Skip to main content
Paid It logoPaid It

Privacy Policy

Effective Date: February 2026

1. Introduction

Paid It, a product of WeMakeSites (Pty) Ltd (Registration Number: 2025/527655/07), is committed to protecting your personal information in accordance with the Protection of Personal Information Act, 4 of 2013 (POPIA). This Privacy Policy explains how we collect, use, store, and share your personal information when you use our invoicing platform ("Platform"). By creating an account or using the Platform, you consent to the practices described in this policy.

2. Responsible Party and Information Officer

The responsible party for the processing of your personal information, as defined in Section 1 of POPIA, is:

  • Legal Entity: WeMakeSites (Pty) Ltd
  • Registration Number: 2025/527655/07
  • Product: Paid It (a product of WeMakeSites (Pty) Ltd)
  • Address: 1219 Mokale Dr, Unit 7, Mmabatho, Mahikeng, North West, South Africa
  • Email: paidit@wemakesites.co.za
  • Website: https://wemakesites.co.za

Our designated Information Officer, as required by Sections 55 and 56 of POPIA, can be contacted at:

  • Email: paidit@wemakesites.co.za
  • Address: 1219 Mokale Dr, Unit 7, Mmabatho, Mahikeng, North West, South Africa

3. Personal Information We Collect

In compliance with Section 18(1)(a) of POPIA, we collect the following categories of personal information when you use our Platform:

Business Details

  • Business or trading name
  • VAT registration number
  • Company registration number
  • Business address

Contact Information

  • Full name
  • Email address
  • Phone number
  • WhatsApp number

Financial Information

  • Bank account details (for invoice display purposes only — we do not store payment card data; this is handled by Paystack)
  • Invoice data and line items
  • Payment records and transaction history

Usage Data

  • Login times and session information
  • Feature usage and interaction patterns

Device Data

  • Browser type and version
  • Device type and operating system
  • IP address

4. Voluntary or Mandatory Provision of Information

In compliance with Section 18(1)(d) and (e) of POPIA:

  • Mandatory: Your name, email address, and business details are required to create an account and use the Platform. Without this information, we cannot provide you with access to the service.
  • Mandatory for invoicing: Your business address, bank account details, and VAT number (if VAT-registered) are required to generate SARS-compliant tax invoices. Without this information, the invoicing features of the Platform cannot function correctly.
  • Optional: Your phone number and WhatsApp number are optional. If not provided, you will not be able to use WhatsApp-based invoice delivery features, but all other Platform functionality will remain available.

5. Purpose of Processing

In compliance with Section 13 of POPIA (purpose limitation), we process your personal information for the following specific purposes:

  • Providing invoicing, quoting, and business management services
  • Processing subscription payments through Paystack
  • Processing invoice payments from your clients through Paystack, including split payments to your designated bank account
  • Sending invoices and quotes via email and WhatsApp on your behalf
  • Generating PDF documents for invoices and quotes
  • Providing AI-powered features such as invoice assistance and smart suggestions (see Section 12 below)
  • Facilitating compliance with SARS requirements for tax invoices
  • Improving our services, diagnosing technical issues, and enhancing user experience
  • Communicating service updates, billing notifications, and important changes

6. Legal Basis for Processing

We process your personal information on the following legal grounds under POPIA Section 11:

  • Consent (Section 11(1)(a)): You provide consent when you create an account and agree to this Privacy Policy via our click-wrap consent mechanism.
  • Contract Performance (Section 11(1)(b)): Processing is necessary to fulfil our obligations under the service agreement when you subscribe to Paid It.
  • Legal Obligation (Section 11(1)(c)): We are required to retain certain financial records in compliance with the Tax Administration Act, 28 of 2011 (Section 29) and the Companies Act, 71 of 2008.
  • Legitimate Interest (Section 11(1)(f)): We may process data where it is in our legitimate business interest, such as improving services and preventing fraud, provided this does not override your rights. You may object to processing on this basis at any time (see Section 10 below).

