Privacy Policy

Last updated: 13 July 2026

1. Who we are

GS-Connect is operated by GroenTech Systems (Pty) Ltd(“GroenTech”, “we”, “us”), a South African company. We are the responsible partyunder the Protection of Personal Information Act, 4 of 2013 (“POPIA”) for the personal information described in this policy.

Our Information Officer can be reached at admin@groentechsystems.com.

POPIA protects the personal information of both natural persons and juristic persons (companies). Because GS-Connect is a platform on which businesses share compliance information with each other, this policy covers both.

2. What we collect

Account information: your name, email address, and a securely hashed password (we never store your password itself). If you enable two-factor authentication, an encrypted authenticator secret and hashed recovery codes.

Company profile: company name, registration and VAT numbers, contact details, address, industry, products and services, social media links, and a logo if you upload one.

Compliance documents: the documents you upload (for example B-BBEE certificates and CIPC registration documents) and the fields our document-AI extracts from them (such as document type, B-BBEE level, and expiry dates). These documents may contain personal information of third parties, such as company directors — see section 6.

Billing content you create:quotes, invoices, statements, credit notes, your company’s banking details for display on those documents, and payment terms you record for partners.

Subscription and payment records: your plan, billing history, and payment references. Card payments are processed by PayFast — we never see or store your card number.

Platform activity: partner connections, document review actions and audit trails, checklist runs (including who completed which item and when), support tickets, in-app notifications, and profile view counts.

Technical information: IP addresses for security rate-limiting and abuse prevention, and essential session cookies to keep you signed in. Our analytics (Vercel Web Analytics) are aggregate and do not use cookies or track you across sites.

3. Why we process it

We process personal information to:

  • provide the GS-Connect platform — accounts, document management, AI document verification, partner networking, compliance scoring, checklists, and billing;
  • process subscription payments and issue tax invoices;
  • send service communications (verification emails, security notices, expiry and review reminders);
  • secure the platform (authentication, rate limiting, fraud and abuse prevention, audit trails);
  • provide support when you raise a ticket; and
  • comply with South African law, including tax record-keeping.

We do not sell personal information, and we do not send direct marketing without your consent.

4. Sharing on the platform — how visibility works

Sharing compliance information is the purpose of GS-Connect, and it is consent-driven:

  • Company register: your company name, industry, and products/services are visible to other signed-in platform users so partners can find you.
  • Connected partners: when you accept a partner connection, that partner can view your shared compliance documents and compliance status — and you theirs. Declining or dissolving a partnership ends that access.
  • Billing portal links: if you share an invoice link with a client, anyone with that link can view that invoice.

5. Our service providers (operators)

We use vetted service providers to run the platform. Each processes personal information only on our instructions, under written agreements with security obligations:

  • Vercel (USA/EU) — application hosting; our application runs in the European Union (Frankfurt).
  • Neon (EU — Frankfurt) — database hosting.
  • Microsoft Azure — document file storage and AI document analysis.
  • PayFast (South Africa) — payment processing.
  • Resend (USA) — transactional email delivery.
  • Anthropic (USA) — the optional AI help assistant: messages you type to it are processed to generate answers, and support-ticket content may be AI-analysed to help our staff resolve your issue.
  • Upstash (EU — Frankfurt) — security rate-limiting infrastructure.
  • hCaptcha (USA) — bot protection on registration.

Where information leaves South Africa (EU and USA above), we rely on section 72 of POPIA: recipients are bound by agreements providing substantially similar protection, including GDPR-standard contractual clauses.

6. Documents that contain other people's information

Compliance documents you upload (for example CIPC certificates) may contain personal information of third parties such as directors. For that content, your company is the responsible party and GroenTech acts as your operator: we store, process, and share it only per your instructions (your upload and your partner-sharing choices). Ensure you are entitled to upload and share such documents.

7. How long we keep information

  • Account and company data: for as long as your account is active.
  • Financial records (subscription tax invoices, billing documents): retained for at least 5 years as required by South African tax law, even after account closure.
  • Audit trails and security logs: retained for the period needed to serve their integrity and security purpose.
  • Everything else: deleted or de-identified within a reasonable period after account closure, except where law requires retention.

8. Your rights

Under POPIA you may:

  • request access to the personal information we hold about you;
  • request correction (most profile and company data you can correct yourself in the app);
  • request deletion, subject to the legal retention periods in section 7;
  • object to processing, and withdraw consent where processing is based on it.

To exercise any of these rights, email admin@groentechsystems.com — we respond within a reasonable time and at most within 30 days. You may also lodge a complaint with the Information Regulator (South Africa): inforegulator.org.za.

9. How we protect information

We apply the security safeguards POPIA requires, including: encrypted connections (HTTPS), hashed passwords, optional and staff-mandatory two-factor authentication, step-up verification for sensitive changes, role-based access control, security rate limiting, a strict content security policy, audit logging, and independent security review of platform changes. No system is perfectly secure; if a breach affecting your information occurs, we will notify the Information Regulator and affected users as soon as reasonably possible, as section 22 of POPIA requires.

10. Changes to this policy

We may update this policy as the platform evolves. Material changes will be announced in-app or by email, and the “last updated” date above always reflects the current version.

See also our Terms of Service.