Privacy Policy

Last updated: March 2026

1. Introduction

VMS (VAT Management System) ("we", "us", "our") is committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and other applicable South African legislation. As a responsible party under POPIA, we are accountable for the personal information we process and are committed to the principles of lawfulness, minimality, purpose limitation, and information quality as set out in Chapter 3 of POPIA.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our cloud-based VAT management platform. It applies to all users of the Service, including organisation owners, administrators, accountants, and viewers.

For any privacy-related enquiries, you may contact us at privacy@vms.co.za.

2. Information We Collect

We collect the following categories of personal information in order to provide and improve our Service:

2.1 Account Information

  • Full name, email address, and authentication credentials when you create an account.
  • Profile information you choose to provide.
  • Authentication data managed through our identity provider (Supabase Auth), including OAuth tokens where applicable.

2.2 Business Information

  • Company or trading name.
  • VAT registration number and company registration number.
  • Business address, filing frequency, and tax year-end details.
  • Organisation logo (if uploaded).

2.3 Financial and Transaction Data

  • VAT transactions (input and output), including descriptions, amounts, VAT rates, vendor/customer names, and dates.
  • VAT period data, filing statuses, and calculated VAT summaries.
  • Recurring transaction templates.
  • Audit log entries recording changes to transactions.

2.4 Receipt Data

  • Uploaded receipt images and PDF documents.
  • Data extracted via optical character recognition (OCR), including vendor names, amounts, VAT numbers, VAT rates, and individual line item details.

2.5 Payment Information

  • Payment method type (card, debit order, or EFT).
  • Card last four digits, card brand, and expiry date (for display purposes only).
  • Paystack authorisation tokens for processing recurring payments.
  • We do not store full card numbers, CVVs, or PINs. All sensitive payment data is handled exclusively by Paystack in their PCI DSS Level 1 compliant environment.

2.6 Usage and Technical Data

  • Pages visited, features used, and interaction patterns (collected via Vercel Analytics).
  • Browser type, operating system, screen resolution, and device type.
  • IP address, approximate geographic location derived from IP, and referring URL.
  • Error reports and performance data (collected via Sentry, anonymised where possible).

3. How We Use Your Information

We process your personal information for the following purposes:

  • Platform delivery: Providing and maintaining the VMS platform, including dashboard views, report generation, and data management features.
  • VAT calculations: Processing VAT transactions, calculating input/output VAT, generating VAT201 reports, and facilitating SARS eFiling XML exports.
  • OCR processing: Sending receipt images to our OCR service to automatically extract transaction data, reducing manual data entry.
  • Authentication: Verifying your identity, managing sessions, and securing access to your account and organisation data.
  • Billing and payment processing: Processing subscription payments, managing plan changes, generating invoices, and handling payment retries and grace periods.
  • Email communications: Sending transactional emails including welcome messages, team invitations, payment receipts, trial expiry notices, and payment failure alerts.
  • Error monitoring: Identifying and resolving technical issues, crashes, and performance problems to ensure platform reliability.
  • Legal compliance: Meeting our obligations under the Tax Administration Act, POPIA, and other applicable legislation.
  • Fraud prevention: Detecting and preventing unauthorised access, abuse, and fraudulent activity on the platform.

4. Legal Basis for Processing

We process your personal information based on the following lawful grounds under POPIA Section 11:

  • Consent (Section 11(1)(a)): You provide consent when creating an account, uploading receipts for OCR processing, and opting in to communications. You may withdraw consent at any time, though this may affect your ability to use certain features.
  • Contractual necessity (Section 11(1)(b)): Processing is necessary to deliver the services you have subscribed to, including VAT calculations, report generation, billing, and team management.
  • Legal obligation (Section 11(1)(c)): We may process data to comply with tax record-keeping requirements under the Tax Administration Act, anti-money laundering obligations, and other regulatory requirements.
  • Legitimate interest (Section 11(1)(f)): To improve our services, ensure platform security, prevent fraud, and maintain system integrity, provided such processing does not prejudice your rights and freedoms.

5. Data Sharing and Third Parties

We share your personal information only with the following third-party service providers, strictly as needed to provide and maintain our Service. We do not sell, rent, or trade your personal information to any third party.

  Provider            | Purpose                                        | Data Processed
  --------------------|------------------------------------------------|--------------------------------------------------------------------------------------------
  Supabase            | Database, authentication, and file storage     | Account data, business data, transactions, receipt files, authentication tokens
  Google (Gemini API) | Receipt OCR processing                         | Receipt images are processed in real time and are not retained by Google beyond the API request
  Paystack            | Payment processing (PCI DSS Level 1 compliant) | Payment card details, billing amounts, transaction references
  Resend              | Transactional email delivery                   | Recipient email addresses, email content (welcome, invitations, billing notices)
  Vercel              | Web hosting and edge compute                   | HTTP request data, IP addresses, usage analytics
  Sentry              | Error monitoring and performance tracking      | Anonymised error data, stack traces, browser/device metadata

We will not share your data with parties not listed above without your explicit consent, unless required by law or a valid court order.

6. Cross-Border Data Transfers

Some of our third-party service providers operate outside the Republic of South Africa, including in the United States and the European Union. In accordance with POPIA Section 72, we ensure that any cross-border transfer of personal information is subject to appropriate safeguards, including:

  • Contractual data processing agreements that impose obligations equivalent to those under POPIA.
  • Encryption of all data in transit using TLS 1.2 or higher.
  • Encryption of data at rest by our infrastructure providers.
  • Selection of providers that maintain industry-recognised security certifications (SOC 2, ISO 27001, PCI DSS as applicable).

