Privacy Policy

Who We Are

Khanya CRM is operated by Khanya ("we", "us", "our"), a company registered in South Africa. Our platform is accessible at app.getkhanya.com and getkhanya.com.

Contact: info@getkhanya.com

We are committed to protecting your personal information in accordance with the Protection of Personal Information Act, 4 of 2013 (POPIA) and the Electronic Communications and Transactions Act, 25 of 2002 (ECT Act).

1. What This Policy Covers

This Privacy Policy explains how Khanya collects, uses, stores, and protects personal information when you:

- Visit our marketing website at getkhanya.com

- Create and use an account at app.getkhanya.com

- Interact with our Lead Engine, CRM, invoicing, or task features

- Contact us by email or through the platform

2. Information We Collect

2.1 Account Information

When you register for Khanya, we collect:

- Full name and email address — required to create your account

- Password — stored as a securely hashed value (we never store plaintext passwords)

- Profile details — any additional information you choose to add to your profile

2.2 Billing and Payment Information

When you subscribe to a paid plan, we collect:

- Plan selection and subscription status (Basic, Starter, or Pro)

- Payment transaction IDs and status returned by PayFast after payment

We do not store credit card numbers, bank account details, or any raw payment credentials. All payment processing is handled by PayFast, a PCI-DSS-compliant South African payment gateway. PayFast's own Privacy Policy governs their handling of your payment details.

2.3 Business Lead Data

When you use the Lead Engine to discover South African businesses, we process:

- Business names, addresses, phone numbers, website URLs, and ratings sourced from publicly available sources (including Google Maps and publicly accessible web pages)

- Lead notes, tags, status updates, and activity logs that you create within the CRM

You are responsible for ensuring that your use of this data complies with applicable law, including POPIA, when you store, contact, or process information about third-party businesses.

2.4 Team and Collaboration Data

If your account includes team members, we collect:

- Names and email addresses of invited users

- Role assignments (admin, manager, agent)

- Activity logs associated with each user

2.5 Usage and Technical Data

We automatically collect the following when you use the platform:

- IP address and approximate geographic location (country/city level)

- Browser type, operating system, and device type

- Pages visited, features used, and session duration

- Error logs and performance data to help us diagnose issues

2.6 Communications

If you contact us via email or through a contact form, we retain those communications to respond to your enquiry and improve our service.

3. Legal Basis for Processing

Under POPIA, we process your personal information on one or more of the following grounds:

• Creating and managing your account — Contract performance

• Sending transactional emails (receipts, notifications) — Contract performance

• Processing subscription payments via PayFast — Contract performance

• Improving platform features and fixing bugs — Legitimate interest

• Sending product updates or announcements (opt-out available) — Legitimate interest / consent

• Complying with legal obligations (tax records, fraud prevention) — Legal obligation

4. How We Use Your Information

We use your information to:

1. Provide the service — operate your account, manage your pipeline, process invoices, and run the Lead Engine

2. Process payments — initiate and verify subscriptions with PayFast; manage plan upgrades, downgrades, and cancellations

3. Send transactional communications — account confirmations, password resets, invoice receipts, task notifications

4. Improve the platform — analyse usage patterns to fix bugs and build better features

5. Provide support — respond to questions and troubleshoot issues

6. Meet legal obligations — retain financial records as required by South African tax law

We do not sell your personal information to third parties. We do not use your data to serve third-party advertising.

5. Third Parties We Share Data With

We share data with trusted third parties only to the extent necessary to operate the platform:

• PayFast (Payment processing and recurring billing) — Name, email, subscription amount

• Resend (Transactional email delivery) — Name, email address

• Google Maps Platform (Business discovery in the Lead Engine) — Search queries, location parameters

• Infrastructure providers (Hosting: servers, database, Redis, object storage) — Encrypted data at rest

All third-party providers are contractually required to handle your data securely and in accordance with applicable law.

6. Data Retention

We retain data as follows:

• Account data — For as long as your account is active, plus 12 months after closure

• Financial records (invoices, payment logs) — 5 years (as required by South African tax law)

• Lead and CRM data — For as long as your account is active

• Server and error logs — 90 days

• Marketing enquiries / early access submissions — 24 months

You may request deletion of your account and associated data at any time (see Section 8 — Your Rights).

7. Data Security

We take reasonable technical and organisational measures to protect your personal information, including:

- All data in transit is encrypted using TLS (HTTPS)

- Passwords are hashed using bcrypt — never stored in plaintext

- Production infrastructure is hosted within isolated Docker containers

- Access to production systems is restricted by role

- Sensitive environment variables (API keys, database credentials) are never committed to version control

No system is 100% secure. If you suspect a security incident involving your account, contact us immediately at info@getkhanya.com.

8. Your Rights Under POPIA

As a data subject, you have the right to:

• Access — Request a copy of the personal information we hold about you

• Correction — Request that inaccurate or incomplete information be corrected

• Deletion — Request that we delete your personal information (subject to legal retention obligations)

• Objection — Object to the processing of your information on grounds of legitimate interest

• Restriction — Request that we restrict processing in certain circumstances

• Portability — Receive your data in a structured, machine-readable format

• Complaint — Lodge a complaint with the Information Regulator of South Africa

To exercise any of these rights, email us at info@getkhanya.com with the subject line "Privacy Request". We will respond within 30 days.

Information Regulator of South Africa:

Website: inforegulator.org.za

Email: inforeg@justice.gov.za

9. Cookies

We use cookies and similar tracking technologies to operate and improve the platform. For full details, see our Cookie Policy.

10. Children's Privacy

Khanya is a B2B platform intended for business use. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has provided us with personal information, contact us at info@getkhanya.com and we will delete it promptly.

11. International Data Transfers

Khanya is operated from South Africa and primarily serves South African businesses. Some of our third-party service providers (such as Resend for email delivery) may process data in countries outside South Africa. Where this occurs, we ensure appropriate contractual protections are in place consistent with POPIA.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this document. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related questions or requests:

Khanya CRM

Email: info@getkhanya.com

Website: getkhanya.com

Khanya — Built in South Africa 🇿🇦