Back
YieldwiseYieldwise
Version 1.0

Privacy Policy

Yieldwise Multi-Tenant Restaurant Operations Platform

Version 1.0Effective: [Insert Effective Date]Governing Law: Republic of South Africa

INTRODUCTION

[Yieldwise / Legal Entity Name] ("Yieldwise", "we", "us", or "our") is committed to protecting the privacy of all individuals who interact with the Yieldwise platform ("Platform").

This Privacy Policy describes how we collect, use, store, protect, share, and handle personal information in connection with the Platform and our Services, in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA"), the Electronic Communications and Transactions Act 25 of 2002 ("ECT Act"), and other applicable South African law.

By registering for, accessing, or using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal information as described herein. If you are accepting this Privacy Policy on behalf of a legal entity, you warrant that you are authorised to do so and that the entity is bound by its terms.
1

INFORMATION OFFICER

1.1
In terms of POPIA, [Yieldwise / Legal Entity Name] is the Responsible Party for all personal information processed through the Platform.
1.2
Our designated Information Officer can be contacted at:
  • Name: Rickus Ferreira
  • Email: admin@yieldwise.co.za
  • Postal Address: Somerset West, Western Cape, South Africa
1.3
You have the right to submit a complaint to the Information Regulator of South Africa if you believe your personal information rights have been infringed:
  • Information Regulator: www.inforegulator.org.za
  • Email: inforeg@justice.gov.za
2

SCOPE OF THIS POLICY

2.1
This Privacy Policy applies to:
  • (a)natural persons who register for and use the Platform ("Registered Users");
  • (b)Authorised Users added to the Platform by a Subscriber;
  • (c)individuals whose contact information is uploaded into the Platform by a Subscriber (e.g., supplier contacts added to the Supplier Management module); and
  • (d)visitors to our website at [www.yieldwise.co.za].
2.2
This Privacy Policy does not apply to personal information processed by Subscribers about their own customers or end-users through data they input into the Platform. Subscribers are independently responsible for compliance with POPIA and applicable privacy law in respect of their own customers' data.
3

PERSONAL INFORMATION WE COLLECT

We process the following categories of personal information:

3.1Account and Authentication Data

Collected at registration and maintained throughout the subscription:

  • Full name
  • Business email address
  • Encrypted password (hashed; never stored in plain text)
  • Profile photo (if uploaded)
  • Organisation/entity name and registration details
  • Billing address and company registration number
  • Subscription tier and account status

Authentication is managed through Supabase Auth, which handles credential storage, session management, and token issuance. Supabase stores authentication data on infrastructure subject to its own security certifications and data processing policies.

3.2Business Operational Data

Uploaded or generated by Subscribers and Authorised Users:

  • Recipe names, ingredient lists, portion sizes, and preparation notes
  • Ingredient costs, supplier pricing, and purchase unit data
  • Stock par levels, stock-take records, and variance data
  • Supplier names, contact details, and delivery/pricing history
  • Roster data: staff names, scheduled hours, and role assignments
  • Dish and menu structure data

3.3Session, Cookie, and Technical Data

Collected automatically when you access the Platform:

Data TypeDescription
Bootstrap API Cookiescurrent_entity_id, current_site_id, and current_view_key — functional cookies essential to Platform operation.
IP address / geolocationApproximate location (country/city level).
Browser & deviceBrowser type, version, OS, device type, and screen resolution.
Session logsDuration and page/feature access logs.
Error & performance telemetryError logs used to diagnose platform issues.

3.4Communications Data

  • Support queries, feedback, or complaints submitted to the Operator
  • Email correspondence between you and the Operator

3.5Data We Do NOT Collect

We do not collect, store, or process: payment card data; biometric data; criminal records; health or medical information; or special categories of personal information as defined in section 26 of POPIA. Payment processing, if implemented, will be handled exclusively by a PCI-DSS compliant third-party gateway.
4

HOW WE COLLECT PERSONAL INFORMATION

We collect personal information through the following channels:

ChannelDescription
Direct inputInformation you provide when registering, creating your organisation, completing your profile, or using Platform features.
Authorised User provisioningInformation added by a Subscriber when onboarding their team members.
Automated collectionTechnical and session data collected via the Bootstrap API, server logs, and cookies when you access the Platform.
Third-party infrastructureAuthentication and session telemetry from Supabase's auth services.
5

PURPOSE AND LEGAL BASIS FOR PROCESSING

We process your personal information for the following purposes and on the following legal bases under POPIA:

