STEWARD

Privacy Policy

Last Updated: May 2026
Effective Date: May 2026

1. Introduction

Welcome to STEWARD. This Privacy Policy is issued by JTS Tekobo (Pty) Ltd (Registration No. 2022/755276/07), a company registered in the Republic of South Africa, trading as STEWARD ("we," "our," or "us"). We are the Responsible Party as defined under POPIA and the Data Controller as defined under GDPR. We are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our financial management application ("Service" or "Application").

This Privacy Policy complies with:

  • POPIA (Protection of Personal Information Act, 2013) - South Africa
  • GDPR (General Data Protection Regulation) - European Union
  • Other applicable data protection laws in jurisdictions where we operate

By using our Service, you consent to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use our Service.

2. Information We Collect

2.1 Personal Information You Provide

We collect personal information that you voluntarily provide when you:

  • Register for an account
  • Complete the onboarding process
  • Use our financial tracking features
  • Contact us for support
  • Subscribe to our services

This includes:

  • Identity Information: First name, last name, username, preferred name
  • Contact Information: Email address, country of residence
  • Account Credentials: Password (stored as encrypted hash)
  • Financial Information: Transaction data, budget information, income sources, account balances, spending categories
  • Payment Information: Payment method details (processed securely through our authorised payment processors — we do not store card details)
  • Marketing Preferences: Referral source information
  • Usage Data: How you interact with our Service

2.2 Automatically Collected Information

We automatically collect certain information when you use our Service:

  • Device Information: IP address, browser type, operating system
  • Usage Data: Pages visited, features used, time spent on Service
  • Technical Data: Error logs, performance metrics

2.3 Cookies and Local Storage

STEWARD uses a minimal set of cookies and browser storage technologies strictly necessary to operate the Service. We do not use advertising, analytics, or tracking cookies.

Session Cookie

When you log in, we set a session cookie on your browser. This cookie:

  • Is strictly necessary to authenticate your session and keep you logged in
  • Is HttpOnly (not accessible to JavaScript) and transmitted over HTTPS only in production
  • Expires after 2 hours of inactivity
  • Contains no personal information — only a session identifier

Because this cookie is strictly necessary for the Service to function, it does not require your consent under GDPR or POPIA.

Browser Local Storage

We store the following in your browser's local storage (not cookies):

  • Authentication token: A short-lived JWT token (expires in 1 hour) used to authenticate API requests
  • UI preferences: Theme (dark/light mode) and sidebar state, so your preferences are remembered across sessions
  • Onboarding state: A flag indicating whether you have completed the welcome tour

Local storage data is stored only on your device and is never transmitted to third parties. You can clear it at any time through your browser settings.

No Third-Party Tracking

STEWARD does not use Google Analytics, Facebook Pixel, or any other third-party tracking or advertising cookies. The only external resources loaded are UI libraries (Font Awesome icons, Google Fonts, Chart.js) served from trusted CDNs solely for display purposes — these do not set tracking cookies.

3. How We Use Your Information

We use collected information for the following purposes:

3.1 Service Provision

  • Create and manage your account
  • Process transactions and financial data
  • Provide budgeting and financial tracking features
  • Send account-related notifications
  • Process subscription payments

3.2 Communication

  • Send verification emails
  • Respond to support requests
  • Send important service updates
  • Send subscription-related communications

3.3 Legal and Compliance

  • Comply with legal obligations
  • Enforce our Terms and Conditions
  • Protect our rights and prevent fraud
  • Respond to legal requests

3.4 Service Improvement

  • Analyze usage patterns
  • Improve Service functionality
  • Develop new features
  • Conduct research and analytics

4. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal information based on:

  • Consent: When you explicitly consent to processing
  • Contract Performance: To provide services under our Terms and Conditions
  • Legal Obligation: To comply with applicable laws
  • Legitimate Interests: To improve our Service and prevent fraud

5. Information Sharing and Disclosure

We do NOT sell your personal information. We may share information in the following circumstances:

5.1 Service Providers

We share information with trusted third-party service providers who assist us in:

  • Payment processing (via authorised processors who are PCI DSS compliant)
  • Email delivery
  • Hosting and infrastructure
  • Analytics and monitoring

These providers are contractually obligated to protect your information and use it only for specified purposes.

5.2 Legal Requirements

We may disclose information if required by law, court order, or government regulation, or to:

  • Comply with legal processes
  • Protect our rights and property
  • Prevent fraud or security threats
  • Protect user safety

6. Data Security

We implement industry-standard security measures to protect your information:

6.1 Technical Safeguards

  • Encryption: Data encrypted in transit (HTTPS/TLS) and at rest
  • Access Controls: Limited access to personal information on a need-to-know basis
  • Authentication: Secure password hashing (bcrypt)
  • Payment Security: Payment details processed by authorised PCI DSS-compliant processors — we never store card details

6.2 Organizational Safeguards

  • Employee training on data protection
  • Regular security audits
  • Incident response procedures

However, no method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You use our Service at your own risk.

6.3 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the South African Information Regulator and, where required, affected users as soon as reasonably possible and within 72 hours of becoming aware of the breach, in accordance with POPIA and GDPR obligations.

7. Data Retention

We retain your personal information for as long as:

  • Your account is active
  • Necessary to provide our Service
  • Required by law or legal obligations
  • Necessary for legitimate business purposes

When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required by law.

8. Your Rights (POPIA & GDPR)

You have the following rights regarding your personal information:

  • Access Rights: Request a copy of your personal information
  • Correction Rights: Request correction of inaccurate information
  • Deletion Rights: Request deletion of your personal information
  • Objection Rights: Object to processing based on legitimate interests
  • Restriction Rights: Request restriction of processing in certain circumstances
  • Data Portability: Request transfer of your data in a machine-readable format
  • Withdrawal of Consent: Withdraw consent where processing is based on consent

To exercise these rights, contact us at: admin@stewardbudget.co.za

We will respond to your request within 30 days (or as required by applicable law).

9. International Data Transfers

Your information is hosted on Microsoft Azure cloud infrastructure, which may process and store data in data centres located outside your country of residence, including within the European Union and the United States. Microsoft Azure maintains Standard Contractual Clauses (SCCs) and other appropriate transfer mechanisms compliant with GDPR and applicable data protection law. By using our Service, you consent to your information being transferred to and processed in these locations. Where we transfer data internationally, we take reasonable steps to ensure your information is protected to a standard equivalent to that required under South African law.

10. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will:

  • Notify you of material changes via email or Service notification
  • Update the "Last Updated" date
  • Require re-acceptance for significant changes

Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Data Protection Officer (GDPR)

For GDPR-related inquiries, contact our Data Protection Officer at: admin@stewardbudget.co.za

13. Information Regulator (POPIA)

The Responsible Party under POPIA is JTS Tekobo (Pty) Ltd t/a STEWARD. For POPIA-related inquiries, you may contact us directly at admin@stewardbudget.co.za, or escalate to the South African Information Regulator:

  • South African Information Regulator: inforeg@justice.gov.za
  • Website: https://www.justice.gov.za/inforeg/

14. Contact Us

For privacy-related questions or to exercise your rights, contact us:

JTS Tekobo (Pty) Ltd t/a STEWARD
Email: admin@stewardbudget.co.za
Address: Moreleta Park, Pretoria

By using STEWARD, a service of JTS Tekobo (Pty) Ltd, you acknowledge that you have read, understood, and agree to this Privacy Policy.

© 2026 JTS Tekobo (Pty) Ltd t/a STEWARD. All rights reserved.