Privacy policy

1. Who we are

ReceiptManager is operated by Nine Rock Group (Pty) Ltd (VAT 4730264826), a South African company registered in Sandton.

Information Officer: Vimal Maharaj · vimal@ninerock.co.za

2. What we collect

• Account details — name, email, phone, organisation
• Receipt images and the structured fields OCR extracts from them
• Bank statements you import (read-only, never write-back)
• Telemetry — request paths, IP, user-agent for audit and abuse detection

3. Why we collect it

To deliver the service you signed up for: capture, classify, allocate, report. We do not sell your data and we do not show ads.

4. Where it lives

Supabase managed Postgres + Storage in ap-south-1 (Mumbai). Migration to af-south-1 self-host is available on request — see Organisation settings → Data residency.

5. How long we keep it

• Active receipts + invoices: while your account is active
• Audit log + financial documents: 5 years per SARS s.29 Tax Administration Act
• SARS submissions (NOA, ITR14, VAT201): permanent

6. Your rights under POPIA

• Access — export everything we hold about you (Settings → Data → Export all my data)
• Correction — edit any field in Profile or Receipt detail
• Erasure — Settings → Data → Delete my account (30-day grace period)
• Object — withdraw consent for analytics in Settings → Notifications
• Complain to the Information Regulator at complaints.IR@justice.gov.za

7. Sub-processors

• Supabase (Postgres + Storage + Auth) — ap-south-1
• Vercel (web hosting + Edge Functions) — fra1
• OpenRouter → Google Gemini (OCR classification) — us-central1
• Resend (transactional email) — us-east-1

Each has a signed DPA on file. Snapshots available on request.

8. Contact

Information Officer: vimal@ninerock.co.za