Privacy Policy

WebconstructGlobal (Pty) Ltd ("AdmicoHub", "we", "us") is the Responsible Party as defined in the Protection of Personal Information Act 4 of 2013 (POPIA) in respect of the personal information we collect and process. We collect only the personal information that is necessary to deliver our services.

Account & Identity Information

• Full name and surname of the account owner and authorised users
• Business email address and contact phone number
• Job title or role within the organisation
• Password (stored in hashed, salted form — we never store plaintext passwords)

Company & Registration Details

• Registered company or trading name
• CIPC registration number and company type (PTY, sole proprietor, trust, etc.)
• Registered and physical business address
• VAT registration number (where applicable)
• CIDB contractor grading and NHBRC enrolment number (for construction users)

Billing Information

• Subscription plan and billing cycle preference
• Payfast transaction reference numbers (we do not store full card numbers, CVV codes, or bank account numbers)
• Invoice and payment history

Platform Usage Data

• Features accessed, pages visited, and actions performed within the platform
• Error logs and diagnostic information to support service stability
• IP address, browser type, operating system, and device type
• Session timestamps and duration

Customer Data (processed as Operator)

When you upload your clients' information, employee details, supplier records, or financial documents into the platform, that data is Customer Data. We process it on your instruction as an Operator under POPIA. You remain the Responsible Party for that data and are responsible for ensuring it is lawfully collected and processed.

We collect personal information through the following means:

• Registration forms. When you create an account, set up your company profile, or invite team members to the platform.
• Platform activity. As you use features such as invoicing, bank reconciliation, and project management, we collect the data you enter and log your interactions to maintain audit trails and service logs.
• Cookies and local storage. We use session cookies and browser local storage to maintain your authenticated session and preserve your preferences. See Section 8 for full details on our cookie usage.
• Payfast payment callbacks. When a subscription payment is processed, Payfast sends us an Instant Transaction Notification (ITN) containing the transaction status, amount, and a reference identifier. We use this to activate or renew your subscription.
• Support communications. When you contact us via email or the support portal, we retain your correspondence to resolve your query and improve our service.
• Referrals and integrations. If you connect third-party services or are referred by a partner, we may receive limited information from those sources, which will be processed in accordance with this policy.

We use your personal information for the following specific purposes:

• Service delivery. To create and manage your account, provide access to the platform features you have subscribed to, and fulfil our contractual obligations to you.
• Billing and subscription management. To process payments via Payfast, issue VAT-compliant tax invoices, manage renewals and cancellations, and maintain your billing history.
• Transactional and compliance communications. To send you account confirmations, payment receipts, subscription renewal reminders, security alerts, and legally required notices. These communications are essential to the service and cannot be opted out of while your account is active.
• Product improvement. To analyse aggregated and anonymised usage patterns to improve platform features, prioritise development, and fix bugs. Individual user data is not sold or shared for this purpose.
• Security and fraud prevention. To detect, investigate, and prevent unauthorised access, fraudulent transactions, and abuse of the platform.
• Legal and regulatory compliance. To meet our obligations under POPIA, ECTA, the Companies Act 71 of 2008, the Income Tax Act 58 of 1962, and any other applicable South African legislation.
• Customer support. To respond to your queries, troubleshoot issues, and improve our support processes.

Under POPIA, personal information may only be processed if it satisfies one or more of the prescribed conditions for lawful processing set out in Chapter 3 of the Act. We rely on the following conditions:

• Contractual necessity (Section 11(1)(b)). Processing is necessary to perform our obligations under the subscription agreement you enter into with us when you register, and to take pre-contractual steps at your request. This covers account creation, feature delivery, billing, and support.
• Legitimate interest (Section 11(1)(f)). We process certain data — such as platform usage analytics, error logs, and security monitoring — based on our legitimate interest in maintaining a secure, stable, and improving service, provided that interest is not overridden by your right to privacy.
• Consent (Section 11(1)(a)). Where we send optional marketing communications (e.g. product update newsletters, feature announcements), we will only do so with your specific, informed, and voluntary consent. You may withdraw consent at any time by clicking the unsubscribe link in such communications or by contacting us directly.
• Legal obligation (Section 11(1)(c)). Where processing is required to comply with a legal obligation imposed on us by South African law, including record-keeping requirements under SARS legislation.

