Privacy Policy
Last updated: 23 April 2026
1. Who we are
BMS ("Business Management System", "we", "us", "our") operates the platform at bmssa.co.za and the application at app.bmssa.co.za. We are a South African business providing software-as-a-service for local SMEs.
2. What this policy covers
This policy explains what personal information we collect when you visit bmssa.co.za or use BMS, why we collect it, how long we keep it, who we share it with, and the rights you have under the Protection of Personal Information Act, 2013 (POPIA).
3. What we collect
- Account information - name, email, phone and business details you give us at signup or in settings.
- Business content - clients, invoices, quotes, payroll records, tax drafts, documents, signatures, team chat messages and bank-statement uploads - whatever you enter into BMS to run your business.
- AI conversation content - what you type to the BMS Brain (our AI assistant), the documents you ask it to summarise or improve, and the replies it produces.
- Technical data - IP address, browser and device information, log files and cookie identifiers collected automatically when you use the service.
- Payment information - handled by our PCI-DSS compliant payment providers (PayFast, Ozow, Paystack). We do not store card numbers ourselves.
4. Why we collect it
- Deliver the service you signed up for.
- Support, maintain, secure and improve the platform.
- Send service notifications and, where permitted, news about BMS.
- Comply with South African law (e.g. SARS, CIPC, POPIA obligations).
5. Lawful basis (POPIA)
Personal information is processed on one or more of the following bases: your consent, contractual necessity to deliver the service, compliance with law, and our legitimate business interests balanced against your rights.
6. Who sees your data
- BMS staff on a strict need-to-know basis.
- Payment processors (PayFast, Ozow, Paystack) only to process your transactions.
- Email and SMS providers (Resend, BulkSMS) only to send notifications you've opted into.
- AI processing providers (Anthropic in the United States) only when you use the BMS Brain assistant (see section 7 below for cross-border details).
- External storage providers (Google Drive, Dropbox, Microsoft OneDrive) only when you explicitly connect them in Settings → Integrations and turn on per-folder mirroring.
- WhatsApp Business (Meta) only when you choose to send a client a message via WhatsApp.
- Cloud hosting infrastructure physically located in South Africa.
- South African authorities where required by law.
We do not sell your personal information.
7. Cross-border data transfer (POPIA s72)
Two specific BMS features cause personal information to leave South Africa:
- BMS Brain (AI assistant) - the text of your conversations and any documents you ask it to process are sent to Anthropic, PBC in the United States to generate replies. Anthropic processes this data under data-protection law substantially similar to POPIA and a contractual undertaking not to train models on customer content. The data is retained for 30 days for trust-and-safety review and then deleted.
- External storage mirroring - if you connect Google Drive, Dropbox or OneDrive in Settings → Integrations and turn on mirroring for a folder, copies of those documents go to Google LLC, Dropbox Inc. or Microsoft Corp. respectively (all US). You control which folders mirror and can disconnect at any time.
By using these features you agree to the transfer of the relevant personal information outside South Africa for those purposes. You can opt out by not using the Brain (no transfer happens) and by leaving the storage integrations disconnected (no transfer happens).
8. Where we store it
Primary data (your business records, accounts, invoices, payroll, documents) is stored on cloud infrastructure physically hosted in South Africa. Encrypted backups are retained in accordance with the schedule in section 9 below. Data sent to the providers in section 7 follows their respective storage policies.
9. How long we keep it
- Account data - while your account is active, plus up to 7 years after cancellation to comply with SARS record-keeping requirements.
- Business content - you control it - export or delete at any time via the app.
- Technical logs - up to 12 months.
- Marketing consent records - until you withdraw consent.
10. Your POPIA rights
You have the right to:
- Be told what personal information we hold about you.
- Correct or delete your personal information.
- Object to processing for direct marketing.
- Lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za).
To exercise any of these rights, email info@bmssa.co.za. We respond within 30 days as required by POPIA.
11. Information Officer (POPIA s55)
Our Information Officer is the founder and CEO of BMS, contactable at info@bmssa.co.za. The Information Officer is registered with the Information Regulator of South Africa and is responsible for our compliance with POPIA.
12. Cookies
We use a small number of cookies: a session token to keep you logged in (stored in browser localStorage), CSRF tokens for security, and anonymous usage analytics. You can disable cookies in your browser - some features will stop working if you do.
13. Security
We use encryption in transit (HTTPS / TLS 1.2+), encryption at rest for the database and backups, role-based access control, audit logging, and regular security reviews. No system is perfectly secure - we will notify you and the Information Regulator within 72 hours if we become aware of a breach that affects your personal information (POPIA s22).
14. Children
BMS is not intended for anyone under 18. We do not knowingly collect information about children.
15. Changes to this policy
If we change this policy we will update the "last updated" date above. Material changes will be announced in-app or by email before they take effect.
16. Contact
Privacy queries, complaints or POPIA requests: info@bmssa.co.za.