Privacy Policy

Last updated: 25 April 2026

Sumtra processes personal information to run our workshop, quotations, invoicing, diagnostics, reporting, customer support, and selected internal AI-assisted workflows. We aim to process personal information lawfully, minimally, and transparently in line with POPIA.

1. Who We Are

This website and our internal business systems are operated by Sumtra, South Africa. For privacy queries, contact info@sumtra.app.

2. Information We Collect

Depending on your relationship with us, we may collect and process:

  • Website enquiry details, including your name, email address, telephone number, and message.
  • Customer, supplier, and business information, including contact details, company details, VAT information, addresses, and account records.
  • Vehicle, workshop, and job-related information, including registration numbers, VINs, engine details, licence-disk data, diagnostics, notes, quotations, invoices, job cards, statements, and related attachments.
  • Uploaded or generated documents such as PDFs, slips, signatures, diagrams, and reports.
  • Account and security information for portal or admin access, including login activity, optional passkey credentials, and security-event records.
  • AI governance, audit, and compliance records used to review how our internal systems process information.

3. How We Use Personal Information

We use personal information to:

  • Respond to website enquiries and customer requests.
  • Create and manage quotes, invoices, statements, credit notes, job cards, and workshop records.
  • Diagnose, repair, report on, and support vehicle-related work.
  • Maintain accounting, operational, compliance, and security records.
  • Operate selected internal AI-assisted features described in our AI Usage Policy.
  • Protect our systems, detect abuse, investigate incidents, and meet legal or regulatory obligations.

4. AI-Assisted Processing

Some internal workflows use AI-assisted tools to improve operational efficiency and drafting speed. These uses are governed by our internal controls, reviewer roles, audit schedules, and feature flags. Examples include internal drafting, summarisation, structured extraction, reporting assistance, content drafting, and compliance-monitoring support.

  • Licence-disk barcode extraction is handled locally and is not sent to external AI.
  • Some features send selected text or structured context to external AI services where needed for an internal workflow.
  • We aim to minimise the amount of personal information sent externally and keep human review in place for high-impact outputs.
  • Our compliance monitor is an early-warning review tool only. It does not make final legal decisions for us.

5. Sharing and Operators

We do not sell personal information. We may share information with service providers or operators where necessary to run our business systems, communications, security controls, hosting, CAPTCHA protection, or selected AI-assisted internal workflows. This may include providers such as our hosting and infrastructure partners, email and operational service providers, Cloudflare Turnstile for spam protection on website forms, and OpenAI for selected internal AI-assisted features.

Where an operator processes information on our behalf, we aim to limit the data shared to what is reasonably necessary for the purpose.

6. Cross-Border Processing

Some service providers we use may process or store information outside South Africa. Where cross-border processing is involved, we assess the use case as part of our compliance and vendor review process and aim to apply reasonable safeguards consistent with POPIA.

7. Security Measures

We use layered security controls to protect information, including appropriate access restriction, HTTPS in transit, secure authentication controls, AI monitoring, audit logging, compliance reviews, and encryption for sensitive stored payloads such as key document blobs and AI raw response data. No security measure is perfect, but we work to reduce risk and improve controls over time.

8. Retention

We keep records for as long as reasonably necessary for workshop operations, accounting, legal, security, backup, and compliance purposes. Retention periods can differ depending on the type of record, the purpose for which it was collected, and any legal obligations that apply.

9. Your POPIA Rights

Subject to applicable law, you may ask us to access, correct, update, or delete personal information we hold about you, or to object to or restrict certain processing. You may also raise a complaint with the Information Regulator of South Africa if you believe your information has been handled unlawfully.

To make a request, email info@sumtra.app.

10. Legal Context

This policy is intended to reflect our current processing practices in South Africa. POPIA is in force, and updated POPIA regulations were published by government on 6 March 2026. South Africa's AI-specific framework is still developing and, as at 25 April 2026, appears to remain at draft policy stage rather than a final standalone AI Act.

11. Policy Updates

We may update this policy from time to time as our systems, service providers, or legal obligations change. The latest version will be published on this page with the updated date.

Sumtra.App