
Privacy notice

How Imali handles your data, in plain English. Built around the Protection of Personal Information Act (POPIA, Act 4 of 2013) and the regulations issued by the Information Regulator of South Africa.

Last updated · 12 May 2026 · v1.1

1. Summary, in one breath

You message Imali on WhatsApp. We log your business transactions, generate reports, and (with your separate, opt-in consent) share aggregated or anonymised signals with lenders you choose to work with. We don’t sell your data. We don’t set third-party trackers or pixels on this site. We don’t use your data to train third-party AI models.

Some of our processing happens outside South Africa — the EU (Render, Cloudflare) and the United States (Neon Postgres, OpenAI for OCR and language understanding, Sentry for error monitoring). We disclose this at the consent step at onboarding, and you consent specifically to it then under POPIA Section 72(1)(a).

If something on this page is unclear, write to imali@ebstar.co and a human will reply within one business day.

2. Information Officer

Under POPIA Section 56, every responsible party in South Africa must designate an Information Officer. For Imali, that’s:

Name: Ebenezer Tarubinga
Role: Founder & Information Officer
Email: imali@ebstar.co
Fallback: contact@ebstar.co
Postal: By request, on registered mail only. We don’t publish a physical address while pre-seed.
Registration: Application for Information Officer registration with the Information Regulator was submitted on 12 May 2026 in accordance with Regulation 4 of the Regulations Relating to the Protection of Personal Information, 2018 (GG 42110). The Regulator’s reference number will be inserted here within 5 business days of issue.

3. What we collect

We collect only what we need to run the service you’re using.

a. Account & identity

  • WhatsApp phone number (your account identifier). We hold the number in clear text in the operational database because we need to message you back; only the analytics warehouse holds a salted HMAC-SHA256 hash of it.
  • Business name & sector (you tell us during onboarding)
  • Preferred language (English, isiZulu, isiXhosa)
  • Default currency & province (ZAR / Gauteng / Western Cape, etc.)

b. Business transactions

  • Income & expense entries you log via WhatsApp message or voice note. Voice notes are transcribed by OpenAI Whisper in the USA; the audio is discarded once the transcription is returned.
  • Invoice line items, totals, and the customer names / contact details you enter
  • Inventory items, stock counts, supplier names
  • Photos of supplier receipts. Each photo is sent to OpenAI Vision (GPT-4o-mini) in the USA for OCR, and the image is retained in encrypted Cloudflare R2 storage so we can re-process if the OCR misreads. You can wipe every receipt we hold by replying stop on WhatsApp (which deletes the whole account), or request deletion of an individual receipt by replying fix on WhatsApp.
  • Free-text questions you ask Imali (“how much did I make this week?”, “who owes me money?”) together with the specific transaction, invoice or inventory rows needed to answer them. These are sent to OpenAI in the USA for language understanding only; OpenAI does not use them to train its models, per our API agreement.
  • SARS Turnover Tax categorisations (income / qualifying / disqualified per the SARS schedule)

c. Payment data (Premium tier only)

  • Subscription status, plan, and billing history
  • Card details are never stored by Imali — they live with our payment processor (Peach Payments or Stitch, depending on your region)

d. Technical data

  • WhatsApp message metadata (timestamps, delivery status — needed for the bot loop)
  • Server logs (kept for 30 days for debugging and abuse detection)
  • Aggregate usage analytics (count of messages, error rates — no per-merchant breakdown stored beyond 90 days)

4. Why we collect it (lawful basis & purpose limitation)

POPIA Section 11 requires a lawful basis for every category of processing. Ours, in order of importance:

Explicit consent: You opt in by replying to our POPIA consent prompt during onboarding. You can withdraw consent at any time by replying stop on WhatsApp, which deletes your account within 72 hours.
Performance of contract: Running the bookkeeping service you asked for — logging transactions, generating PDFs, computing tax.
Legitimate interest: Detecting abuse (e.g. someone using Imali to launder transaction data) and improving the product (debugging crashes, fixing OCR misreads on SA handwriting).
Legal obligation: SARS & FICA record-keeping; complying with NCR / POPIA / SARB reporting where applicable.

Credit signals and FMCG data sharing are separate, opt-in flows. Neither is enabled by default. If you opt in to share an alternative-data credit profile with a lender partner (Lula, Standard Bank, Merchant Capital, Letshego, or others), we disclose the specific lender and the specific signals up front, and you can opt out the same day. Imali is not a credit bureau within the meaning of section 70 of the National Credit Act, 2005 — we do not compile a credit information database. We make introductions; the lender runs its own credit assessment under its own NCR registration.

Proactive WhatsApp messages. While your account is active we send the following automated messages as part of the service you signed up for (POPIA Section 69(3)(c)):

  • A weekly Monday-morning nudge (Free tier) reminding you to log the previous week.
  • A weekly transactional summary on Mondays (Starter tier and above).
  • A monthly PDF report on the 1st of each month (Starter tier and above).

You can stop all of these at any time by replying nudges off on WhatsApp. Reply nudges on to resume them, or cancel the subscription to stop them altogether.

5. How long we keep it

POPIA Section 14 requires us to keep your data only as long as it’s needed. Practically:

Active account: As long as your WhatsApp account is enrolled and you’re using the service.
After deletion request: Transaction records, OCR images, and message content are removed within 72 hours. Hashed identifiers stay in aggregate analytics for up to 90 days.
Tax records: Where SARS or FICA require it, we retain transaction records for 5 years from the end of the relevant tax year. After that window, they’re deleted unconditionally.
Server logs: 30 days. Errors and abuse events that lead to an investigation can be retained for a further 12 months.
Credit signals shared with a lender: Once shared, the lender becomes a separate responsible party for that copy. We delete our copy on the same schedule as your account.

6. Where the data lives

Imali is hosted across the providers below. Some sit in jurisdictions the Information Regulator recognises as offering adequate protection (the EU under GDPR); others sit in the United States, which does not have a POPIA adequacy decision. For the United States providers, your data crosses the border on the basis of (a) your specific opt-in consent at the onboarding consent step (POPIA Section 72(1)(a)) and (b) the processing being necessary to perform the service you asked for (POPIA Section 72(1)(b)). We have signed Data Processing Addenda (or equivalent operator agreements under POPIA Section 20) with each of them.

Layer | Provider | Region | POPIA §72 basis
--- | --- | --- | ---
Application backend | Render | Frankfurt, EU | Adequacy (EU GDPR)
Database | Neon Postgres | AWS us-east-1, USA | Consent + contractual necessity
Cache / session state | Upstash Redis | AWS, USA | Consent + contractual necessity
File storage (receipts) | Cloudflare R2 | Default jurisdiction (global CDN) | Consent + contractual necessity; AES-256 at rest
OCR & language understanding | OpenAI (GPT-4o-mini, Whisper) | USA | Consent + contractual necessity; no training use per API agreement
Background workers | Inngest | USA | Consent + contractual necessity
Error monitoring | Sentry | USA | Consent + contractual necessity; PII scrubbed pre-send
Log ingestion | Axiom | USA | Consent + contractual necessity; PII scrubbed pre-send
WhatsApp transit | Meta Cloud API | Multi-region | Meta is a separate responsible party for message transport
Marketing site (this page) | Vercel | Global CDN | No merchant data served from this host

Where a provider is outside an adequate jurisdiction, our agreement with them contains contractual protections substantially equivalent to POPIA Chapter 3 (Standard Contractual Clauses or supplier-equivalent operator obligations under POPIA Section 20). If we add, remove or replace a sub-processor, we update this page within 14 days and message existing merchants in advance of any material change.

7. Security

POPIA Section 19 says we must take “appropriate, reasonable” technical and organisational measures. Specifically:

  • TLS 1.3 in transit for every connection between WhatsApp, our backend, and our database.
  • AES-256 at rest for the database and file storage. Keys are rotated quarterly.
  • HMAC-SHA256 signature verification on every inbound WhatsApp webhook. A request without a valid signature is rejected at the edge.
  • Salted, peppered phone hashing (HMAC-SHA256) for analytics — we don’t store raw phone numbers in any analytics surface.
  • K-anonymity ≥ 50 on every aggregate query exposed to a partner. No FMCG or lender API can resolve a result that would identify a single merchant.
  • Least-privilege access: only the founder currently has production database access, and queries are logged. As the team grows, we add SCIM & SSO before any new engineer gets shell.
  • Vulnerability monitoring via Sentry + GitHub Advanced Security. CVEs in dependencies are patched on a working-day SLA where reachable.
  • Backups via Neon point-in-time restore (7-day window). Backups inherit the same encryption posture as the live database.
  • Founder-level read access is audit-logged. Every time the founder views your data through the admin impersonation flow, an immutable record is written to a separate audit table with the timestamp, the action, the IP address, and a mandatory reason string. Retention is 12 months. The record is surfaced on request as part of a POPIA Section 23 access request.
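As an added illustration in Python (not Imali's own code) of three of the measures above: constant-time HMAC-SHA256 verification of Meta's X-Hub-Signature-256 webhook header, the salted and peppered HMAC-SHA256 phone pseudonym used for analytics, and k ≥ 50 suppression on an aggregate query before it reaches a partner. The secrets, salt, function names and sample rows are constructed placeholders; only the header format is Meta's documented one.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed placeholder secrets for this example only; in production both
# come from a secret manager, never from source control or the database.
APP_SECRET = b"constructed-whatsapp-app-secret"
PHONE_PEPPER = b"constructed-analytics-pepper"

def sign_body(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Header value Meta sends: "sha256=" + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_webhook_signature(raw_body: bytes, header: str, secret: bytes = APP_SECRET) -> bool:
    """Reject the request before the JSON is parsed unless X-Hub-Signature-256
    matches. compare_digest is constant-time, so response timing leaks nothing."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(raw_body, secret), header)

def phone_pseudonym(e164_number: str, salt: bytes, pepper: bytes = PHONE_PEPPER) -> str:
    """Salted, peppered HMAC-SHA256 of a phone number for the analytics
    warehouse. The salt is stored with the data; the pepper lives only in the
    app's secret store, so a leaked warehouse alone cannot be brute-forced
    against the small space of SA mobile numbers."""
    return hmac.new(pepper, salt + e164_number.encode(), hashlib.sha256).hexdigest()

def k_anonymous_totals(rows, group_field: str, k: int = 50) -> dict:
    """Sum `amount` per group, omitting any group backed by fewer than k
    distinct merchants. Suppressed groups are dropped entirely: emitting a
    zero or a flag would still reveal that a small group exists."""
    merchants, totals = defaultdict(set), defaultdict(float)
    for row in rows:
        merchants[row[group_field]].add(row["merchant_id"])
        totals[row[group_field]] += row["amount"]
    return {g: round(totals[g], 2) for g in totals if len(merchants[g]) >= k}

# Constructed sample rows: 60 spaza merchants and 5 salons, one entry each.
SAMPLE_ROWS = [{"merchant_id": f"m{i}", "sector": "spaza", "amount": 100.0} for i in range(60)]
SAMPLE_ROWS += [{"merchant_id": f"s{i}", "sector": "salon", "amount": 900.0} for i in range(5)]

if __name__ == "__main__":
    body = b'{"object":"whatsapp_business_account","entry":[]}'
    print(verify_webhook_signature(body, sign_body(body)))       # True
    print(verify_webhook_signature(body, "sha256=" + "0" * 64))  # False
    print(phone_pseudonym("+27820000000", b"constructed-salt")[:16])
    print(k_anonymous_totals(SAMPLE_ROWS, "sector"))             # {'spaza': 6000.0}
```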

Breach notification

If we have reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorised person, then in line with POPIA Section 22 we will:

  1. Notify the Information Regulator as soon as reasonably possible, in the form prescribed under POPIA Section 22(5);
  2. Notify you by WhatsApp message and (where we have it) by email, as soon as reasonably possible, with: a description of the possible consequences, what we have done or intend to do in response, what you can do to mitigate harm, and the identity of the unauthorised person where known;
  3. Where the Regulator directs, post a notice on this page or in another publicly accessible form.

We will delay notification only where law enforcement or the Regulator directs us to under POPIA Section 22(3), and then for no longer than is reasonable.

8. Your rights

POPIA Sections 23 to 25 give every data subject a set of rights. You can exercise any of them by replying with the matching command on WhatsApp, or by emailing imali@ebstar.co. Where the request involves a data export or correction, we verify identity by email before any data moves (POPIA Section 23(3)).

Access (POPIA s23): Reply my data on WhatsApp. We acknowledge instantly and email you a PDF of everything we hold within 72 hours (after identity verification).
Correction (POPIA s24): Reply fix on WhatsApp and we’ll guide you through the correction by email. Common cases (wrong category, wrong currency, duplicate entry) we resolve within 72 hours.
Deletion (POPIA s24): Reply stop or delete on WhatsApp. Account and content are removed within 72 hours, subject to the SARS retention window above.
Portability: Reply export on WhatsApp. We email you a CSV plus a PDF of your records within 72 hours (after identity verification).
Objection (POPIA s11(3)): Reply opt out on WhatsApp to stop any specific processing (credit signals, FMCG aggregates, marketing) while keeping the underlying service active. Reply nudges off for the lighter case of just stopping proactive Monday messages.
Automated decisions (POPIA s71): Imali does not make solely-automated decisions about you. Engagement signals we generate are advisory only; the actual credit decision belongs to the lender.

9. Cookies & trackers on this site

This marketing site (imali.ebstar.co) sets a tiny number of cookies, all strictly necessary or first-party. There are no Meta pixels, no Segment, no Hotjar, and no session-replay scripts. We don’t buy or run ad attribution.

  • theme — remembers your light/dark preference. First-party. Expires when you clear browser data.
  • imali_session — set only if you sign in to the analytics dashboard. Strictly necessary; expires 24h after last activity.
  • No third-party cookies. No cookies set on the public pages until you choose to sign in.

Server logs at the CDN edge (Vercel) record anonymised request metadata for 24 hours; we don’t join those logs to anything else.

10. Data Processing Addendum (DPA)

If you’re a B2B partner (lender, FMCG, distribution channel) and Imali is processing personal information on your behalf, or you’re receiving aggregated signals from us, we sign a standard Data Processing Addendum before any data moves.

Our template DPA covers POPIA Sections 19 (security), 20 (operator obligations), 21 (notification of breach), 71 (third-party processors) and 72 (cross-border transfers). It includes Standard Contractual Clauses for any non-South-African sub-processor.

Request the template from imali@ebstar.co or your usual partnerships contact. We sign per-counterparty, not via clickwrap.

Current sub-processors (every one of these has a signed DPA or operates under standard SCC):

  • Meta / WhatsApp Business API — message transport (multi-region)
  • Render — application hosting (Frankfurt, EU)
  • Neon — managed Postgres (AWS us-east-1, USA)
  • Upstash — managed Redis for session and dedup state (AWS, USA)
  • Cloudflare R2 — encrypted file storage (default jurisdiction; AES-256 at rest)
  • OpenAI — OCR (GPT-4o-mini Vision), language understanding (GPT-4o-mini), and voice note transcription (Whisper). Receipt images, message text, free-text questions and voice audio sent to OpenAI are not used to train OpenAI models per our API agreement.
  • Inngest — background job orchestration; receives full inbound WhatsApp message payloads for processing (USA)
  • Sentry — error monitoring (USA; PII scrubbed before send)
  • Axiom — log ingestion (USA; PII scrubbed before send)
  • Vercel — marketing site & web dashboard hosting (global CDN)
  • Peach Payments / Stitch — payment processing (Premium tier only; SA-resident)
  • Frankfurter / ECB — FX rates (no personal data sent)

11. PAIA Manual

Section 51 of the Promotion of Access to Information Act, 2000 (PAIA) requires every private body to publish an Information Manual setting out the records it holds and the procedure for requesting access. Section 51(3), read with the Minister’s exemption notice GN 1383 of 21 November 2022 (as in force on this date), exempts private bodies with annual turnover below R2 million and fewer than 50 employees from the publication requirement.

Imali falls within that exemption and accordingly does not currently publish a PAIA Manual. We will publish one when the exemption ceases to apply. In the interim, PAIA requests can be sent to imali@ebstar.co and will be processed in accordance with PAIA Chapter 4 (private body access).

12. Complaints

If you think we’ve mishandled your data and emailing us didn’t resolve it, you can lodge a complaint with the Information Regulator of South Africa:

Information Regulator: JD House, 27 Stiemens Street, Braamfontein, Johannesburg 2001
Phone: +27 (0) 10 023 5200
Email: complaints.IR@justice.gov.za
Web: inforegulator.org.za

13. Changes & how to reach us

When we change this notice in a way that affects how we handle your data, we’ll message you on WhatsApp before the change takes effect. Versioned diffs are kept and available on request.

For anything else — questions, requests, complaints, or to be put through to a human:

imali@ebstar.co · replies within one business day, usually faster.

Imali is a product by Ebstar (Ebenworks group). Built between Seoul and Johannesburg. Operating under South African law; the company entity that contracts with merchants is disclosed on request.

See also: Terms of service.