Privacy Policy

Last updated: February 2026

LetsInvoice ("we", "us", or "our") operates the website letsinvoice.co.za and provides an online invoicing platform (the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA) of South Africa and other applicable data protection legislation.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal information as described herein. If you do not agree with this policy, please discontinue use of the Service.

1. Information We Collect

1.1 Personal Information

When you register for an account or use our Service, we may collect the following personal information:

  • Full name
  • Email address
  • Phone number
  • Physical or business address
  • Company or trading name
  • VAT registration number (if applicable)
  • Password (stored in encrypted form)

1.2 Business and Financial Data

In the course of using our invoicing platform, we process the following business data:

  • Invoice details (descriptions, amounts, dates, reference numbers)
  • Client and customer information you add to the platform
  • Product and service listings
  • Payment records and transaction history
  • Subscription and billing information

1.3 Usage and Technical Data

We automatically collect certain technical information when you interact with our Service, including:

  • IP address
  • Browser type and version
  • Operating system
  • Pages visited, features used, and time spent on the Service
  • Referring website or source
  • Device identifiers

2. How We Use Your Information

We use your personal information for the following purposes:

  • Providing the Service: To create and manage your account, generate invoices, process payments, and deliver the core functionality of the platform.
  • Communication: To send transactional emails (invoices, receipts, account notifications), respond to support enquiries, and provide service-related updates.
  • Billing and Payments: To process subscription payments through our payment provider, manage plan upgrades or downgrades, and maintain billing records.
  • Improvement and Analytics: To analyse usage patterns, diagnose technical issues, and improve the performance, features, and user experience of the Service.
  • Security: To detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activity.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes, including tax and accounting obligations.

3. Legal Basis for Processing (POPIA)

Under the Protection of Personal Information Act (POPIA), we are required to have a lawful basis for processing your personal information. We rely on the following grounds as set out in Section 11 of POPIA:

  • Consent (Section 11(1)(a)): You provide consent when you create an account and agree to this Privacy Policy. You may withdraw consent at any time, subject to legal or contractual restrictions.
  • Contractual Necessity (Section 11(1)(b)): Processing is necessary to perform our obligations under the terms of service and subscription agreement between you and LetsInvoice.
  • Legal Obligation (Section 11(1)(c)): We may process information to comply with South African tax law, the Electronic Communications and Transactions Act (ECTA), and other regulatory requirements.
  • Legitimate Interest (Section 11(1)(f)): We process certain data (such as usage analytics) where it is in our legitimate interest to improve and secure the Service, provided this does not override your rights.

We process personal information in line with the conditions for lawful processing outlined in Chapter 3 of POPIA, including accountability, processing limitation, purpose specification, information quality, openness, security safeguards, and data subject participation.

4. Data Sharing and Third Parties

We do not sell, rent, or trade your personal information. We may share your data with the following categories of third parties, strictly as required to deliver and support our Service:

4.1 Payment Processor

We use PayFast (a South African payment gateway) to process subscription payments. When you make a payment, PayFast receives your name, email address, and transaction details necessary to complete the payment. PayFast processes this information under its own privacy policy and is a POPIA-compliant operator. We do not store your credit card or bank account details on our servers.

4.2 Hosting Provider

Our Service is hosted on a cPanel-based server infrastructure. Your data is stored on servers managed by our hosting provider, which maintains physical and technical security measures to safeguard your information. We select hosting providers that operate within or comply with South African data protection standards.

4.3 Other Disclosures

We may disclose your personal information if required to do so by law, regulation, legal process, or enforceable governmental request, or where necessary to protect the rights, property, or safety of LetsInvoice, our users, or the public.

