Privacy Policy

Last updated: 21 June 2026

Sumtra processes personal information to provide business management software covering customers, documents, job cards, reports, subscriptions, customer support, security, and selected AI-assisted workflows. We aim to process personal information lawfully, minimally, and transparently, in line with POPIA.

1. Who We Are

This website and the Sumtra platform are operated by Sumtra (Pty) Ltd, South Africa. For privacy queries, contact info@sumtra.app.

2. Information We Collect

Depending on your relationship with us, we may collect and process:

  • Website enquiry details, including your name, email address, telephone number, and message.
  • Customer, supplier, and business information, including contact details, company details, VAT information, addresses, and account records.
  • Vehicle, workshop, and job-related information, including registration numbers, VINs, engine details, licence-disk data, diagnostics, notes, quotations, invoices, job cards, statements, and related attachments.
  • Uploaded or generated documents such as PDFs, slips, signatures, diagrams, and reports.
  • Account and security information for portal or admin access, including login activity, optional passkey credentials, and security-event records.
  • AI governance, audit, and compliance records used to review how our internal systems process information.

3. How We Use Personal Information

We use personal information to:

  • Respond to website enquiries and customer requests.
  • Create and manage quotes, invoices, statements, credit notes, job cards, and workshop records.
  • Diagnose, repair, report on, and support vehicle-related work.
  • Maintain accounting, operational, compliance, and security records.
  • Operate selected AI-assisted features described in our AI Usage Policy.
  • Protect our systems, detect abuse, investigate incidents, and meet legal or regulatory obligations.

4. AI-Assisted Processing

Some workflows use AI-assisted tools to improve operational efficiency and drafting speed. These uses are governed by internal controls, reviewer roles, audit schedules, and feature flags. Examples include drafting, summarisation, structured extraction, reporting assistance, content drafting, and compliance-monitoring support.

  • Licence-disk barcode extraction is handled locally and is not sent to external AI.
  • Some features send selected text or structured context to external AI services where needed for an internal workflow.
  • We aim to minimise the amount of personal information sent externally and keep human review in place for high-impact outputs.
  • Our compliance monitor is an early-warning review tool only. It does not make final legal decisions for us.

5. Sharing and Operators

We do not sell personal information. We may share information with service providers or operators where necessary to run our business systems, communications, security controls, hosting, CAPTCHA protection, or selected AI-assisted internal workflows. This may include providers such as our hosting and infrastructure partners, email and operational service providers, Cloudflare Turnstile for spam protection on website forms, and OpenAI for selected internal AI-assisted features.

Where an operator processes information on our behalf, we aim to limit the data shared to what is reasonably necessary for the purpose.

6. Cross-Border Processing

Some service providers we use may process or store information outside South Africa. Where cross-border processing is involved, we assess the use case as part of our compliance and vendor review process and aim to apply reasonable safeguards consistent with POPIA.

7. Security Measures

We use layered security controls to protect information, including appropriate access restriction, HTTPS in transit, secure authentication controls, AI monitoring, audit logging, compliance reviews, and encryption for sensitive stored payloads such as key document blobs and AI raw response data. No security measure is perfect, but we work to reduce risk and improve controls over time.

8. Retention

We keep records for as long as reasonably necessary for platform operations, accounting, legal, security, backup, and compliance purposes. Retention periods can differ depending on the type of record, the purpose for which it was collected, and any legal obligations that apply. More detail is set out in our Data Processing and Retention Policy.

9. Cancellation and Deletion Requests

To cancel future billing, sign in and go to Account > Businesses, then use Cancel Billing for the relevant business subscription. If you cannot access your account or need help cancelling, email info@sumtra.app from the account owner's email address.

To ask for deletion of personal information or business data, use the account deletion option where available or email info@sumtra.app. We may need to verify your identity and authority over the relevant business before processing the request.

10. Your POPIA Rights

Subject to applicable law, you may ask us to access, correct, update, or delete personal information we hold about you, or to object to or restrict certain processing. You may also raise a complaint with the Information Regulator of South Africa if you believe your information has been handled unlawfully.

To make a request, email info@sumtra.app.

11. Product Feedback

You may send product recommendations, improvement ideas, or feature requests to info@sumtra.app. Please avoid sending confidential customer information unless it is necessary for support.

12. Related Policies

This policy should be read with our AI Usage Policy, Data Processing and Retention Policy, PAIA / POPIA Manual, Cookie Policy, and Terms of Service.

13. Policy Updates

We may update this policy from time to time as our systems, service providers, or legal obligations change. The latest version will be published on this page with the updated date.
