Privacy Policy

Tunelo (“we”, “us”) is a South African web design and AI consulting business operated under Spectrum Holdings (Pty) Ltd, registration number 2026/298503/07. This policy explains what personal information we collect, why we collect it, and your rights under the Protection of Personal Information Act 4 of 2013 (POPIA).

1. Information we collect

We only collect what we need to provide our services:

• Contact details you submit via our quote, contact, or onboarding forms — name, email, phone number, business name.
• WhatsApp Business connection data when you connect your WhatsApp Business Account through our platform — your WABA ID, phone number ID, business display name, and an encrypted Meta access token. Tokens are encrypted with AES-256-GCM at rest and never logged.
• WhatsApp message content sent or received through your connected number, retained only as long as needed to operate the inbox you see in our app, or as required by South African tax / business records law.
• Website analytics — anonymised page views and referrers via our hosting provider. No cross-site tracking.

2. Why we collect it

• To respond to enquiries and deliver the services you’ve engaged us for.
• To send and receive WhatsApp messages on your behalf via the official WhatsApp Business Cloud API.
• To meet our legal obligations (SARS records, FICA, POPIA accountability).

3. Who we share it with

We do not sell your data. We share it only with:

• Meta Platforms Ireland Ltd — to send and receive messages through the WhatsApp Business Cloud API. Meta’s use of this data is governed by the WhatsApp Business Data Transfer Addendum.
• Vercel Inc. — our website and application host (United States). Data in transit is TLS-encrypted.
• Neon Inc. — managed Postgres database (EU region). Data at rest is encrypted by the provider; sensitive credentials are additionally encrypted by us before storage.
• SARS, regulators, or law enforcement — only when legally compelled.

4. Cross-border transfers

Some of our service providers process data outside South Africa. Under POPIA section 72 we only transfer personal information to providers bound by laws or contracts that uphold comparable protection (GDPR-equivalent jurisdictions or Standard Contractual Clauses).

5. How long we keep it

• Quote and contact submissions: 24 months from last contact.
• Active client records: for the duration of our relationship plus 5 years (SARS retention).
• WhatsApp tokens and connections: until you disconnect, then deleted within 30 days.
• WhatsApp message content: 24 months by default; you may request shorter retention in writing.

6. Your rights under POPIA

• Access the personal information we hold about you.
• Correct or update inaccurate information.
• Object to processing or withdraw consent.
• Request deletion (see our Data Deletion page).
• Lodge a complaint with the Information Regulator of South Africa.

7. Security

We follow reasonable technical safeguards: TLS in transit, encrypted database at rest, encrypted secrets, principle-of-least-privilege access, and audit logs on administrative actions. No system is perfectly secure; we will notify affected parties and the Information Regulator without undue delay if a breach occurs that is likely to result in harm.

8. Contact us

Information Officer: Stephan Trimm.
Email: hello@tunelo.co.za
Postal: Cape Town, South Africa.

9. Changes

We’ll update the “Last updated” date at the top of this page when we materially change this policy. For changes that affect how we handle data you’ve already given us, we’ll notify you by email.