Privacy Policy

1. Introduction

Lominy ("we", "our", or "us") is committed to protecting your privacy and complying with the Protection of Personal Information Act, 2013 (POPIA) and other applicable South African data protection laws. This Privacy Policy explains how we collect, use, process, disclose, and safeguard your personal information when you visit our website (lominy.co.za) and use our TagFlow service.

2. Information Officer

Our designated Information Officer for POPIA compliance:

• Company: Lominy
• Email: support@lominy.co.za
• Location: Pretoria, South Africa

3. Personal Information We Collect

3.1 Information You Provide to Us

When you register for TagFlow or use our services, we collect:

• Contact Information: Full name, email address, phone number (optional)
• Account Credentials: Username, password (encrypted)
• Business Information: Business name, industry, website URL
• Payment Information: Processed securely by Paddle (we do not store full payment card details)
• Communication Data: Support requests, feedback, correspondence

3.2 Information Automatically Collected

When you use our website and services, we automatically collect:

• Technical Data: IP address, browser type and version, device type, operating system
• Usage Data: Pages visited, time spent on pages, clickstream data, referral source
• TagFlow Service Data: NFC tag scan data, scan locations, timestamps, device information
• Cookies and Tracking: Session cookies, analytics cookies (see Section 8)

3.3 3D Printing Services

For custom 3D printing orders, we may collect:

• Delivery address and shipping information
• Project specifications and design files
• Order history and preferences

4. Lawful Basis for Processing (POPIA Compliance)

We process your personal information based on the following lawful grounds:

• Consent: You have given explicit consent for specific purposes
• Contract Performance: Processing is necessary to fulfill our service agreement with you
• Legal Obligation: Required to comply with South African laws and regulations
• Legitimate Interest: For business operations, fraud prevention, and service improvement

5. How We Use Your Personal Information

We use your personal information for the following purposes:

5.1 Service Provision

• Create and manage your TagFlow account
• Provide NFC tag management and tracking services
• Process payments and maintain billing records
• Deliver customer support and respond to inquiries
• Fulfill 3D printing orders and arrange delivery

5.2 Service Improvement

• Analyze usage patterns to improve our platform
• Develop new features and functionality
• Conduct research and analytics
• Monitor service performance and reliability

5.3 Communication

• Send service-related notifications and updates
• Provide technical and customer support
• Notify you of changes to our services or policies
• Send marketing communications (with your consent, opt-out available)

5.4 Legal and Security

• Comply with legal obligations and regulatory requirements
• Prevent fraud, abuse, and security threats
• Enforce our Terms of Service
• Protect our rights and interests

6. Disclosure of Personal Information

We do not sell your personal information. We may share your information with the following third parties:

6.1 Service Providers and Third Parties

• Paddle.com Market Limited (Merchant of Record): Paddle acts as the Merchant of Record for payment processing and is an independent data controller for payment information. When you make a payment, you provide information directly to Paddle, which is subject to Paddle's Privacy Policy (available at paddle.com/legal/privacy). Paddle collects and processes: payment card details, billing address, transaction history, IP address, and tax identification information. Paddle is PCI-DSS Level 1 certified. We receive only limited transaction data from Paddle (transaction ID, amount, status, customer email) but never your full payment card details.
• Frappe Framework/ERPNext: Application hosting and infrastructure
• Cloud Hosting Providers: Data storage and server infrastructure
• Email Service Providers: Transactional and marketing emails
• Analytics Providers: Website and service analytics

6.2 Legal Requirements

We may disclose your information when required by South African law, including:

• Court orders, subpoenas, or legal processes
• Requests from law enforcement or government authorities
• Protection of our legal rights and safety
• Prevention of fraud or criminal activity

6.3 Business Transfers

If Lominy is involved in a merger, acquisition, or sale of assets, your personal information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

7. Cross-Border Data Transfers

Your personal information is primarily stored and processed in South Africa. However, some of our service providers process data outside of South Africa, particularly:

• Paddle: Operates globally with data processing in the United States and European Union. Payment data is processed in multiple jurisdictions to support global payment processing and tax compliance.
• Cloud Infrastructure: May utilize servers in multiple regions for redundancy and performance.