Receipt images sent to the Google Gemini API for OCR are transmitted securely, processed in real time, and are not retained by Google after the API response is returned.

7. Data Storage and Security

We implement comprehensive security measures to protect your personal information:

  • Row-level security (RLS): Database-level policies ensure that users can only access data belonging to their organisations. All queries are filtered through security-definer functions that verify membership and role permissions.
  • Encryption: All data is encrypted in transit (TLS) and at rest. Database connections use encrypted channels.
  • HTTPS enforcement: All platform communications are secured via HTTPS with strict transport security (HSTS) headers.
  • Security headers: Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers are enforced to protect against common web vulnerabilities.
  • Receipt storage: Receipt images and documents are stored in access-controlled storage buckets scoped to organisation members, with a maximum file size of 10MB and restricted to JPEG, PNG, WebP, and PDF formats.
  • Payment security: We do not store full payment card numbers. All payment processing is handled by Paystack, a PCI DSS Level 1 compliant payment gateway. We store only card last four digits, brand, and expiry for display purposes.
  • Authentication: User sessions are managed through Supabase Auth with secure, HTTP-only session cookies. Server-side session validation is performed on all protected routes.
  • Rate limiting: OCR and sensitive API endpoints are rate-limited to prevent abuse.

8. Data Retention

We retain your personal information according to the following schedule:

  • Active accounts: Your data is retained for as long as your account remains active and is necessary to provide the Service.
  • Tax records: Financial and transaction data may be retained for a minimum of five (5) years after the relevant tax year to comply with South African tax record-keeping requirements under the Tax Administration Act 28 of 2011.
  • Audit logs: Transaction audit trail entries are retained for the duration of the relevant tax retention period to support compliance and dispute resolution.
  • Account deletion: Upon account deletion or termination, we will delete or anonymise your personal information within thirty (30) days, except where retention is required by law.
  • Billing records: Payment and invoice records may be retained for the statutory period required under the Companies Act and tax legislation.
  • Backup data: Encrypted backups may retain data for up to ninety (90) days after deletion, after which they are permanently purged.

9. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights:

  • Right of access (Section 23): You may request confirmation of whether we hold your personal information and request access to it. You can export your data at any time from your account settings in PDF, CSV, Excel, or XML format.
  • Right to correction (Section 24): You may request that we correct or update inaccurate, incomplete, or misleading personal information. You can also correct most data directly through the platform interface.
  • Right to deletion (Section 24): You may request the deletion of your personal information, subject to legal retention requirements. You can initiate a deletion request from your account settings.
  • Right to object (Section 11(3)(a)): You may object to the processing of your personal information on reasonable grounds relating to your particular situation, unless we have a legitimate ground that overrides your objection.
  • Right to withdraw consent (Section 11): Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing conducted before withdrawal.
  • Right to data portability: You may request your data in a structured, commonly used, machine-readable format. Our platform supports export in PDF, CSV, Excel, and SARS eFiling XML formats.
  • Right to lodge a complaint (Section 74): You may lodge a complaint with the Information Regulator if you believe your privacy rights have been infringed. See Section 14 for the Information Regulator's contact details.

To exercise any of these rights, please contact us at privacy@vms.co.za. We will respond to your request within a reasonable time, and in any event within thirty (30) days as required by POPIA.

10. Data Breach Notification

In accordance with POPIA Section 22, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, we will:

  • Notify the Information Regulator as soon as reasonably possible after the discovery of the compromise.
  • Notify affected data subjects as soon as reasonably possible after notifying the Information Regulator, unless the identity of such data subjects cannot be established.
  • Provide sufficient information to allow data subjects to take protective measures against the potential consequences of the compromise.
  • Include in the notification: the nature of the breach, the categories of personal information affected, measures taken to address the breach, and recommended steps data subjects should take.

11. Cookies and Local Storage

We use only essential cookies and local storage to operate the Service. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

  • Authentication session cookie: Supabase authentication cookies (sb-*) maintain your signed-in session. These are essential for the Service to function.
  • Theme preference: Your light/dark mode preference is stored in localStorage.
  • Cookie consent: Your cookie consent choice is stored in localStorage.
  • UI preferences: Sidebar state and other interface preferences are stored in localStorage.

For full details on our use of cookies and local storage, please see our Cookie Policy.

12. Children's Privacy

Our Service is a business-to-business platform designed for use by VAT-registered businesses and tax professionals. It is not directed at children under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take reasonable steps to delete such information from our systems.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Posting the updated policy on our platform with a revised "Last updated" date.
  • Sending an email notification to the address associated with your account for significant changes.
  • Displaying an in-platform notification where appropriate.

Continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of the Service and may request deletion of your data.

14. Information Regulator Contact

If you have concerns about how we handle your personal information or wish to lodge a complaint, you may contact the Information Regulator (South Africa):

  • Phone: 012 406 4818
  • Email: inforeg@justice.gov.za
  • Website: https://inforegulator.org.za
  • Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
  • Postal address: P.O. Box 31533, Braamfontein, Johannesburg, 2017

15. Contact Us

For any privacy-related enquiries, to exercise your rights under POPIA, or to contact our Information Officer, please reach out to us:

  • Email: privacy@vms.co.za
  • Subject line: "Privacy Enquiry" or "POPIA Request"

We will acknowledge receipt of your request within five (5) business days and endeavour to respond substantively within thirty (30) days.