POPIA Compliance
SlipScan is fully compliant with the Protection of Personal Information Act (POPIA) of South Africa. As a responsible party under POPIA, Cleva AI (Pty) Ltd processes personal information lawfully, in a reasonable manner, and only for the purposes for which it was collected.
Who We Are
SlipScan is a product of Cleva AI (Pty) Ltd, a South African company. For data protection enquiries, contact our Information Officer at slipscan@cleva-ai.co.za.
What Data We Collect
We collect the following personal information when you use SlipScan:
- Account information: email address, first name, last name, role
- Authentication credentials: 6-digit PIN (stored as a bcrypt hash, never in plain text)
- Receipt photos: images you upload for AI scanning
- Expense data: trip details, line items, amounts, categories, vendor names
- Chat messages: if you use the AI Chat Assistant via WhatsApp, Telegram, or Slack
- Usage data: login times, feature usage, session information
- Contact form submissions: name, email, company, message
How We Use Your Data
Your data is used exclusively for:
- Providing the SlipScan expense management service
- AI-powered receipt scanning and data extraction
- Processing expense claims through the approval workflow
- Generating reports and analytics for your organisation
- Sending service communications (welcome emails, PIN resets)
- Improving our AI models for better receipt recognition
We never sell your personal information to third parties.
Data Isolation
SlipScan uses a database-per-tenant architecture. Each company gets a completely isolated MongoDB database. Your data is never mingled with data from other organisations. This provides the strongest possible isolation between tenants.
Third-Party Processors
We use the following third-party services to provide SlipScan:
- Anthropic (Claude AI): for receipt scanning and AI features. Receipt images are sent to the Claude Vision API for data extraction.
- Yoco: for payment processing. We do not store your card details.
- SMTP provider: for transactional emails (welcome, PIN reset).
Data Retention
Your data is retained for as long as your organisation's account is active. If a tenant account is cancelled:
- Account data is retained for 90 days to allow reactivation
- After 90 days, all data including receipt photos may be permanently deleted
- You may request immediate deletion by contacting us
Security
We protect your data with the following measures:
- HTTPS encryption for all data in transit
- Bcrypt-hashed PINs (never stored in plain text)
- JWT-based authentication with 7-day expiry
- Account lockout after 5 failed login attempts
- Immutable audit trail for all system actions
- Role-based access control (4-tier system)
Your Rights Under POPIA
As a data subject, you have the right to:
- Access: request a copy of your personal information
- Correction: request correction of inaccurate data
- Deletion: request deletion of your personal information
- Objection: object to the processing of your data
- Complaint: lodge a complaint with the Information Regulator
To exercise any of these rights, contact our Information Officer at slipscan@cleva-ai.co.za.
Cookies
SlipScan uses secure HttpOnly cookies for authentication and IndexedDB for offline data storage. We do not use tracking cookies or third-party analytics.
Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via the platform. The "last updated" date at the top of this page reflects the most recent revision.
Contact
For any privacy-related enquiries, contact:
Cleva AI (Pty) Ltd
Information Officer
Email: slipscan@cleva-ai.co.za
South Africa