Privacy Policy
Orange Dot Technology (Pty) Ltd  t/a  Office Vault
Version 1  |  April 2026  |  Effective Date: 12 May 2026

1. Introduction

Orange Dot Technology (Pty) Ltd, trading as Office Vault ("we", "us", "our"), is committed to protecting the privacy and personal information of all individuals with whom we interact. This Privacy Policy explains how we collect, use, share, and protect personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and all applicable South African data protection legislation.

This Policy applies to:

▪  clients and their authorised users who use the Office Vault platform and services ("Platform Clients");

▪  visitors to our website at officevault.co.za ("Website Visitors"); and

▪  reseller partners and their representatives ("Reseller Partners").

By using our services or website, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, you should not use our services or website.

2. Who We Are

Office Vault is a cloud-based AI document management platform that enables businesses to capture, classify, store, retrieve, and manage documents and workflows digitally. Our core capabilities include OCR-based document capture, AI-powered categorisation, digital signing, workflow routing, and audit trail management. In the context of data we process on behalf of our Platform Clients, we act as an Operator as defined in section 1 of POPIA. Our Platform Clients are the Responsible Parties who determine the purpose and means of processing their data. We process that data only in accordance with their instructions and the terms of our agreements. In the context of data we collect directly from Website Visitors and Reseller Partners, we act as the Responsible Party.

3. Personal Information We Collect

3.1  Platform Clients and Their Users

When a business subscribes to Office Vault, we collect and process the following on their behalf:

▪  Account information: company name, registration number, billing address, contact person name, email address, and telephone number.

▪  User account details: names, email addresses, and role/permission settings of individuals authorised to use the platform.

▪  Document content: any personal information contained within documents uploaded to the platform, including names, identity numbers, contact details, signatures, financial information, employment records, and other business document content.

▪  Usage data: login activity, document access logs, workflow events, and audit trail records.

▪  Payment information: billing details and transaction records (payment card details are processed by our payment provider and not stored on our systems).

3.2  Website Visitors

When you visit officevault.co.za, we may collect:

▪  Contact form submissions: name, email address, company name, telephone number, and any information you voluntarily provide.

▪  Technical data: IP address, browser type, operating system, pages visited, referral source, and session duration, collected via cookies and analytics tools.

▪ Communication records: emails and messages you send to us.

3.3  Reseller Partners

When a business enters into a Reseller Agreement with us, we collect:

▪  Business information: company name, registration number, VAT number, and physical address.

▪  Contact details: names, email addresses, and telephone numbers of authorised representatives.

▪  Financial information: banking details for commission payments and billing records.

▪ Performance data: sales activity, client referral records, and usage data related to the reseller's client base.

4. Lawful Basis for Processing

We process personal information only when we have a lawful basis to do so under section 11 of POPIA. The lawful bases we rely on are:

Basis How We Apply It
Contractual necessityProcessing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This applies to Platform Client accounts, user account management, service delivery, and Reseller Partner agreements.
Legitimate interestsProcessing is necessary for our legitimate business interests, provided those interests are not outweighed by your rights. This includes platform security monitoring, fraud prevention, improving our services, and maintaining business records.
ConsentWhere you have given us specific, informed, and voluntary consent to process your personal information. This applies to marketing communications and the use of non-essential cookies on our website. You may withdraw consent at any time.
Legal obligationProcessing is necessary to comply with a legal obligation, including tax and financial reporting obligations, responding to lawful requests from authorities, and complying with POPIA and PAIA.

5. How We Use Personal Information

5.1  Platform Clients

▪  To set up, manage, and administer your account and provide access to the platform.

▪  To process, store, index, and retrieve documents in accordance with your instructions.

▪  To provide customer support, training, and technical assistance.

▪  To send service-related communications including maintenance notices and updates.

▪  To process billing and manage subscription renewals.

▪  To maintain audit trails and access logs as required by POPIA and your own compliance obligations.

▪  To improve the platform based on aggregated, anonymised usage data.

5.2  Website Visitors

▪  To respond to enquiries submitted through our contact form.

▪  To analyse website traffic and improve the user experience.

▪  To send marketing communications where you have consented.

▪  To detect and prevent fraudulent or unauthorised activity.

5.3  Reseller Partners

▪  To manage the reseller relationship, process commissions, and administer agreements.

▪  To provide access to partner resources, training materials, and sales support.

▪  To track referrals and calculate performance-based payments.

▪  To communicate updates to products, pricing, and partner programmes.

6. How We Share Personal Information

We do not sell, rent, or trade personal information to third parties. We share personal information only in the following circumstances:

6.1  Sub-Operators and Service Providers

We engage the following third-party sub-operators to support the delivery of our services. Each sub-operator is contractually bound by data protection obligations equivalent to those we apply:

Sub-Operator Location Purpose
Amazon Web Services (AWS)South Africa (af-south-1)Primary cloud infrastructure, data storage, and backups. All Platform Client data is hosted within the Republic of South Africa.
Google LLCIreland / United StatesAncillary platform integrations and productivity services. Cross-border transfer safeguards (Standard Contractual Clauses) are in place.
Microsoft CorporationUnited StatesAncillary platform services. Cross-border transfer safeguards (Standard Contractual Clauses) are in place.
Oracle CorporationSouth AfricaCloud infrastructure services within the Republic of South Africa.

