Information Stewardship Statement
Active from 15 January 2025
Understanding Our Responsibility Framework
Running a working capital analysis platform means we handle specifics about your business operations—financial patterns, transaction rhythms, cash movement timelines. This isn't just regulatory box-ticking for us. When someone shares operational data with Web42 Orbit, they're handing over insights that could expose vulnerabilities if mishandled. We treat that exchange as a trust arrangement, not a data extraction exercise.
Our entire approach centers on minimal necessity. We don't collect information because we might find it useful later. Every piece of data we request serves a direct function within your analysis workflow—whether that's calculating working capital ratios, generating cash flow projections, or identifying operational bottlenecks. If it doesn't contribute to delivering your requested service, we don't ask for it.
This document walks through exactly what emerges during your interaction with our platform, what happens to those details afterward, and the mechanisms you control throughout. Unlike boilerplate privacy statements that describe theoretical possibilities, we're explaining our actual operational reality as it functions today in South Africa's financial services context.
Data Emergence Across Your Journey
Information doesn't just "get collected" in some abstract way. Different details surface at specific moments as you move through our platform. Here's how that actually unfolds:
Account Creation Phase
When you establish an account, we record identification elements—your full name, business name, email address, phone number, and physical business location. South African regulatory frameworks require that we verify business legitimacy before providing financial analysis services. Your password gets encrypted immediately; we can't retrieve it even if asked.
Analysis Configuration Stage
As you set up your first working capital analysis, you provide operational specifics—accounts receivable aging patterns, inventory turnover rates, supplier payment terms, typical collection periods. These metrics constitute the core of what we analyze. You're essentially teaching our system how your particular cash conversion cycle operates.
Platform Interaction Period
While using Web42 Orbit, technical markers accumulate—session timestamps, feature usage patterns, report generation requests, dashboard configuration preferences. Our system logs which analysis tools you access most frequently, how long sessions typically last, which reports get downloaded. This operational metadata helps us understand where users struggle or succeed.
Support Communication Exchanges
When you reach out via email, phone, or our help system, those conversations become part of your account record. We maintain communication history to provide contextual support—so you don't have to re-explain issues repeatedly. If you share additional financial documents during troubleshooting, those get treated with the same protection as your primary analysis data.
Payment Transaction Moments
Subscription payments generate financial transaction records—billing amounts, payment methods used, transaction timestamps. Our payment processor handles the actual card details; we receive confirmation tokens and transaction identifiers. Your complete payment card numbers never enter our database infrastructure.
Categories We Actually Work With
Names, business registration details, contact coordinates, role within organization
Cash flow patterns, working capital metrics, receivables/payables timelines, inventory cycles
Session behaviors, feature access frequency, report preferences, system configuration choices
Support ticket contents, email exchanges, phone call notes, help request histories
Billing records, payment confirmations, subscription status changes, invoice histories
Browser specifications, operating system details, screen resolution data, connection timestamps
Operational Handling and Internal Movement
Once information enters our system, it moves through specific operational pathways—not randomly scattered across our infrastructure. Our platform architect designed three distinct handling zones, each with different access permissions and security protocols.
Analysis Processing Environment
Your working capital data flows into isolated calculation engines. Automated systems perform ratio analysis, generate cash flow projections, identify pattern anomalies—all within encrypted processing containers. These engines can't communicate with external networks during calculation. Human staff can't directly access raw financial figures here; they only see aggregated system performance metrics.
Support Access Layer
When you submit a help request, our support team gains temporary access to your account context—but with limitations. They see the technical issue you're experiencing, your communication history with us, and relevant platform usage patterns. Financial specifics remain masked unless you explicitly share additional details during troubleshooting. Access gets logged with timestamps and automatically expires after case resolution.
Administrative Operations Zone
Billing administration, account status management, and regulatory compliance documentation happen in a separate environment. Staff handling subscription management see payment histories and contact information but can't access your actual financial analysis data. This segregation prevents unnecessary exposure—your accounts receivable aging doesn't need to be visible to someone processing your subscription renewal.
Who Actually Touches Your Information
Our team in Benoni includes financial analysts, platform support specialists, and technical infrastructure staff. Specific role restrictions determine data access. An analyst reviewing system accuracy might work with anonymized calculation outputs—the mathematical patterns without identifying business details. Support staff see enough context to resolve issues. Infrastructure engineers work with encrypted databases where content remains unreadable to them.
