Privacy Policy
Yieldwise Multi-Tenant Restaurant Operations Platform
INTRODUCTION
[Yieldwise / Legal Entity Name] ("Yieldwise", "we", "us", or "our") is committed to protecting the privacy of all individuals who interact with the Yieldwise platform ("Platform").
This Privacy Policy describes how we collect, use, store, protect, share, and handle personal information in connection with the Platform and our Services, in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA"), the Electronic Communications and Transactions Act 25 of 2002 ("ECT Act"), and other applicable South African law.
INFORMATION OFFICER
- Name: Rickus Ferreira
- Email: admin@yieldwise.co.za
- Postal Address: Somerset West, Western Cape, South Africa
- Information Regulator: www.inforegulator.org.za
- Email: inforeg@justice.gov.za
SCOPE OF THIS POLICY
- (a)natural persons who register for and use the Platform ("Registered Users");
- (b)Authorised Users added to the Platform by a Subscriber;
- (c)individuals whose contact information is uploaded into the Platform by a Subscriber (e.g., supplier contacts added to the Supplier Management module); and
- (d)visitors to our website at [www.yieldwise.co.za].
PERSONAL INFORMATION WE COLLECT
We process the following categories of personal information:
3.1 — Account and Authentication Data
Collected at registration and maintained throughout the subscription:
- Full name
- Business email address
- Encrypted password (hashed; never stored in plain text)
- Profile photo (if uploaded)
- Organisation/entity name and registration details
- Billing address and company registration number
- Subscription tier and account status
Authentication is managed through Supabase Auth, which handles credential storage, session management, and token issuance. Supabase stores authentication data on infrastructure subject to its own security certifications and data processing policies.
3.2 — Business Operational Data
Uploaded or generated by Subscribers and Authorised Users:
- Recipe names, ingredient lists, portion sizes, and preparation notes
- Ingredient costs, supplier pricing, and purchase unit data
- Stock par levels, stock-take records, and variance data
- Supplier names, contact details, and delivery/pricing history
- Roster data: staff names, scheduled hours, and role assignments
- Dish and menu structure data
3.3 — Session, Cookie, and Technical Data
Collected automatically when you access the Platform:
| Data Type | Description |
|---|---|
| Bootstrap API Cookies | current_entity_id, current_site_id, and current_view_key — functional cookies essential to Platform operation. |
| IP address / geolocation | Approximate location (country/city level). |
| Browser & device | Browser type, version, OS, device type, and screen resolution. |
| Session logs | Duration and page/feature access logs. |
| Error & performance telemetry | Error logs used to diagnose platform issues. |
3.4 — Communications Data
- Support queries, feedback, or complaints submitted to the Operator
- Email correspondence between you and the Operator
3.5 — Data We Do NOT Collect
HOW WE COLLECT PERSONAL INFORMATION
We collect personal information through the following channels:
| Channel | Description |
|---|---|
| Direct input | Information you provide when registering, creating your organisation, completing your profile, or using Platform features. |
| Authorised User provisioning | Information added by a Subscriber when onboarding their team members. |
| Automated collection | Technical and session data collected via the Bootstrap API, server logs, and cookies when you access the Platform. |
| Third-party infrastructure | Authentication and session telemetry from Supabase's auth services. |
PURPOSE AND LEGAL BASIS FOR PROCESSING
We process your personal information for the following purposes and on the following legal bases under POPIA:
| Purpose | Legal Basis (POPIA s.11) |
|---|---|
| Account creation, authentication, and session management | Contractual necessity |
| Provision and delivery of the Services | Contractual necessity |
| Resolution of organisational context via Bootstrap API | Contractual necessity |
| Billing, invoicing, and subscription management | Contractual necessity / Legal compliance |
| Platform security monitoring and fraud prevention | Legitimate interest |
| Technical troubleshooting and platform improvement | Legitimate interest |
| Responding to support queries and communications | Contractual necessity |
| Aggregate, anonymised analytics for product development | Legitimate interest |
| Compliance with legal obligations (POPIA, ECT Act, SARS) | Legal compliance |
| Service-related communications (account notices, updates) | Contractual necessity |
| Marketing communications | Consent |
COOKIES AND SESSION TECHNOLOGY
6.1 — Functional Cookies (Strictly Necessary)
The Platform uses the following functional cookies that are essential for Platform operation and cannot be disabled without disrupting core functionality:
| Cookie | Purpose |
|---|---|
current_entity_id | Stores your active Entity context resolved by the Bootstrap API. |
current_site_id | Stores your active Site context for data scoping and navigation. |
current_view_key | Stores your active navigation/view preference. |
| Supabase auth session token | Maintains your authenticated session. |
These cookies are session-scoped and/or short-lived. They do not track you across third-party websites and are used solely to provide the Services you have requested.
