PayI Privacy Policy
POPIA-Compliant Privacy Notice
Last updated: April 2026
1. Data Controller
The PayI Service is operated by Synchplus Consulting (Pty) Ltd ("Synchplus", "the Company", "we", "us"), a company registered in the Republic of South Africa. PayI is a product of Kapardyn, a wholly-owned division of Synchplus Consulting. Synchplus is the data controller for information collected through the PayI platform in its capacity as service provider.
In the context of the PayI billing platform, the relationship is structured as follows:
- Synchplus Consulting (Pty) Ltd is the Responsible Party (controller) for MSP account data and platform operations data
- Synchplus Consulting (Pty) Ltd acts as the Operator (processor) for client personal information that MSPs input into PayI for billing purposes
- The MSP is the Responsible Party (controller) for their own clients' personal information processed through PayI
This Privacy Policy applies to all personal information processed through the PayI Service, whether you are an MSP user, an MSP's client using the payment portal, or a visitor to our website.
2. What Data We Collect
We collect and process the following categories of personal information:
2.1 MSP Account Information
- Business name, trading name, and registration number
- Contact person name, email address, and phone number
- Billing address and VAT registration number
- User account credentials (email, hashed password)
- Role assignments and permission levels
- API keys and integration configuration
2.2 Client Information (entered by MSPs)
- Client business name and trading name
- Client contact person name and email address
- Client billing address
- Client VAT registration number (if applicable)
- Invoice line items, amounts, and payment terms
- Payment status and history
- Communication preferences (email, SMS)
2.3 Payment Event Metadata
- Payment timestamps, amounts, and currency
- Payment method type (card, EFT, debit order)
- Card brand and last 4 digits (for display purposes only)
- Payment gateway transaction reference IDs
- Payment success/failure status and error codes
- Dunning attempt history and outcomes
2.4 Usage and Technical Data
- IP addresses, browser type, and device information
- Login timestamps and session duration
- Feature usage patterns and API call logs
- Error logs and diagnostic information
3. What Data We Do NOT Collect
PayI never collects, stores, or has access to the following sensitive financial data:
- Credit card numbers (full PAN) — handled exclusively by Peach Payments
- Bank account numbers — never entered into or stored by PayI
- CVV/CVC security codes — entered directly on Peach Payments' secure form
- Card PINs — never collected or transmitted
- Bank routing numbers — not stored or processed by PayI
- 3D Secure passwords — handled entirely within the bank's authentication flow
For a detailed explanation of our payment security architecture, please refer to our Payment Security Policy.
4. Purpose of Data Processing
We process personal information for the following specific, explicitly defined purposes:
- Invoice generation and delivery: Creating, calculating, and sending invoices to your clients on your behalf
- Payment collection: Initiating and tracking payment transactions through the Peach Payments gateway
- Dunning and collections: Sending automated payment reminders and escalation notices for overdue invoices
- AI-powered analytics: Generating revenue forecasts, payment behaviour predictions, churn risk assessments, and collections optimisation recommendations
- Accounting integration: Synchronising invoice and payment data with Xero or QuickBooks Online when you enable the integration
- Platform operations: Maintaining security, preventing fraud, debugging issues, and improving service performance
- Legal compliance: Fulfilling our obligations under POPIA, tax legislation, and other applicable laws
We do not process your data for advertising, profiling for third parties, or any purpose unrelated to the delivery of the PayI Service.
5. Legal Basis for Processing
We process personal information on the following legal grounds under POPIA:
- Contractual necessity (POPIA Section 11(1)(b)): Processing is necessary for the performance of the contract between you and Synchplus Consulting (Pty) Ltd for the provision of the PayI Service
- Legitimate interest (POPIA Section 11(1)(f)): Processing is necessary for our legitimate interests in operating, improving, and securing the Service, provided these interests are not overridden by your rights
- Legal obligation (POPIA Section 11(1)(c)): Processing is necessary to comply with tax, accounting, and other legal obligations
- Consent (POPIA Section 11(1)(a)): Where applicable, for optional features such as marketing communications (you may withdraw consent at any time)
6. Data Retention
Data retention periods are determined by your subscription tier and applicable legal requirements:
| Data Category | Professional / Business | Enterprise |
|---|---|---|
| Active account data | Duration of subscription | Duration of subscription |
| Invoice and payment records | 1 year active + 6 years archived | 7 years active |
| Audit trail logs | 3 years | 7 years |
| AI analytics data | 1 year rolling | Full history |
| Post-termination data | 30 days export + secure deletion | 30 days export + secure deletion |
The 6-year archival period for invoice and payment records aligns with the South African Tax Administration Act requirement to retain financial records for a minimum of 5 years, plus a 1-year safety margin. Archived records are stored in encrypted, compressed form and are accessible only upon explicit request.
