We collect the following categories of personal information in order to provide and improve the Service:

a) Account and Organisation Information: When you register for an account or are invited to an organisation, we collect your name, email address, phone number, organisation name, timezone, and role or permission group assignment.

b) Authentication Credentials: We use a secure, industry-standard authentication provider to manage your login credentials. Passwords are encrypted and are never stored in plaintext.

c) Operational Data: Data you create or upload through the Service, including audit submissions, form responses, task records, approval workflows, documents, photos, reports, and scheduling information ("Client Data").

d) Usage and Analytics Data: We automatically collect anonymised usage data such as page views, feature interactions, device type, browser information, and error logs to improve platform performance and user experience.

e) Contact and Enquiry Information: If you contact us via our contact form, submit a support request, or download resources, we collect the information you provide (e.g. name, email, company, message content).

We process your personal information for the following purposes:

• To create and manage your account and organisation within the Service.
• To provide, maintain, and improve the functionality of the Service.
• To authenticate users and enforce role-based access controls.
• To send transactional communications, including account notifications, reports, and operational alerts.
• To process billing and subscription management through our payment provider.
• To respond to support requests, enquiries, and bug reports.
• To analyse anonymised usage patterns for the purpose of improving user experience.
• To detect, prevent, and address fraud, abuse, or security incidents.

We process your personal information based on one or more of the following lawful grounds:

• Contractual Necessity: Processing is necessary to perform the contract between you and Storecall (i.e. providing the Service).
• Consent: Where you have provided explicit consent, such as when submitting a contact form or registering for a trial.
• Legitimate Interest: Processing is necessary for our legitimate business interests, such as improving the Service, ensuring security, and preventing fraud.
• Legal Obligation: Processing may be required to comply with applicable laws and regulations.

All data is hosted on Google Cloud Platform infrastructure, which maintains industry-leading security certifications including SOC 1, SOC 2, SOC 3, and ISO 27001. We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, destruction, or alteration. These measures include encryption in transit and at rest, strict access controls, server-side validation, and regular security reviews.

The Service enforces role-based access controls to ensure that users can only access data belonging to their organisation and consistent with their assigned permissions. Access policies are enforced at both the application and infrastructure level. Organisation administrators are responsible for correctly assigning users to appropriate roles and permission groups.

Storecall acts in two distinct capacities depending on the type of personal information involved:

• Responsible Party / Controller: Storecall is the responsible party (as defined under POPIA) or data controller (as defined under GDPR) for account information, billing data, and usage analytics that we collect directly from users to operate the Service.
• Operator / Processor: When our clients use the Service to collect, store, or manage personal information about their own employees, stores, or other individuals through audits, forms, or workflows ("Client Data"), Storecall acts as an operator (under POPIA) or data processor (under GDPR). In this capacity, the client remains the responsible party or data controller for their Client Data and is responsible for ensuring that they have the appropriate legal basis and consent to collect and process such data through the Service.

Storecall processes Client Data solely in accordance with the client's instructions and the terms of the applicable service agreement. Clients who require a formal Data Processing Agreement (DPA) may contact us to arrange one.

We engage trusted third-party service providers to help operate and deliver the Service. These providers are contractually bound to process personal information only as necessary to provide their services to us and in compliance with applicable data protection laws. The categories of third-party providers we use include:

• Cloud Infrastructure: Hosting, database, file storage, and authentication services provided by Google Cloud Platform (Firebase).
• Payment Processing: Subscription and billing services are handled by Paystack, a PCI-DSS compliant payment processor. We do not store your credit card or banking details directly. Paystack's privacy policy is available at paystack.com/privacy.
• Email Communications: Transactional and operational emails are delivered through SendGrid (Twilio). SendGrid's privacy policy is available at twilio.com/legal/privacy.
• Abuse Prevention: We use Google reCAPTCHA to verify legitimate user interactions and protect the Service against bot traffic and abuse. This is subject to the Google Privacy Policy and Terms of Service.
• Analytics: We use Firebase Analytics, a Google service, to collect anonymised usage data. This data remains within Google Cloud Platform infrastructure and is not shared with third-party advertising networks. Google's privacy policy applies and is available at policies.google.com/privacy.

We encourage you to review the privacy policies of any third-party services that may be integrated with your use of the Service.

The Service uses cookies and similar technologies to maintain your session and remember preferences. We also use Firebase Analytics (a Google service) to collect anonymised usage data such as page views and feature interactions; this data remains within Google Cloud Platform infrastructure and is not shared with third-party advertising networks. The Service does not use cookies for third-party advertising or cross-site tracking. You may control cookie settings through your browser, but disabling essential cookies may affect the functionality of the Service.

We retain your personal information for as long as your account is active or as needed to provide the Service. Client Data is retained in accordance with your organisation's subscription and any applicable data retention agreements. Upon termination of your account or subscription, Client Data will be available for export for 60 calendar days following termination, in accordance with our Terms of Service, after which it will be permanently deleted. Other personal information (such as account and billing data) will be deleted or anonymised within a reasonable period following termination, unless retention is required by law or for legitimate business purposes (e.g. dispute resolution, audit requirements). Anonymised and aggregated analytics data may be retained indefinitely as it does not identify individual users.

In the event of a personal information breach that poses a risk to data subjects, we will notify the relevant supervisory authority (including the Information Regulator of South Africa under POPIA, and applicable authorities under GDPR) and affected individuals as required by applicable law. We will take immediate steps to contain, assess, and remediate any breach, and will provide affected parties with information about the nature of the breach, the categories of personal information involved, and the measures taken or proposed to address it.

We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following circumstances:

• With third-party service providers as described in the "Third-Party Service Providers" section above, strictly for the purposes of operating the Service.
• With your organisation's administrators, who manage user accounts and access within their organisation.
• When required by law, regulation, legal process, or enforceable governmental request.
• To protect the rights, property, or safety of Storecall, our users, or the public.
• In connection with a merger, acquisition, or sale of assets, provided the receiving party agrees to protect your information in a manner consistent with this Privacy Policy.

Your data may be processed and stored in jurisdictions outside of your country of residence, including where our cloud infrastructure providers operate data centres. Where such transfers occur, we ensure that appropriate safeguards are in place to protect your personal information in accordance with applicable data protection laws, including standard contractual clauses or equivalent mechanisms.

Subject to applicable law (including POPIA and, where applicable, GDPR), you have the following rights regarding your personal information:

• Access: Request confirmation of whether we hold your personal information and obtain a copy of it.
• Correction: Request correction of any inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information, subject to legal retention obligations.
• Objection: Object to the processing of your personal information where processing is based on legitimate interest.
• Restriction: Request restriction of processing in certain circumstances.
• Data Portability: Request your personal information in a structured, commonly used, and machine-readable format.
• Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us using the details provided in the "Contact Us" section below. We will respond to your request within a reasonable timeframe and in accordance with applicable law.

The Service is not directed at children under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information promptly.

You are responsible for maintaining the confidentiality of your account credentials. We strongly recommend using strong, unique passwords and not sharing them with others. Storecall will never request your password via email or any other communication channel. If you believe your account has been compromised, please contact us immediately.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The updated policy will be posted on our website with a revised "Last Updated" date. We encourage you to review this Privacy Policy periodically. For material changes, we will make reasonable efforts to notify you via email or a prominent notice within the Service. Your continued use of the Service after any changes constitutes your acceptance of the revised Privacy Policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:

Prolific Solutions (Pty) Ltd, trading as Storecall
Email: imraan@prolificsolutions.co.za

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority, such as the Information Regulator of South Africa.