Privacy Policy
This policy explains how Sorae, operated by Sinneo Financial Technologies (Pty) Ltd, collects, processes, and protects information when you use our bank statement intelligence platform. We have designed this policy to be readable, not just legally compliant.
Who We Are
Sorae is a financial technology service operated by Sinneo Financial Technologies (Pty) Ltd, a company registered in the Republic of South Africa and a division of the Sinneo Group. In this policy, "Sorae", "we", "us", and "our" refer to Sinneo Financial Technologies (Pty) Ltd.
Under the Protection of Personal Information Act 4 of 2013 (POPIA), Sinneo Financial Technologies acts in the capacity of an Information Operatorwhen processing bank statement data submitted by our business clients. Our clients (the lenders, agents, and employers who use Sorae) are the Responsible Partiesin respect of the personal information of the individuals whose statements are submitted.
What Information We Collect
We collect different types of information depending on whether you are a business client (a company that signs up for Sorae) or an individual whose statement is submitted by a client.
Information from business clients (account holders)
- Full name and work email address provided at signup
- Company name and registration details
- Password (stored only as a cryptographic hash — never in plain text)
- IP address at the time of Data Processing Agreement acceptance (stored as a one-way hash)
- Session metadata: IP address hash, browser user-agent string, login timestamps
- API key usage metadata: call timestamps, response codes, processing times
- Credit transaction records: top-up amounts, dates, and analysis deductions
- Communication history if you contact our support
Information processed on behalf of clients (statement subjects)
When a bank statement is submitted to Sorae for analysis, we temporarily process the following data in memory only:
- Transaction records (dates, amounts, descriptions)
- Account balance information
- Statement period (from and to dates)
- Bank name and account type
None of this information is stored. See Section 5 (Zero Data Retention Policy) for the complete technical explanation.
Information we do not collect
- South African ID numbers
- Physical addresses
- Phone numbers
- Biometric data of any kind
- Raw bank statement PDFs (stored anywhere)
- Account holder names from statements (processed in memory, never logged)
- Account numbers or card numbers
How We Use Your Information
We use account information for the following purposes, all of which are necessary to provide the Sorae service:
| Purpose | Legal basis under POPIA |
|---|---|
| Authenticating your login and maintaining your session | Necessary for the performance of a contract |
| Sending email verification codes during signup | Necessary for the performance of a contract |
| Sending a welcome email after account activation | Legitimate interest |
| Processing credit top-up payments via PayFast | Necessary for the performance of a contract |
| Deducting credits per analysis and maintaining your transaction ledger | Necessary for the performance of a contract |
| Providing the API key management interface | Necessary for the performance of a contract |
| Maintaining audit logs of API calls for your account records | Legal obligation and legitimate interest |
| Sending low-balance email warnings | Legitimate interest |
| Detecting and preventing fraudulent or abusive API usage | Legitimate interest |
| Responding to support queries | Legitimate interest |
We do not use your information for advertising, profiling, or sale to third parties. We do not use the financial data from bank statements for any purpose other than returning the analysis result to the submitting client.
Bank Statement Processing
The core function of Sorae is to process bank statement PDFs and return structured financial intelligence. This section explains exactly what happens technically when a statement is submitted.
- The PDF is received over an encrypted HTTPS connection and loaded into server memory.
- Text is extracted from the PDF using a parsing library. The raw PDF binary is immediately discarded from memory.
- The extracted text is passed through our Capitec statement parser, which identifies transactions, income patterns, balances, and statement metadata.
- The parsed data is run through our analysis engine: income verification, expense categorisation, affordability scoring, and risk flag detection.
- The structured analysis data is sent to OpenAI's API to generate a plain-language summary paragraph. Only the structured numbers and categories are sent — not raw transaction descriptions or personal identifiers.
- The complete analysis result is returned to the submitting client in JSON format.
- All in-memory data from steps 1–5 is released. Nothing is written to disk, a database, a cache, or any persistent storage.
- An audit log entry is written containing only: timestamp, detected bank name, statement period (month/year), processing time in milliseconds, response status, and a hashed IP address. No transaction content, no names, no account details.
Zero Data Retention Policy
Sorae operates a strict zero data retention policy for all bank statement content. This is not simply a business decision — it is a core architectural principle. The system was designed from the ground up to make persistent storage of statement content technically impossible at the application level.
What is never stored
- Bank statement PDF files
- Extracted statement text
- Individual transaction records
- Account holder names
- Account numbers or branch codes
- Raw balance figures from the statement
- Any personal information about the statement subject
What is stored (audit log only)
- Call ID (a random UUID with no connection to statement content)
- Detected bank name (e.g. "CAPITEC")
- Statement period as month/year only (e.g. "2025-01")
- Processing time in milliseconds
- Response status (SUCCESS or ERROR code)
- Client reference string, if provided by the submitting client
- SHA-256 hash of the submitting client's IP address (not the raw IP)
The affordability grade, income figure, and other analysis outputs are returned to the client in the API response and are not retained by Sorae. If a client needs to store analysis results, they must store them in their own systems.
