Tap2CRM is committed to protecting your personal information. This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and your rights in relation to it. It applies to all users of the Tap2CRM platform and website at tap2crm.co.za.
1. Who We Are (Responsible Party)
Tap2CRM is the Responsible Party for personal information collected through this platform, as defined under the Protection of Personal Information Act 4 of 2013 ("POPIA").
Contact details:
Email: info@devrocket.co.za
Website: https://tap2crm.co.za
2. What Personal Information We Collect
2.1 Account & Billing Information
When you register and subscribe, we collect:
- Name and email address of the account owner and team members;
- Business name and workspace subdomain;
- Billing information — payment is processed by PayFast and we do not store card details ourselves;
- IP address, browser, and device information at login.
2.2 WhatsApp Credentials & Configuration
To connect your WhatsApp Business Account, we store:
- Your WhatsApp Business Account ID (WABA ID) and Phone Number ID;
- Your WhatsApp access token — stored AES-256 encrypted at rest;
- Your webhook verify token — stored encrypted at rest.
2.3 Customer Data (Your Contacts)
When your customers message you via WhatsApp, we store on your behalf:
- Phone numbers and display names provided by WhatsApp;
- Message content (text, media references, templates);
- Timestamps, delivery and read statuses;
- Any additional contact information you manually add (email, notes, tags).
This data belongs to you. You are the Responsible Party for your customers' data. We process it only as your Operator under POPIA on your documented instructions (i.e. your use of the platform).
2.4 Usage & Technical Data
- Log files including IP addresses, HTTP request details, and error information;
- Session data stored in the database;
- Inbound webhook payloads from Meta (stored temporarily for processing and debugging).
3. How We Use Your Personal Information
We use personal information to:
- Provide, operate, and maintain the Tap2CRM service;
- Process payments and manage your subscription;
- Authenticate users and maintain account security;
- Send transactional communications (invoices, account alerts, password resets);
- Diagnose errors and improve platform reliability;
- Comply with legal obligations under South African law.
We do not sell, rent, or trade your personal information or your customers' data to any third party.
We do not use your customers' WhatsApp message content for advertising, profiling, or any purpose other than providing the service to you.
4. Legal Basis for Processing (POPIA)
We process personal information on the following grounds:
- Contractual necessity — to fulfil our obligations under our Terms of Service;
- Legitimate interest — for security, fraud prevention, and service improvement;
- Legal obligation — where required by South African law;
- Consent — where you have explicitly provided it (e.g. marketing communications, if applicable).
5. Third-Party Service Providers
We share personal information with the following categories of third parties, strictly as necessary to provide the service:
| Provider | Purpose | Data shared |
|---|---|---|
| Meta Platforms, Inc. | WhatsApp Business Cloud API | Message content, phone numbers, WABA credentials |
| PayFast (DPO PayGate) | Payment processing | Name, email, subscription amount |
| Hosting provider | Infrastructure & database hosting | All platform data (encrypted at rest) |
All third-party providers are required to process personal information only as instructed and in a manner consistent with POPIA.
6. WhatsApp & Meta
By using Tap2CRM, your WhatsApp message data passes through Meta's infrastructure. Meta's collection and use of data is governed by Meta's own Privacy Policy and Business Policy. You are responsible for informing your own customers that their messages are handled via the WhatsApp Business Cloud API.
7. Data Security
We implement appropriate technical and organisational measures to protect personal information against loss, unauthorised access, disclosure, or destruction, including:
- AES-256 encryption of WhatsApp credentials at rest;
- PostgreSQL Row Level Security (RLS) enforcing strict tenant data isolation at the database level;
- HTTPS (TLS) encryption for all data in transit;
- HMAC-SHA256 signature verification on all inbound WhatsApp webhooks;
- Role-based access controls (super admin, admin, agent);
- Bcrypt-hashed passwords.
No method of transmission over the internet is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.
8. Data Retention
We retain personal information for as long as your account is active or as needed to provide the service. Specifically:
- Account data — retained for the duration of your subscription and deleted within 90 days of account termination;
- Customer/contact data — retained as long as your workspace is active; you may delete individual contacts at any time;
- Message data — retained for the duration of your subscription;
- Billing records — retained for 5 years as required by South African tax law;
- Log files — retained for 90 days.
9. Your Rights Under POPIA
As a data subject under POPIA, you have the right to:
- Access — request a copy of the personal information we hold about you;
- Correction — request correction of inaccurate or incomplete personal information;
- Deletion — request deletion of your personal information, subject to our legal retention obligations;
- Objection — object to the processing of your personal information;
- Complaint — lodge a complaint with the Information Regulator of South Africa if you believe your rights have been violated.
To exercise any of these rights, email us at info@devrocket.co.za. We will respond within 30 days.
Information Regulator contact details:
Website: www.justice.gov.za/inforeg
Email: inforeg@justice.gov.za
10. Cookies & Tracking
We use session cookies to maintain your login state. These are essential cookies required for the service to function. We do not use advertising cookies, tracking pixels, or third-party analytics tools that profile your behaviour.
11. Children's Privacy
Tap2CRM is a business-to-business service. We do not knowingly collect personal information from individuals under the age of 18. If you believe we have inadvertently collected such information, please contact us immediately.
12. International Data Transfers
Personal information may be transferred to and processed in countries outside South Africa, specifically by Meta (USA) for WhatsApp API processing and PayFast for payment processing. We ensure that such transfers comply with POPIA's requirements for cross-border data flows.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. Continued use of the service after the effective date constitutes acceptance of the revised policy.
14. Contact Us
If you have any questions or concerns about this Privacy Policy or how we handle your personal information, please contact our Information Officer:
Email: info@devrocket.co.za
Website: https://tap2crm.co.za
This Privacy Policy is governed by the laws of the Republic of South Africa and specifically the Protection of Personal Information Act 4 of 2013 (POPIA).