01Who we are
Subflow is operated by Subflow (Pty) Ltd, a company registered in South Africa, Cape Town. For the purposes of POPIA, our Information Officer can be reached at [email protected].
02What we collect
We practise data minimisation — we collect only what's needed to run payments and subscriptions.
Information you give us
- Account & waitlist data: name, work email, company, and the gateway(s) you connect.
- Merchant configuration: plans, pricing, subscription settings and gateway credentials you enter (gateway secrets are stored encrypted).
Information we process on a merchant's behalf
- End-customer data: customer name, email, subscription and charge records flowing through a merchant's funnel.
- Payment tokens: gateway-issued tokens. We do not receive or store card numbers, CVV or expiry — see Security.
Information collected automatically
- Technical logs: IP address, device/browser metadata, and webhook/audit events, used for security, fraud-prevention and debugging.
03Why we process it
We process personal information on these lawful bases under POPIA:
- Contract
- To provide the platform, process charges and run subscriptions you configure.
- Legitimate interest
- To secure the service, prevent fraud, and improve reliability.
- Legal duty
- To meet financial-record-keeping and tax obligations.
- Consent
- For optional product updates and marketing email, which you can withdraw at any time.
04Controller vs. operator
For your own account data, Subflow is the responsible party (controller). For end-customer data moving through a merchant's funnel, the merchant is the responsible party and Subflow is the operator (processor) acting only on the merchant's documented instructions. Merchants are responsible for having a lawful basis and a privacy notice covering their own customers.
05Who we share with
We never sell personal information. We share it only with the sub-processors needed to run the service — payment gateways, hosting, and operational tooling — listed and kept current on our sub-processor list. We may also disclose information where required by law or to protect the rights and safety of Subflow, our merchants or the public.
06Cross-border transfers
Subflow runs on Cloudflare's European edge, so some personal information is processed outside South Africa. Where we transfer data across borders we rely on POPIA's transfer conditions and ensure a comparable level of protection through contractual safeguards with our sub-processors.
07Retention
We keep personal information while your account is active and for as long afterwards as South African financial-record law requires, after which it is deleted or de-identified. Waitlist data is kept until you ask us to remove it or the launch programme concludes.
08Your rights
Subject to POPIA, you have the right to access the personal information we hold about you, to ask us to correct or delete it, to object to certain processing, and to withdraw consent for marketing. To exercise any of these, email [email protected] — we respond within the timeframes POPIA prescribes. If a request concerns data we process for a merchant, we will refer you to, or coordinate with, that merchant as the responsible party. You also have the right to lodge a complaint with the Information Regulator of South Africa.
09Cookies
The marketing site uses only the cookies needed to make it work and to understand aggregate traffic. We don't use third-party advertising cookies.
10Changes to this policy
We may update this policy as the product evolves. Material changes will be announced on this page and, where appropriate, by email. The "last updated" date above always reflects the current version.
11Contact
Privacy questions and data-subject requests: [email protected]. Postal: Subflow (Pty) Ltd, Cape Town, South Africa.