Privacy Policy
Last updated: 22 March 2026 · Effective immediately
🇿🇦 POPIA Compliant
This policy is drafted in compliance with the Protection of Personal Information Act (POPIA), No. 4 of 2013, South Africa's primary data protection legislation.
1. Who We Are
Mirembe Muse (Pty) Ltd ("we", "us", "our") operates AdminOS, an AI-powered business operating system available at adminos.co.za. We are the responsible party (operator) as defined under POPIA for personal information processed through our platform.
Contact our Information Officer: privacy@mirembemuse.co.za
2. Information We Collect
2.1 Account Information
- Business name, contact name, email address, phone number
- Business registration details (for compliance and billing)
- Payment information (processed by PayFast — we do not store card details)
2.2 Business Operations Data
- WhatsApp conversations between your business and your clients (processed via Meta WhatsApp Business API)
- Invoice and financial data you upload or create within AdminOS
- Staff information you enter for wellness check-ins and leave management
- Documents uploaded for processing (contracts, quotes, compliance documents)
- Client contact details entered into the CRM
2.3 Usage Data
- Feature usage metrics and session data (via Vercel Analytics)
- Error logs (anonymised, no PII)
- API call volumes per tenant (for billing and rate limiting)
3. How We Use Your Information
We process personal information only for the following purposes:
- Service delivery: Providing AI agents, WhatsApp automation, document processing, and analytics features
- Billing: Processing subscription payments via PayFast
- Support: Responding to support requests and onboarding assistance
- Security: Fraud prevention, rate limiting, audit logging
- Legal compliance: Meeting our obligations under POPIA and other applicable South African law
- Product improvement: Aggregated, anonymised analytics to improve features (no individual profiling)
We do not sell your data. We do not use your data for advertising purposes or share it with third parties for their own marketing.
4. AI Processing and Third Parties
AdminOS uses the following third-party services to operate:
- Anthropic (Claude AI): Natural language processing for AI agents. Conversation data is sent to the Anthropic API. Anthropic does not train on API data. See anthropic.com/privacy.
- Supabase: Database storage and authentication. Data stored in Supabase-hosted PostgreSQL with row-level security enforcement.
- Meta (WhatsApp Business API): WhatsApp messaging and automation. WhatsApp messages are sent and received directly via the Meta Cloud API. See meta.com/privacy.
- PayFast: Payment processing. Card details are processed by PayFast and are never stored by AdminOS.
- Upstash Redis: Rate limiting and caching. Anonymised rate limit identifiers stored temporarily.
- Vercel: Hosting and analytics. Application hosted on Vercel Edge infrastructure. Vercel Analytics captures page-level usage data.
5. How We Protect Your Data
- Multi-tenant isolation: every client's data is strictly partitioned using Row-Level Security (RLS)
- Encryption in transit (TLS 1.3) and at rest
- Immutable audit logs for all data access and modifications
- Rate limiting on all API endpoints to prevent abuse
- No sensitive business data (invoice amounts, PII) in application logs
- Webhook signature verification (PayFast, Meta WhatsApp)
- Content Security Policy and HSTS headers enforced on all responses
6. Data Retention
7. Your Rights Under POPIA
You have the following rights regarding your personal information:
- Right of access: Request a copy of all personal information we hold about you
- Right to correction: Request correction of inaccurate personal information
- Right to erasure: Request deletion of your personal information (subject to legal retention requirements)
- Right to object: Object to processing of your personal information in certain circumstances
- Right to data portability: Export your business data in machine-readable format at any time
- Right to complain: Lodge a complaint with the Information Regulator of South Africa
To exercise any of these rights, email privacy@mirembemuse.co.za. We respond within 30 days in accordance with POPIA requirements.
8. Cookies
AdminOS uses the following cookies:
- Authentication cookies: Supabase session tokens for keeping you logged in. Strictly necessary.
- Analytics cookies: Vercel Analytics for page-level usage statistics. No personal profiling.
- Preference cookies: Storing your UI preferences (language, dashboard layout).
You can manage cookies through your browser settings.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address and by displaying a notice in your AdminOS dashboard at least 14 days before the change takes effect.
10. Contact Us
Information Officer: Mirembe Muse (Pty) Ltd
Email: privacy@mirembemuse.co.za
Address: South Africa
You may also lodge a complaint with the Information Regulator of South Africa: www.justice.gov.za/inforeg