TOOLFlow Solutions ("we", "us", "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the TOOLFlow application ("Service" or "the App", as the context requires). This policy is compliant with the Protection of Personal Information Act, No. 4 of 2013 ("POPIA") of the Republic of South Africa.
1. Information We Collect
1.1 Information You Provide
| Data Type | Examples | Purpose |
|---|---|---|
| Account information | Email address, company name, store/location names | Account creation and management |
| User profiles | Admin usernames, worker names | User management and activity logging |
| Tool & material data | Item names, descriptions, quantities, prices, barcodes, photos | Core inventory tracking functionality |
| Transaction data | Check-in/out records, transfers, timestamps, user associations | Activity tracking and reporting |
| Client information | Client names, project/part numbers | Client tracking and cost reporting |
| Custom field data | Machine names, job numbers, or other custom data you configure | Custom tracking fields you define |
| Feedback | Messages submitted through the feedback feature | Product improvement and support |
1.2 Information Collected Automatically
- Device information: Browser type, operating system, screen size (collected with feedback submissions only).
- Usage data: Firebase Analytics may collect general app usage patterns.
We do not collect Global Positioning System ("GPS") location data, contacts, or any data from your device beyond what you explicitly enter into the app.
2. How We Use Your Information
We use your information solely to:
- Provide and maintain our Service.
- Process your account registration and authentication.
- Send transactional emails (account approvals, password resets, stock alerts, transfer slips, RFQ emails, etc.).
- Generate reports and exports you request.
- Respond to your feedback and support requests.
- Improve the Service based on usage patterns.
We are committed to safeguarding your personal information. Accordingly, we will not sell, rent, or trade your personal data to any third parties, nor will we use your information for advertising or marketing purposes.
The only exception is referral sharing with your explicit consent: if, during registration, you indicate that you heard about TOOLFlow through one of our distribution partners and you expressly consent by ticking the corresponding checkbox, we will share your name, email address and company name with that selected distributor only, for the sole purpose of enabling them to contact you about quotations and support. This sharing occurs once, only with the distributor you selected, and only with your explicit, recorded consent. If you do not tick the checkbox, no details are shared with any distributor.
3. Data Storage & Third-Party Services
3.1 Third-Party Service Providers
Your data is stored using the following third-party services:
| Service | Provider | Purpose | Location |
|---|---|---|---|
| Firebase Realtime Database | Google LLC | Data storage | United States |
| Firebase Authentication | Google LLC | User authentication | United States |
| Firebase Cloud Functions | Google LLC | Email sending, scheduled tasks | United States (us-central1) |
| Gmail SMTP | Google LLC | Transactional email delivery | United States |
| Netlify | Netlify Inc. | Application hosting | Global CDN |
| PayFast | PayFast (Pty) Ltd | Payment processing | South Africa |
| Payment merchant of record | CFAM Agritech (Pty) Ltd | Merchant of record for subscription payments made via PayFast | South Africa |
3.1.1 Payments and Merchant of Record
Subscription payments are processed by PayFast (Pty) Ltd, with CFAM Agritech (Pty) Ltd acting solely as the merchant of record. This means that when you pay for a subscription, your name, email address, and transaction details (amount, date, and payment reference) are received by CFAM Agritech (Pty) Ltd for the sole purposes of payment processing, accounting, and compliance with tax and other legal obligations. CFAM Agritech (Pty) Ltd's name (or its registered trading name) may appear on the PayFast checkout page and on your bank or card statement.
For clarity: CFAM Agritech (Pty) Ltd is not the owner or operator of TOOLFlow and does not control your data. TOOLFlow Solutions remains the responsible party for all Personal Information processed in connection with the Service. Payment information received by CFAM Agritech (Pty) Ltd in its capacity as merchant of record is never used for marketing purposes, and this payment flow is entirely independent of any referral-sharing consent you may give or decline at registration.
3.2 Cross-Border Processing and Transfers
Personal Information may be transferred to, stored, and processed in jurisdictions outside the Republic of South Africa where our service providers maintain infrastructure or operations.