5. Data Security

We take the security of your personal information seriously and implement appropriate technical and organisational measures as required by Section 19 of POPIA, including:

  • SSL/TLS encryption for all data transmitted between your browser and our servers
  • Secure password hashing (passwords are never stored in plain text)
  • Session-based authentication with secure session management
  • Regular software updates and security patching
  • Access controls limiting personnel access to personal information on a need-to-know basis
  • Database security measures and regular backups

While we strive to protect your personal information, no method of electronic storage or transmission over the internet is completely secure. We cannot guarantee absolute security but are committed to promptly notifying affected data subjects and the Information Regulator in the event of a data breach, as required by Section 22 of POPIA.

6. Data Retention

In accordance with Section 14 of POPIA (further processing limitation), we retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.

  • Account Data: Retained for as long as your account remains active. Upon account deletion, personal data will be removed within 30 days, except where retention is required by law.
  • Invoice and Financial Records: Retained for a minimum of five (5) years after the relevant tax year, in compliance with the South African Income Tax Act and the Tax Administration Act.
  • Usage Data: Aggregated and anonymised usage data may be retained indefinitely for analytics purposes, as it no longer constitutes personal information.
  • Support Records: Communication records may be retained for up to two (2) years for quality assurance and dispute resolution.

7. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights in relation to your personal information. These rights are set out in Sections 23 to 25 of POPIA:

7.1 Right of Access (Section 23)

You have the right to request confirmation of whether we hold personal information about you and to request access to that information. You may also request details about the third parties to whom your information has been disclosed.

7.2 Right to Correction (Section 24)

You have the right to request the correction or deletion of your personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully. You may update most of your personal information directly within your account settings, or contact us for assistance.

7.3 Right to Deletion (Section 24)

You have the right to request the deletion or destruction of your personal information where it is no longer needed for the purpose for which it was collected, or where your consent has been withdrawn. Deletion requests are subject to our legal retention obligations as described in Section 6 above.

7.4 Right to Object (Section 11(3))

You have the right to object to the processing of your personal information on reasonable grounds relating to your particular situation, unless legislation provides for such processing. You may also object to the processing of your information for direct marketing purposes.

7.5 Right to Lodge a Complaint (Section 74)

If you believe that your personal information has been processed in violation of POPIA, you have the right to lodge a complaint with the Information Regulator (South Africa):

To exercise any of these rights, please contact our Information Officer using the details provided in Section 12 below. We will respond to valid requests within a reasonable time, and no later than 30 days from receipt of the request as required by POPIA.

8. Cookies

Our Service uses cookies and similar technologies to enhance your experience and maintain your session. The types of cookies we use include:

  • Essential Cookies: Required for the basic functioning of the Service, including session management and authentication. These cannot be disabled without affecting core functionality.
  • Functional Cookies: Used to remember your preferences and settings (such as language or display options) to provide a more personalised experience.
  • Analytics Cookies: Used to collect anonymised usage data to help us understand how visitors interact with the Service and to identify areas for improvement.

You can manage cookie preferences through your browser settings. Please note that disabling essential cookies may prevent you from using certain features of the Service.

9. Children's Privacy

Our Service is not directed at or intended for use by children under the age of 18. We do not knowingly collect personal information from children. In accordance with Section 35 of POPIA, if we become aware that we have collected personal information from a child without the consent of a competent person (parent or guardian), we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us immediately.

10. International Data Transfers

We primarily store and process your data within the Republic of South Africa. In certain circumstances, your personal information may be transferred to or processed in countries outside of South Africa (for example, where a third-party service provider operates internationally). In such cases, we ensure that appropriate safeguards are in place in accordance with Section 72 of POPIA, which requires that the recipient country has adequate data protection laws, or that the transfer is subject to binding agreements that provide an equivalent level of protection for your personal information.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via email or a prominent notice within the Service. We encourage you to review this policy periodically to stay informed about how we are protecting your information.

12. Contact and Information Officer

If you have any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal information, or if you wish to exercise any of your rights under POPIA, please contact our designated Information Officer:

We will acknowledge receipt of your request and respond within 30 days, as required by POPIA.