Plain English summary: Scannly collects only what it needs to operate. We never sell your data. We are fully compliant with the Protection of Personal Information Act (POPIA). You can request deletion of your data at any time.
1. Who We Are
Scannly is a QR-based lead generation and tracking platform operated from South Africa. References to "Scannly", "we", "us", or "our" refer to the Scannly platform and its operators.
We act as both a data controller (for account and platform data) and a data processor (for lead data captured on behalf of our business customers).
2. What Information We Collect
2.1 Account holders (businesses and their staff)
- Name, email address, phone number
- Organisation name, logo, and branding preferences
- Billing information (processed securely via PayFast — we do not store card details)
- Login credentials (managed securely via Clerk)
- Usage data: pages visited, features used, login timestamps
2.2 Prospects (leads captured via QR scans)
- First name, last name, email address, phone number
- Company name and any optional message submitted
- Custom form field responses (if configured by the business)
- Explicit consent record: timestamp, IP address, and consent statement accepted
- Device type, approximate location (city/country from IP), user agent string
- UTM campaign parameters from the URL at time of scan
2.3 Automatically collected data
- QR scan events: timestamp, device type, city, country
- IP addresses (used for rate limiting and geographic analytics)
- Browser and device information
3. How We Use Your Information
For account holders
- To provide, operate, and improve the Scannly platform
- To process billing and manage subscriptions
- To send transactional emails (new leads, invoices, team invites)
- To provide customer support
- To generate analytics and performance reports
For prospects (lead data)
- To route lead information to the correct sales representative
- To display lead data in the business customer's dashboard
- To generate analytics for the business customer (scan counts, conversion rates)
- To provide AI-assisted lead scoring (Growth plan and above)
We never use prospect data for Scannly's own marketing purposes. Lead data belongs to the business customer that collected it.
4. Lawful Basis for Processing (POPIA)
Under the Protection of Personal Information Act 4 of 2013 (POPIA), we process personal information on the following grounds:
- Consent: Prospects explicitly consent to their information being collected and shared with the relevant business at the point of QR scan. Consent is recorded with timestamp and IP address.
- Contract: Account holder data is processed to fulfil our service agreement.
- Legitimate interest: Platform analytics and security monitoring.
Our Information Officer is responsible for ensuring POPIA compliance. Contact details are listed in Section 12.
5. Sharing Your Information
We do not sell personal information to third parties. We share data only in the following circumstances:
Service providers (sub-processors)
- Clerk — authentication and identity management
- PayFast — payment processing (South Africa)
- Resend — transactional email delivery
- OpenAI — AI lead scoring (Growth plan, anonymised data only)
- Clearbit / Apollo — company data enrichment (Growth plan)
- Microsoft Azure — database hosting (South Africa region where available)
Legal requirements
We may disclose information where required by South African law, court order, or to protect the rights and safety of Scannly, our customers, or the public.
Business transfers
In the event of a merger or acquisition, personal information may be transferred as part of the transaction. Affected parties will be notified.
6. Data Retention
- Account data is retained for the duration of the subscription plus 90 days after cancellation
- Lead data is retained until the business customer deletes it or their account is closed
- After account cancellation, data is permanently deleted within 90 days
- Payment records are retained for 7 years as required by South African tax law
- Audit logs are retained for 3 years
Business customers are notified at 90, 30, and 7 days before scheduled data deletion.
7. Data Security
We implement the following technical and organisational measures to protect personal information:
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Authentication managed via Clerk with support for multi-factor authentication
- Row-level data isolation between organisations
- API keys stored as hashed values — never in plain text
- Regular automated backups with 30-day retention
- Access to production systems restricted to authorised personnel only
- All administrative actions are logged in an immutable audit trail
In the event of a data breach that poses a risk to data subjects, we will notify affected parties and the Information Regulator within 72 hours as required by POPIA.
8. Your Rights
Under POPIA, you have the following rights regarding your personal information:
- Right of access: Request a copy of the personal information we hold about you
- Right to correction: Request correction of inaccurate or incomplete information
- Right to erasure: Request deletion of your personal information ("right to be forgotten")
- Right to object: Object to the processing of your personal information
- Right to withdraw consent: Withdraw previously given consent at any time
- Right to complain: Lodge a complaint with the Information Regulator of South Africa
To exercise any of these rights, email us at privacy@scannly.co.za. We will respond within 30 days. Prospects wishing to have their lead data deleted should contact the business that collected their information, or contact us and we will facilitate the request.
You may also contact the Information Regulator of South Africa at inforegulator.org.za.
9. Cookies
Scannly uses the following types of cookies:
- Essential cookies: Required for authentication and session management. Cannot be disabled.
- Analytics cookies: Used to understand how the platform is used. Only set with your consent.
- Preference cookies: Remember your settings (dark mode, language). Only set with your consent.
You can manage cookie preferences via the cookie consent banner displayed on your first visit. Withdrawing consent for non-essential cookies will not affect your ability to use the platform.
10. Children's Privacy
Scannly is a business platform and is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has submitted information through our platform, please contact us immediately and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify account holders of material changes via email at least 14 days before they take effect. Continued use of Scannly after the effective date constitutes acceptance of the updated policy.
The current version is always available at scannly.co.za/privacy-policy.