Such transfers are undertaken in accordance with section 72 of POPIA, and are subject to appropriate contractual, technical and organisational safeguards designed to ensure an adequate level of protection for Personal Information. By using the Service, you acknowledge and consent to such cross-border transfers where required for the provision of the Service.
4. Data Security
4.1 Security Measures to Protect Your Data
- All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
- Company account credentials (the email and password used to register the company) are managed by Firebase Authentication, which stores them as salted hashes — we do not have access to the plain-text password.
- Firebase App Check is enforced on the database to verify legitimate app access.
- Role-based access ensures users can only access data within their company and assigned locations.
- Admin passwords are required for management functions inside the App.
- Firebase Security Rules restrict database read/write access to authenticated users within their company.
4.2 Worker (User Mode) and Sub-Administrator Credentials
Company administrators may create worker and sub-administrator user profiles and assign access credentials for operational use within their organisation. Such credentials are distinct from the primary company account credentials managed through Firebase Authentication.
Access to worker and sub-administrator accounts is subject to technical and organisational safeguards, including authentication controls, role-based permissions, Firebase Security Rules and App Check, and company-level access restrictions designed to prevent unauthorised access to company data.
The company administrator is responsible for selecting, assigning, managing and safeguarding worker and sub-administrator credentials, including ensuring that credentials are appropriate for the intended operational environment, are not shared with unauthorised persons, and are changed or revoked when access is no longer required.
Users should not reuse credentials that are used for other systems, applications or online services.
We implement reasonable security safeguards as contemplated by applicable data protection legislation, including POPIA. However, no method of electronic transmission, storage or processing can be guaranteed to be completely secure, and we cannot warrant or guarantee absolute security of information processed through the Service.
4.3 Customer Security Responsibilities
The registered company administrator is responsible for maintaining the confidentiality of account credentials, assigning appropriate user permissions, promptly disabling access for former employees or contractors, ensuring that passwords are not shared between users, and implementing internal security practices appropriate to its business operations.
We will not be responsible for unauthorised access arising from the customer's failure to safeguard credentials, manage user permissions appropriately, or remove access rights from persons no longer authorised to use the Service.
5. Your Rights Under POPIA
As a data subject under POPIA, you have the right to:
- Access: Request confirmation of what personal information we hold about you.
- Correction: Request correction of inaccurate personal information.
- Deletion: Request deletion of your personal information (you can delete your account directly from the App).
- Object: Object to the processing of your personal information.
- Data Export Functionality: Retrieve and retain copies of information stored within the App by using the CSV export functionality.
- Withdraw consent: Withdraw your consent to processing at any time by deleting your account.
To exercise any of these rights, contact us at support@toolflow.co.za. We will respond to requests relating to personal information within a reasonable period and in accordance with applicable provisions of POPIA.
6. Data Retention
6.1 Retention of Personal Information
- Active accounts: Your data is retained for as long as your account is active
- Account deleted by you: When you delete your account through the Main Admin panel, all associated data is permanently removed from our database immediately. We cannot recover deleted data.
- Account terminated by us: If we terminate your access under the Terms of Service (for violation, fraud, or payment failure), we may retain your data for up to 30 (thirty) days to allow you to export it before permanent deletion.
- Cancelled subscriptions: If your subscription lapses, data is retained for up to 30 (thirty) days to allow for reactivation or export, then permanently deleted.
- Feedback submissions: Retained indefinitely for product improvement purposes. Feedback messages do not contain account credentials and are not linked to tool or material data.
6.2 Responsibility for Information Submitted
Customers are solely responsible for ensuring that any personal information uploaded, entered, recorded or otherwise processed through the App has been lawfully collected and may lawfully be processed in accordance with applicable legislation, including POPIA.
We do not verify the legality, accuracy, completeness or lawfulness of information submitted by customers and accept no responsibility for any claim arising from customer-provided information.
