Privacy Policy

Last updated: 2026-05-15

This policy explains how TaxSort handles your personal information under the Protection of Personal Information Act, 2013 (“POPIA”). It is intentionally specific about what leaves the platform and where it goes; we’d rather you know the trade-offs than discover them later.

1. Who we are

John Swanepoel trading as TaxSort (“TaxSort,” “we,” “us”) is the responsible party for the personal information processed through this service. Our contact details are in section 11.

2. What information we collect

When you use TaxSort we collect:

  • Account information: your full name, email address, password (stored only as a bcrypt hash), and optional firm name.
  • Client Information: the personal information of your tax clients — name, SA ID number, SARS tax number, and tax-year metadata. ID and tax numbers are encrypted at rest with AES-256-GCM.
  • Bank statement content: the CSV or PDF files you upload, and every individual transaction extracted from them, including the merchant narration and amount.
  • Operational data: sign-in timestamps, IP address (for rate limiting), audit-log entries of every category override or sign-off action, and minimal product analytics about which pages you visit.

3. Why we process it

  • To deliver the categorization, review, and export services your subscription pays for.
  • To bill you, prevent fraud, and meet our own tax and record-keeping obligations under the Tax Administration Act.
  • To capture an audit trail you can use to defend a SARS verification or audit of your client’s return.
  • To diagnose and fix product errors via aggregated, automatically-scrubbed error reports (Sentry).

We do not train any AI model on your data or your clients’ data. Categorization is performed using third-party AI models (see section 5) but their providers’ contractual terms with us prohibit training on transmitted content and require 30-day deletion of input on standard API tiers.

4. Lawful basis

We process your personal information on the basis of (i) the contract between you and us under POPIA s11(1)(b), (ii) our legitimate interests in operating and securing the service under s11(1)(f), and (iii) your specific consent for cross-border AI processing as set out in section 5.

5. AI categorization and cross-border processing

This is the section that surprises most users; please read it carefully.

When you upload a CSV or PDF bank statement, TaxSort extracts the text from it and sends that text to an AI provider for transaction extraction and SARS-category classification. The provider we use is OpenAI, L.L.C., based in the United States.

The text sent to OpenAI typically includes:

  • Account holder name and account number as printed on the statement.
  • Every transaction line: date, merchant narration, amount.
  • Statement period and bank identifier.

Under OpenAI’s API terms in force at the time of writing, this data is not used for model training and is retained for at most 30 days for abuse-monitoring before being deleted. OpenAI operates servers in the United States; this constitutes a cross-border transfer of personal information under POPIA s72, for which we rely on either (a) your consent given by uploading the file after reading this notice, or (b) the safeguards in the data processing agreement we maintain with OpenAI.

Right to object (POPIA s11(3)): if you do not want a particular client’s statement processed by an AI provider, do not upload that statement. We’re working on a non-AI fallback (deterministic per-bank CSV parsers already exist for FNB, Standard Bank, ABSA, Capitec, and Nedbank); using CSV from these banks keeps your data on our infrastructure and never sends it to OpenAI.

6. Who else we share data with (subprocessors)

We rely on the following operators to deliver the service. Each has its own privacy and security commitments documented on their websites.

  • Vercel Inc. (US, with EU edge presence) — application hosting.
  • Supabase Inc. (data hosted in the EU, Ireland) — database and private file storage for your uploaded statements.
  • Inngest Inc. (US) — background job execution for the AI categorization pipeline. Receives transaction IDs only, not raw statement content.
  • OpenAI, L.L.C. (US) — AI categorization. See section 5 above for the data scope.
  • Resend Inc. (US/EU) — transactional email (verification, password reset). Receives your email address only.
  • Sentry (Functional Software, Inc.) (EU, Frankfurt) — error reporting. We have configured Sentry not to send request bodies, headers, or IP addresses.

A current list with the country of processing and data scope per subprocessor is available on request at privacy@taxsort.co.za.

7. How long we keep it

We keep account information and audit-log entries for the lifetime of your account plus 5 years after closure, to align with the SARS record-keeping period in the Tax Administration Act. Bank statement files in our storage bucket are kept for the duration of your subscription; you may request earlier deletion of any client’s data at any time.

8. How we secure it

Full details are on our Security page. Headline controls:

  • Passwords hashed with bcrypt (cost 12).
  • Client ID and tax numbers encrypted at rest with AES-256-GCM.
  • All traffic TLS 1.2 or higher.
  • Row-level security on every Postgres table.
  • Private storage bucket, server-only access via service-role key.
  • Email verification required before dashboard access.
  • Tamper-evident audit trail for every override and sign-off.

9. Cookies and local storage

We set one strictly-necessary cookie: taxsort-session, an HTTP-only, Secure, SameSite=Strict session cookie that contains your encrypted session identifier. We do not use third-party analytics cookies, advertising trackers, or marketing pixels.

10. Your rights

Under POPIA you have the right to:

  • Access the personal information we hold about you.
  • Request correction or deletion of inaccurate or unlawfully obtained information.
  • Object to processing (see section 5 for the AI-specific objection).
  • Lodge a complaint with the Information Regulator.

To exercise any of these rights, email us at privacy@taxsort.co.za. We aim to respond within 30 calendar days.

11. The Information Regulator

You may complain directly to the Information Regulator (South Africa):

  • Email: inforeg@justice.gov.za
  • Phone: +27 12 406 4818
  • Website: https://inforegulator.org.za/

12. Changes

We may update this policy. The “Last updated” date at the top reflects the most recent change. Material changes will be notified by email to your account address at least 14 days before they take effect.

13. Contact

John Swanepoel trading as TaxSort
Email: privacy@taxsort.co.za
Postal address: available on request.