# STATIX — Privacy Policy

> **DRAFT — NOT YET LEGALLY REVIEWED.** Professional drafting for review by a
> qualified South African attorney and (for EU/UK users) a data-protection adviser
> before publication. Not legal advice. Complete all `[bracketed]` items, and confirm
> the actual sub-processors and retention periods, before publication.

**Controlled by / Responsible Party:** N. de Beer, trading as [legal entity / sole proprietor], South Africa ("we", "us")

**Information Officer (POPIA):** [name] · [privacy@statix.app] · [registered address]

**EU/UK matters / Data Protection contact:** [privacy@statix.app] · [EU representative, if appointed]

**Version:** Draft 0.1 · **Effective date:** [to be set]

This policy explains what personal information we collect, why, where it is processed, how long we keep it, and your rights. It is written to be aware of both the **Protection of Personal Information Act 4 of 2013 (POPIA, South Africa)** and the **EU/UK General Data Protection Regulation (GDPR)**.

---

## 1. Privacy by design — and the offline edition

STATIX is built to keep your data on your own device wherever possible.

- The **offline single-file edition runs entirely in your browser.** Your structural models, inputs and reports are processed and stored **on your own device** (and in your browser's local storage), and are **not transmitted to us**, unless you explicitly use an online, account, hosting, sharing or support feature.
- We do not embed third-party tracking scripts or analytics CDNs in the offline application; required third-party libraries are bundled locally.
- We therefore collect personal information mainly in connection with **accounts, licensing, payment, the website and support** — not from your day-to-day modelling.

---

## 2. Who we are (roles)

- For **account, licensing, billing, website and support** personal information, we are the **Responsible Party** (POPIA) / **Controller** (GDPR).
- For any **personal information that happens to be contained inside the models or files you upload to a hosted feature**, we act as an **Operator** (POPIA) / **Processor** (GDPR) on your behalf — you remain the responsible party/controller for that content. The **Data Processing Addendum** governs that relationship for business customers.

---

## 3. What we collect and why

We practise data minimisation. Depending on how you use STATIX, we may process:

| Category | Examples | Purpose | Lawful basis (GDPR) / POPIA justification |
|---|---|---|---|
| **Account data** | Name, email, organisation, role, password (hashed), tier/seat | Create and manage your account and seats; authenticate you | Contract performance; legitimate interest in securing access |
| **Licensing data** | Licence key, activation/device count, subscription status, validation timestamps | Issue and enforce licences; prevent abuse | Contract; legitimate interest in protecting our IP |
| **Billing data** | Billing name, address, country, VAT/tax ID, invoices, last-4/payment token (full card data held by the payment provider, not us) | Take payment, issue invoices, comply with tax/accounting law | Contract; legal obligation (tax records) |
| **Support data** | Emails, chat messages, attachments you send us | Provide support and respond to you | Contract; legitimate interest |
| **Website/usage data** | IP address, device/browser type, pages viewed, essential/preference settings | Run and secure the website; remember preferences; understand aggregate usage | Legitimate interest; consent for any non-essential cookies (see Cookie Policy) |
| **Your Content (hosted features only)** | Models, inputs, reports you upload/sync/share | Store, process and display them to provide the feature you chose | Contract; we act as Operator/Processor on your behalf |
| **Communications/marketing** | Email, contact preferences | Send service messages; send marketing only where permitted | Consent (marketing) / legitimate interest (service messages) |

We do not knowingly seek special categories of personal information. Please do not put sensitive personal information into model files or support messages unless necessary.

---

## 4. Children

The Service is not intended for children. We do not knowingly collect personal information from children under [18]. If you believe a child has provided us data, contact us and we will delete it.

