Africa. If you are in South Africa, you have the right to lodge a complaint with the Information Regulator (South Africa):
Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O. Box 31533, Braamfontein, 2017
Telephone: +27 (0)10 023 5200 / 5207
Website: https://inforegulator.org.za/
Complaints email: complaints.IR@inforegulator.org.za
POPIA-specific email: POPIAComplaints@inforegulator.org.za
General email: inforeg@justice.gov.za
11.3. We ask that you give Daybook a reasonable opportunity to address your concerns first by contacting intake@daybookcoza.com.
12. Updates to this Privacy Policy
12.1. Daybook will publish an updated version of this Privacy Policy at dayboook.site/privacy from time to time.
12.2. For material changes affecting how Daybook processes your personal information, Daybook will give you at least thirty (30) days’ notice by email to your registered email address and by in-dashboard banner before the change takes effect.
12.3. For non-material changes (such as adding sub-processors with notice in accordance with the DPA, correcting typographical errors, or reflecting regulatory updates), Daybook may update this Policy without prior notice, with the “Last reviewed” date updated to reflect the change.
13. Contact
- Information Officer (POPIA): Liam Clarke (Regulator reg. no. 2026-043865)
- Data protection contact (UK GDPR): Liam Clarke, intake@daybookcoza.com
- Privacy contact: intake@daybookcoza.com
- Postal: 36 Protea Drive, Gordons Bay, Cape Town, Western Cape, 7140, South Africa - email intake@daybookcoza.com.
End of Privacy Policy.