When we transfer personal information internationally, we ensure appropriate safeguards are in place as required by POPIA, including:

• Data processing agreements with third-party providers
• Ensuring adequate data protection standards and certifications
• Compliance with POPIA's transborder data flow requirements
• Adherence to international data protection frameworks

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience:

8.1 Types of Cookies

• Essential Cookies: Required for service functionality (login, session management)
• Analytics Cookies: Help us understand how visitors use our website
• Functional Cookies: Remember your preferences and settings

8.2 Cookie Management

You can control cookies through your browser settings. Disabling certain cookies may affect service functionality. For more information, visit your browser's help documentation.

9. Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, loss, destruction, or alteration:

• Encryption of data in transit (SSL/TLS) and at rest
• Secure password storage using industry-standard hashing
• Regular security audits and vulnerability assessments
• Access controls and authentication mechanisms
• Employee training on data protection and security
• Incident response and breach notification procedures

While we take reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9.1 Data Breach Notification

In accordance with POPIA requirements, in the event of a data breach that compromises your personal information, we will:

• Notify the South African Information Regulator as soon as reasonably possible and within the timeframes required by law
• Notify affected users via email within 72 hours of becoming aware of the breach, where feasible
• Provide details about the nature of the breach, the types of information affected, and the steps being taken to address it
• Offer guidance on protective measures you can take to safeguard your information
• Make available a point of contact for further information and support

10. Data Retention

We retain your personal information only as long as necessary:

• Active Accounts: Data retained while your account is active
• After Cancellation: Application data retained for 30 days for potential reactivation
• Billing Records: Retained for 5 years to comply with tax and accounting regulations
• Legal Requirements: Certain data may be retained longer to comply with legal obligations
• Anonymized Data: May be retained indefinitely for analytics and research

11. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights:

11.1 Right to Access

You have the right to request confirmation of whether we hold your personal information and to access that information.

11.2 Right to Correction

You have the right to request correction of inaccurate or incomplete personal information. You can update most information directly in your TagFlow account settings.

11.3 Right to Deletion

You have the right to request deletion of your personal information, subject to legal retention requirements.

11.4 Right to Object

You have the right to object to the processing of your personal information for direct marketing purposes.

11.5 Right to Data Portability

You have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit it to another service provider.

11.6 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time.

11.7 Exercising Your Rights

To exercise any of these rights, please contact our Information Officer at:

• Email: support@lominy.co.za
• Subject line: "POPIA Rights Request"

We will respond to your request within 30 days. We may request additional information to verify your identity before processing your request.

12. Marketing Communications

We may send you marketing communications about our services with your consent. You can opt out at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Updating your preferences in your TagFlow account settings
• Contacting us at support@lominy.co.za

Note: You cannot opt out of essential service-related communications.

13. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

• Posting the updated policy on this page with a new "Last updated" date
• Sending an email notification to registered users
• Displaying a prominent notice on our website

Your continued use of our services after changes become effective constitutes acceptance of the updated Privacy Policy.

15. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you without human intervention. Any analytics or usage data we collect is used solely for service improvement and aggregated reporting, not for automated decisions about individual users.

16. Complaints and Disputes

If you believe we have not complied with POPIA or have concerns about how we handle your personal information, you may:

1. Contact our Information Officer at support@lominy.co.za
2. Lodge a complaint with the South African Information Regulator:
   • Email: inforeg@justice.gov.za
   • Website: https://inforegulator.org.za
   • Phone: 012 406 4818

17. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or your personal information:

• Company: Lominy
• Email: support@lominy.co.za
• Sales Inquiries: sales@lominy.co.za
• Location: Pretoria, South Africa
• Website: https://lominy.co.za