7. Cookies & Local Storage
TOOLFlow is a Progressive Web App ("PWA") that uses:
- Firebase Authentication tokens: Stored locally to keep the user logged in.
- Service Worker cache: For offline functionality and faster loading.
We do not use tracking cookies or third-party advertising cookies.
8. Minors' Privacy
TOOLFlow is a B2B tool-tracking platform intended for use by businesses and their employees aged 18 (eighteen) or older. The person who registers a company account confirms that they are at least 18 (eighteen) years old.
Company administrators who add worker accounts are responsible for ensuring that the workers they add are aged 18 (eighteen) or older, and that the worker has consented to their name and identifying details being recorded in the platform for tool and material tracking purposes.
We do not knowingly collect personal information from persons under the age of 18 (eighteen). If we become aware that data relating to a person under 18 (eighteen) has been entered into the platform, we will remove it promptly on request. Removal requests can be sent to support@toolflow.co.za.
9. Email Communications
We send the following types of emails:
- Transactional: Account approvals, password resets, transfer slips, RFQ emails — sent only when triggered by an action the user takes.
- Stock alerts: Low stock email notifications — only if configured by the user's admin.
We do not send marketing emails. You can disable stock alert emails by removing your email from the alert configuration in settings on your device.
10. Changes to This Policy
We may update this Privacy Policy from time to time in our sole discretion. We will notify registered users by email of material changes at least 14 (fourteen) days before they take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.
Amendments which are administrative, non-material, beneficial to the user, required by law, or necessary to address security, fraud prevention or operational concerns may become effective immediately upon publication or notification.
The user is responsible for reviewing the most current version of the Privacy Policy from time to time.
The user's continued access to or use of the Service following the effective date of any amendment shall constitute acceptance of the amended Privacy Policy.
11. Security Compromise Notification
11.1 Initial Communication Alert
In accordance with Section 22 of POPIA, if we have reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorised person, we will notify:
- You, the affected user, by email to the address registered on your account, as soon as reasonably possible after the compromise is identified.
- The Information Regulator of South Africa, in accordance with their published notification process.
The notification will describe (a) the nature of the compromise, (b) what personal information was affected, (c) the steps we have taken to address it, and (d) any steps we recommend you take to protect yourself. We will only delay notification if instructed to do so by law enforcement or if doing so would impede a criminal investigation.
11.2 Incident Containment Measures
In the event of an actual or suspected security compromise, we reserve the right to suspend access to affected accounts, functions, services, databases or infrastructure where reasonably necessary to investigate, contain, mitigate or remediate the incident.
Such temporary suspension shall not constitute a breach of contract and shall not give rise to any claim against us.
12. Limitation of Liability
We implement reasonable technical and organisational safeguards to protect users' personal information in accordance with applicable law. Notwithstanding such safeguards, the customer acknowledges that no information technology system, software platform, communication network, cloud infrastructure, or security measure is capable of guaranteeing absolute security.
To the maximum extent permitted by applicable law, TOOLFlow shall not be liable for any indirect, incidental, consequential, special, punitive, or economic loss arising from any unauthorised access to, acquisition of, disclosure of, alteration of, destruction of, or loss of Personal Information resulting from a security compromise, cyberattack, malicious conduct by a third party, system vulnerability, telecommunications failure, internet outage, force majeure event, or other circumstance beyond TOOLFlow's reasonable control.
Nothing in this Privacy Policy excludes or limits any liability that may not lawfully be excluded or limited under applicable law.
13. Information Officer
In accordance with POPIA, our designated Information Officer can be contacted at:
Email: info@toolflow.co.za
Website: www.toolflow.co.za
Country: Republic of South Africa
If you are not satisfied with our response to a privacy concern, you may lodge a complaint with the Information Regulator of South Africa:
Information Regulator (South Africa)
Address: Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg, 2191
POPIA complaints: POPIAComplaints@inforegulator.org.za
General enquiries: enquiries@inforegulator.org.za
Phone: 010 023 5200 | Toll-free: 0800 017 160
Website: inforegulator.org.za