Important Notice
This Privacy Policy complies with the Protection of Personal Information Act, 2013 (POPIA) and explains how Hedgr (Pty) Ltd collects, uses, stores, and protects your personal information.
1. Information Officer
Under POPIA, we have appointed an Information Officer responsible for ensuring compliance with data protection laws:
Information Officer: Timmy Elenjical
Email: timmy@hedgr.app
Business Address: 16 Mandalay Road, London, SW4 9EE
Phone: +447356642143
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: When you connect your accounting software (e.g., Xero), we collect your email address and organization details.
- Communication Data: If you contact us for support, we collect your name, email, and the content of your messages.
2.2 Information from Xero (via OAuth 2.0)
When you authorize Hedgr to connect to your Xero account, we access the following information on a read-only basis:
- Organization Details: Business name, base currency, financial year settings
- Invoice Data: Invoice amounts, currencies, dates, statuses, and payment details
- Bank Balance Information: Current account balances in various currencies
- Profit & Loss Data: Financial performance data (if you choose to share it)
- Exchange Rate History: Historical rates from your accounting system
Important: We have read-only access. We cannot modify, create, or delete any data in your Xero account.
2.3 Automatically Collected Information
- Usage Data: Browser type, pages visited, time spent on pages
- Technical Data: IP address, device information, session data
- Cookies: Session cookies for authentication and functionality (see Section 9)
3. How We Use Your Information
We process your personal information for the following purposes, all of which are necessary for providing our services:
- Service Delivery: Calculate FX exposure, analyze currency risk, generate reports
- Authentication: Maintain secure access to your account
- Communication: Send service notifications, respond to support requests
- Improvement: Analyze usage patterns to improve our platform (anonymized data only)
- Legal Compliance: Meet legal and regulatory obligations
4. Legal Basis for Processing (POPIA Compliance)
We process your personal information based on the following legal grounds under POPIA:
- Consent: You explicitly consent when connecting your Xero account
- Contract Performance: Processing is necessary to provide our services under our Terms of Service
- Legitimate Interests: Preventing fraud, improving security, and enhancing user experience
- Legal Obligations: Compliance with applicable South African laws and regulations
5. Data Storage and Security
5.1 Where We Store Your Data
Your data is stored:
- Xero OAuth Tokens: Encrypted and stored on secure servers in the United Kingdom
- Session Data: Temporarily stored in your browser during active sessions
- Historical Rates Cache: Stored locally in your browser's local storage
5.2 Security Measures
We implement industry-standard security measures:
- Encryption: All data transmitted between your browser and our servers uses TLS/SSL encryption
- Token Encryption: Xero OAuth tokens are encrypted using AES-256-GCM
- Access Controls: Strict access controls limit who can access personal data
- Regular Audits: We conduct regular security audits and updates
- Session Management: Secure session handling with automatic timeout
5.3 Data Retention
- Session Data: Your financial data is processed in real-time and not stored on our servers
- Disconnected Accounts: OAuth tokens are deleted immediately when you disconnect Xero
- Browser Cache: Historical rate data cached in your browser can be cleared by clearing your browser data
6. Sharing Your Information
We do not sell your personal information. We share data only in the following limited circumstances:
- Service Providers: Third-party FX rate providers (Currencycloud, Frankfurter) - only for market data, not your personal information
- Xero: We access your data through Xero's API using your explicit authorization
- Legal Requirements: If required by law, court order, or regulatory authority
- Business Transfers: In the event of a merger, acquisition, or sale (with your notice and consent)
7. Your Rights Under POPIA
Under the Protection of Personal Information Act, you have the following rights:
- Right of Access: Request a copy of all personal information we hold about you
- Right to Correction: Request correction of inaccurate or incomplete data
- Right to Deletion: Request deletion of your personal data (right to be forgotten)
- Right to Object: Object to processing of your personal information
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Data Portability: Request your data in a structured, machine-readable format
- Right to Withdraw Consent: Withdraw consent at any time by disconnecting Xero
- Right to Complain: Lodge a complaint with the Information Regulator of South Africa
To exercise any of these rights, contact our Information Officer at timmy@hedgr.app. We will respond within 30 days.
8. International Data Transfers
If your data is transferred outside of South Africa, we ensure adequate protection through:
- Standard contractual clauses approved by the Information Regulator
- Transfers to countries with adequate data protection laws
- Your explicit consent for the transfer
9. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential Cookies: Required for authentication and core functionality (cannot be disabled)
- Performance Cookies: Help us understand how users interact with our platform (anonymized)
You can manage cookies through your browser settings. However, disabling essential cookies may prevent you from using certain features.
10. Children's Privacy
Hedgr is intended for business use only and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from minors.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you by email or through a prominent notice in the platform
- Your continued use after changes constitutes acceptance of the updated policy
12. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or your personal data:
Information Officer: Timmy Elenjical
Email: timmy@hedgr.app
Legal Inquiries: sebastian@hedgr.app
Business Address: 16 Mandalay Road, London, SW4 9EE
Phone: +447356642143
Information Regulator (South Africa):
If you are not satisfied with our response, you may lodge a complaint with the Information Regulator:
www.justice.gov.za/inforeg/
Email: inforeg@justice.gov.za