Legal registerQMS-LGL-001
Doc No.
QMS-LGL-001
Category
Legal
Last updated
8 June 2026
In force

Privacy Policy

QMSync is a platform operated by Atida (Pty) Ltd ("QMSync", "we", "us", or "our"). We are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information about you when you use our platform at qmsync.co.za. It is written in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) of South Africa.

By using QMSync, you confirm that you have read and understood this policy. If you do not agree, please discontinue use of the platform.

1. Responsible Party

The responsible party for your personal information is:

CompanyAtida (Pty) Ltd
PlatformQMSync
RegistrationSouth Africa
Phone+27 (0)10 500 4800
LocationPretoria & Johannesburg, South Africa
Emailprivacy@qmsync.co.za
Supportsupport@qmsync.co.za
Websiteqmsync.co.za

2. Information We Collect

We collect personal information only where necessary to provide the QMSync service. This includes:

Account Information

Name, email address, job title, and organisation name provided during registration or onboarding.

Organisation Data

Quality management records you create within the platform — NCRs, audits, risks, documents (including their full revision history), training records, management review outputs, and My Tasks actions. This data belongs to your organisation; we act as an operator on your behalf.

User Preferences

Display name and timezone selected during onboarding or updated in account settings. Timezone defaults to Africa/Johannesburg for new accounts.

Team Invitation Data

When an organisation owner invites a team member, we store the invitee's email address, the role being offered, a time-limited invitation token (valid for 7 days), and a reference to the inviting user. This data is deleted or marked accepted once the invitation is acted on.

Billing Information

Payment is processed by Paystack, a PCI-DSS compliant payment provider. We do not store your card details. We receive transaction confirmation, subscription status, and subscription renewal dates only.

Usage Data

Log data such as IP address, browser type, pages visited, and timestamps — collected automatically to maintain security and improve the platform.

Cookies

We use session cookies required for authentication. We do not use third-party advertising cookies.

3. Purpose of Processing

We process your personal information for the following specific purposes:

  • 01Providing and maintaining the QMSync platform and your account
  • 02Sending transactional emails (invitations, overdue alerts, password resets)
  • 03Processing subscription payments via Paystack
  • 04Communicating important updates about the service
  • 05Detecting and preventing fraud, abuse, or security incidents
  • 06Complying with legal obligations under South African law
  • 07Improving platform functionality based on aggregated, anonymised usage data

We will not use your personal information for any purpose not listed above without first obtaining your consent.

4. Legal Basis for Processing

Under POPIA, we process personal information on the following grounds:

  • 01Contractual necessity — to perform the subscription agreement with you
  • 02Legitimate interest — to maintain platform security and prevent fraud
  • 03Legal obligation — to comply with applicable South African laws
  • 04Consent — for marketing communications (where applicable)

5. Third-Party Service Providers

We share personal information only with trusted service providers who process it strictly on our behalf:

ProviderRoleLocation
SupabaseDatabase hosting and authenticationEU / US (data residency configurable)
PaystackPayment processingNigeria / South Africa (PCI-DSS compliant)
OpenFGA (Okta)Fine-grained authorisation — stores role assignments linking users to organisations and resourcesUnited States
ResendTransactional email deliveryUnited States
SentryError monitoring and performanceUnited States (EU option available)
VercelApplication hosting and edge deliveryUnited States / Global CDN

We do not sell your personal information to any third party.

6. Data Retention

We retain your personal information only as long as necessary:

  • 01Active account data — retained for the duration of your subscription
  • 02Billing records — retained for 5 years as required by South African tax law
  • 03System logs — retained for 90 days for security purposes
  • 04Deleted account data — anonymised within 30 days of account closure

7. Your Rights Under POPIA

As a data subject under POPIA (sections 23–25), you have the following rights:

Right to access

Request a copy of the personal information we hold about you

Right to correction

Request correction of inaccurate or incomplete information

Right to deletion

Request deletion of your personal information (subject to legal retention obligations)

Right to object

Object to processing based on legitimate interest

Right to data portability

Receive your data in a structured, machine-readable format

Right to withdraw consent

Withdraw consent for processing at any time without affecting prior lawful processing

To exercise any of these rights, email us at privacy@qmsync.co.za. We will respond within 30 days.

8. The Information Regulator

If you are not satisfied with how we have handled your personal information, you have the right to lodge a complaint with the Information Regulator of South Africa:

NameInformation Regulator (South Africa)
Websitewww.inforegulator.org.za
Emailinforeg@justice.gov.za
AddressJD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

9. Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These include TLS encryption in transit, AES-256 encryption at rest, row-level security on all database tables, and role-based access controls enforced by OpenFGA.

In the event of a data breach that is likely to harm your rights and interests, we will notify you and the Information Regulator as required by POPIA section 22.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, where the changes are material, notify you by email. Continued use of QMSync after changes are published constitutes acceptance of the updated policy.

Contact Us

For any privacy-related questions or requests, contact our information officer at privacy@qmsync.co.za.

Controlled copy — uncontrolled when printed.