Privacy Policy
Eziflow PO — a product of IDEA. (Pty) Ltd
Eziflow PO is a multi-tenant purchase order and approval workflow platform engineered and operated by IDEA. (Pty) Ltd ("IDEA.", "we", "us", or "our"). This Privacy Policy explains how we collect, use, store, and protect personal information in connection with your use of the Eziflow platform ("Platform"). We are committed to complying with the Protection of Personal Information Act 4 of 2013 (POPIA) and, where applicable, international data protection standards.
1. Information Officer
In accordance with POPIA, IDEA. (Pty) Ltd has designated the following Information Officer responsible for ensuring compliance with this Policy and handling all data-related queries and complaints:
Information Officer — IDEA. (Pty) Ltd
2. What Personal Information We Collect
We collect the personal information necessary to operate your Account and the Platform on your behalf. This includes:
- Account and user details — name, email address, and username for every user your Account creates, plus role assignments (Owner, Co-Owner, Admin, Employee, Viewer) and permissions.
- Login credentials — passwords are hashed using bcrypt encryption immediately upon creation. We do not store, transmit, or have access to your password in plaintext at any point.
- Business data entered into the Platform — supplier contact details, purchase order data, approver names, comments, and any personal information your Account chooses to enter into forms, workflows, or purchase orders in the ordinary course of business.
- Email server (SMTP) credentials — where your Account configures its own outbound email settings, the SMTP username/password is encrypted at rest and used solely to send your Account's workflow emails.
We do not collect payment card details, national identification numbers, or other special personal information as defined under POPIA, unless your Account voluntarily enters such information into a purchase order, form, or support communication.
3. How We Use Your Personal Information
Personal information we hold is used exclusively for the following purposes:
- Authentication — to verify your identity when you log in.
- Account and workflow operation — to run purchase order approvals, route emails, generate PDFs, and provide the features your Account has configured.
- Service communications — to respond to support enquiries you initiate, and to notify you of material changes affecting your Account.
- Security — to detect and prevent unauthorised access, fraud, or abuse of the Platform.
We do not use your personal information for marketing without your explicit consent, and we do not sell, rent, or trade your personal information to third parties under any circumstances.
4. Multi-Tenant Data Isolation
Every Account on Eziflow operates in a fully isolated data environment. Personal information and business data entered by your Account — suppliers, purchase orders, users, comments, uploaded files — is never visible to, or mixed with, any other Account. Access by IDEA. staff for support purposes (including superadmin impersonation) requires your Account's explicit opt-in while active, and is logged.
5. Uploaded Content
The Platform allows users to attach quotes, supporting documents, and other files to purchase orders ("Uploaded Content").
- You retain ownership. IDEA. claims no intellectual property rights over Uploaded Content.
- You are responsible for its lawfulness. You are solely responsible for ensuring Uploaded Content complies with applicable law, including intellectual property and privacy obligations. IDEA. accepts no liability for Uploaded Content that infringes third-party rights or violates applicable law.
- Uploaded Content is not "personal information" for the purposes of this Policy unless it contains personal information about identifiable individuals (for example, a quote referencing a named individual) — in which case your Account bears the responsibility of a responsible party under POPIA in respect of that information.
6. Data Storage and Security
Your personal information and Uploaded Content are stored on secured servers. We implement appropriate technical and organisational measures to protect against unauthorised access, disclosure, alteration, or destruction of personal information, including:
- Bcrypt hashing of all passwords, with no plaintext storage.
- AES-256 encryption of stored SMTP credentials.
- Server-side session authentication with idle and absolute timeouts, and hardened session cookies.
- Cross-site request forgery (CSRF) protection on every data-modifying action.
- Account-level data isolation enforced on every database query.
- Login brute-force lockout protection.
No method of electronic storage or transmission over the internet is completely secure. While we use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. In the event of a security compromise affecting your personal information, we will notify you in accordance with our obligations under POPIA.
7. Data Retention
We retain your Account's personal information for as long as the Account remains active. If an Account is suspended or closed, it enters a retention window (currently a three-month countdown) before permanent deletion, during which an Owner or Co-Owner may reactivate the Account. After that window, all Account data — including personal information, purchase orders, and Uploaded Content — is permanently and irreversibly deleted, except where we are required by law to retain specific records for longer.
Generated purchase order PDFs are rendered on demand and are not stored beyond what is needed to serve the request.
8. Disclosure of Personal Information
We do not share your personal information with third parties except in the following limited circumstances:
- Legal obligation — where we are required to disclose information by law, court order, or regulatory authority.
- Protection of rights — where disclosure is necessary to protect the rights, property, or safety of IDEA., our users, or the public.
- Business transfer — in the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to equivalent privacy protections.
- Your own workflow configuration — where your Account configures a workflow to email a supplier or other recipient, the information you choose to include is sent on your instruction, through your Account's own email server.
9. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights in respect of your personal information held by us:
- Right of access — you may request a record of the personal information we hold about you.
- Right to correction or deletion — you may request that we correct inaccurate personal information or, where we have no lawful basis for retention, delete it.
- Right to object — you may object to the processing of your personal information on reasonable grounds.
- Right to complain — if you believe we have violated your rights under POPIA, you may lodge a complaint with the Information Regulator of South Africa at inforeg@justice.gov.za.
To exercise any of these rights, please contact our Information Officer, JJ Heymans.
10. Cookies and Session Data
The Platform uses server-side session cookies solely to maintain your authenticated login session and a CSRF token to protect against unauthorised requests. These cookies:
- Are not used for tracking, profiling, or advertising purposes.
- Do not persist beyond your browser session unless you have an active, authenticated session.
- Do not contain personal information beyond a session identifier.
We do not use third-party analytics, advertising cookies, or tracking pixels.
11. International Clients
Eziflow may serve Accounts both within South Africa and internationally. Where you access the Platform from outside South Africa, you acknowledge that your personal information is processed and stored in South Africa, and that such processing is subject to South African law, including POPIA. If your jurisdiction imposes specific transfer mechanisms or consent requirements (for example, under the GDPR), please contact our Information Officer to discuss appropriate arrangements.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify registered users by email or by a prominent notice on the Platform. Continued use of the Platform after any changes constitutes acceptance of the revised Policy.
13. Contact Us
For all privacy-related queries, requests, or complaints, please contact our Information Officer:
IDEA. (Pty) Ltd | Eziflow PO Platform
Note: This Privacy Policy is provided for general informational purposes and does not constitute legal advice. IDEA. (Pty) Ltd recommends that organisations with specific compliance obligations consult a qualified attorney familiar with South African and applicable international data protection law.