Back to Plutus Solutions

Privacy Policy

Version 1.1, Effective date: 11 May 2026

1. Introduction

Plutus Solutions (“we”, “us”, “our”) is committed to protecting your personal information in compliance with the Protection of Personal Information Act, 2013 (POPIA) and other applicable South African legislation. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform.

2. Information We Collect

We collect the following categories of personal information:

  • Account information: first name, last name, username, email address, and encrypted password.
  • Authentication data: short code (PIN), two-factor authentication secrets (encrypted).
  • Business data: transaction records, purchase documents, daily sales and cashup summaries, supplier information, and uploaded documents.
  • Technical data: IP address, browser user agent, and login timestamps for security auditing.

3. Purpose of Processing

We process your personal information for the following purposes:

  • Providing and maintaining the Plutus Solutions platform and services.
  • Authenticating your identity and securing your account.
  • Storing and organising your business records and documents.
  • Generating reports and dashboards for your business operations.
  • Communicating with you about your account (password resets, setup emails).
  • Complying with legal and regulatory obligations.
  • Security auditing and fraud prevention.

4. Legal Basis for Processing

We process your personal information based on: (a) your consent, which you provide when accepting these terms; (b) contractual necessity, to provide the services you have requested; and (c) legitimate interest, for security auditing and platform improvement.

5. Data Storage and Security

  • Passwords are hashed using bcrypt with a cost factor of 12 and are never stored in plain text.
  • All data is transmitted over HTTPS/TLS encryption.
  • Documents are stored securely using Cloudflare R2 with signed URLs for access control.
  • Access to personal data is restricted by role-based permissions (Master Admin, Company Admin, Branch Admin, User).
  • Authentication tokens expire after 8 hours.
  • Security events (logins, password changes, data exports, account activations/deactivations) are logged in an audit trail.
  • Login attempts are rate-limited to 10 attempts per minute per account. Accounts are temporarily locked for 10 minutes after exceeding this limit to prevent brute-force attacks.
  • Global API rate limiting is applied at 300 requests per minute per IP address to protect against abuse.

6. Data Sharing

We do not sell, trade, or rent your personal information to third parties. We may share data with:

  • Infrastructure providers: Cloudflare (document storage), Mailgun (transactional emails), strictly as data processors acting on our instructions.
  • Legal authorities: when required by law, regulation, or court order.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services. Financial transaction records may be retained for the period required by South African tax legislation (currently 5 years). Audit logs are retained for 2 years. Upon individual account deletion, personal data is removed and financial records are anonymised for legal compliance.

Company deactivation and deletion: When a Company Admin deactivates their company, all data is retained for a 30-day grace period. During this period, the Company Admin may log in to download data or reactivate the account. After 30 days, all company data, including user accounts, branches, transactions, documents, uploaded files, audit logs, and all associated records, is permanently and irreversibly deleted from our systems and storage infrastructure. It is the Company Admin’s responsibility to download all required data before the 30-day period expires.

User deactivation: Deactivated user accounts are retained (not physically deleted) to preserve audit trail integrity. Deactivated users cannot access the platform. Their names remain associated with historical audit records for accountability.

8. Your Rights Under POPIA

You have the right to:

  • Access: Request a copy of all personal data we hold about you (available via Profile → Security → Download My Data).
  • Data portability: Download all branch-level data including transactions, documents, and uploaded files as a ZIP archive (available via Settings → Branches).
  • Correction: Update or correct your personal information via your profile settings.
  • Deletion: Request deletion of your account and personal data (available via Profile → Security → Delete Account).
  • Objection: Object to specific processing of your personal information.
  • Withdraw consent: Withdraw your consent at any time, though this may affect your ability to use the platform.

9. Cookies and Tracking

Plutus Solutions uses local storage (not cookies) to maintain your authentication session. We do not use third-party tracking, analytics, or advertising cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the version number and effective date at the top of this page. If changes are material, you will be asked to re-accept the updated policy upon your next login.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your POPIA rights, please contact us at:

Email: privacy@plutussolutions.co.za
Website: https://plutussolutions.co.za