Praxo Back to dashboard

Privacy Policy

Last updated: 31 May 2026

Responsible party: Praxo (Pty) Ltd ("Praxo", "we", "us")

1. Information We Collect

We collect the following personal information when you use the Praxo platform:

  • Account information: Name, email address, organisation name
  • Project data: Project descriptions, geographic coordinates (latitude/longitude), process type selections, document uploads
  • Usage data: Login timestamps, feature usage, API interactions
  • Payment data: Processed by Paystack (our payment processor). We store subscription identifiers but do not store card numbers or banking details.

2. Lawful Basis for Processing

Under the Protection of Personal Information Act (POPIA), we process your personal information on the following grounds:

  • Contract: Processing necessary to deliver the SaaS service you subscribed to
  • Legitimate interest: Service improvement, security monitoring, and fraud prevention
  • Consent: Where explicitly requested for optional features

3. How We Use Your Information

  • Providing and maintaining the Praxo platform
  • Processing environmental assessment workflows
  • Generating compliance documents from templates
  • Computing regulatory deadlines
  • AI-assisted screening and compliance review (when available)
  • Billing and subscription management
  • Security monitoring and incident response

4. Data Retention

  • Active subscription: All data retained indefinitely while your subscription is active
  • Cancelled subscription: 90-day grace period to reactivate. After 90 days, documents are scheduled for permanent deletion.
  • Account data: Retained for 12 months after account closure for audit purposes, then deleted

5. Cross-Border Data Transfer

Your data may be processed in the following locations:

  • Cloudflare global edge network: Application hosting and content delivery
  • Microsoft Azure (South Africa North region): AI processing services

Both providers maintain appropriate safeguards for international data transfers in compliance with POPIA Section 72.

6. Data Security

  • TLS 1.3 encryption for all data in transit
  • Encrypted storage for documents (R2 with server-side encryption)
  • SHA-256 hashing for authentication tokens
  • HMAC-SHA512 verification for payment webhooks
  • Role-based access control (RBAC) with six defined roles
  • IP-based rate limiting on authentication endpoints

7. Your Rights Under POPIA

As a data subject, you have the right to:

  • Access: Request a copy of your personal information
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your personal information
  • Objection: Object to processing of your personal information
  • Portability: Request your data in a structured, machine-readable format
  • Withdraw consent: Where processing is based on consent

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Cookies

Praxo uses essential session cookies for authentication. We do not use tracking cookies or third-party analytics cookies.

9. Breach Notification

In the event of a data breach that poses a risk to your rights, we will:

  • Notify the Information Regulator within 72 hours
  • Notify affected data subjects as soon as reasonably possible
  • Document the breach and remediation steps taken

10. Information Regulator

If you believe your personal information has been processed unlawfully, you may lodge a complaint with:

Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: [email protected]
Tel: 012 406 4818

11. Changes to This Policy

We may update this privacy policy from time to time. When we do, we will update the "last updated" date and notify active users via email.