Data Processing Agreement (DPA)
POPIA requires that when one entity (an Information Operator) processes personal information on behalf of another entity (the Responsible Party), there must be a written agreement governing that processing relationship.
All Sorae business clients are required to accept a Data Processing Agreement during the signup process before they may submit any bank statements. The DPA:
- Establishes Sinneo Financial Technologies as the Information Operator and the client as the Responsible Party
- Specifies the purpose for which processing is permitted (financial intelligence analysis only)
- Confirms the zero data retention model and the client's understanding of it
- Confirms that the client has lawful authority to submit statements and has complied with their own obligations to the individuals concerned
- Is governed by the laws of the Republic of South Africa
DPA acceptance is timestamped and the client's IP address hash is recorded at the time of acceptance, creating a verifiable record for POPIA compliance purposes.
Security Measures
We apply the following technical and organisational measures to protect information:
| Measure | Detail |
|---|---|
| Encryption in transit | All connections to Sorae use TLS 1.3. HTTP connections are redirected to HTTPS. |
| Password hashing | Passwords are hashed using SHA-256 with a server-side secret salt. Plain-text passwords are never stored. |
| API key hashing | API keys are stored only as SHA-256 hashes. Raw keys are shown once at generation and never stored. |
| Session security | Session tokens are stored in HTTP-only cookies, inaccessible to JavaScript, with a 30-day expiry. |
| IP address hashing | IP addresses in audit logs are hashed with a secret salt and cannot be reverse-engineered. |
| Zero persistent statement data | Statement content exists only in server memory during processing and is never written to any storage layer. |
| Row-Level Security | Supabase RLS policies ensure clients can only access their own data. |
| HTTPS-only headers | HSTS, X-Frame-Options, X-Content-Type-Options headers are set on all responses in production. |
Despite these measures, no system is completely impenetrable. We encourage business clients to use strong passwords, rotate API keys regularly, and report any suspected unauthorised access immediately to security@sorae.co.za.
Your Rights Under POPIA
The Protection of Personal Information Act grants data subjects (individuals whose personal information is processed) the following rights:
| Right | What it means for Sorae |
|---|---|
| Right to be notified | This privacy policy serves as notification of our processing activities. |
| Right of access | Business clients may request a copy of all personal information we hold about their account by emailing privacy@sorae.co.za. |
| Right to correction | You may update your name, company name, and email address in account settings, or request correction via email. |
| Right to deletion | You may request deletion of your account and all associated data. Note: audit log metadata may be retained for the legally required period. Statement content was never stored and therefore cannot be deleted (there is nothing to delete). |
| Right to object to processing | You may object to processing of your information for purposes other than providing the service. We do not use your information for any other purpose, so this right is unlikely to apply. |
| Right to lodge a complaint | You have the right to lodge a complaint with the Information Regulator of South Africa at inforeg.org.za. |
To exercise any of these rights, email privacy@sorae.co.za. We will respond within 30 days. We may need to verify your identity before processing a request.
Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Bank statement content | Zero — not retained | Core product design principle |
| Account information (name, email, company) | Duration of account + 3 years after closure | Contractual and legal obligation |
| Session tokens | 30 days from creation, or until logout | Authentication requirement |
| Email verification tokens | 10 minutes (expired tokens deleted) | Security — short-lived by design |
| API keys (hashed) | Duration of account | Audit trail |
| Credit transaction records | Duration of account + 5 years | Financial record-keeping obligation |
| Audit log metadata | 3 years from creation | Legal obligation and fraud prevention |
| DPA acceptance records | Duration of account + 7 years | POPIA compliance evidence |
| Pending payment records | 2 years from creation | Financial record-keeping |
Children
Sorae is a business-to-business service intended solely for use by registered companies and their authorised employees. We do not knowingly collect personal information from individuals under the age of 18. If you believe a minor has registered for an account, please contact us immediately at privacy@sorae.co.za and we will delete the account.
Changes to This Policy
We may update this privacy policy from time to time as the product evolves or as legal requirements change. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send a notification email to all active account holders
- Display a notice in the dashboard for 30 days after the change
Continued use of Sorae after a material change constitutes acceptance of the updated policy. If you disagree with a change, you may close your account at any time by emailing support@sorae.co.za.
Contact Us
For any privacy-related questions, requests, or concerns, contact our Information Officer:
You also have the right to lodge a complaint with the Information Regulator of South Africa if you believe we have not handled your personal information in accordance with POPIA.