Privacy Policy
QMSync is a platform operated by Atida (Pty) Ltd ("QMSync", "we", "us", or "our"). We are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information about you when you use our platform at qmsync.co.za. It is written in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) of South Africa.
By using QMSync, you confirm that you have read and understood this policy. If you do not agree, please discontinue use of the platform.
1. Responsible Party
The responsible party for your personal information is:
2. Information We Collect
We collect personal information only where necessary to provide the QMSync service. This includes:
Account Information
Name, email address, job title, and organisation name provided during registration or onboarding.
Organisation Data
Quality management records you create within the platform — NCRs, audits, risks, documents (including their full revision history), training records, management review outputs, and My Tasks actions. This data belongs to your organisation; we act as an operator on your behalf.
User Preferences
Display name and timezone selected during onboarding or updated in account settings. Timezone defaults to Africa/Johannesburg for new accounts.
Team Invitation Data
When an organisation owner invites a team member, we store the invitee's email address, the role being offered, a time-limited invitation token (valid for 7 days), and a reference to the inviting user. This data is deleted or marked accepted once the invitation is acted on.
Billing Information
Payment is processed by Paystack, a PCI-DSS compliant payment provider. We do not store your card details. We receive transaction confirmation, subscription status, and subscription renewal dates only.
Usage Data
Log data such as IP address, browser type, pages visited, and timestamps — collected automatically to maintain security and improve the platform.
3. Purpose of Processing
We process your personal information for the following specific purposes:
- 01Providing and maintaining the QMSync platform and your account
- 02Sending transactional emails (invitations, overdue alerts, password resets)
- 03Processing subscription payments via Paystack
- 04Communicating important updates about the service
- 05Detecting and preventing fraud, abuse, or security incidents
- 06Complying with legal obligations under South African law
- 07Improving platform functionality based on aggregated, anonymised usage data
We will not use your personal information for any purpose not listed above without first obtaining your consent.
4. Legal Basis for Processing
Under POPIA, we process personal information on the following grounds:
- 01Contractual necessity — to perform the subscription agreement with you
- 02Legitimate interest — to maintain platform security and prevent fraud
- 03Legal obligation — to comply with applicable South African laws
- 04Consent — for marketing communications (where applicable)
5. Third-Party Service Providers
We share personal information only with trusted service providers who process it strictly on our behalf:
| Provider | Role | Location |
|---|---|---|
| Supabase | Database hosting and authentication | EU / US (data residency configurable) |
| Paystack | Payment processing | Nigeria / South Africa (PCI-DSS compliant) |
| OpenFGA (Okta) | Fine-grained authorisation — stores role assignments linking users to organisations and resources | United States |
| Resend | Transactional email delivery | United States |
| Sentry | Error monitoring and performance | United States (EU option available) |
| Vercel | Application hosting and edge delivery | United States / Global CDN |
We do not sell your personal information to any third party.
6. Data Retention
We retain your personal information only as long as necessary:
- 01Active account data — retained for the duration of your subscription
- 02Billing records — retained for 5 years as required by South African tax law
- 03System logs — retained for 90 days for security purposes
- 04Deleted account data — anonymised within 30 days of account closure
7. Your Rights Under POPIA
As a data subject under POPIA (sections 23–25), you have the following rights:
Right to access
Request a copy of the personal information we hold about you
Right to correction
Request correction of inaccurate or incomplete information
Right to deletion
Request deletion of your personal information (subject to legal retention obligations)
Right to object
Object to processing based on legitimate interest
Right to data portability
Receive your data in a structured, machine-readable format
Right to withdraw consent
Withdraw consent for processing at any time without affecting prior lawful processing
To exercise any of these rights, email us at privacy@qmsync.co.za. We will respond within 30 days.
8. The Information Regulator
If you are not satisfied with how we have handled your personal information, you have the right to lodge a complaint with the Information Regulator of South Africa:
9. Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These include TLS encryption in transit, AES-256 encryption at rest, row-level security on all database tables, and role-based access controls enforced by OpenFGA.
In the event of a data breach that is likely to harm your rights and interests, we will notify you and the Information Regulator as required by POPIA section 22.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, where the changes are material, notify you by email. Continued use of QMSync after changes are published constitutes acceptance of the updated policy.
Contact Us
For any privacy-related questions or requests, contact our information officer at privacy@qmsync.co.za.
Controlled copy — uncontrolled when printed.