Privacy Policy

How we collect, use, and protect your information

Updated: 15 July 2026

TOOLFlow Solutions ("we", "us", "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the TOOLFlow application ("Service" or "the App", as the context requires). This policy is compliant with the Protection of Personal Information Act, No. 4 of 2013 ("POPIA") of the Republic of South Africa.

1. Information We Collect

1.1 Information You Provide

Data TypeExamplesPurpose
Account informationEmail address, company name, store/location namesAccount creation and management
User profilesAdmin usernames, worker namesUser management and activity logging
Tool & material dataItem names, descriptions, quantities, prices, barcodes, photosCore inventory tracking functionality
Transaction dataCheck-in/out records, transfers, timestamps, user associationsActivity tracking and reporting
Client informationClient names, project/part numbersClient tracking and cost reporting
Custom field dataMachine names, job numbers, or other custom data you configureCustom tracking fields you define
FeedbackMessages submitted through the feedback featureProduct improvement and support

1.2 Information Collected Automatically

We do not collect Global Positioning System ("GPS") location data, contacts, or any data from your device beyond what you explicitly enter into the app.

2. How We Use Your Information

We use your information solely to:

We are committed to safeguarding your personal information. Accordingly, we will not sell, rent, or trade your personal data to any third parties, nor will we use your information for advertising or marketing purposes.

The only exception is referral sharing with your explicit consent: if, during registration, you indicate that you heard about TOOLFlow through one of our distribution partners and you expressly consent by ticking the corresponding checkbox, we will share your name, email address and company name with that selected distributor only, for the sole purpose of enabling them to contact you about quotations and support. This sharing occurs once, only with the distributor you selected, and only with your explicit, recorded consent. If you do not tick the checkbox, no details are shared with any distributor.

3. Data Storage & Third-Party Services

3.1 Third-Party Service Providers

Your data is stored using the following third-party services:

ServiceProviderPurposeLocation
Firebase Realtime DatabaseGoogle LLCData storageUnited States
Firebase AuthenticationGoogle LLCUser authenticationUnited States
Firebase Cloud FunctionsGoogle LLCEmail sending, scheduled tasksUnited States (us-central1)
Gmail SMTPGoogle LLCTransactional email deliveryUnited States
NetlifyNetlify Inc.Application hostingGlobal CDN
PayFastPayFast (Pty) LtdPayment processingSouth Africa
Payment merchant of recordCFAM Agritech (Pty) LtdMerchant of record for subscription payments made via PayFastSouth Africa

3.1.1 Payments and Merchant of Record

Subscription payments are processed by PayFast (Pty) Ltd, with CFAM Agritech (Pty) Ltd acting solely as the merchant of record. This means that when you pay for a subscription, your name, email address, and transaction details (amount, date, and payment reference) are received by CFAM Agritech (Pty) Ltd for the sole purposes of payment processing, accounting, and compliance with tax and other legal obligations. CFAM Agritech (Pty) Ltd's name (or its registered trading name) may appear on the PayFast checkout page and on your bank or card statement.

For clarity: CFAM Agritech (Pty) Ltd is not the owner or operator of TOOLFlow and does not control your data. TOOLFlow Solutions remains the responsible party for all Personal Information processed in connection with the Service. Payment information received by CFAM Agritech (Pty) Ltd in its capacity as merchant of record is never used for marketing purposes, and this payment flow is entirely independent of any referral-sharing consent you may give or decline at registration.

3.2 Cross-Border Processing and Transfers

Personal Information may be transferred to, stored, and processed in jurisdictions outside the Republic of South Africa where our service providers maintain infrastructure or operations.

Such transfers are undertaken in accordance with section 72 of POPIA, and are subject to appropriate contractual, technical and organisational safeguards designed to ensure an adequate level of protection for Personal Information. By using the Service, you acknowledge and consent to such cross-border transfers where required for the provision of the Service.

4. Data Security

4.1 Security Measures to Protect Your Data

4.2 Worker (User Mode) and Sub-Administrator Credentials

Company administrators may create worker and sub-administrator user profiles and assign access credentials for operational use within their organisation. Such credentials are distinct from the primary company account credentials managed through Firebase Authentication.

Access to worker and sub-administrator accounts is subject to technical and organisational safeguards, including authentication controls, role-based permissions, Firebase Security Rules and App Check, and company-level access restrictions designed to prevent unauthorised access to company data.

The company administrator is responsible for selecting, assigning, managing and safeguarding worker and sub-administrator credentials, including ensuring that credentials are appropriate for the intended operational environment, are not shared with unauthorised persons, and are changed or revoked when access is no longer required.

Users should not reuse credentials that are used for other systems, applications or online services.

We implement reasonable security safeguards as contemplated by applicable data protection legislation, including POPIA. However, no method of electronic transmission, storage or processing can be guaranteed to be completely secure, and we cannot warrant or guarantee absolute security of information processed through the Service.