PurposeLegal Basis (POPIA s.11)
Account creation, authentication, and session managementContractual necessity
Provision and delivery of the ServicesContractual necessity
Resolution of organisational context via Bootstrap APIContractual necessity
Billing, invoicing, and subscription managementContractual necessity / Legal compliance
Platform security monitoring and fraud preventionLegitimate interest
Technical troubleshooting and platform improvementLegitimate interest
Responding to support queries and communicationsContractual necessity
Aggregate, anonymised analytics for product developmentLegitimate interest
Compliance with legal obligations (POPIA, ECT Act, SARS)Legal compliance
Service-related communications (account notices, updates)Contractual necessity
Marketing communicationsConsent
5.1
We will not use your personal information for purposes incompatible with those listed above without seeking your consent or without a lawful basis.
6

COOKIES AND SESSION TECHNOLOGY

6.1Functional Cookies (Strictly Necessary)

The Platform uses the following functional cookies that are essential for Platform operation and cannot be disabled without disrupting core functionality:

CookiePurpose
current_entity_idStores your active Entity context resolved by the Bootstrap API.
current_site_idStores your active Site context for data scoping and navigation.
current_view_keyStores your active navigation/view preference.
Supabase auth session tokenMaintains your authenticated session.

These cookies are session-scoped and/or short-lived. They do not track you across third-party websites and are used solely to provide the Services you have requested.

6.2Analytics and Performance Cookies

6.2.1
We may use analytics tools (such as server-side telemetry) to collect aggregated, anonymised usage data. Where such tools use cookies, we will seek your consent in accordance with applicable law.

6.3No Third-Party Advertising Cookies

6.3.1
We do not use third-party advertising cookies, behavioural tracking pixels, or cross-site tracking technologies on the Platform.
7

DATA SHARING AND DISCLOSURE

7.1We Do Not Sell Your Data

We do not sell, rent, lease, or trade your personal information to any third party for their own marketing or commercial purposes.

7.2Service Providers and Operators (POPIA Operators)

We may share personal information with third-party service providers ("Operators" under POPIA) who process data on our behalf, strictly to provide the Services:

ProviderPurposeLocation
Supabase Inc.Database, authentication, storageUSA (with data transfer safeguards)
[Hosting/CDN Provider]Platform hosting and content delivery[Location]
[Email Provider]Transactional email delivery[Location]
[Payment Gateway — if applicable]Subscription billing processing[Location]
7.2.1
All Operators are bound by written data processing agreements that require them to implement appropriate technical and organisational security measures and to process personal information only on our documented instructions.
7.2.2
Where personal information is transferred to Operators outside the Republic of South Africa, we take reasonable steps to ensure that the recipient jurisdiction affords an adequate level of protection, or we implement appropriate contractual safeguards (such as standard contractual clauses) as contemplated by section 72 of POPIA.

7.3Legal Disclosure

We may disclose personal information where required by law, court order, or lawful government or regulatory authority request, including compliance with POPIA enforcement, SARS or other lawful tax authority requests, or response to a court order, subpoena, or other lawful legal process. We will, where legally permissible, notify you of such disclosures.

7.4Business Transfers

In the event of a merger, acquisition, sale of substantially all assets, or business restructuring, personal information held by the Operator may be transferred to the successor entity. We will notify affected Subscribers and provide an opportunity to opt out where feasible and required by law.

7.5No Sharing Between Tenants

We implement Row-Level Security (RLS) at the database layer to ensure that data belonging to one Entity is not accessible to another Entity on the Platform. Internal data access within an Entity is governed by the Subscriber's own role assignment decisions.

8

DATA SECURITY

8.1Technical Measures

MeasureDescription
Encryption in transitAll data transmitted between your device and the Platform is encrypted using TLS/HTTPS.
Encryption at restPersonal information stored in the Platform's database is encrypted at rest by the underlying infrastructure provider (Supabase).
Row-Level Security (RLS)Database-layer policies enforce tenant and role-based data isolation.
Hashed credentialsUser passwords are never stored in plain text and are hashed using industry-standard algorithms managed by Supabase Auth.
Access controlsAccess to production systems is limited to authorised Operator personnel on a need-to-know basis.

8.2"As Is" Security Acknowledgement

While we implement reasonable and industry-standard security measures, no digital platform can guarantee absolute security. The Platform is provided "As Is" without warranty of uninterrupted or breach-free security.
8.2.1
The Operator shall not be liable for any data breach, loss, or unauthorised access resulting from circumstances beyond its reasonable control, including third-party infrastructure incidents or sophisticated cyberattacks, subject to its obligations under applicable law.
8.2.2
In the event of a data breach that is likely to result in material harm to data subjects, the Operator will notify the Information Regulator and affected data subjects in accordance with section 22 of POPIA.
9

DATA RETENTION

We retain personal information for no longer than is necessary for the purposes for which it was collected, subject to applicable legal retention obligations.