7. Data Recipients and Third-Party Operators

In compliance with POPIA Section 21, we have written agreements with each of the following third-party operators (data processors) who assist us in operating the Platform. Each operator is bound to maintain security measures as required by POPIA Section 19:

  • Supabase — Database hosting and authentication (AWS infrastructure, hosted in various regions). Processes: account data, business information, invoice data.
  • Vercel — Application hosting and deployment (United States). Processes: request data, IP addresses.
  • Paystack South Africa (Pty) Ltd — Payment processing for subscriptions and invoice payments (South Africa). Paystack is PCI DSS compliant and licensed by the Payments Association of South Africa (PASA). Payment card data is processed directly by Paystack and is never stored on our servers. Processes: payment card details, transaction amounts, email addresses.
  • OpenAI — AI-powered features including invoice assistance and smart suggestions (United States). We send only the minimum data necessary to provide AI features (invoice descriptions and line items). Processes: invoice content submitted to AI features. See Section 12 for more detail.
  • Resend — Email delivery for invoices, quotes, and notifications (United States). Processes: recipient email addresses, invoice/quote PDF attachments.
  • Meta / WhatsApp — WhatsApp message delivery for invoices and quotes (United States). Processes: recipient phone numbers, message content, document attachments. See Section 13 for more detail.
  • Google LLC — Website analytics via Google Analytics 4 (United States). Analytics cookies are only set if you provide explicit consent via our cookie consent banner. Processes: anonymised usage data, page views, device and browser information, IP address (anonymised by Google). See Section 15 for more detail on cookies and how to withdraw consent.

Each operator processes data only as necessary to perform their specific function and is contractually bound to maintain appropriate security measures.

8. Cross-Border Transfers

In compliance with Section 72 of POPIA, your personal information may be transferred to and processed in countries outside of South Africa, including the United States, by our service providers listed above. These transfers are lawful under Section 72(1) on the following bases:

  • Binding agreements (Section 72(1)(a)): Each service provider has entered into data processing agreements that provide a level of protection substantially similar to POPIA.
  • Consent (Section 72(1)(b)): By agreeing to this Privacy Policy, you consent to the cross-border transfer of your personal information for the purposes described herein.
  • Contractual necessity (Section 72(1)(c)): The transfers are necessary for the performance of the contract between you and Paid It.

We take reasonable steps to ensure that your personal information is treated securely and in accordance with this Privacy Policy when transferred internationally.

9. Data Retention

In compliance with POPIA Section 14 (retention limitation), we retain your personal information only for as long as necessary to fulfil the purposes described in this policy, subject to the following minimum retention periods required by law:

  • Invoice and financial records: Retained for a minimum of 5 years from the date of submission of the relevant tax return, in compliance with the Tax Administration Act, 28 of 2011 (Section 29).
  • Company records: Retained for 7 years in compliance with the Companies Act, 71 of 2008.
  • Account data: Deleted within 30 days of an account deletion request, except for records we are legally required to retain under South African tax and company legislation.

10. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights:

  • Right of Access (Section 23): You may request confirmation of whether we hold your personal information and request a copy of it.
  • Right to Correction (Section 24): You may request that inaccurate or incomplete personal information be corrected or updated.
  • Right to Deletion (Section 24): You may request the deletion of your personal information where it is no longer necessary for the purpose it was collected, subject to legal retention requirements.
  • Right to Object (Section 11(3)): You may object to the processing of your personal information on reasonable grounds relating to your particular situation. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right Not to be Subject to Automated Decision-Making (Section 71): You may request that a decision that was made solely by automated processing be reconsidered (see Section 12 below).
  • Right to Complain: You have the right to lodge a complaint with the Information Regulator of South Africa if you believe your personal information has been mishandled.

To exercise any of these rights, you may contact us free of charge via email, WhatsApp, SMS, phone, or in person, in accordance with the POPIA Amendment Regulations (April 2025). Contact us at paidit@wemakesites.co.za. We will respond to your request within 30 days.

