Privacy Policy

What we collect, why we collect it, how long we keep it, and what you can do about it. Built around POPIA, South Africa's Protection of Personal Information Act.

Last updated 29 April 2026

This Privacy Policy explains how Atab (Pty) Ltd (“Atab”, “we”, “us”), trading as Snap-a-Slip, processes your personal information in connection with the service.

We are the responsible party for personal information processed through Snap-a-Slip, as defined under POPIA.

1. Information Officer

Our Information Officer can be contacted at hello@snap-a-slip.com. Use this address for any access requests, deletion requests, or POPIA-related queries.

2. What we collect

To run Snap-a-Slip, we collect:

  • Phone number. Your WhatsApp number is your account identifier. We need it to send you replies and to keep your data linked to you.
  • Receipt photos. Every image you send to Snap-a-Slip on WhatsApp.
  • Extracted receipt data. Merchant, date, total, VAT, currency, line items, category, and the raw OCR text. Plus any corrections you send.
  • Payment metadata. Tier, billing period, PayFast transaction reference. We do not store full card numbers. PayFast handles those directly.
  • Usage data. Timestamps of incoming and outgoing messages, errors, command counts. Used to keep the service running and to bill correctly.
  • Device and IP metadata. Standard request headers from the WhatsApp webhook and the web app, used for rate-limiting and security.

3. Why we collect it

We process your personal information for these purposes:

  • To provide the service (extract, categorise, store, and export your receipts).
  • To bill you correctly and to enforce tier limits.
  • To improve accuracy and reliability (in aggregate, with personally identifying information stripped).
  • To comply with our legal obligations under South African law.

4. How long we keep it

  • Active accounts. Receipt data and images for as long as your account is active, plus 7 years after the last receipt, to support SARS audit trails. You can shorten this from your account settings.
  • Cancelled accounts. 30 days after cancellation, for export and recovery. Then deleted.
  • Payment metadata. 5 years, as required by South African tax legislation.
  • Logs and rate-limit metadata. 90 days.

5. Who processes your data

We use a small number of trusted sub-processors. Each is contractually bound to handle your data in line with this policy and POPIA.

  • OpenAI. Receipt extraction. Sees OCR text only. No images.
  • Google Cloud Vision. OCR. Receives the receipt image.
  • Cloudflare R2 (af-south-1, Cape Town). Image and export storage.
  • Meta WhatsApp Cloud API. The chat surface. They carry every inbound and outbound message.
  • PayFast. Card processing for paid tiers.
  • Vercel. Hosting for this marketing site.

We never sell your data. We do not share it with marketing networks or data brokers.

6. Your rights under POPIA

POPIA gives you specific rights over your personal information. We honour all of them:

  • Access (s23). Request a copy of all personal information we hold about you. Reply with “export everything” in WhatsApp, or email us. We respond within 7 days.
  • Correction (s24). Reply with “merchant ...”, “amount ...”, or any other correction. The receipt updates instantly.
  • Erasure (s24). Type “delete account” in WhatsApp. We confirm, then permanently delete every receipt, image, and personal field within 7 days.
  • Objection. You can object to specific processing (for example, aggregate accuracy improvements). Email us.
  • Complaint. If you're not satisfied with how we handle your data, you can complain to the Information Regulator at inforegulator.org.za.

7. Cross-border transfers

Receipt images stay in af-south-1 (Cape Town). OCR happens in Google's region closest to af-south-1. Receipt text is sent to OpenAI for extraction. OpenAI processes data in the United States. PayFast and Meta operate globally.

Each sub-processor is contractually bound to provide protection broadly equivalent to POPIA, in line with POPIA s72.

8. Security

Data in transit is encrypted with TLS 1.3. Data at rest is encrypted (AES-256). Server-side encryption on R2 is enabled. Access to production systems is limited to a small set of named individuals, with audit logging.

No system is bulletproof. If we suffer a security incident affecting your data, we'll notify you and the Information Regulator without unreasonable delay, as POPIA requires.

9. Cookies and tracking

The marketing site uses Plausible analytics. Plausible does not use cookies and does not collect personally identifying information. The web app uses one essential cookie for your login session. No third-party tracking.

10. Children

Snap-a-Slip is not intended for users under 18. We don't knowingly process the personal information of children. If you believe we have, contact our Information Officer and we'll delete it.

11. Updates to this policy

We update this policy when our practices change. The “Last updated” date at the top reflects the most recent revision. For material changes we notify you via WhatsApp or email at least 14 days before they take effect.

12. Contact

Email hello@snap-a-slip.com for any privacy or data-protection question. We aim to respond within 7 days.