Privacy Notice

Apex Accounting Worx (Pty) Ltd (“Apex”, “we”, “us”, “our”) is a South African company that develops and operates a cloud-based accounting platform for professional accounting firms.

Our Information Officer is Warren Scrimgeour, registered with the Information Regulator of South Africa in terms of the Protection of Personal Information Act 4 of 2013 (“POPIA”). POPIA/PAIA enquiries may be directed to privacy@apexworx.co.za.

This notice applies to two distinct contexts:

A. Our marketing website (apexworx.co.za) — information collected from visitors to our public website, including contact form submissions and website analytics.

B. Our platform (*.apexworx.online) — information processed by Apex on behalf of accounting firms (“tenants”) who subscribe to the Apex platform.

The legal basis and our role differ between these two contexts, as explained below.

3.1 Website (Responsible Party)

In respect of our marketing website, Apex acts as the Responsible Party. We determine the purpose and means of processing personal information submitted through the website.

3.2 Platform (Operator)

In respect of the Apex platform, Apex acts as an Operator. The accounting firm (tenant) that subscribes to the platform is the Responsible Party for their clients’ personal information. Apex processes that information solely on the tenant’s behalf and in accordance with their instructions.

Apex does not access, use, or disclose tenant client data for any purpose other than providing the platform services, except as required by law.

4.1 Contact form submissions

When you submit an enquiry through our contact form, we collect:

• Your name
• Your firm name
• Your email address
• Your phone number (optional)
• The content of your message

Purpose: To respond to your enquiry and, where applicable, to follow up regarding Apex products and services.

Legal basis: Processing is necessary for our legitimate interest in responding to prospective customer enquiries, and where you have voluntarily provided your details for this purpose.

4.2 Website analytics

Our website uses Vercel Analytics, a cookieless analytics tool. Vercel Analytics does not use cookies and does not track individual users across sessions or across websites. It collects aggregated data including page views, referrer information, browser type, device type, and approximate geographic region (country level).

No personal information is collected by Vercel Analytics that can be used to identify you individually. No consent banner is required for this processing.

Purpose: To understand how our website is used and to improve it.

When an accounting firm subscribes to Apex, their staff and their clients’ information is processed on the platform. This may include:

• Firm staff: names, email addresses, contact details, login credentials (stored as salted hashes), and activity logs
• End clients of the firm: names, contact details, financial records, bank statement data, receipts, invoices, and documents uploaded to the platform

Purpose: Solely to provide the Apex platform services to the subscribing accounting firm.

Our role:Apex is an Operator in respect of this data. The accounting firm is the Responsible Party and is responsible for ensuring their own POPIA compliance in respect of their clients’ information.

All data processed by Apex is hosted on infrastructure located in South Africa or within Microsoft Azure regions with appropriate data residency controls.

We apply the following security measures:

• All data in transit is encrypted using TLS 1.2 or higher
• Databases are protected by SQL-level authentication and access controls
• File storage uses per-tenant encryption keys and access-scoped credentials
• Platform secrets are stored using OS-level encryption tied to a dedicated service account
• Regular encrypted backups are taken covering all platform data, file storage, and databases
• Access to production systems is restricted to authorised personnel only

No security measure is infallible. In the event of a security compromise affecting your personal information, we will notify affected parties in accordance with our obligations under POPIA.

7.1 Website enquiries

Contact form submissions are retained for as long as necessary to manage the enquiry and any resulting business relationship. If no relationship results, enquiries are retained for a maximum of 12 months.

7.2 Platform data — active subscriptions

Tenant and client data is retained for the duration of the subscription and for as long as required to provide the services.

7.3 Platform data — after cancellation

Following cancellation of a subscription, all tenant and client data is retained for 90 days to allow for data retrieval or transition. After 90 days, all data is permanently deleted from our systems and backups are cycled out within normal backup retention windows.

Apex does not sell personal information to third parties.

We share personal information only in the following circumstances:

• Service providers: We engage third-party service providers (including cloud infrastructure, email delivery, and backup services) who process data on our behalf under appropriate data processing agreements
• Legal obligation: Where we are required by law, court order, or regulatory authority to disclose information
• Tenant instruction: Where an accounting firm instructs us to share data as part of the platform services

All third-party service providers engaged by Apex are contractually required to process personal information only for the purposes instructed and to maintain appropriate security standards.

You have the right to:

• Access the personal information we hold about you
• Correction of inaccurate, incomplete, or outdated information
• Deletion of your personal information, subject to our legal obligations
• Objection to the processing of your personal information
• Withdrawal of consent where processing is based on consent

To exercise any of these rights, contact our Information Officer at privacy@apexworx.co.za. We will respond within a reasonable time and no later than required under POPIA.

You also have the right to lodge a complaint with the Information Regulator of South Africa:

• Website: www.inforegulator.org.za
• Email: inforeg@justice.gov.za

Our marketing website (apexworx.co.za) does not use tracking cookies. Our analytics provider (Vercel Analytics) is cookieless.

The Apex platform (*.apexworx.online) uses session cookies strictly necessary for authentication. These cookies are essential to the operation of the platform and do not track you across third-party websites.

Our services are not directed at persons under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has submitted personal information to us, please contact us at privacy@apexworx.co.za and we will delete it promptly.

We may update this Privacy Notice from time to time. Material changes will be communicated to active platform subscribers by email. The effective date at the top of this notice will always reflect the most recent version.

For any privacy-related queries, requests, or complaints: