Your Rights Under POPIA
Sightline is committed to compliance with the Protection of Personal Information Act (POPIA) of South Africa. This policy explains how we collect, use, and protect your personal information in accordance with POPIA requirements.
1. Who We Are
Sightline ("we", "our", or "us") is a budgeting and expense tracking application. We act as the "responsible party" under POPIA for the personal information we process.
2. What Information We Collect
We only collect information that is necessary for providing our services (principle of minimality):
- Account information: First name, last name, email address, phone number, address, country
- Authentication data: Hashed password (we never store plain text passwords)
- Workspace data: Project budgets, expense records, category allocations
- Receipt images: Photos of receipts you upload for expense tracking
- Consent records: Timestamps of when you accepted our Terms and Privacy Policy
3. Purpose of Processing
We process personal information to provide and operate the Sightline service, including creating and managing workspaces, spaces, budgets, income entries, expenses, invoices, analytics, exports, and notifications. We also process personal information to provide customer support, maintain and improve the service, prevent fraud and abuse, and ensure the security and integrity of our systems.
- Authentication: To verify your identity and secure your account
- Service delivery: To provide budgeting, expense tracking, and analytics features
- Workspace collaboration: To enable team features and shared project access
- Communication: To send expense receipts, notifications, and service updates
- Support and maintenance: To provide customer support and maintain service reliability
- Legal compliance: To meet our legal and regulatory obligations
We will not use your data for any secondary purposes without obtaining your explicit consent.
4. Legal Basis for Processing
Under POPIA, we process your information based on:
- Consent: You explicitly agree to our Terms & Conditions and Privacy Policy during signup
- Contract: Processing is necessary to provide the services you requested
- Legal obligation: We may retain financial records as required by law
5. Data Sharing
We do not sell your personal information. We may share data only in these limited circumstances:
- Workspace members: Project and expense data is visible to members of your workspace
- Service providers: We use secure third-party services for hosting, email delivery, and database storage
- Legal requirements: We may disclose data if required by law or valid legal process
6. Administrative Access (Limited and Audited)
To provide support and maintain service reliability, authorized personnel may access customer data strictly on a need-to-know basis. Administrative access is role-restricted, logged, and monitored. We maintain audit logs that record who accessed data, when, and what administrative actions were performed (including exports), to ensure accountability and compliance.
7. Exports and Access Logs
When administrative exports are generated (for example, to troubleshoot a support request or to analyze aggregated usage patterns), Sightline records the export activity, including the administrator identity, timestamp, scope, and reason for export.
8. No Monetization of Individual User Data
We do not sell or monetize individual customers' personal information or individual transaction-level financial data. Any analytics used to improve the service or educational guidance is intended to be aggregated or used for support and product improvement purposes and not for the commercial exploitation of individual users' data.
9. Data Minimization
We limit the personal information we collect and process to what is reasonably necessary for the purposes described in this policy.
10. Data Security
We implement appropriate technical and organizational security safeguards designed to protect personal information against loss, unauthorized access, disclosure, alteration, or destruction, including access controls, encryption where appropriate, and audit logging.
- Passwords are securely hashed (never stored in plain text)
- Data is encrypted in transit using HTTPS/TLS
- Access controls restrict who can view your data
- Audit logging of all administrative actions
- Regular security reviews and updates
11. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements.
- Active accounts: Data is retained while your account is active
- Deleted accounts: Personal data is deleted or anonymized upon account deletion
- Financial records: May be retained for up to 5 years as required by South African law
12. Your Rights Under POPIA
Subject to applicable law, you may request access to, correction of, or deletion of your personal information. You may also object to certain processing or request restriction where permitted by law. To exercise these rights, contact us using the contact details provided in this policy.
- Right to access: View your personal data in your Profile settings
- Right to correction: Update your information at any time through the app
- Right to deletion: Request deletion of your account and associated data
- Right to object: Object to processing in certain circumstances
- Right to restriction: Request restriction of processing where permitted by law
- Right to complain: Lodge a complaint with the Information Regulator if you believe your rights have been violated
13. Cross-Border Data Transfers
If we process or store personal information outside South Africa, we will take steps to ensure an adequate level of protection as required by POPIA, including:
- Using service providers with appropriate data protection certifications
- Implementing contractual safeguards
14. Children's Privacy
Sightline is not intended for users under 18 years of age. We do not knowingly collect personal information from children.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through the app. The version number and date at the top of this page indicate when it was last updated.
Contact Us
For any questions about this Privacy Policy or to exercise your POPIA rights, contact us at:
Email: privacy@sightline.finance
Information Regulator (South Africa): www.justice.gov.za/inforeg