LedgerTax Privacy Notice

This Privacy Notice explains how we collect, use, share, store, and protect personal information when you use LedgerTax. It is intended to support compliance with South Africa's Protection of Personal Information Act, 2013 ("POPIA").

1) Scope

This notice applies to:

• Individuals using LedgerTax directly.
• Enterprise users, including accountants, auditors, and businesses, using LedgerTax on behalf of their clients.

If you do not agree with this notice, do not use LedgerTax.

2) Personal information we collect

Depending on how you use LedgerTax, we may collect or process:

2.1 Account and identity information

• Name and surname.
• Email address.
• South African ID number and or tax number where required for reporting context.

2.2 Crypto activity information (provided by you or connected by you)

• Wallet addresses.
• Deposit and withdrawal addresses, including hosted wallet or exchange deposit and withdrawal addresses you provide.
• Transaction histories, such as dates, amounts, assets, fees, and counterparties where available.
• Transaction identifiers, for example transaction IDs or hashes supplied in your data sources.
• Exchange account identifiers or metadata included in statements or API responses.

2.3 User edits, classifications and audit logs

We may collect and process user-generated changes and audit-log information, including:

• Transaction classifications and reclassifications.
• Base cost inputs or adjustments.
• Capital-versus-income assignments.
• Tax-year or financial year-end settings.
• Changes made to imported or uploaded transaction data.
• Timestamps and user or account identifiers linked to those changes.

This information is processed to provide the Service, maintain data integrity, support report review, troubleshoot issues, and protect against misuse.

2.4 Authentication information

• If you use SSO, we receive limited login data from your provider, currently Google and Microsoft, such as your email and basic profile identifiers required to authenticate you.

2.5 Technical information (website or app usage)

• Device and browser information, for example IP address, device type, and browser type.
• Activity logs, such as sign-ins, uploads, sync events, and errors.
• Cookies and similar technologies. See Section 9.

3) How we collect personal information

We collect personal information when you:

• Create an account using email and password or SSO.
• Upload CSV files or complete templates.
• Connect exchange accounts via API using read-only keys you create.
• Use the platform through logs and analytics.
• Contact support through emails and ticket information.

4) Why we process your personal information (purposes)

We process personal information to:

• Provide LedgerTax functionality, including imports, calculations, reports, and completeness scoring.
• Maintain your account and authenticate access.
• Support data syncing from connected integrations.
• Provide customer support and respond to requests.
• Secure the platform, prevent fraud or abuse, and maintain audit logs.
• Improve the Service through debugging, quality monitoring, and feature development.

Anonymised and aggregated use

We may use anonymised data for product development, quality monitoring, debugging, research, and improvement. We may also use aggregated, anonymised data for macro-level reporting, including market, compliance, or ecosystem trend reports.

We will take reasonable steps to ensure that anonymised or aggregated outputs do not identify you, including by excluding direct identifiers and applying appropriate aggregation, suppression, or thresholding where needed to reduce re-identification risk. We will not intentionally publish macro-level reports that identify an individual user, taxpayer, wallet owner, or End Client.

Direct marketing

We may send service communications related to your account, reports, security, billing, or use of LedgerTax. We may send marketing communications only where permitted by law, including where you have consented or where we may lawfully market similar products or services to existing customers. You may opt out of marketing communications at any time.

5) Lawful grounds for processing (POPIA)

We process personal information on lawful grounds such as:

• Performance of a contract to provide the Service you requested.
• Legitimate interests to secure and improve the Service.
• Consent where required or appropriate, such as optional analytics settings if implemented.
• Legal obligations where applicable.

6) Sharing your personal information

We do not sell your personal information.

We may share personal information only as necessary with:

• Service providers who help us operate LedgerTax, such as hosting, storage, security monitoring, and email support tooling, under confidentiality and security obligations.
• Authentication providers such as Google and Microsoft to enable SSO login flows.
• Pricing data sources where needed to obtain price feeds for calculations when pricing is not available via your connected statements or APIs.
• Enterprise customers where they are acting on your behalf and have the mandate to process your data.
• Authorities if required by law or valid legal process.

7) Where we host and process data (location)

LedgerTax is hosted in South Africa.

Some service providers, such as authentication or infrastructure vendors, may process limited data outside South Africa. Where cross-border processing occurs, we take reasonable steps to ensure appropriate safeguards and contractual protections.

8) Security and protection measures

We apply reasonable administrative, technical, and organisational safeguards designed to protect personal information.

Specific measures include:

• Encryption of stored API credentials.
• Access controls and least-privilege practices for internal access.
• Logging and monitoring to detect misuse and operational issues.

Important: LedgerTax does not currently offer MFA. You should secure your email or SSO account and use strong passwords. We may introduce MFA in future.

No system can be guaranteed 100% secure. You use the Service and store data at your own risk.

Security compromises

If we have reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we will take reasonable steps to investigate, contain, and remediate the incident and will make any notifications required by POPIA or other applicable law.

9) Cookies and similar technologies

See Cookie Policy for details.

10) Data retention

We retain personal information only for as long as reasonably necessary for the purposes described in this Privacy Notice, including providing the Service, maintaining reports and audit logs, supporting account access, resolving disputes, complying with legal obligations, enforcing our Terms, and maintaining security records.

Unless a different retention period is required or justified by law, contract, dispute, security, audit-log integrity, or legitimate business purposes:

• Account and billing records are retained for as long as required for accounting, tax, and legal record-keeping purposes.
• Transaction data, report data, user classifications, tax-year settings, and calculation assumptions are retained while your account or relevant workspace remains active.
• Audit logs may be retained to preserve report integrity, investigate misuse, support dispute resolution, and maintain a record of user changes.
• Security logs may be retained for security, fraud-prevention, and operational purposes.
• Anonymised data may be retained indefinitely where it can no longer reasonably identify you.

You may request account deletion or data export by contacting [email protected]. Following a verified deletion request, we will delete or de-identify personal information from active systems within a reasonable period, unless we are required or permitted to retain it. Backup copies may remain for a limited period until overwritten or deleted in the ordinary course of backup management.

11) Your rights (POPIA)

Subject to POPIA and applicable limits, you may request to:

• Access your personal information.
• Correct or update it.
• Delete it through account deletion.
• Object to certain processing where applicable.
• Request data export where feasible.

To exercise these rights, email [email protected]. We may request verification before acting on a request.

12) Enterprise use (accountants, auditors, businesses representing individuals)

Where an enterprise user processes personal information on behalf of an end client, the enterprise is responsible for ensuring that it has a lawful basis, mandate, consent, or other authority to upload and process the end client's data.

To the extent Sixpence processes End Client personal information on behalf of an Enterprise Customer, Sixpence acts as an operator or service provider for the purpose of providing LedgerTax. Additional enterprise-specific obligations are set out in the Enterprise Addendum to the Terms of Use.

13) Children

LedgerTax is not intended for use by children who cannot enter into binding agreements. If we learn we have collected personal information unlawfully from such a person, we will take reasonable steps to delete it.

14) Changes to this Privacy Notice

We may update this notice from time to time. If changes are material, we will take reasonable steps to notify you, for example by in-app notice or email. Continued use indicates acceptance of the updated notice.

15) PAIA and contact details

Questions, requests, or complaints may be sent to: [email protected].

Information Officer contact: [email protected]

Physical and service address: 1269 Gordon Hood Rd, Centurion Central, Centurion, 0046, South Africa

Our PAIA Manual is available on request.

If you are not satisfied with how we handle a privacy request or complaint, you may have the right to lodge a complaint with the Information Regulator of South Africa.