Privacy

The short version. Our full POPIA manual and PAIA documentation become available when autotax launches publicly. Last updated: May 2026.

What we collect

To prepare and submit your tax return we need your contact details, your South African ID and SARS tax reference number, bank statements you choose to upload, and the categorised transactions we derive from them. For provisional and company returns we also collect your company registration number.

We never ask for or store your SARS eFiling password. We never ask for your online banking credentials.

Where it lives

All personal data is stored in South Africa: Postgres on Fly.io Johannesburg and Cloudflare R2 (JNB region). Sensitive fields are encrypted at the column level with app-layer AES-256-GCM — a database dump alone is useless without the master key, which lives in infrastructure secrets, not source control.
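The column-level scheme described above, as an added illustration that is not autotax's own code: each sensitive value is sealed with AES-256-GCM under a master key loaded from the environment (the variable name AUTOTAX_MASTER_KEY and the table/column/row label used as additional authenticated data are assumptions), and a fresh random nonce is prepended to every stored value so a dump of the column reveals nothing without the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// keyFromEnv loads the 32-byte master key from an environment variable
// (assumed name: AUTOTAX_MASTER_KEY, base64-encoded). The key comes from
// infrastructure secrets at runtime and never appears in source control.
func keyFromEnv(name string) ([]byte, error) {
	raw := os.Getenv(name)
	if raw == "" {
		return nil, fmt.Errorf("%s is not set", name)
	}
	key, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, errors.New("master key must be 32 bytes for AES-256")
	}
	return key, nil
}

// EncryptField seals one column value and returns base64(nonce || ciphertext || tag).
// aad binds the ciphertext to a table/column/row label so a sealed value cannot be
// copied into another row of the database without failing authentication.
func EncryptField(key, plaintext, aad []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce, unique per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, aad) // nonce is stored in front of the ciphertext
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; a wrong key, a tampered value or a
// mismatched aad label fails authentication and returns an error.
func DecryptField(key []byte, stored string, aad []byte) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("stored value too short to hold a nonce")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, aad)
}

func main() {
	key, err := keyFromEnv("AUTOTAX_MASTER_KEY")
	if err != nil {
		// Stand-alone demo only: use a throwaway key when no secret is configured.
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			panic(err)
		}
	}
	aad := []byte("taxpayer.id_number:row-1") // constructed label
	stored, err := EncryptField(key, []byte("CONSTRUCTED-ID-0000"), aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in column:", stored)
	plain, err := DecryptField(key, stored, aad)
	fmt.Println("decrypted:", string(plain), "err:", err)
}
```

Because the nonce is random per value, two identical ID numbers produce different ciphertexts, so the column also leaks no equality information; the cost is that equality lookups must go through a separate blind index rather than the encrypted column itself.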

Bank statement PDFs

Raw PDFs you upload are deleted within 24 hours of successful parsing, enforced by both an R2 lifecycle rule and an explicit cleanup job. Only the derived transaction data is retained.

Forwarded bank emails (Settled Auto)

Auto-tier subscribers can forward bank statement emails to a unique address (e.g. your-id@statements.autotax.co.za). When an email arrives:

  • The PDF attachment is extracted and pushed through the same parser as a manual upload. Original PDFs are deleted within 24 hours of successful parsing.
  • We log a minimal audit record per email: sender domain, subject line, attachment count, parse outcome. We do not store email body text. The audit feed is visible to you on the forwarding page.
  • We never log into your bank, never request your bank credentials, and never receive any email other than what you explicitly forward.
  • You can rotate or revoke the forwarding address at any time from the dashboard. Old addresses stop receiving immediately.

Magic-link approval

When a return is ready for your approval we email a single-use link, valid for 7 days, to your account email. Tapping Approve & file with SARS on the review page is recorded in the audit log with timestamp, IP address and user-agent — that record stands as the legal taxpayer affirmation under the Tax Administration Act.

We never auto-submit a return without your explicit tap on the link.
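The approval-link properties stated above (7-day expiry, single use, audit record with timestamp, IP and user-agent), shown as an added example rather than autotax's own implementation: the raw token goes only into the email, the server persists just its SHA-256 hash, and redeeming it consumes the link and writes the audit entry in the same locked step so a second tap cannot file twice. The in-memory store, type names and the example URL are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// linkTTL matches the 7-day validity window stated in the policy.
const linkTTL = 7 * 24 * time.Hour

type approvalLink struct {
	returnID  string
	expiresAt time.Time
	usedAt    *time.Time // nil until the taxpayer taps Approve
}

// AuditEntry is the record that stands as the taxpayer's affirmation.
type AuditEntry struct {
	ReturnID  string
	At        time.Time
	IP        string
	UserAgent string
}

// LinkStore is a hypothetical in-memory stand-in for the database table.
type LinkStore struct {
	mu    sync.Mutex
	links map[string]*approvalLink // keyed by hex(SHA-256(token)), never the raw token
	Audit []AuditEntry
}

func NewLinkStore() *LinkStore {
	return &LinkStore{links: make(map[string]*approvalLink)}
}

func tokenHash(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Issue creates a 256-bit random token for a return and stores only its hash,
// so a read of the table does not let anyone replay an unused link.
func (s *LinkStore) Issue(returnID string, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.links[tokenHash(token)] = &approvalLink{returnID: returnID, expiresAt: now.Add(linkTTL)}
	return token, nil
}

var (
	ErrUnknownLink = errors.New("unknown approval link")
	ErrExpired     = errors.New("approval link expired")
	ErrAlreadyUsed = errors.New("approval link already used")
)

// Approve redeems the link exactly once: expiry and prior use are checked and the
// link is marked used under the same lock in which the audit entry is written.
func (s *LinkStore) Approve(token, ip, userAgent string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	link, ok := s.links[tokenHash(token)]
	if !ok {
		return "", ErrUnknownLink
	}
	if now.After(link.expiresAt) {
		return "", ErrExpired
	}
	if link.usedAt != nil {
		return "", ErrAlreadyUsed
	}
	used := now
	link.usedAt = &used
	s.Audit = append(s.Audit, AuditEntry{ReturnID: link.returnID, At: now, IP: ip, UserAgent: userAgent})
	return link.returnID, nil
}

func main() {
	store := NewLinkStore()
	now := time.Now()
	token, err := store.Issue("RETURN-demo-1", now) // constructed return id
	if err != nil {
		panic(err)
	}
	fmt.Println("emailed link: https://example.invalid/approve?t=" + token) // hypothetical URL
	id, err := store.Approve(token, "203.0.113.10", "Mozilla/5.0 (demo)", now.Add(time.Hour))
	fmt.Println("first tap:", id, err)
	_, err = store.Approve(token, "203.0.113.10", "Mozilla/5.0 (demo)", now.Add(2*time.Hour))
	fmt.Println("second tap:", err)
}
```

Checking expiry and prior use inside the same critical section is what makes the affirmation unambiguous: two simultaneous taps cannot both succeed, and the audit log ends up with exactly one entry per filed return.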

Who we share it with

The only third party that receives your return data is SARS, via the eFiling system, and only for the purpose of submitting the return. Our sub-processors handle delivery but not business logic:

  • Fly.io (application + Postgres database, Johannesburg)
  • Cloudflare (CDN, R2 object storage, Workers)
  • Brevo (transactional email + inbound parsing for the Auto tier; EU-resident; statement attachments are fetched from Brevo and deleted from our side within 24h of parsing)
  • Anthropic (transaction categorisation; only transaction descriptions and amounts are sent, no identifiers)
  • Sentry (error monitoring, with PII scrubbing)
  • Paystack (payments, ZA)

Each sub-processor is bound by a data-processing agreement that mirrors these commitments.

Retention

Statement PDFs: 24 hours after successful parsing (R2 lifecycle + explicit cleanup).

Derived transactions, returns, and audit logs: 5 years from submission, matching the SARS record-keeping requirement under the Tax Administration Act.

Account profile data (name, email, ID number, tax number) is kept while your subscription is active and for 5 years thereafter so the audit trail remains complete.

Your rights under POPIA

You can request a copy of the personal information we hold on you, correct inaccuracies, delete your account (subject to our legal retention duty for submitted returns), and object to processing. Email contact@2ko.co.za. We respond within 30 calendar days.

Data breaches

If we discover a breach that affects your personal data, we notify you and the Information Regulator of South Africa within 24 hours.

Information Officer

Per POPIA, our Information Officer is the founder, contactable at contact@2ko.co.za. The Information Officer's name and the legal entity will be updated here once the operating Pty Ltd is incorporated.