Privacy Policy

Last updated: 19 May 2026

1. Who We Are

iNdex POS is developed and operated by iNdexTech (Pty) Ltd, based in Johannesburg, South Africa. We build point-of-sale software for spaza shops, tuck shops, salons, and small businesses across South Africa.

Contact: privacy@indextech.co.za

2. What Data We Collect

Account & Shop Data

• Shop name, owner name, email address, phone number
• Business type and location (province/city level only)
• Subscription plan and billing status

Transaction & Sales Data

• Sales transactions, product names, prices, quantities
• Payment methods used (cash, card, EFT, mobile money)
• Refunds and voids

Staff Data

• Staff first name, last name, phone number, role
• Login credentials (passwords stored as BCrypt hashes — never plain text)

Customer Data (optional)

• Customer name, phone number, email (only if you add them)
• Loyalty points balance and transaction history

Device Data

• Device identifier (generated locally, not linked to personal identity)
• Bluetooth and Wi-Fi used locally for cashier pairing only — no data sent to our servers

3. What We Do NOT Collect

• We do not collect your device's contacts, photos, or microphone
• We do not sell your data to third parties
• We do not track your location beyond city/province level
• We do not share customer data with advertisers
• Camera permission is used only for QR code scanning during setup
• Bluetooth permission is used only for local cashier device pairing

4. How We Use Your Data

• To run your POS system and process sales
• To generate reports and analytics for your shop
• To enforce subscription limits and billing
• To send WhatsApp receipts and reminders to your customers (only if enabled)
• To detect fraud and anomalies in your shop's transactions
• To improve the app and fix bugs

5. Offline & Local Storage

iNdex POS stores data locally on your device (SQLite) so it works without internet. This data includes products, transactions, and staff profiles. It is encrypted on modern Android devices using Android's built-in storage encryption.

When internet is available, data syncs to our secure cloud servers hosted in South Africa.

6. POPIA Compliance

We comply with the Protection of Personal Information Act (POPIA), Act 4 of 2013. As a responsible party, you (the shop owner) control the personal information of your customers stored in iNdex POS. We act as an operator processing that data on your behalf.

You have the right to access, correct, or delete your personal information at any time by contacting us.

7. Data Security

• All data transmitted to our servers uses HTTPS/TLS encryption
• Passwords are hashed with BCrypt — we cannot see your password
• JWT tokens expire after 24 hours and use refresh token rotation
• OTP codes for the customer portal are stored as SHA-256 hashes only
• Our servers are hosted on Render.com with automatic security updates

8. Third-Party Services

iNdex POS integrates with the following services. Each has their own privacy policy:

• Ozow — Instant EFT payments
• MTN Mobile Money (MoMo) — Mobile payments
• Kazang — Airtime and electricity vending
• WhatsApp Business API — Receipts and notifications
• Firebase (Google) — Push notifications
• Xero — Accounting integration (optional)

9. Data Retention

We retain your data for as long as your account is active. If you cancel your subscription, your data is retained for 90 days before permanent deletion, allowing you to export your records. Transaction history required for SARS compliance is retained for 5 years.

10. Children's Privacy

iNdex POS is a business tool intended for adults (18+). We do not knowingly collect data from children under 13.

11. Changes to This Policy

We may update this policy as the app grows. We will notify you via the app or email when significant changes are made. Continued use of iNdex POS after changes means you accept the updated policy.

12. Contact Us

For privacy questions, data access requests, or to delete your account:

• Email: privacy@indextech.co.za
• Website: www.indextech.co.za