TOOLFlow Solutions ("we", "us", "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the TOOLFlow application ("Service"). This policy is compliant with the Protection of Personal Information Act, 2013 (POPIA) of the Republic of South Africa.
1. Information We Collect
1.1 Information You Provide
| Data Type | Examples | Purpose |
|---|---|---|
| Account information | Email address, company name, store/location names | Account creation and management |
| User profiles | Admin usernames, worker names | User management and activity logging |
| Tool & material data | Item names, descriptions, quantities, prices, barcodes, photos | Core inventory tracking functionality |
| Transaction data | Check-in/out records, transfers, timestamps, user associations | Activity tracking and reporting |
| Client information | Client names, project/part numbers | Client tracking and cost reporting |
| Custom field data | Machine names, job numbers, or other custom data you configure | Custom tracking fields you define |
| Feedback | Messages submitted through the feedback feature | Product improvement and support |
1.2 Information Collected Automatically
- Device information: Browser type, operating system, screen size (collected with feedback submissions only)
- Usage data: Firebase Analytics may collect general app usage patterns
We do not collect GPS location data, contacts, or any data from your device beyond what you explicitly enter into the app.
2. How We Use Your Information
We use your information solely to:
- Provide and maintain the TOOLFlow service
- Process your account registration and authentication
- Send transactional emails (account approvals, password resets, stock alerts, transfer slips, RFQ emails)
- Generate reports and exports you request
- Respond to your feedback and support requests
- Improve the Service based on usage patterns
We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising purposes.
3. Data Storage & Third-Party Services
Your data is stored using the following third-party services:
| Service | Provider | Purpose | Location |
|---|---|---|---|
| Firebase Realtime Database | Google LLC | Data storage | United States |
| Firebase Authentication | Google LLC | User authentication | United States |
| Firebase Cloud Functions | Google LLC | Email sending, scheduled tasks | United States (us-central1) |
| Gmail SMTP | Google LLC | Transactional email delivery | United States |
| Netlify | Netlify Inc. | Application hosting | Global CDN |
| PayFast | PayFast (Pty) Ltd | Payment processing (future) | South Africa |
By using TOOLFlow, you consent to your data being processed and stored on servers located outside of South Africa, in accordance with Section 72 of POPIA. Google's infrastructure complies with international data protection standards including SOC 2 and ISO 27001.
4. Data Security
We implement the following security measures to protect your data:
- All data transmitted between your device and our servers is encrypted using HTTPS/TLS
- Company account credentials (the email and password used to register the company) are managed by Firebase Authentication, which stores them as salted hashes — we do not have access to the plain-text password
- Firebase App Check is enforced on the database to verify legitimate app access
- Role-based access ensures users can only access data within their company and assigned locations
- Admin passwords are required for management functions inside the app
- Firebase Security Rules restrict database read/write access to authenticated users within their company
Important — worker (User Mode) and sub-admin passwords: Passwords for worker accounts and additional sub-admin accounts that are created by a company administrator inside the app are currently stored in our Realtime Database in clear text rather than as hashes. These passwords are short, in-shop credentials chosen by the administrator (not the company-account-registration password) and are protected by Firebase Security Rules and App Check, but they do not have the same protection as the Firebase-Authentication-managed company password. We are working to migrate these credentials to a hashed storage scheme. In the meantime, we recommend that administrators use simple, non-reused passwords for worker accounts, and that you do not use a worker password that is the same as a password used elsewhere.
While we take reasonable steps to protect your information, no electronic system is completely secure. We cannot guarantee absolute data security.
5. Your Rights Under POPIA
As a data subject under the Protection of Personal Information Act (POPIA), you have the right to:
- Access: Request confirmation of what personal information we hold about you
- Correction: Request correction of inaccurate personal information
- Deletion: Request deletion of your personal information (you can delete your account directly from the app)
- Object: Object to the processing of your personal information
- Data portability: Export your data using the CSV export features in the app
- Withdraw consent: Withdraw your consent to processing at any time by deleting your account
To exercise any of these rights, contact us at toolflow.solutions@gmail.com. We will respond within 30 days as required by POPIA.
6. Data Retention
- Active accounts: Your data is retained for as long as your account is active
- Account deleted by you: When you delete your account through the Main Admin panel, all associated data is permanently removed from our database immediately. We cannot recover deleted data.
- Account terminated by us: If we terminate your access under the Terms of Service (for violation, fraud, or payment failure), we may retain your data for up to 30 days to allow you to export it before permanent deletion.
- Cancelled subscriptions: If your subscription lapses, data is retained for up to 30 days to allow for reactivation or export, then permanently deleted.
- Feedback submissions: Retained indefinitely for product improvement purposes. Feedback messages do not contain account credentials and are not linked to tool or material data.
7. Cookies & Local Storage
TOOLFlow is a Progressive Web App (PWA) that uses:
- Firebase Authentication tokens: Stored locally to keep you logged in
- Service Worker cache: For offline functionality and faster loading
We do not use tracking cookies or third-party advertising cookies.
8. Children's Privacy
TOOLFlow is a B2B tool-tracking platform intended for use by businesses and their employees aged 18 or older. The person who registers a company account confirms that they are at least 18 years old.
Company administrators who add worker accounts are responsible for ensuring that the workers they add are aged 18 or older, and that the worker has consented to their name and identifying details being recorded in the platform for tool and material tracking purposes.
We do not knowingly collect personal information from persons under the age of 18. If we become aware that data relating to a person under 18 has been entered into the platform, we will remove it promptly on request. Removal requests can be sent to toolflow.solutions@gmail.com.
9. Email Communications
We send the following types of emails:
- Transactional: Account approvals, password resets, transfer slips, RFQ emails — sent only when triggered by an action you take
- Stock alerts: Low stock email notifications — only if configured by your admin
We do not send marketing emails. You can disable stock alert emails by removing your email from the alert configuration in Settings.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email of material changes at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.
11. Security Compromise Notification
In accordance with Section 22 of the Protection of Personal Information Act (POPIA), if we have reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorised person, we will notify:
- You, the affected user, by email to the address registered on your account, as soon as reasonably possible after the compromise is identified.
- The Information Regulator of South Africa, in accordance with their published notification process.
The notification will describe (a) the nature of the compromise, (b) what personal information was affected, (c) the steps we have taken to address it, and (d) any steps we recommend you take to protect yourself. We will only delay notification if instructed to do so by law enforcement or if doing so would impede a criminal investigation.
12. Information Officer
In accordance with POPIA, our designated Information Officer can be contacted at:
Email: toolflow.solutions@gmail.com
Website: www.toolflow.co.za
Country: Republic of South Africa
If you are not satisfied with our response to a privacy concern, you may lodge a complaint with the Information Regulator of South Africa:
Information Regulator (South Africa)
Address: Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg, 2191
POPIA complaints: POPIAComplaints@inforegulator.org.za
General enquiries: enquiries@inforegulator.org.za
Phone: 010 023 5200 | Toll-free: 0800 017 160
Website: inforegulator.org.za