6.2  Legal and Regulatory Disclosure

We may disclose personal information where required to do so by law, court order, or regulatory authority, including the Information Regulator. We will, where legally permissible, notify you before making such a disclosure.

6.3  Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal information may be transferred to the acquiring entity, subject to equivalent privacy protections.

7. Cross-Border Transfers

Our primary infrastructure is hosted on AWS Cape Town (af-south-1), ensuring that Platform Client data resides within the Republic of South Africa.

Where sub-operators process personal information outside South Africa (Google LLC and Microsoft Corporation), we ensure that appropriate safeguards are in place in accordance with section 72 of POPIA. These safeguards include Standard Contractual Clauses approved by relevant data protection authorities, which require the recipient to protect the personal information to a standard equivalent to POPIA.

We regularly review our cross-border transfer arrangements and will update this Policy if new sub-operators are engaged or existing arrangements change.

8. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our general retention periods are:

Category Retention Period
Platform Client dataFor the duration of the subscription and for 30 days after termination, after which it is securely deleted or returned upon written request.
User account recordsFor the duration of the account and 12 months thereafter for audit and dispute resolution purposes.
Financial and billing records7 years from the date of the transaction, as required by the Companies Act and tax legislation.
Website enquiry data12 months from the date of submission, unless an ongoing relationship is established.
Marketing consent recordsUntil consent is withdrawn, plus 3 years thereafter.
Reseller Partner recordsFor the duration of the agreement and 5 years thereafter.

9. Your Rights Under POPIA

Subject to applicable law and certain exceptions, you have the following rights in relation to your personal information:

Right & Reference Explanation
Right of access (s.23)You may request confirmation of whether we hold your personal information and request a copy of that information.
Right to rectification (s.24)You may request that we correct or update personal information that is inaccurate, incomplete, or out of date.
Right to erasure (s.24)You may request the deletion of your personal information where we no longer have a lawful basis to retain it.
Right to object (s.11)You may object to the processing of your personal information on grounds relating to your particular situation, or where processing is for direct marketing purposes.
Right to withdraw consentWhere processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right to lodge a complaintYou have the right to lodge a complaint with the Information Regulator at www.inforegulator.org.za or inforeg@justice.gov.za.

To exercise any of the above rights, please contact our Information Officer at info@orangedot.co.za. We will respond to your request within 30 days. In some cases we may need to verify your identity before processing your request.

10. Security

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, loss, destruction, or alteration. These measures include:

▪  Data hosted on AWS Cape Town (af-south-1) with South African data residency.

▪  Encryption of data at rest (AES-256) and in transit (TLS 1.2 or higher).

▪  Role-based access controls (RBAC) and least-privilege principles.

▪  Multi-factor authentication for administrative access.

▪  Regular automated backups with tested recovery procedures.

▪  Full audit trails and access logging for all platform interactions.

▪  Intrusion detection, monitoring, and regular security patching.

▪  Confidentiality agreements with all personnel who have access to personal information.

Despite these measures, no system is entirely immune from security incidents. In the event of a data breach, we will notify affected parties and the Information Regulator in accordance with section 22 of POPIA and within 72 hours of becoming aware of the breach.

11. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to improve your browsing experience and analyse website traffic. Cookies are small text files placed on your device.

Cookie Type Purpose
Essential cookiesRequired for the website to function. These cannot be disabled.
Analytics cookiesHelp us understand how visitors interact with our website (e.g. Google Analytics). These are only set with your consent.
Preference cookiesRemember your settings and preferences to personalise your experience.
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect website functionality. For more information about cookies, visit www.allaboutcookies.org.

12. Children's Privacy

Our services are intended for use by businesses and adults aged 18 years and older. We do not knowingly collect personal information from children under the age of 18. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete such information promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will: update the version number and effective date at the top of this Policy; publish the updated Policy on our website at officevault.co.za; and where required by law or where changes significantly affect your rights, notify Platform Clients and Reseller Partners directly by email.

We encourage you to review this Policy periodically. Your continued use of our services after an update constitutes acceptance of the revised Policy.

14. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal information, please contact our Information Officer:

Information Officer

Name: Suniel Seejiram

Title: Founder / Information Officer

Email: info@orangedot.co.za

Tel: 010 500 1589

Address: 56 Church Street, Olivedale, Johannesburg North, Randburg, 2188

Information Regulator (SA)

Website: www.inforegulator.org.za

Email: inforeg@justice.gov.za

If you are not satisfied with our response, you have the right to lodge a complaint directly with the Information Regulator.

This Privacy Policy was last reviewed and approved by the Information Officer in April 2026.