arrow_backPrivacy Policy

1. Who We Are

Dropsheet is a quote and invoice management platform for South African tradespeople, operated by Certo (Pty) Ltd ("we", "us", or "our"). We are subject to the Protection of Personal Information Act 4 of 2013 (POPIA) and are committed to protecting your personal information.

Data protection queries can be directed to: privacy@dropsheet.co.za

2. What Personal Information We Collect

We collect and process the following categories of personal information:

  • Identity information: Your full name and business name.
  • Contact details: Email address and mobile phone number.
  • Business details: Trade type, VAT number, and banking details (account holder name, bank, branch code, account number — used solely to pre-populate your invoice templates).
  • Client information: Names, physical addresses, and contact details for the clients whose quotes and invoices you create through Dropsheet. You are the responsible party for this information.
  • Payment information: Subscription billing is handled by Paddle (paddle.com). We do not store your payment card details. For client payments processed through Yoco (yoco.com), Dropsheet records payment status and references only — card details are handled entirely by Yoco.
  • Usage data: Log entries, audit trails of actions taken within the app (quote created, invoice sent, signature received), and IP addresses for security purposes.

3. Why We Collect It (Lawful Basis)

  • Contract performance: To provide the Dropsheet service you signed up for, including generating quotes, sending invoices, and processing e-signatures.
  • Legal obligation: To comply with South African law, including POPIA compliance, audit trail requirements, and SARS-related record keeping.
  • Legitimate interest: To detect fraud, prevent abuse of the platform, and improve the service.
  • Consent: For any marketing communications — you may withdraw consent at any time.

4. How Your Information Is Stored

Your data is stored in Supabase (supabase.com), a managed database platform. Supabase operates servers in the EU (Frankfurt, Germany). Data is encrypted at rest and in transit. Access is restricted by row-level security policies that ensure each organisation can only access its own data.

E-signature records (signed documents and signature images) are retained permanently as they form part of a legally binding record of agreement.

5. Data Retention

We retain your personal information for as long as your account is active and for a period thereafter as required by law or legitimate business need:

  • Account data: Retained for the duration of your subscription and deleted upon a valid erasure request (see Section 7).
  • Financial records (quotes, invoices): Retained for 5 years after the financial year in which the document was created, in accordance with SARS requirements.
  • Audit logs: Retained for 3 years for security and compliance purposes.
  • Deleted accounts: PII (name, email, phone) is anonymised immediately on deletion. Anonymised records and financial documents are retained for the statutory period.

6. Sharing Your Information

We do not sell your personal information. We share it only with:

  • Supabase: Database hosting and authentication.
  • Paddle: Subscription billing. Paddle acts as a Merchant of Record and has its own privacy policy at paddle.com/legal/privacy.
  • Yoco: Client payment processing. Yoco has its own privacy policy at yoco.com/privacy.
  • Resend: Transactional email delivery (quote and invoice delivery emails).
  • Law enforcement or regulatory bodies: Where we are legally required to do so.

7. Your Rights Under POPIA

As a data subject under POPIA, you have the right to:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that inaccurate information be corrected. Most information can be updated directly in Profile & Settings.
  • Deletion (right to erasure): Request that your personal information be deleted. You can initiate account deletion directly from within the app under Profile & Settings. This will anonymise your PII and delete your login credentials. Financial records are retained in anonymised form for the statutory period.
  • Objection: Object to the processing of your personal information for direct marketing purposes.
  • Complaint: Lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za) if you believe your rights have been infringed.

To exercise any of the above rights, contact us at privacy@dropsheet.co.za.

8. Cookies and Tracking

Dropsheet uses session cookies issued by Supabase for authentication. We do not use advertising cookies or cross-site tracking. We may use PostHog for anonymised product analytics (page views, feature usage) to help us improve the service. PostHog is configured in privacy-first mode with no personally identifiable information.

9. Changes to This Policy

We may update this policy from time to time. We will notify active users by email if we make material changes. Continued use of Dropsheet after changes take effect constitutes acceptance of the revised policy.

10. Contact

For any privacy-related queries, to exercise your POPIA rights, or to report a concern, contact our Information Officer at:

Email: privacy@dropsheet.co.za

Last updated 30 June 2025 · Terms of Service · Refund Policy