We do not sell, rent, or trade your personal information to third parties. We only share personal information with the following carefully selected service providers who act as Operators on our behalf under binding data processing agreements:

• Payfast (Pty) Ltd — Payment processing. Payment transactions are processed by Payfast, a South African Payment Card Industry (PCI DSS) compliant payment gateway. We share your subscription amount and a unique transaction reference with Payfast to initiate and verify payments. Payfast's own privacy policy governs their handling of your card details.
• SMTP / Transactional Email Provider — Email delivery. We use a transactional email service to deliver system-generated emails such as invoices, receipts, and account notifications. Only your email address and email content are shared for this purpose.
• MongoDB Atlas (MongoDB Inc.) — Data storage. Your data is stored on MongoDB Atlas cloud infrastructure. Data is hosted in compliance with our data residency requirements and is secured with encryption at rest and in transit.

We may disclose personal information if required to do so by law, court order, or at the direction of a lawful regulatory authority such as the South African Police Service (SAPS), the South African Revenue Service (SARS), or the Information Regulator. Where legally permitted, we will notify you of such a disclosure.

We retain personal information only for as long as is necessary to fulfil the purpose for which it was collected, or as required by applicable South African law, whichever is longer.

• Active accounts. Personal and business data is retained for the full duration of your subscription and remains accessible to you at all times via your account.
• Post-cancellation retention — 5 years. Following the cancellation or termination of your account, we retain your financial records, invoices, tax-related documents, and audit logs for a minimum of five (5) years from the date of the last relevant transaction. This retention period is required by the Income Tax Act 58 of 1962, the Value-Added Tax Act 89 of 1991, and SARS record-keeping guidelines, which require taxpayers and their service providers to retain records for at least 5 years.
• Support communications. Retained for 3 years from the date of the last interaction, then permanently deleted.
• Security and access logs. Retained for 12 months, then deleted unless required for an ongoing investigation.

Upon expiry of the applicable retention period, personal information will be permanently deleted or anonymised so that it can no longer be attributed to a specific individual or company.

The Protection of Personal Information Act 4 of 2013 grants you specific rights in respect of your personal information. You may exercise any of the following rights by contacting our Information Officer at hello@admicohub.com:

We will respond to all rights requests within 30 days of receipt. Where a request requires additional time to process, we will notify you of the delay and the reason for it within the initial 30-day period.

Information Regulator contact details:
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: inforeg@justice.gov.za | Website: www.justice.gov.za/inforeg

AdmicoHub uses a minimal and privacy-respecting approach to cookies and browser-based storage. We do not deploy third-party advertising cookies or tracking pixels.

Session Cookies. We use a single, essential session cookie to maintain your authenticated login state during your browser session. This cookie:

• Is set only after you successfully log in
• Expires when you close your browser or explicitly log out
• Is marked HttpOnly and Secure to prevent client-side script access and to require HTTPS transmission
• Contains only a cryptographically signed session identifier — it does not contain your personal information

Local Storage. We use browser local storage to persist your UI preferences (such as sidebar state and theme selection) across sessions. This data never leaves your device and is not transmitted to our servers.

No Third-Party Ad Tracking. We do not embed Google Analytics, Meta Pixel, or any other third-party behavioural tracking or advertising technology on the platform or on our public website pages. We use only server-side access logs for aggregate traffic analysis.

CSRF Tokens. We issue a Cross-Site Request Forgery (CSRF) token with each session to protect your account from cross-site request forgery attacks. This token is a security measure and does not track your behaviour.

Because we do not use non-essential or third-party cookies, no cookie consent banner is required for the authenticated platform. Our public marketing pages are equally cookie-light.

In terms of Section 55 of POPIA, WebconstructGlobal (Pty) Ltd has designated an Information Officer who is responsible for ensuring the company's compliance with the provisions of the Act and for handling all privacy-related queries, complaints, and data subject requests.

We will acknowledge all written privacy requests within 2 business days and provide a substantive response within 30 days. If your request requires additional time, we will inform you accordingly.

If you are not satisfied with our response, you have the right to escalate your complaint to the Information Regulator of South Africa at inforeg@justice.gov.za.

This Privacy Policy was last reviewed in May 2026. We may update it from time to time to reflect changes in our practices, legal requirements, or platform features. We will notify active subscribers of any material changes via email and in-platform notification at least 14 days before the changes take effect.