How we look
after your data.
Plain-language disclosure for our clients under the Protection of Personal Information Act (POPIA, Act 4 of 2013).
1. Who is the responsible party
GetSorted Accounting is the responsible party (Section 1, POPIA) for your personal information processed through this client portal. Contact: dylan@getsorted.co.za.
2. What we collect & why
- Account data — your name, business name, email, phone — to identify you and communicate with you.
- Financial documents you upload — bank statements, invoices, AFS, tax returns, payslips — to perform the bookkeeping, tax and compliance services you've engaged us for.
- Activity & deadline data — to track tasks, send notifications and meet SARS, CIPC and statutory deadlines on your behalf.
3. How we secure your data
- All connections are encrypted with HTTPS / TLS.
- Passwords are hashed with bcrypt using a unique random salt per user. We can never see your password.
- Access tokens expire after 12 hours and the portal auto-logs you out after 30 minutes of inactivity.
- Every API request is authorised — clients can only access their own profile, deadlines, requests and documents. Admin access is restricted to authorised GetSorted staff.
- Files are stored in encrypted object storage and only served via authenticated, ownership-checked download endpoints — there are no public file URLs.
4. Where data is stored (subprocessors)
We use the following operators (POPIA s20–21) to host this portal and your documents on our behalf:
- Emergent — application hosting, MongoDB database and object file storage.
Our infrastructure provider's data centres may be located outside South Africa. Where this is the case, the cross-border transfer is permitted under POPIA s72 because (a) the operator is contractually bound to apply equivalent protection, and (b) you consent to the transfer by accepting these terms when uploading documents. You can request the current data centre region by emailing us at any time.
5. How long we keep it
We retain your records for the periods required by South African tax and company law (typically 5 years after submission for SARS records; 7 years for company financial records). After that, or on your written request to delete, we permanently remove your data subject to any retention obligation we still have under law.
6. Your POPIA rights
- Access — request a copy of personal information we hold about you.
- Correction — ask us to fix anything inaccurate or out of date.
- Deletion — ask us to delete information we no longer need.
- Object — object to specific processing activities.
- Complain to the Information Regulator (SA) at inforegulator.org.za.
7. Contact us
Any privacy question, request or concern — email dylan@getsorted.co.za. We respond within 5 working days.