Legal · Draft
STATIX — Privacy Policy
DRAFT — NOT YET LEGALLY REVIEWED. Professional drafting for review by a qualified South African attorney and (for EU/UK users) a data-protection adviser before publication. Not legal advice. Complete all
[bracketed]items, and confirm the actual sub-processors and retention periods, before publication.
Controlled by / Responsible Party: the STATIX design team, trading as [legal entity / sole proprietor], South Africa ("we", "us") Information Officer (POPIA): [name] · [privacy@statix.app] · [registered address] EU/UK matters / Data Protection contact: [privacy@statix.app] · [EU representative, if appointed] Version: Draft 0.1 · Effective date: [to be set]
This policy explains what personal information we collect, why, where it is processed, how long we keep it, and your rights. It is written to be aware of both the Protection of Personal Information Act 4 of 2013 (POPIA, South Africa) and the EU/UK General Data Protection Regulation (GDPR).
1. Privacy by design — and the offline edition
STATIX is built to keep your data on your own device wherever possible.
- The offline single-file edition runs entirely in your browser. Your structural models, inputs and reports are processed and stored on your own device (and in your browser's local storage), and are not transmitted to us, unless you explicitly use an online, account, hosting, sharing or support feature.
- We do not embed third-party tracking scripts or analytics CDNs in the offline application; required third-party libraries are bundled locally.
- We therefore collect personal information mainly in connection with accounts, licensing, payment, the website and support — not from your day-to-day modelling.
2. Who we are (roles)
- For account, licensing, billing, website and support personal information, we are the Responsible Party (POPIA) / Controller (GDPR).
- For any personal information that happens to be contained inside the models or files you upload to a hosted feature, we act as an Operator (POPIA) / Processor (GDPR) on your behalf — you remain the responsible party/controller for that content. The Data Processing Addendum governs that relationship for business customers.
3. What we collect and why
We practise data minimisation. Depending on how you use STATIX, we may process:
| Category | Examples | Purpose | Lawful basis (GDPR) / POPIA justification |
|---|---|---|---|
| Account data | Name, email, organisation, role, password (hashed), tier/seat | Create and manage your account and seats; authenticate you | Contract performance; legitimate interest in securing access |
| Licensing data | Licence key, activation/device count, subscription status, validation timestamps | Issue and enforce licences; prevent abuse | Contract; legitimate interest in protecting our IP |
| Billing data | Billing name, address, country, VAT/tax ID, invoices, last-4/payment token (full card data held by the payment provider, not us) | Take payment, issue invoices, comply with tax/accounting law | Contract; legal obligation (tax records) |
| Support data | Emails, chat messages, attachments you send us | Provide support and respond to you | Contract; legitimate interest |
| Website/usage data | IP address, device/browser type, pages viewed, essential/preference settings | Run and secure the website; remember preferences; understand aggregate usage | Legitimate interest; consent for any non-essential cookies (see Cookie Policy) |
| Your Content (hosted features only) | Models, inputs, reports you upload/sync/share | Store, process and display them to provide the feature you chose | Contract; we act as Operator/Processor on your behalf |
| Communications/marketing | Email, contact preferences | Send service messages; send marketing only where permitted | Consent (marketing) / legitimate interest (service messages) |
We do not knowingly seek special categories of personal information. Please do not put sensitive personal information into model files or support messages unless necessary.
4. Children
The Service is not intended for children. We do not knowingly collect personal information from children under [18]. If you believe a child has provided us data, contact us and we will delete it.
5. Where your data is processed (cross-border transfers)
We are based in South Africa. To run the Service we use reputable third-party sub-processors, some of which are located outside South Africa and outside the EU/UK. This means your personal information may be transferred across borders.