Every internal access event generates audit trail entries—who viewed what, when, for how long, from which location. These logs undergo monthly review by our operations director. Unusual access patterns trigger immediate investigation. We've terminated staff contracts over unauthorized data curiosity before. That precedent reinforces our internal culture.
External Information Movement
We dislike sending data outside our controlled environment. But certain operational realities and legal obligations require specific external transfers. Here's the complete list of scenarios where your information moves beyond Web42 Orbit's direct infrastructure:
| Receiving Entity | Information Transferred | Purpose and Constraint |
|---|---|---|
| Payment Processor (South African financial institution) | Transaction amounts, billing contact details, payment timestamps | Subscription payment processing only; governed by banking confidentiality obligations and card network security standards |
| Cloud Infrastructure Provider | Encrypted database contents, system backups, application files | Technical hosting services; all data encrypted at rest and in transit; provider cannot decrypt business specifics |
| Email Delivery Service | Email addresses, message contents, delivery timestamps | Sending platform notifications and analysis reports; contractually prohibited from using data for other purposes |
| Legal or Regulatory Authorities | Whatever specific information they legally compel | Only in response to valid South African legal process—court orders, warrants, statutory demands; we notify you unless prohibited |
| Professional Advisors | Relevant information necessary for their specific engagement | Legal counsel, auditors, or compliance consultants under professional confidentiality obligations; access terminated when engagement ends |
Notice what's absent from that list—advertising networks, data brokers, analytics aggregators, marketing platforms, social media companies. We don't participate in the ecosystem where businesses treat customer data as a monetizable asset. Your working capital analysis information holds no value to us beyond enabling the service you're actually paying for.
If Web42 Orbit were ever acquired or merged with another entity, your data would transfer as part of operational continuity. Any acquiring organization would inherit our obligations under this statement—or they'd need to offer you the opportunity to close your account and request deletion before transition. Business sales don't erase privacy commitments.
Cross-Border Transfer Reality
Our cloud infrastructure operates within South African data centers, but our hosting provider maintains backup facilities in Europe for disaster recovery. This means encrypted copies of your data may physically exist on European servers. South African and European data protection frameworks maintain comparable standards, and our hosting contracts include specific transfer safeguards. Still, you should understand your information isn't exclusively stored on South African soil.
Your Authority Over Your Information
South African data protection law grants you several specific rights regarding information held about you. These aren't just theoretical—we've built actual mechanisms for exercising them. But let's be honest about practical realities alongside legal rights.
What You Can Actually Do
Request a complete export of what we hold about you. We deliver this within 30 days as a structured data file—usually JSON or CSV format. Your dashboard shows most operational data already, but formal requests capture everything including system logs and internal notes.
If your business name changed, your contact information updated, or financial metrics need revision, you can edit most elements directly through your account settings. For corrections requiring our intervention, submit a support ticket with the specific inaccuracies and accurate replacements.
Ask us to remove your account and associated data entirely. We'll comply within 30 days unless legal retention obligations prevent immediate deletion—tax documentation must persist for prescribed periods, for example. Once deleted, recovery becomes impossible; we can't restore your analysis history.
While you maintain an active account, you can limit specific uses—like opting out of occasional product update communications. But you can't restrict processing essential to service delivery; working capital analysis requires analyzing your working capital data. Restricting core functions effectively means stopping service.
Raise concerns about particular data uses you consider inappropriate or excessive. We'll review objections case-by-case. If you object to something fundamental to our service model, we might need to discuss whether Web42 Orbit remains suitable for your needs rather than forcing an uncomfortable compromise.
Get your financial analysis data in machine-readable formats you could theoretically transfer to another platform. Our export function provides CSV files of your metrics, ratios, and historical analysis results—though finding another service with compatible import capabilities might prove challenging given our specialized focus.
The Practical Limitations Reality
Some rights sound absolute but face practical constraints. You can request deletion, but if you're party to an ongoing legal dispute where your account records constitute potential evidence, we might need to preserve that information until resolution. You can object to processing, but if that processing forms the core service function you contracted for, exercising that objection essentially terminates the relationship. These aren't loopholes—they're inherent tensions in data protection frameworks designed for broader contexts than specialized financial services.