6.2 — Analytics and Performance Cookies
6.3 — No Third-Party Advertising Cookies
DATA SHARING AND DISCLOSURE
7.1 — We Do Not Sell Your Data
We do not sell, rent, lease, or trade your personal information to any third party for their own marketing or commercial purposes.
7.2 — Service Providers and Operators (POPIA Operators)
We may share personal information with third-party service providers ("Operators" under POPIA) who process data on our behalf, strictly to provide the Services:
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, storage | USA (with data transfer safeguards) |
| [Hosting/CDN Provider] | Platform hosting and content delivery | [Location] |
| [Email Provider] | Transactional email delivery | [Location] |
| [Payment Gateway — if applicable] | Subscription billing processing | [Location] |
7.3 — Legal Disclosure
We may disclose personal information where required by law, court order, or lawful government or regulatory authority request, including compliance with POPIA enforcement, SARS or other lawful tax authority requests, or response to a court order, subpoena, or other lawful legal process. We will, where legally permissible, notify you of such disclosures.
7.4 — Business Transfers
In the event of a merger, acquisition, sale of substantially all assets, or business restructuring, personal information held by the Operator may be transferred to the successor entity. We will notify affected Subscribers and provide an opportunity to opt out where feasible and required by law.
7.5 — No Sharing Between Tenants
We implement Row-Level Security (RLS) at the database layer to ensure that data belonging to one Entity is not accessible to another Entity on the Platform. Internal data access within an Entity is governed by the Subscriber's own role assignment decisions.
DATA SECURITY
8.1 — Technical Measures
| Measure | Description |
|---|---|
| Encryption in transit | All data transmitted between your device and the Platform is encrypted using TLS/HTTPS. |
| Encryption at rest | Personal information stored in the Platform's database is encrypted at rest by the underlying infrastructure provider (Supabase). |
| Row-Level Security (RLS) | Database-layer policies enforce tenant and role-based data isolation. |
| Hashed credentials | User passwords are never stored in plain text and are hashed using industry-standard algorithms managed by Supabase Auth. |
| Access controls | Access to production systems is limited to authorised Operator personnel on a need-to-know basis. |
8.2 — "As Is" Security Acknowledgement
DATA RETENTION
We retain personal information for no longer than is necessary for the purposes for which it was collected, subject to applicable legal retention obligations.
| Category | Retention Period |
|---|---|
| Account and authentication data | Duration of subscription + 3 years |
| Business operational data (recipes, stock, rosters) | Duration of subscription + 30 days post-termination (available for export) |
| Session and technical log data | 12 months |
| Support communications | 3 years from resolution |
| Financial/billing records | 5 years (as required by tax and accounting legislation) |
YOUR RIGHTS UNDER POPIA
As a data subject under POPIA, you have the following rights in respect of your personal information:
| Right | Description |
|---|---|
| Right of Access (s.23) | Request confirmation of whether we hold your personal information and access to that information. |
| Right to Correction/Deletion (s.24) | Request correction of inaccurate, incomplete, misleading, or outdated information, or deletion where processing is unlawful. |
| Right to Object (s.11(3)) | Object to the processing of your personal information, subject to lawful overriding grounds. |
| Right to Withdraw Consent | Where processing is based on consent, withdraw it at any time (this does not affect prior processing). |
| Right to Complain | Lodge a complaint with the Information Regulator if you believe your rights have been infringed. |
DATA SUBJECTS OTHER THAN REGISTERED USERS
11.1 — Supplier and Contact Data
Subscribers may input the names, email addresses, phone numbers, and business details of their suppliers and other contacts into the Platform's Supplier Management module. In doing so:
- (a)the Subscriber acts as the Responsible Party for that third party's personal information;
- (b)the Subscriber warrants that they have a lawful basis under POPIA to provide such contact information to the Platform;
- (c)Yieldwise processes this data as an Operator on behalf of the Subscriber, solely to provide the Services.
11.2 — Staff Roster Data
Roster and scheduling data (staff names, shift hours, role assignments) input into the Platform constitutes personal information of the Subscriber's employees. The Subscriber is responsible for:
- (a)obtaining lawful authority to process their employees' data through the Platform;
- (b)ensuring their staff are informed of the Platform's use and this Privacy Policy to the extent required by POPIA; and
- (c)ensuring that only minimum necessary employee data is entered into the Platform.
CHILDREN
CROSS-BORDER TRANSFERS
- (a)transferring to jurisdictions that have been assessed to provide an adequate level of protection;
- (b)implementing appropriate contractual safeguards; or
- (c)relying on the consent of the data subject.
CHANGES TO THIS PRIVACY POLICY
GOVERNING LAW
CONTACT US
For all privacy-related queries, data subject rights requests, or breach notifications, please contact our Information Officer:
[Yieldwise / Legal Entity Name]
Information Officer: [Name]
Email: privacy@yieldwise.app
Postal Address: [●]
Website: www.yieldwise.app
This Privacy Policy was last updated on [Insert Date]. For our Terms of Use, please visit yieldwise.app/terms.
