← Back to HEDGR
Important Notice
This Privacy Policy complies with the Protection of Personal Information Act, 2013 (POPIA) of South Africa, the UK General Data Protection Regulation (UK GDPR), and the EU General Data Protection Regulation (EU GDPR). It explains how Hedgr collects, uses, stores, and protects your personal information.
1. Information Officer
Under POPIA, we have appointed an Information Officer responsible for ensuring compliance with data protection laws:
Information Officer: Timmy Elenjical
Email: [email protected]
Business Address: 16 Mandalay Road, London, SW4 9EE
Phone: +447356642143
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: When you connect your accounting software (e.g., Xero), we collect your email address and organization details.
- Communication Data: If you contact us for support, we collect your name, email, and the content of your messages.
2.2 Information from Accounting Platforms
When you authorize Hedgr to connect to your accounting software, we access the following information on a read-only basis. The data accessed is the same across all supported platforms:
- Organization Details: Business name, base currency, financial year settings
- Invoice Data: Invoice amounts, currencies, dates, statuses, and payment details
- Bank Balance Information: Current account balances in various currencies
- Profit & Loss Data: Financial performance data (if you choose to share it)
- Exchange Rate History: Historical rates from your accounting system
Important: We have read-only access. We cannot modify, create, or delete any data in your accounting system.
Supported Platforms
- Xero: Connected via OAuth 2.0. We request only the scopes needed for read-only access to invoices, bank accounts, and organization settings.
- QuickBooks Online (Intuit): Connected via OAuth 2.0. We access invoices, bills, bank accounts, and company information. Read-only.
- Sage Business Cloud Accounting: Connected via OAuth 2.0. We access sales invoices, purchase invoices, and bank accounts. Read-only.
- Sage One (South Africa): Connected via API key authentication (username and password). We access invoices, contacts, and account balances. Read-only. Your credentials are encrypted at rest using AES-256-GCM.
- CSV Upload: You may upload invoice data manually. Uploaded data is stored in your browser's local storage and is not transmitted to our servers.
2.3 AI-Powered Features
Hedgr includes an AI assistant ("Scout") that helps you understand your FX exposure through natural-language queries. When you use Scout:
- Queries are processed in your browser using data already loaded from your accounting platform. Your financial data is not sent to any third-party AI service for query processing.
- AI responses are generated using your live data (invoices, balances, rates) combined with a language model. The AI does not store, learn from, or retain your financial data between sessions.
- No automated decisions: Scout provides informational analysis only. It does not execute trades, modify hedging positions, or make financial decisions on your behalf. All hedging decisions are made by you in consultation with your financial advisors.
2.4 Automatically Collected Information
- Usage Data: Browser type, pages visited, time spent on pages
- Technical Data: IP address, device information, session data
- Cookies: Session cookies for authentication and functionality (see Section 9)
3. How We Use Your Information
We process your personal information for the following purposes, all of which are necessary for providing our services:
- Service Delivery: Calculate FX exposure, analyze currency risk, generate reports
- Authentication: Maintain secure access to your account
- Communication: Send service notifications, respond to support requests
- Improvement: Analyze usage patterns to improve our platform (anonymized data only)
- Legal Compliance: Meet legal and regulatory obligations
4. Legal Basis for Processing
We process your personal information based on the following legal grounds under POPIA (South Africa) and GDPR (UK/EU):
- Consent (POPIA s11 / GDPR Art 6(1)(a)): You explicitly consent when connecting your accounting software
- Contract Performance (POPIA s11 / GDPR Art 6(1)(b)): Processing is necessary to provide our services under our Terms of Service
- Legitimate Interests (POPIA s11 / GDPR Art 6(1)(f)): Preventing fraud, improving security, and enhancing user experience
- Legal Obligations (POPIA s11 / GDPR Art 6(1)(c)): Compliance with applicable laws and regulations in South Africa, the United Kingdom, and the European Union
5. Data Storage and Security
5.1 Where We Store Your Data
Your data is stored:
- Xero OAuth Tokens: Encrypted and stored on secure servers in the United Kingdom
- Session Data: Temporarily stored in your browser during active sessions
- Historical Rates Cache: Stored locally in your browser's local storage
5.2 Security Measures
We implement industry-standard security measures:
- Encryption: All data transmitted between your browser and our servers uses TLS/SSL encryption
- Token Encryption: Xero OAuth tokens are encrypted using AES-256-GCM
- Access Controls: Strict access controls limit who can access personal data
- Regular Audits: We conduct regular security audits and updates
- Session Management: Secure session handling with automatic timeout
5.3 Data Retention
- Session Data: Your financial data is processed in real-time and not stored on our servers
- Disconnected Accounts: OAuth tokens are deleted immediately when you disconnect Xero
- Browser Cache: Historical rate data cached in your browser can be cleared by clearing your browser data
6. Sharing Your Information
We do not sell your personal information. We share data only in the following limited circumstances:
- Service Providers: Third-party FX rate providers (Currencycloud, Frankfurter) - only for market data, not your personal information
- Xero: We access your data through Xero's API using your explicit authorization
- Legal Requirements: If required by law, court order, or regulatory authority
- Business Transfers: In the event of a merger, acquisition, or sale (with your notice and consent)
7. Your Rights Under POPIA and GDPR
Under POPIA (South Africa) and GDPR (UK/EU), you have the following rights:
- Right of Access: Request a copy of all personal information we hold about you
- Right to Correction: Request correction of inaccurate or incomplete data
- Right to Deletion: Request deletion of your personal data (right to be forgotten)
- Right to Object: Object to processing of your personal information
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Data Portability: Request your data in a structured, machine-readable format
- Right to Withdraw Consent: Withdraw consent at any time by disconnecting Xero
- Right to Complain: Lodge a complaint with the Information Regulator of South Africa (POPIA) or the Information Commissioner's Office, UK (GDPR)
To exercise any of these rights, contact our Information Officer at [email protected]. We will respond within 30 days.
8. International Data Transfers
If your data is transferred outside of South Africa, we ensure adequate protection through:
- Standard contractual clauses approved by the Information Regulator
- Transfers to countries with adequate data protection laws
- Your explicit consent for the transfer
9. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential Cookies: Required for authentication and core functionality (cannot be disabled)
- Performance Cookies: Help us understand how users interact with our platform (anonymized)
You can manage cookies through your browser settings. However, disabling essential cookies may prevent you from using certain features.
10. Children's Privacy
Hedgr is intended for business use only and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from minors.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you by email or through a prominent notice in the platform
- Your continued use after changes constitutes acceptance of the updated policy
12. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or your personal data:
Information Officer: Timmy Elenjical
Email: [email protected]
Legal Inquiries: [email protected]
Business Address: 16 Mandalay Road, London, SW4 9EE
Phone: +447356642143
Information Regulator (South Africa):
If you are not satisfied with our response, you may lodge a complaint with the Information Regulator:
www.justice.gov.za/inforeg/
Email: [email protected]