Privacy Policy
- Effective date:
- 25 April 2026
- Last updated:
- 25 April 2026
1. Who We Are
CasePilot is a South African SaaS product operated by CasePilot (Pty) Ltd (“CasePilot”, “we”, “us”, or “our”). CasePilot provides small and medium-sized businesses with a workflow tool to manage employee disciplinary processes in compliance with the Labour Relations Act 66 of 1995.
We are a responsible party as defined in the Protection of Personal Information Act 4 of 2013 (POPIA). We take your privacy seriously and are committed to processing personal information lawfully, fairly, and transparently.
Contact: legal@casepilot.co.za | casepilot.co.za
2. What Information We Collect
Account and billing information: name, email, business name, industry, mobile number, payment information processed via PayFast (we do not store card details).
Employee data: full name, job title, employment type, start date, disciplinary records, warnings, incident descriptions, and generated documents. You are the responsible party for your employees’ data under POPIA.
Usage data: log data, IP addresses, browser type, pages visited, device information, and error data.
3. How We Use Your Information
To provide, maintain, and improve CasePilot. To process payments and send billing notices. To verify identity and prevent fraud. To send service notifications. To respond to support requests. To comply with legal obligations. We do not use your data for advertising or profiling.
4. Legal Basis for Processing
Contractual necessity, legal compliance, legitimate interest, and consent where applicable.
5. AI-Assisted Processing
CasePilot uses the Anthropic Claude AI API to classify incidents and generate document content. Incident descriptions are sent to Anthropic’s API for processing. We do not use this data to train AI models. All AI outputs are clearly identified as AI-assisted and do not constitute legal advice.
6. Data Sharing
We share data only with: PayFast (payments), Anthropic (AI processing), Railway (hosting), Supabase (database), Cloudflare (CDN/DNS), Resend/Postmark (email), SMSPortal (SMS). We do not sell or trade your data.
7. Data Retention
Active account: data retained indefinitely. After cancellation: 30 days full access, then soft-deleted. After 12 months: permanently deleted. You will be notified at cancellation, day 25, and 30 days before deletion. Request deletion at legal@casepilot.co.za.
8. Security
TLS encryption in transit. Encryption at rest. Signed URLs for all file access. Strict account isolation. Full audit trail. OTP phone verification for public-domain signups.
9. Your Rights Under POPIA
Access, correction, deletion, objection, and the right to lodge a complaint with the Information Regulator (inforegulator.org.za | inforeg@justice.gov.za).
10. Cookies
Strictly necessary session cookies only. No advertising or tracking cookies.
11. Children
CasePilot is for adults operating in a commercial context. We do not knowingly collect data from persons under 18.
12. Changes to This Policy
We will notify you by email and in-app at least 14 days before material changes take effect.