Our current (intended) sub-processor categories are:
| Sub-processor (intended) | Role | Likely location |
|---|---|---|
| [Cloudflare] | Hosting / CDN / security for the website and any hosted app | Global / [region] |
| [Lemon Squeezy / Paddle] (merchant of record) | International payment processing, invoicing, licence-key issuance, VAT | [USA / EU] |
| [Paystack] | Local (ZAR) payment processing | South Africa / [region] |
| [Authentication provider, e.g. Cloudflare Access / Supabase / Firebase] | Sign-in and identity | [region] |
| [Email provider] | Transactional and support email | [region] |
| [Cloud storage / database, if hosted features are enabled] | Storing account data and Your Content | [region] |
The final list of sub-processors and their locations must be confirmed and kept current. A live sub-processor list will be maintained at [statix.app/legal/subprocessors].
Safeguards. Where we transfer personal information across borders we rely, as applicable, on: your performance-of-contract necessity; recipients that are bound by laws or binding agreements providing an adequate level of protection (POPIA §72); and, for EU/UK data, appropriate safeguards such as Standard Contractual Clauses and adequacy decisions where they apply. You may request details of the safeguard used.
6. How long we keep it (retention)
We keep personal information only as long as necessary for the purpose it was collected, then delete or anonymise it.
| Data | Indicative retention |
|---|---|
| Account data | While your account is active, then up to [12 months] after closure |
| Licensing data | While the licence is active, then up to [24 months] for abuse-prevention and records |
| Billing/tax records | As required by South African tax/company law (typically [5 years]) |
| Support correspondence | Up to [24 months] after the matter is resolved |
| Website logs | Up to [12 months] |
| Your Content (hosted) | While stored by you; deleted within [30–90 days] of account deletion or on your request, subject to backups cycling out |
| Backups | Cycled out within [up to 90 days] |
Final periods to be confirmed with counsel and accountant before publication.
7. How we protect your data
We apply reasonable technical and organisational security measures appropriate to the risk, including encryption in transit (TLS), access controls, hashed passwords, least-privilege access, and use of reputable providers. No system is perfectly secure; we cannot guarantee absolute security.
Breach notification. If a security compromise affecting your personal information occurs, we will notify the Information Regulator and affected data subjects as required by POPIA (as amended, including the 2025 Regulations) and, for EU/UK data, the relevant supervisory authority and individuals as required by GDPR, within the applicable timeframes.
8. Your rights
Subject to applicable law, you have the right to:
- access the personal information we hold about you;
- correct inaccurate or incomplete information;
- delete your information ("right to be forgotten", subject to legal retention);
- object to or restrict certain processing;
- withdraw consent at any time (without affecting prior processing);
- data portability (receive certain data in a structured, machine-readable form);
- object to direct marketing at any time; and
- lodge a complaint with a regulator.
To exercise these rights, contact our Information Officer at [privacy@statix.app]. We will respond within the period required by law (and verify your identity first).
Regulators.
- South Africa: Information Regulator (POPIA) — [inforegulator.org.za], complaints via the Regulator's prescribed forms.
- EU/UK: your local data-protection supervisory authority.
9. Automated decisions and profiling
We do not use your personal information for automated decision-making that produces legal or similarly significant effects on you, or for profiling, other than basic fraud/abuse prevention and seat/licence enforcement.
10. Cookies
The website and any hosted app use cookies and similar technologies as described in the Cookie Policy. Non-essential cookies are used only with your consent.
11. Marketing
We will only send you marketing communications where the law permits (for example with your consent, or to existing customers about similar products with an opt-out). Every marketing email includes an unsubscribe link. Service and security messages are not marketing and may still be sent.
12. Changes
We may update this policy. We will post the new version with an updated effective date and, for material changes, give reasonable notice (for example by email or an in-product/website notice).
13. Contact
Information Officer (POPIA): [name] · [privacy@statix.app] Postal address: [registered address] For data-subject requests, complaints or questions, email [privacy@statix.app].
© [2026] STATIX design team. All rights reserved.
Reminder: this is a DRAFT for attorney review. Confirm the real sub-processors, locations, retention periods and Information Officer registration before publishing.
Legal index · EULA · Terms · Privacy · Cookies · DPA · Engineering Disclaimer