Orinex OS — Premium Financial Operations Platform

1. Introduction

Orinex OS ("we", "us", "our", or the "Platform") is a cloud-based financial operations platform operated by Orinex OS (Pty) Ltd, a company registered in the Republic of South Africa. We are committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and all applicable data protection legislation.

This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have concerning your data when you use Orinex OS.

2. Information We Collect

2.1 Account Information

When you register for an account, we collect:

Full name (first name and last name)
Email address
Password (stored in hashed form — we never store plaintext passwords)
Company name and trading name
Company registration number and VAT number
Phone number
Physical and postal address

2.2 Business and Financial Data

In the course of using the Platform, you may upload or create:

Debtor records: Names, email addresses, phone numbers, billing addresses, and communication preferences of your customers
Invoices: Invoice amounts, line items, billing references, payment terms, and status
Payments and transactions: Payment amounts, dates, references, and bank statement data uploaded for reconciliation
Expense documents: Receipts, supplier invoices, and related images uploaded for processing
Supplier records: Supplier names, contact details, VAT numbers, and banking information
Purchase orders and quotations: Procurement documents and associated line items
Email communications: Email addresses, subject lines, and delivery status of automated correspondence

2.3 Usage and Technical Data

We automatically collect:

IP address and browser information
Login timestamps and session duration
Pages visited and features used
Device type and operating system

2.4 Email & Payment Gateway Configuration Data

If you configure a custom SMTP email server, we store your SMTP host, port, and sender details. SMTP passwords are encrypted at rest using industry-standard encryption and are never stored in plaintext or transmitted to any third party.

If you configure a payment gateway (currently Payfast), we store your merchant ID and, optionally, your merchant key and passphrase. These credentials are encrypted at rest using the same encryption mechanism as SMTP credentials. They are decrypted only at the moment a payment URL is generated or an ITN (Instant Transaction Notification) webhook is validated, and are never logged or transmitted to any party other than the gateway itself.

3. How We Use Your Information

We process your personal information for the following purposes:

Service Delivery

To provide invoicing, collections, reconciliation, expense management, procurement, cashbook, and reporting functionality.

AI-Powered Features

To extract data from bank statements and receipts, match payments to invoices, and categorise expenses using artificial intelligence.

Communications & Collections

To send automated payment reminders, collection notices, recurring invoice notifications, Pay Now payment links, welcome emails, and system notifications on your behalf.

Online Payment Processing

To generate Pay Now URLs, embed payment buttons in invoice emails and PDFs, validate gateway callbacks (ITN webhooks), and automatically reconcile confirmed payments to invoices.

Security & Compliance

To detect fraud, maintain audit logs, enforce credit controls, and comply with legal obligations under South African law.

Analytics & Improvement

To generate dashboards, aging reports, cash flow projections, and to improve platform features and performance.

Account Management

To manage user accounts, authenticate users, enforce role-based access, and maintain multi-tenant data isolation.

4. AI and Third-Party Data Processing

Orinex OS uses OpenAI's API to power AI features including bank statement extraction, invoice matching, receipt scanning, and expense categorisation.

What we send to OpenAI: Only the minimum data required for the specific task — such as transaction descriptions, amounts, and document images. We do not send your full account details, passwords, or personal identification numbers to AI services.

OpenAI's data usage policy states that API data is not used to train their models. We recommend reviewing OpenAI's Privacy Policy for full details on their data handling practices.

5. Payment Gateway Data

When the Payfast payment gateway is enabled by a tenant, Orinex OS acts as an intermediary to generate payment URLs and process ITN (Instant Transaction Notification) callbacks.

What Payfast receives: Debtor first name, debtor email address, invoice amount, invoice number (as item description), and a platform-generated merchant payment ID. We do not transmit full identity numbers, banking details, or any other sensitive data to the gateway beyond what is strictly required to initiate a transaction.

Payfast confirms payment via a server-to-server ITN webhook. The raw ITN payload is stored in our database for audit and dispute resolution purposes. Payfast's own Privacy Policy governs how they handle data collected during checkout.

Payment gateway credentials (merchant key and passphrase) are encrypted at rest and are decrypted only at the moment a payment URL is generated or an ITN signature is validated. They are never logged, stored in plaintext, or transmitted to any party other than Payfast.

6. Data Sharing and Disclosure

We do not sell your personal information. We may share data with:

AI Service Providers: OpenAI, for the AI features described above
Email Service Providers: Your configured SMTP provider or our platform email service for sending automated communications
Payment Gateway Providers: When you enable online payment collection via Payfast, the following data is transmitted to initiate a payment: debtor first name, debtor email address, invoice amount, invoice number, and a platform-generated merchant payment ID. No banking credentials, identity numbers, or sensitive personal data are transmitted beyond what Payfast requires. Payfast's own privacy policy governs how they handle this data
Practitioner Accounts: If you are managed by a practitioner (accountant, bookkeeper), they will have access to your business data as configured by their access role
Legal Requirements: When required by law, court order, or to protect the rights, safety, or property of Orinex OS, our users, or the public

7. Multi-Tenant Data Isolation

Orinex OS is a multi-tenant platform. Each business (tenant) operates in a fully isolated data environment. Your financial data, debtor records, invoices, and all business information are accessible only to authorised users within your tenant, or by practitioners you have explicitly granted access to.

System administrators have restricted access to platform-level data for operational purposes only (e.g., user management, tier assignment). They do not have access to your financial transaction data.

8. Data Retention

We retain your data as follows:

Active accounts: Data is retained for as long as your account is active
Deactivated accounts: Data is soft-deleted and retained for 90 days to allow account recovery, after which it may be permanently purged
Audit logs: Retained for a minimum of 5 years in compliance with South African financial record-keeping requirements
Email logs: Retained for 2 years for troubleshooting and compliance purposes
Financial records: Retained in accordance with the South African Companies Act (No. 71 of 2008) and Tax Administration Act (No. 28 of 2011)

9. Data Security

We implement industry-standard security measures including:

Encryption of data in transit (TLS/HTTPS) and at rest
Passwords hashed using ASP.NET Identity with PBKDF2
SMTP credentials encrypted at rest using AES-256 via ASP.NET Data Protection
Payment gateway credentials (Payfast merchant key and passphrase) encrypted at rest using the same mechanism — never stored in plaintext
Role-based access control (RBAC) with tenant-level isolation
Global query filters preventing cross-tenant data leakage
Anti-forgery tokens on all form submissions
Regular security updates and patch management

10. Your Rights Under POPIA

As a data subject under the Protection of Personal Information Act, you have the right to:

Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate or incomplete personal information
Deletion: Request deletion of your personal information, subject to legal retention requirements
Objection: Object to the processing of your personal information in certain circumstances
Data Portability: Request your data in a structured, commonly used format
Withdraw Consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at support@orinexos.co.za. We will respond within 30 days as required by POPIA.

11. Cookies and Local Storage

Orinex OS uses:

Essential cookies: Authentication session cookies required for you to remain signed in (ASP.NET Identity cookies)
Anti-forgery cookies: Security cookies to prevent cross-site request forgery attacks
Local storage: To persist your theme preference (dark/light mode)

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

12. Children's Privacy

Orinex OS is a business-to-business platform and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify registered users of material changes via email or an in-app notification. The "Last Updated" date at the top of this page indicates when this policy was last revised.

14. Contact Us

Orinex OS (Pty) Ltd

Republic of South Africa

Email

support@orinexos.co.za

Information Officer

support@orinexos.co.za