We don't use "legitimate interests" as a blanket excuse to override your preferences. When we invoke that legal basis, we can explain the specific interest at stake and why it outweighs potential privacy impact. Usually it involves operational security—like logging access attempts to detect unauthorized intrusion patterns, even though those logs include timestamps of your legitimate usage.
Retention Duration and Deletion Triggers
We don't keep information indefinitely "just in case." Each data category has a specific retention period tied to operational necessity or legal obligation. Once that period expires and no active reason for retention remains, deletion happens automatically through scheduled purge routines.
Active Account Operational Data
While your subscription continues, we maintain your complete working capital analysis history. That enables trend analysis across multiple periods—you might want to compare this quarter's cash conversion cycle against patterns from eight months ago. Deleting historical data would undermine the platform's core value. As long as you're actively using Web42 Orbit, your operational data persists.
Closed Account Records
When you close your account, we retain basic transaction documentation for seven years—South African tax regulations require maintaining billing records for that duration. But your actual financial analysis data gets deleted within 90 days of account closure. That three-month buffer allows you to change your mind during a reasonable reconsideration window. After 90 days, your working capital metrics become permanently unrecoverable.
Support Communication Archives
Help desk conversations remain accessible for two years after your last interaction. This retention period supports quality review and helps identify recurring issues across multiple users. But support tickets older than 24 months undergo anonymization—we strip identifying details while preserving the technical problem description for knowledge base development.
System Access Logs
Security audit trails persist for one year, then get purged unless flagged for investigation. If suspicious access patterns emerged or a security incident occurred involving your account, relevant logs might need preservation beyond standard periods—though we'd notify you if your specific records required extended retention for security investigation purposes.
Legal Hold Exception
Court orders, regulatory investigations, or credible legal dispute warnings can override standard deletion schedules. If we receive valid legal process demanding preservation of specific records, those records freeze—no deletion until the legal matter resolves or the hold gets formally lifted. We'll inform you when legal holds affect your information unless notification would interfere with legal proceedings.
Security Measures and Remaining Risks
Discussing security feels uncomfortable because absolute protection doesn't exist. We can't promise your data will never be exposed—every system contains potential vulnerabilities, and sufficiently motivated attackers with enough resources eventually breach even well-protected infrastructure. What we can describe is our actual security architecture and the residual risks that persist despite our protective measures.
Our Technical Defenses
All data is transmitted over TLS-encrypted connections between your browser and our servers. At rest, databases use AES-256 encryption with keys stored separately from the encrypted content. Access requires multi-factor authentication for all staff accounts. Our infrastructure operates behind firewalls configured to deny all traffic except specifically approved connections. Automated vulnerability scanning runs weekly, and we maintain contracts with penetration testing firms that attempt to breach our defenses quarterly.
What Could Still Go Wrong
An employee with legitimate access credentials could misuse their permissions—our audit logging should detect this, but some damage could occur before discovery. A sophisticated attacker might exploit an unknown vulnerability in our infrastructure software before patches become available—zero-day attacks happen to major platforms regularly. Our cloud hosting provider could suffer a breach despite their security investments. Someone could compromise your individual account through phishing or credential theft—our security doesn't protect against attacks targeting you directly.
We maintain cyber insurance coverage and incident response protocols. If a breach occurs, affected users receive notification within 72 hours of our discovery—the sooner you know, the sooner you can take protective steps. We'll explain what information was exposed, what we're doing about it, and what you should consider doing. We won't minimize incidents or delay disclosure to protect our reputation.
Questions, Concerns, or Rights Requests?
[email protected]
+27113264296
K 15 Cranbourne Ave, Benoni, 1500, South Africa
For formal complaints about our data handling practices, you can contact South Africa's Information Regulator directly—their escalation process operates independently of us.
Policy Evolution and Notification
This statement will change as our platform evolves, regulatory requirements shift, or operational realities demand adjustments. We don't treat privacy policies as static legal documents—they should reflect actual current practices, which means updates become necessary periodically.
Material changes—like introducing new data categories, adding external service providers, or altering fundamental handling approaches—trigger direct notification to active account holders via email at least 30 days before implementation. Minor clarifications or organizational updates might happen without individual notification, but we'll always update the effective date at the top of this page and maintain a change history.
If you fundamentally disagree with a policy change, you can close your account before the new version takes effect. Continued use after the implementation date constitutes acceptance of the updated terms. We won't bury significant changes in lengthy revision logs hoping users won't notice—privacy policy updates shouldn't feel like ambush tactics.