---

## 5. Where your data is processed (cross-border transfers)

We are based in South Africa. To run the Service we use reputable third-party sub-processors, some of which are located **outside South Africa and outside the EU/UK**. This means your personal information may be transferred across borders. Our current (intended) sub-processor categories are:

| Sub-processor (intended) | Role | Likely location |
|---|---|---|
| **[Cloudflare]** | Hosting / CDN / security for the website and any hosted app | Global / [region] |
| **[Lemon Squeezy / Paddle]** (merchant of record) | International payment processing, invoicing, licence-key issuance, VAT | [USA / EU] |
| **[Paystack]** | Local (ZAR) payment processing | South Africa / [region] |
| **[Authentication provider, e.g. Cloudflare Access / Supabase / Firebase]** | Sign-in and identity | [region] |
| **[Email provider]** | Transactional and support email | [region] |
| **[Cloud storage / database, if hosted features are enabled]** | Storing account data and Your Content | [region] |

> The final list of sub-processors and their locations must be confirmed and kept
> current. A live sub-processor list will be maintained at [statix.app/legal/subprocessors].

**Safeguards.** Where we transfer personal information across borders we rely, as applicable, on: your performance-of-contract necessity; recipients that are bound by laws or binding agreements providing an adequate level of protection (POPIA §72); and, for EU/UK data, appropriate safeguards such as **Standard Contractual Clauses** and adequacy decisions where they apply. You may request details of the safeguard used.

---

## 6. How long we keep it (retention)

We keep personal information only as long as necessary for the purpose it was collected, then delete or anonymise it.

| Data | Indicative retention |
|---|---|
| Account data | While your account is active, then up to [12 months] after closure |
| Licensing data | While the licence is active, then up to [24 months] for abuse-prevention and records |
| Billing/tax records | As required by South African tax/company law (typically [5 years]) |
| Support correspondence | Up to [24 months] after the matter is resolved |
| Website logs | Up to [12 months] |
| Your Content (hosted) | While stored by you; deleted within [30–90 days] of account deletion or on your request, subject to backups cycling out |
| Backups | Cycled out within [up to 90 days] |

Final periods to be confirmed with counsel and accountant before publication.

---

## 7. How we protect your data

We apply reasonable technical and organisational security measures appropriate to the risk, including encryption in transit (TLS), access controls, hashed passwords, least-privilege access, and use of reputable providers. No system is perfectly secure; we cannot guarantee absolute security.

**Breach notification.** If a security compromise affecting your personal information occurs, we will notify the Information Regulator and affected data subjects as required by POPIA (as amended, including the 2025 Regulations) and, for EU/UK data, the relevant supervisory authority and individuals as required by GDPR, within the applicable timeframes.

---

## 8. Your rights

Subject to applicable law, you have the right to:

- **access** the personal information we hold about you;
- **correct** inaccurate or incomplete information;
- **delete** your information ("right to be forgotten", subject to legal retention);
- **object to** or **restrict** certain processing;
- **withdraw consent** at any time (without affecting prior processing);
- **data portability** (receive certain data in a structured, machine-readable form);
- **object to direct marketing** at any time; and
- **lodge a complaint** with a regulator.

To exercise these rights, contact our Information Officer at [privacy@statix.app]. We will respond within the period required by law (and verify your identity first).

**Regulators.**

- **South Africa:** Information Regulator (POPIA) — [inforegulator.org.za], complaints via the Regulator's prescribed forms.
- **EU/UK:** your local data-protection supervisory authority.

---

## 9. Automated decisions and profiling

We do not use your personal information for automated decision-making that produces legal or similarly significant effects on you, or for profiling, other than basic fraud/abuse prevention and seat/licence enforcement.

---

## 10. Cookies

The website and any hosted app use cookies and similar technologies as described in the **Cookie Policy**. Non-essential cookies are used only with your consent.

---

## 11. Marketing

We will only send you marketing communications where the law permits (for example with your consent, or to existing customers about similar products with an opt-out). Every marketing email includes an unsubscribe link. Service and security messages are not marketing and may still be sent.

---

## 12. Changes

We may update this policy. We will post the new version with an updated effective date and, for material changes, give reasonable notice (for example by email or an in-product/website notice).

---

## 13. Contact

**Information Officer (POPIA):** [name] · [privacy@statix.app]

**Postal address:** [registered address]

For data-subject requests, complaints or questions, email [privacy@statix.app].

---

*© [2026] N. de Beer. All rights reserved.*

**Reminder: this is a DRAFT for attorney review. Confirm the real sub-processors, locations, retention periods and Information Officer registration before publishing.**