Privacy Policy

Effective date: [TO BE INSERTED BEFORE LAUNCH]

Last updated: July 2025

1. Introduction

Geteken (Pty) Ltd ("Geteken", "we", "us", "our") is committed to protecting the personal information of our customers and the individuals who interact with our platform.

This Privacy Policy describes how we collect, use, process, store, and share personal information in connection with the Geteken electronic signature platform. It applies to all users of the platform, including account holders, document senders, and document recipients.

This policy is published in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and the Electronic Communications and Transactions Act 25 of 2002 (ECTA).

2. Who we are (responsible party)

  • Geteken (Pty) Ltd is the responsible party as defined in POPIA.
  • Contact: compliance@geteken.co.za
  • Registered address: [PLACEHOLDER — to be inserted before launch]
  • Information Officer: [PLACEHOLDER — name and registration number to be inserted before launch]

3. Personal information we collect

  • Account information: name, email address, company name, preferred language.
  • Signing event data: signatory name, email address, mobile number (if SMS OTP is used), IP address at time of signing, user-agent string, and timestamp.
  • Document content: the text, images, and metadata in documents you upload or receive for signing. We do not perform content analysis beyond what is needed to render the signing interface and generate audit certificates.
  • Payment information: billing name and email. We do not store card numbers — payments are processed by Paystack.
  • Usage data: page views, API calls, error logs, and performance metrics. This data is aggregated and anonymised where possible.
  • Communications: emails you send to our support address.

4. Why we collect personal information

  • To provide the signing service: collecting signatory identity information is essential to generating a legally effective audit certificate under ECTA.
  • To communicate with you: sending transaction emails (signing invites, reminders, completed packs).
  • To process payments and maintain billing records.
  • To detect and prevent fraud and security incidents.
  • To improve the platform through aggregated analytics.
  • To comply with legal obligations, including POPIA, ECTA, and SARS record-keeping requirements.

5. Lawful basis for processing (POPIA section 11)

  • Contract: processing is necessary to perform our agreement with you — delivering the signing service.
  • Legitimate interest: security logging, fraud prevention, and platform improvement.
  • Legal obligation: retention of records as required by applicable law.
  • Consent: where we ask for your consent (e.g., marketing emails), you may withdraw it at any time.

6. Sharing personal information

We share personal information only as necessary:

  • Sub-processors: Supabase (database hosting, South Africa region), Cloudflare (edge compute), Paystack (payment processing), Resend (transactional email). Each sub-processor is bound by contractual data protection obligations.
  • Legal requirements: we may disclose information if required by a court order, subpoena, or applicable law.
  • Business transfers: in the event of a merger or acquisition, personal information may be transferred to the successor entity. We will notify affected users.

We do not sell personal information to third parties.

7. Retention

  • Signed documents and audit logs: retained for the period you configure in your account settings (default: 7 years). This default aligns with South African statutory record-keeping requirements.
  • Account information: retained for as long as your account is active, plus 3 years after closure.
  • Payment records: 5 years (SARS requirement).
  • Signing OTPs: purged within 24 hours of use or expiry.
  • On deletion of your account or expiry of the retention period, data is permanently deleted from production storage within 30 days and from backups within 90 days.

8. Security

We implement appropriate technical and organisational measures to protect personal information, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2 minimum).
  • RSA-PSS-SHA256 cryptographic signatures on all completed documents.
  • OTP-based identity verification for all signatories.
  • Access controls limiting database access to authorised personnel.
  • Regular security reviews and incident response procedures.

No security measure is perfect. If you believe your information has been compromised, contact compliance@geteken.co.za immediately.

9. Your rights under POPIA

You have the following rights in respect of personal information we hold about you:

  • Right of access: request a copy of personal information we hold about you.
  • Right to correction: request correction of inaccurate or incomplete information.
  • Right to deletion: request deletion of personal information, subject to retention obligations.
  • Right to object: object to processing based on legitimate interest.
  • Right to lodge a complaint: with the Information Regulator of South Africa — inforeg.org.za.

To exercise any of these rights, email compliance@geteken.co.za. We will respond within 30 days. We may ask you to verify your identity before processing the request.

10. Children

The platform is not directed at persons under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected such information, contact compliance@geteken.co.za and we will delete it.

11. Cross-border transfers

Our primary database is hosted in the AWS af-south-1 (South Africa) region. Cloudflare edge routing may involve transit through international nodes for performance reasons.

We apply POPIA section 72 transfer controls. Transfers outside South Africa are made only to recipients that provide an adequate level of protection for personal information or where we have contractual safeguards in place.

12. Cookies

We use session cookies strictly necessary for authentication. We do not use tracking, advertising, or analytics cookies that identify individual users.

You can disable cookies in your browser, but this will prevent you from logging in.

13. Changes to this policy

We may update this policy periodically. Material changes will be communicated by email or in-platform notification at least 30 days before they take effect. The current version is always available at geteken.co.za/privacy.

14. Contact