Privacy Policy

OmniFlo is owned and operated by FY25 (Pty) Ltd ("FY25", "we", "us", "our"), a private company registered in the Republic of South Africa with its registered address at:

Tijger Vallei Office Park, Building 98 Unit 9/10,
Pony Street, Hazeldean, Pretoria, 0054, South Africa

For the purposes of the Protection of Personal Information Act, 4 of 2013 ("POPIA"), FY25 (Pty) Ltd is the Responsible Party in respect of personal information processed through OmniFlo.

This policy explains how we collect, use, share, store and protect personal information when you:

• visit our websites at omniflo.co.za and related subdomains;
• register for, or use, the OmniFlo application; or
• communicate with us by email or other channels.

It is published in compliance with POPIA and, where relevant, the Electronic Communications and Transactions Act, 25 of 2002 ("ECTA") and the Consumer Protection Act, 68 of 2008 ("CPA").

We collect and process the following categories of personal information:

• Account information: name, email address, password (stored hashed), organisation name and role.
• Business and supplier data: supplier names, contact details, banking details (account number, branch, account holder), invoices, purchase orders, aged-payables information and confirmation letters that you upload.
• Xero integration data: when you connect Xero, we receive organisation details, contacts, bills and purchase-order data via the Xero API, using OAuth tokens that we store securely.
• Usage and technical data: IP address, browser type, device information, log files, pages visited and timestamps.
• Communications: emails and support requests you send to us.

We do not knowingly collect special personal information (as defined in POPIA) or personal information of children under 18.

• Directly from you when you register, configure your account or upload data.
• Automatically through cookies and similar technologies when you use the site.
• From third parties you authorise us to integrate with, such as Xero and your identity provider (e.g. Google sign-in).

In line with section 11 of POPIA, we only process personal information where we have a lawful basis to do so. The bases we rely on are:

• Performance of a contract – to provide the OmniFlo service to you and your organisation;
• Consent – where you have explicitly agreed (for example, connecting a Xero organisation or receiving marketing emails);
• Legal obligation – to comply with tax, accounting and other statutory obligations;
• Legitimate interests – to secure our systems, prevent fraud and duplicate payments, improve the service and communicate with you about it.

The specific purposes for which we process personal information include:

• creating and managing your user account and organisation;
• enabling supplier payment management, approval workflows and audit trails;
• generating bank-ready CSVs and PDF reports;
• communicating service updates, security notices and support responses;
• monitoring performance, debugging and improving the platform;
• complying with our legal and regulatory obligations.

We do not sell personal information. We share it only with the following categories of recipients, under appropriate contractual safeguards:

• Cloud and infrastructure providers that host the OmniFlo application, database and storage on our behalf;
• Xero, where you have connected your Xero organisation, for the purposes of importing and synchronising accounting data;
• Email and communication providers used to send transactional and notification emails;
• Professional advisors such as auditors, accountants and lawyers, where required;
• Law enforcement and regulators, where we are legally required to disclose information.

Some of our service providers process data outside South Africa. Where personal information is transferred across borders, we ensure (in line with section 72 of POPIA) that the recipient is subject to a law, binding corporate rules or binding agreement that provides an adequate level of protection, or that you have consented to the transfer, or that the transfer is necessary for the performance of a contract with you.

We retain personal information only for as long as is necessary for the purposes for which it was collected, or as required by law. As a general rule:

• Account and transactional data is retained for the duration of your use of the service and for a period of 5 (five) years after closure of your account, to meet our tax, audit and regulatory obligations under South African law.
• Audit logs and security records may be retained for the same period.
• Marketing data is retained until you opt out, after which we keep a minimal suppression record.

After the applicable retention period, personal information is deleted or de-identified.

We take reasonable, appropriate technical and organisational measures to secure the integrity and confidentiality of personal information, as required by section 19 of POPIA. These include:

• encryption of data in transit (HTTPS/TLS) and at rest;
• row-level security and role-based access controls within the database;
• segregation of duties (Owner / Loader / Approver) within the application;
• secrets management for API keys and OAuth tokens;
• logging, monitoring and regular security reviews.

If a security compromise affecting your personal information occurs, we will notify the Information Regulator and affected data subjects as required by section 22 of POPIA.

Under POPIA you have the right to:

• be notified that your personal information is being collected or has been accessed without authorisation;
• request confirmation of, and access to, the personal information we hold about you;
• request correction or deletion of inaccurate, irrelevant or outdated information;
• object to the processing of your personal information on reasonable grounds;
• object to direct marketing and withdraw any consent previously given;
• lodge a complaint with the Information Regulator (see contact details below).

To exercise any of these rights, contact us using the details in section 13. We may need to verify your identity before actioning a request, and certain requests may be subject to lawful limitations.

We use a small number of cookies and similar technologies to keep you signed in, remember your selected organisation and measure basic usage. You can disable cookies in your browser, but parts of OmniFlo may not function correctly without them.

We will only send you direct electronic marketing where you have consented or where you are an existing customer and the marketing relates to similar services, as permitted by section 69 of POPIA and section 45 of ECTA. Every marketing message includes an unsubscribe option.

If you have any questions, complaints or requests relating to your personal information, please contact our Information Officer:

FY25 (Pty) Ltd – Information Officer
Tijger Vallei Office Park, Building 98 Unit 9/10,
Pony Street, Hazeldean, Pretoria, 0054
Email: info@beal.co.za

You have the right to lodge a complaint with the Information Regulator of South Africa:

The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: POPIAComplaints@inforegulator.org.za
Website: inforegulator.org.za

We may update this policy from time to time. The "Last updated" date at the top will reflect the latest revision. Material changes will be communicated through the application or by email.