11. Data Security

In compliance with POPIA Section 19 (security safeguards), we take appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, destruction, or damage. These measures include:

  • Encryption at rest using AES-256 encryption standards
  • Encryption in transit using TLS (Transport Layer Security)
  • Row-level security (RLS) for multi-tenant data isolation, ensuring your data is only accessible to your organisation
  • Strict access controls and authentication mechanisms
  • Regular security reviews of our infrastructure and service providers
  • Payment processing handled by PCI DSS-compliant Paystack — we never store, process, or have access to your payment card details

12. Automated Decision-Making and AI Features

In compliance with POPIA Section 71, we disclose that the Platform includes optional AI-powered features (such as invoice assistance and smart suggestions) provided through OpenAI's API. These features:

  • Are assistive tools only — all AI-generated suggestions require your review and approval before any action is taken
  • Do not make decisions that produce legal effects or that significantly affect you without human oversight
  • Process only the minimum data necessary (invoice descriptions, line items) — we do not send full client personal information to OpenAI unless it forms part of the invoice content you submit
  • Involve the transfer of data to the United States (see Section 8)

You have the right under Section 71 to request that any decision made solely by automated processing be reconsidered by a human. You may also request information about the logic involved in any automated decision. To exercise these rights, contact us at paidit@wemakesites.co.za.

13. WhatsApp Messaging

When you use our WhatsApp delivery features, we send messages to your clients via the WhatsApp Business API operated by Meta Platforms, Inc. This involves sharing your clients' phone numbers and message content (including invoice or quote details) with Meta's servers in the United States. This transfer is governed by the cross-border transfer provisions in Section 8 above and is protected by Meta's Business Data Processing Terms.

By using WhatsApp delivery features, you represent and warrant that you have obtained the necessary consent from your clients to receive messages via WhatsApp on your behalf, as required by POPIA Section 11 and the WhatsApp Business Policy.

14. Data Breach Notification

In compliance with POPIA Section 22, where there are reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorised person, we will:

  • Notify the Information Regulator as soon as reasonably possible via the eServices Portal using the prescribed SCN1 form
  • Notify you as the affected data subject as soon as reasonably possible
  • Provide you with sufficient information to take protective measures, including a description of the possible consequences of the breach, the measures we are taking to address it, and recommendations for steps you should take to mitigate any adverse effects

15. Cookies

Paid It uses the following categories of cookies:

Essential Cookies

These cookies are strictly necessary for the operation of our Platform. They enable core functionality such as authentication, session management, and security. Essential cookies cannot be disabled and do not require consent.

Analytics Cookies (Opt-In)

We use Google Analytics 4 to understand how visitors use our Platform so we can improve your experience. Analytics cookies (such as _ga and _ga_*) are only set if you provide explicit consent via our cookie consent banner. No analytics data is collected or sent to Google until you click "Accept". If you decline, no analytics cookies are set and no data is shared with Google.

We implement Google Consent Mode v2 to ensure that no tracking occurs before you grant consent, in compliance with POPIA.

Withdrawing Cookie Consent

You can withdraw your cookie consent at any time by clicking the "Cookie Settings" link in the footer of any page. This will remove analytics cookies from your browser and prevent further analytics data collection until you consent again. You may also clear cookies directly via your browser settings.

16. Direct Marketing

In compliance with POPIA Section 69, we will not send you unsolicited electronic marketing communications unless you have given us your prior explicit consent. You may withdraw your consent to receive marketing communications at any time by contacting us or using the unsubscribe link in any marketing email. Service-related communications (such as billing notifications, security alerts, and service updates) are not considered direct marketing and will continue regardless of your marketing preferences.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. For material changes, we will notify you via email at the address associated with your account and may require you to re-acknowledge the updated policy. The updated policy will be posted on this page with a revised effective date.

18. Contact

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact our Information Officer:

  • Legal Entity: WeMakeSites (Pty) Ltd (Reg: 2025/527655/07)
  • Information Officer Email: paidit@wemakesites.co.za
  • General Support Email: paidit@wemakesites.co.za
  • Address: 1219 Mokale Dr, Unit 7, Mmabatho, Mahikeng, North West, South Africa

You may also contact the Information Regulator of South Africa:

  • Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
  • General Enquiries: enquiries@inforegulator.org.za
  • Complaints: complaints@inforegulator.org.za
  • Website: https://inforegulator.org.za