Legal & Privacy Policy

1. Introduction

This policy applies to all AOLC (Pty) Ltd services: StaffWatch, ServiceDesk, HRPay, Auth Platform, and GRC (collectively "the Platform").

AOLC (Pty) Ltd (Registration: 2013/192846/07), operating under The Ivest Trust (IT2171/2010), is the data controller for all personal information processed through the Platform.

2. POPIA Compliance

We process personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA), South Africa.

Lawful basis for processing:

• Consent — Staff members consent to monitoring when accepting the StaffWatch terms of use
• Contract — Processing necessary to fulfil our service agreement with your organisation
• Legitimate interest — Security monitoring, fraud prevention, system administration

Information Officer:

As required by POPIA, the Information Officer for AOLC (Pty) Ltd can be contacted at privacy@aolc.tech.

3. Data Collection & Processing

What we collect:

• Identity data — Name, email, job title, department
• Authentication data — Password hashes (bcrypt), MFA secrets, session tokens
• Monitoring data (StaffWatch) — Application usage, website visits, screenshots, active/idle time, policy violations
• Business data (ServiceDesk) — Tickets, invoices, contracts, time entries, client records
• HR data (HRPay) — Leave balances, payroll information, employee records
• Device data — Hostname, OS version, agent version, IP address, last seen timestamp

Data residency:

All data is stored in South Africa (Vultr Johannesburg data centres + MinIO on Vultr JHB). No data is transferred outside South Africa.

4. Data Retention

• Activity logs & screenshots: 90 days rolling (configurable per tenant)
• Audit logs: 90 days active + 365 days cold storage
• Login events: 90 days
• Business records (invoices, contracts): 7 years (per SARS requirements)
• Account data: retained while the account is active, deleted within 30 days of account closure

5. Security

• All data in transit encrypted via TLS 1.2+
• Passwords hashed with bcrypt (cost factor 12)
• MFA available via TOTP (authenticator app) or email verification
• API authentication via JWT tokens (HS256, 8-hour expiry)
• RMM integration credentials encrypted with Fernet (AES-128-CBC)
• Per-tenant data isolation (separate databases or tenant_id filtering)
• Automated nightly backups to encrypted object storage

6. Your Rights (POPIA)

You have the right to:

• Access your personal information
• Correct inaccurate information
• Delete your data (right to be forgotten)
• Object to processing
• Data portability — request your data in a machine-readable format

To exercise these rights, contact privacy@aolc.tech. We will respond within 30 days.

7. Cookies & Tracking

The Platform uses localStorage for authentication tokens. We do not use third-party cookies, tracking pixels, or analytics services. No data is shared with advertisers.

8. Third-Party Services

• Vultr (Johannesburg) — Server infrastructure
• Xero — Accounting integration (ServiceDesk only, per-tenant opt-in)
• SendGrid — Transactional email delivery
• Anthropic Claude — AI-generated insights (StaffWatch only, no personal data sent)

9. Terms of Service

By using the Platform, you agree to:

• Use the services only for lawful business purposes
• Not attempt to circumvent security measures or access other tenants' data
• Maintain the confidentiality of your authentication credentials
• Inform employees when StaffWatch monitoring is active (employer's responsibility)

AOLC reserves the right to suspend or terminate access for violations of these terms.

10. Contact

AOLC (Pty) Ltd
Registration: 2013/192846/07
Operating under The Ivest Trust (IT2171/2010)
South Africa

Privacy: privacy@aolc.tech
Support: support@aolc.tech