Draft — pending legal review.This policy is being finalized and hasn’t yet been reviewed by an attorney. If you have questions about how your data is handled in the meantime, contact anton@sparkconsulting.co.za.

Privacy Policy

Cin7 Core Toolbox — operated by Spark Consulting

1. Who we are

Cin7 Core Toolbox (“the App”) is operated by Spark Consulting, based in South Africa. This policy is written primarily to comply with South Africa’s Protection of Personal Information Act (POPIA). If a client’s own data processed through the App includes personal information of individuals in the European Union or United Kingdom, the GDPR/UK GDPR may also apply to that data — see section 8.

Contact for privacy matters: anton@sparkconsulting.co.za.

2. What the App does

The App connects to a client’s own Cin7 Core account(s) to help the client import, validate, audit, migrate, and report on their own inventory, sales, and product data. Clients provide their own Cin7 API credentials; the App uses those credentials only to act on the client’s Cin7 account, at the client’s direction.

3. What information we process

  • Account data— your name/email, used for login (one-time email code — we don’t store passwords) and to identify who performed which action.
  • Organization data — the organization(s) you belong to, and which App features are enabled for your organization.
  • Cin7 credentials — your Cin7 Core account ID and application key, encrypted at rest (AES-256-GCM) before storage, decrypted only in server memory when making a request to Cin7 on your behalf. Never stored or logged in plaintext.
  • Your Cin7 business data — product, sales, purchase, assembly/production, customer, and supplier records you import or that the App pulls live from your connected Cin7 instance(s). This may include personal information about your own customers or suppliers if present in your Cin7 data.
  • Activity log — a record of every write the App makes back to your Cin7 instance(s): what changed, which user triggered it, and when.
  • Basic technical logs — standard hosting-provider request logs, used only to operate and debug the App.

We do not sell personal information, and we don’t use client data for advertising.

4. Why we process it

Processing is necessary to perform the service you’ve engaged Spark Consulting to provide. Where your own Cin7 data contains personal information about your customers or suppliers, you remain the responsible party for that data under POPIA/GDPR, and Spark Consulting acts on your behalf — see our Data Processing Agreement.

5. Where data is stored and processed

Application hosting is provided by Vercel; the primary database is Supabase (Postgres), currently hosted in the Ireland (eu-west-1) region. This means data may be processed outside South Africa. The precise cross-border-transfer basis is still being finalized and will be published here once confirmed — if this matters for your specific engagement, contact us before relying on this page.

6. Data isolation between organizations

The App is multi-tenant: multiple organizations use the same underlying database, but database-level access rules enforce that a user can only ever query their own organization’s data.

7. Retention and deletion

Our specific retention commitment is still being finalized. As things stand, data is retained for the duration of your engagement with Spark Consulting and deleted on request afterward. Contact us if you need a specific commitment in writing for your organization.

8. GDPR

This section only applies if your own Cin7 data includes personal information of individuals located in the EU/UK. In that case, you remain the data controller for that information, and our Data Processing Agreement is intended to serve as the Article 28 processor terms. Contact us if this applies to you.

9. Your rights

Under POPIA, you (or, where applicable, individuals whose personal information appears in your Cin7 data) have the right to request access to, correction of, or deletion of personal information held about you, subject to POPIA’s exceptions. To exercise these rights, contact anton@sparkconsulting.co.za.

10. Security

  • Cin7 credentials are encrypted at rest (AES-256-GCM) and never logged in plaintext.
  • Login uses a one-time email code rather than a password, with optional two-factor authentication.
  • Database access is enforced per-organization at the database level.
  • All writes the App makes to your Cin7 instance are recorded in an auditable activity log.

11. Sub-processors

We use Vercel (hosting) and Supabase (database, authentication) to provide the App. Your own Cin7 Core account is not a sub-processor — it’s your pre-existing system that this App connects to at your direction, using credentials you supply.

12. Changes to this policy

We’ll notify registered users by email of material changes to this policy before they take effect.

← Back to sign in