CategoryRetention Period
Account and authentication dataDuration of subscription + 3 years
Business operational data (recipes, stock, rosters)Duration of subscription + 30 days post-termination (available for export)
Session and technical log data12 months
Support communications3 years from resolution
Financial/billing records5 years (as required by tax and accounting legislation)
9.1
After the applicable retention period, personal information will be securely deleted or anonymised in a manner that makes re-identification impossible.
9.2
Subscribers may request an export of their operational data within 30 (thirty) days of subscription termination. After this window, the Operator may proceed with secure deletion without further notice.
10

YOUR RIGHTS UNDER POPIA

As a data subject under POPIA, you have the following rights in respect of your personal information:

RightDescription
Right of Access (s.23)Request confirmation of whether we hold your personal information and access to that information.
Right to Correction/Deletion (s.24)Request correction of inaccurate, incomplete, misleading, or outdated information, or deletion where processing is unlawful.
Right to Object (s.11(3))Object to the processing of your personal information, subject to lawful overriding grounds.
Right to Withdraw ConsentWhere processing is based on consent, withdraw it at any time (this does not affect prior processing).
Right to ComplainLodge a complaint with the Information Regulator if you believe your rights have been infringed.
10.1
To exercise any of these rights, submit a written request to our Information Officer at privacy@yieldwise.app. We will respond within the timeframes prescribed by POPIA (generally 30 days, extendable by 30 days with notice).
10.2
We may require proof of identity before processing access or correction requests.
11

DATA SUBJECTS OTHER THAN REGISTERED USERS

11.1Supplier and Contact Data

Subscribers may input the names, email addresses, phone numbers, and business details of their suppliers and other contacts into the Platform's Supplier Management module. In doing so:

  • (a)the Subscriber acts as the Responsible Party for that third party's personal information;
  • (b)the Subscriber warrants that they have a lawful basis under POPIA to provide such contact information to the Platform;
  • (c)Yieldwise processes this data as an Operator on behalf of the Subscriber, solely to provide the Services.

11.2Staff Roster Data

Roster and scheduling data (staff names, shift hours, role assignments) input into the Platform constitutes personal information of the Subscriber's employees. The Subscriber is responsible for:

  • (a)obtaining lawful authority to process their employees' data through the Platform;
  • (b)ensuring their staff are informed of the Platform's use and this Privacy Policy to the extent required by POPIA; and
  • (c)ensuring that only minimum necessary employee data is entered into the Platform.
12

CHILDREN

12.1
The Platform is designed for use by businesses and professional operators. It is not directed at children under the age of 18.
12.2
We do not knowingly collect personal information from individuals under 18. If we become aware that we have inadvertently collected such information, we will delete it promptly.
13

CROSS-BORDER TRANSFERS

13.1
As noted in clause 7.2, certain service providers used to deliver the Platform (including Supabase) are located or operate infrastructure outside the Republic of South Africa, including in the United States.
13.2
Where personal information is transferred outside South Africa, the Operator takes steps to ensure adequate protection as required by section 72 of POPIA, including:
  • (a)transferring to jurisdictions that have been assessed to provide an adequate level of protection;
  • (b)implementing appropriate contractual safeguards; or
  • (c)relying on the consent of the data subject.
14

CHANGES TO THIS PRIVACY POLICY

14.1
The Operator reserves the right to amend this Privacy Policy from time to time. Where changes are material, we will notify Subscribers via the email address associated with their account or via an in-platform notice, no less than 14 (fourteen) days before the changes take effect.
14.2
Continued use of the Platform after the effective date of a revised Privacy Policy constitutes acceptance of the revised terms.
14.3
We encourage you to review this Privacy Policy periodically to stay informed of how we protect your information.
15

GOVERNING LAW

15.1
This Privacy Policy is governed by and construed in accordance with the laws of the Republic of South Africa, including POPIA, the ECT Act, and other applicable legislation.
15.2
Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the South African courts.
16

CONTACT US

For all privacy-related queries, data subject rights requests, or breach notifications, please contact our Information Officer:

[Yieldwise / Legal Entity Name]

Information Officer: [Name]

Email: privacy@yieldwise.app

Postal Address: [●]

Website: www.yieldwise.app

This Privacy Policy was last updated on [Insert Date]. For our Terms of Use, please visit yieldwise.app/terms.