4.3 Customer Security Responsibilities

The registered company administrator is responsible for maintaining the confidentiality of account credentials, assigning appropriate user permissions, promptly disabling access for former employees or contractors, ensuring that passwords are not shared between users, and implementing internal security practices appropriate to its business operations.

We will not be responsible for unauthorised access arising from the customer's failure to safeguard credentials, manage user permissions appropriately, or remove access rights from persons no longer authorised to use the Service.

5. Your Rights Under POPIA

As a data subject under POPIA, you have the right to:

To exercise any of these rights, contact us at support@toolflow.co.za. We will respond to requests relating to personal information within a reasonable period and in accordance with applicable provisions of POPIA.

6. Data Retention

6.1 Retention of Personal Information

6.2 Responsibility for Information Submitted

Customers are solely responsible for ensuring that any personal information uploaded, entered, recorded or otherwise processed through the App has been lawfully collected and may lawfully be processed in accordance with applicable legislation, including POPIA.

We do not verify the legality, accuracy, completeness or lawfulness of information submitted by customers and accept no responsibility for any claim arising from customer-provided information.

7. Cookies & Local Storage

TOOLFlow is a Progressive Web App ("PWA") that uses:

We do not use tracking cookies or third-party advertising cookies.

8. Minors' Privacy

TOOLFlow is a B2B tool-tracking platform intended for use by businesses and their employees aged 18 (eighteen) or older. The person who registers a company account confirms that they are at least 18 (eighteen) years old.

Company administrators who add worker accounts are responsible for ensuring that the workers they add are aged 18 (eighteen) or older, and that the worker has consented to their name and identifying details being recorded in the platform for tool and material tracking purposes.

We do not knowingly collect personal information from persons under the age of 18 (eighteen). If we become aware that data relating to a person under 18 (eighteen) has been entered into the platform, we will remove it promptly on request. Removal requests can be sent to support@toolflow.co.za.

9. Email Communications

We send the following types of emails:

We do not send marketing emails. You can disable stock alert emails by removing your email from the alert configuration in settings on your device.

10. Changes to This Policy

We may update this Privacy Policy from time to time in our sole discretion. We will notify registered users by email of material changes at least 14 (fourteen) days before they take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.

Amendments which are administrative, non-material, beneficial to the user, required by law, or necessary to address security, fraud prevention or operational concerns may become effective immediately upon publication or notification.

The user is responsible for reviewing the most current version of the Privacy Policy from time to time.

The user's continued access to or use of the Service following the effective date of any amendment shall constitute acceptance of the amended Privacy Policy.

11. Security Compromise Notification

11.1 Initial Communication Alert

In accordance with Section 22 of POPIA, if we have reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorised person, we will notify:

The notification will describe (a) the nature of the compromise, (b) what personal information was affected, (c) the steps we have taken to address it, and (d) any steps we recommend you take to protect yourself. We will only delay notification if instructed to do so by law enforcement or if doing so would impede a criminal investigation.

11.2 Incident Containment Measures

In the event of an actual or suspected security compromise, we reserve the right to suspend access to affected accounts, functions, services, databases or infrastructure where reasonably necessary to investigate, contain, mitigate or remediate the incident.

Such temporary suspension shall not constitute a breach of contract and shall not give rise to any claim against us.

12. Limitation of Liability

We implement reasonable technical and organisational safeguards to protect users' personal information in accordance with applicable law. Notwithstanding such safeguards, the customer acknowledges that no information technology system, software platform, communication network, cloud infrastructure, or security measure is capable of guaranteeing absolute security.

To the maximum extent permitted by applicable law, TOOLFlow shall not be liable for any indirect, incidental, consequential, special, punitive, or economic loss arising from any unauthorised access to, acquisition of, disclosure of, alteration of, destruction of, or loss of Personal Information resulting from a security compromise, cyberattack, malicious conduct by a third party, system vulnerability, telecommunications failure, internet outage, force majeure event, or other circumstance beyond TOOLFlow's reasonable control.

Nothing in this Privacy Policy excludes or limits any liability that may not lawfully be excluded or limited under applicable law.

13. Information Officer

In accordance with POPIA, our designated Information Officer can be contacted at:

Email: info@toolflow.co.za
Website: www.toolflow.co.za
Country: Republic of South Africa

If you are not satisfied with our response to a privacy concern, you may lodge a complaint with the Information Regulator of South Africa:

Information Regulator (South Africa)
Address: Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg, 2191
POPIA complaints: POPIAComplaints@inforegulator.org.za
General enquiries: enquiries@inforegulator.org.za
Phone: 010 023 5200 | Toll-free: 0800 017 160
Website: inforegulator.org.za

Back to Home