7. Data Sharing
We share personal information only with the following third parties, and only to the extent necessary to provide the Service:
- Peach Payments: We share payment-related metadata (amounts, currency, payment tokens) with Peach Payments for payment processing. Peach Payments is a PCI DSS Level 1 certified payment service provider based in South Africa. Peach Payments processes payment card data under their own privacy policy.
- Xero / QuickBooks Online: If you enable the accounting integration, we share invoice and payment data with your connected Xero or QuickBooks Online account. This integration is entirely optional and can be disconnected at any time.
We do not sell, rent, or trade personal information to third parties. We do not share data with advertising networks, data brokers, or analytics companies. We may disclose personal information if required by law, court order, or valid legal process.
8. Data Subject Rights Under POPIA
Under the Protection of Personal Information Act, you have the following rights with respect to your personal information:
- Right of access (Section 23): You may request confirmation of whether we hold personal information about you and request a copy of that information
- Right to correction (Section 24): You may request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully
- Right to deletion (Section 24): You may request deletion of your personal information, subject to our legal retention obligations
- Right to object (Section 11(3)): You may object to the processing of your personal information on grounds of legitimate interest
- Right to data portability: You may request your data in a structured, commonly used, machine-readable format (CSV or JSON)
- Right to lodge a complaint: You may lodge a complaint with the Information Regulator (South Africa) if you believe your rights have been infringed
To exercise any of these rights, please contact our POPIA Information Officer at privacy@kapardyn.com. We will respond to your request within 30 days as required by POPIA.
9. Cross-Border Data Transfers
PayI data is processed and stored in South Africa. We do not routinely transfer personal information outside the Republic of South Africa.
Peach Payments, our payment processor, processes all payment transactions within South Africa. Should any cross-border transfer become necessary (for example, if you enable an integration with a service hosted outside South Africa), we will ensure that:
- The recipient country provides an adequate level of data protection as recognised by the Information Regulator
- Appropriate contractual safeguards (such as binding corporate rules or standard contractual clauses) are in place
- You are informed of the transfer and its implications before it occurs
10. Security Measures
We implement comprehensive technical and organisational measures to protect personal information:
- Encryption at rest: All stored data is encrypted using AES-256-GCM with per-MSP derived encryption keys
- Encryption in transit: All data transmissions use TLS 1.2 or higher
- Tenant isolation: Strict data isolation between MSPs at the application and database level — the platform is designed so that one MSP cannot access another MSP's data through any documented API path, and encrypted data remains unusable without the correct MSP-specific derived key
- Audit trail: All data access and modifications are logged in a tamper-evident, hash-chained audit trail
- Access controls: Role-based access control (RBAC) with the principle of least privilege
- Authentication: JWT-based authentication with configurable session expiry
- Infrastructure: Hosted on secure, access-controlled infrastructure with regular security assessments
11. Cookies
The PayI Service uses a minimal set of cookies that are strictly necessary for operation:
- Session cookies: Used to maintain your authenticated session while using the platform. These are deleted when you close your browser or your session expires.
- Preference cookies: Used to remember your display preferences (such as dashboard layout). These persist for up to 30 days.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not engage in cross-site tracking or behavioural profiling.
12. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Post the updated policy on this page with a revised "Last updated" date
- Send an email notification to all registered MSP account holders at least 14 days before the changes take effect
- Highlight the key changes in the notification
Continued use of the Service after the effective date of any update constitutes your acceptance of the revised policy.
13. Contact
For any questions, requests, or complaints relating to this Privacy Policy or how we handle your personal information, please contact:
Synchplus Consulting (Pty) Ltd
POPIA Information Officer
Email: privacy@kapardyn.com
Republic of South Africa
If you are not satisfied with our response, you may lodge a complaint with the Information Regulator (South Africa):
Information Regulator (South Africa)
Website: https://inforegulator.org.za