
POPIA Compliance

Last updated: 3 May 2026

EazyTax is operated by Starlight Group SA (Pty) Ltd, a company registered in the Republic of South Africa, in compliance with the Protection of Personal Information Act No. 4 of 2013 (“POPIA”). This page explains how we meet POPIA's eight conditions for lawful processing and how you can exercise your rights as a data subject.

1. Our commitment to POPIA

POPIA gives South Africans the right to know what personal information is collected about them, why it is collected, how it is used, and who it is shared with. We have built EazyTax with these principles at the core — minimising the data we collect, isolating each user's data at the database layer, and being clear about every third-party processor we use.

2. Information Officer

Our Information Officer is responsible for handling all POPIA-related enquiries, including data subject access requests, deletion requests, and complaints.

3. Lawful basis for processing

We process your personal information on the basis of contractual necessity. You cannot use EazyTax without us processing your financial data — parsing your bank statements, categorising transactions, and generating SARS-format guides is the core service you are paying for. We also rely on legitimate interest for service-improvement signals (anonymised, aggregated usage data) and on your explicit consent for transactional and reminder emails.

4. Special categories of information

We do not process “special personal information” as defined in section 26 of POPIA. EazyTax does not collect or process information relating to your religious beliefs, race, political opinions, health, sexual orientation, biometric data, or criminal behaviour.

Your SARS tax reference number is treated as confidential financial information and is only used to populate your generated tax guides and for SARS payment-reference instructions.

5. Trans-border data flows

EazyTax stores your data on Supabase infrastructure in a South Africa region where available, with multi-region replication for redundancy. For specific processing operations, your data may transiently leave South Africa:

  • Receipt OCR and bank-statement PDF parsing — performed by an AI processing partner whose API is hosted in the United States. Document images and statement text are sent for processing only and are NOT retained by the AI provider beyond the API call.
  • Email delivery via Resend — message bodies and recipient addresses are processed by Resend (United States) for the purpose of sending the email.
  • Payment processing via Stripe — card data is collected and held by Stripe; we never receive or store your card number.

Each of these processors operates under its own privacy framework — our AI partner and Resend offer SOC 2-compliant data handling; Stripe is PCI-DSS certified. We do not authorise any of them to use your data for purposes other than providing the service to you. The specific AI provider used for OCR is available on request via privacy@starlightgroupsa.co.za.

6. Security safeguards

We protect your information through:

  • Row-level security at the database layer — every query is filtered by your user ID, so a user cannot read or modify another user's data.
  • Encrypted storage for bank statements and receipt images, with per-user folder access policies.
  • Bcrypt password hashing via Supabase Auth.
  • TLS 1.2+ on all data in transit.
  • Time-limited, single-use share links for accountant review (14-day expiry).
  • Bearer-token authentication for all internal cron and webhook endpoints.
  • Mandatory MFA for all EazyTax staff with production database access.
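
As an added illustration of the first two safeguards above (row-level security and per-user storage folder policies), the following is example SQL for a Supabase-hosted Postgres database. It is not EazyTax's own schema: the table name, columns and bucket name are assumed; auth.uid(), storage.objects and storage.foldername() are Supabase primitives.

```sql
-- Added example, not EazyTax's schema. Table, columns and bucket name are assumed.
-- auth.uid() returns the calling user's UUID from the verified JWT (Supabase).

create table if not exists transactions (
  id           bigint generated always as identity primary key,
  user_id      uuid not null default auth.uid(),   -- owner of the row
  statement_id bigint,
  posted_on    date not null,
  amount       numeric(14,2) not null,
  category     text
);

-- Turn RLS on, and force it so even the table owner is subject to the policies.
alter table transactions enable row level security;
alter table transactions force row level security;

-- USING filters rows that already exist; WITH CHECK gates rows being written.
-- Without any matching policy, RLS denies the operation by default.
create policy "owner can read" on transactions
  for select using (auth.uid() = user_id);

create policy "owner can insert" on transactions
  for insert with check (auth.uid() = user_id);

create policy "owner can update" on transactions
  for update using (auth.uid() = user_id) with check (auth.uid() = user_id);

create policy "owner can delete" on transactions
  for delete using (auth.uid() = user_id);

-- Storage: objects are stored under <user_id>/<file> in a private bucket.
-- storage.foldername(name) splits the object path; element 1 is the top folder,
-- so a user can only list or upload inside the folder named after their own id.
create policy "own folder read" on storage.objects
  for select using (
    bucket_id = 'bank-statements'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

create policy "own folder write" on storage.objects
  for insert with check (
    bucket_id = 'bank-statements'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

-- Verification: run as an authenticated user with no application-side filter.
-- The count must equal that user's own rows only; a non-zero count for another
-- user's rows means a policy is missing or too permissive.
-- select count(*) from transactions;
```

Two checks a reviewer would make against a setup like this: every table holding user data has RLS enabled (a table without it is fully readable through the API), and the service-role key, which bypasses RLS entirely, is used only by server-side jobs such as the cron and webhook endpoints, which is why those endpoints need their own bearer-token authentication rather than relying on database policies.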

7. How to exercise your rights

POPIA gives you the right to access, correct, delete, or object to the processing of your personal information. To exercise any of these rights, send a request to privacy@starlightgroupsa.co.za. We will respond within 30 days.

Most requests can also be self-served from your account: you can export all your transactions and PDFs from the Reports page, edit your profile on the Settings page, and request account deletion from the Security tab.

8. How to lodge a complaint

If you believe we have not handled your personal information lawfully and you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa.