This Privacy Policy explains how Qelo ("we", "us", "our"), the provider of SlipStack ("the Service"), collects, uses, stores, shares and protects your personal information. We are committed to handling your information lawfully and transparently in line with the Protection of Personal Information Act, 2013 (POPIA).
The short version: SlipStack only messages you in response to receipts and requests you send us on WhatsApp. We store your receipts in your own Google Drive and post them to your own accounting system. We do not sell your data, and you can ask us to delete it at any time.
On this page
1. Who we are 2. Information we collect 3. How we use your information 4. WhatsApp & how messaging works 5. Who we share information with 6. AI processing of receipts 7. How long we keep it 8. How we protect it 9. Your rights under POPIA 10. Deleting your data 11. Children 12. Changes to this policy 13. Contact & Information Officer1. Who we are
SlipStack is a product of Qelo, based in Cape Town, South Africa. SlipStack is a WhatsApp-based service that lets businesses photograph receipts and supplier invoices, automatically extracts the details, files them to the user's own Google Drive, and posts them to the user's connected accounting system (such as Xero or Sage One ZA).
For the purposes of POPIA, Qelo is the responsible party for the personal information described in this policy.
2. Information we collect
We collect only the information we need to provide the Service:
| Category | Examples | Why we collect it |
|---|---|---|
| Contact & account details | Your name, business name, WhatsApp phone number, email address | To identify your account and communicate with you |
| Receipt content | Photos of receipts/invoices and the data extracted from them (vendor, date, amounts, line items, VAT) | This is the core function of the Service |
| WhatsApp messages | The messages you send to and receive from SlipStack | To process your requests and respond to you |
| Integration tokens | Secure authorisation (OAuth) tokens for Google Drive and your accounting system | To file and post receipts to your own accounts on your behalf |
| Usage & technical data | Logs, timestamps, error and diagnostic information | To keep the Service reliable and secure |
| Billing details | Plan, subscription status (payments are handled by our payment provider) | To manage your subscription |
We do not deliberately collect special categories of personal information. Please don't send us receipts or documents containing information you don't want processed for this purpose.
3. How we use your information
- To read your receipts and extract their details.
- To file receipts to your Google Drive and post entries to your accounting system.
- To respond to you on WhatsApp and let you confirm or correct captured data.
- To provide support, manage your subscription, and send essential service messages.
- To maintain, secure, debug and improve the Service.
- To comply with our legal obligations.
Our lawful bases under POPIA include performance of our contract with you, your consent (which you give by using the Service), our legitimate interests in running and improving the Service, and compliance with the law.
4. WhatsApp & how messaging works
SlipStack operates over the WhatsApp Business Platform, provided by Meta Platforms, Inc.
- You opt in by messaging SlipStack first, or by providing your number to start the Service.
- We send messages only in response to receipts and requests you send us, plus essential service notifications. We do not send marketing spam.
- You can opt out at any time by replying STOP; we will stop messaging you.
- Your use of WhatsApp is also subject to Meta's own privacy and messaging policies.
5. Who we share information with
We do not sell your personal information. We share it only with the service providers (operators) needed to run SlipStack, and only as far as necessary:
- Meta Platforms — to deliver messages over WhatsApp.
- Google — to store receipts in your own Google Drive and log them to Google Sheets, using authorisation you grant.
- Your accounting provider (e.g. Xero, Sage) — to post entries to your own books, using authorisation you grant.
- Our AI vision provider — to read the details from your receipt photos (see section 6).
- Hosting & infrastructure providers — to run the Service securely.
- Our payment provider — to process subscriptions.
We may also disclose information if required by law, or to protect our rights, users or the public.
International transfers. Some of our service providers (including Meta, Google, your accounting provider, and our AI vision provider) process information on servers outside South Africa. Where we transfer your personal information abroad, we do so only as permitted by section 72 of POPIA — for example because the recipient is bound by laws or agreements that provide adequate protection, or because the transfer is necessary to provide the Service you have requested.
6. AI processing of receipts
To read your receipt, the photo is sent to a trusted third-party AI vision provider that extracts the details (vendor, date, amounts, VAT, line items). This processing is used solely to provide the extraction feature. Your receipts are not used to train AI models, in line with our provider's API terms.
7. How long we keep it
We keep your account and receipt data for as long as you use the Service, and for up to 5 years afterwards to meet SARS record-keeping and other legal, tax and audit obligations, after which it is deleted. Note that receipts filed into your own Google Drive and accounting system remain there under your control even after you stop using SlipStack. You can request deletion of the data we hold at any time (see section 10).
8. How we protect it
We use appropriate technical and organisational measures to protect your information, including encryption in transit, access controls, and secure handling of integration tokens. No system is perfectly secure, but we take reasonable steps to safeguard your data and will notify you and the Information Regulator of a material breach without undue delay, as required by POPIA.
9. Your rights under POPIA
You have the right to:
- Access the personal information we hold about you.
- Ask us to correct or update inaccurate information.
- Object to processing or withdraw consent (this may mean we can no longer provide the Service).
- Request deletion of your information.
- Lodge a complaint with the Information Regulator of South Africa.
Information Regulator (South Africa)
Email: POPIAComplaints@inforegulator.org.za
Website: inforegulator.org.za
10. Deleting your data
You can ask us to delete the personal information we hold about you at any time by emailing info@qelo.co.za, or by following the steps on our Data Deletion page. We will action verified requests within 30 days.
11. Children
SlipStack is a business tool and is not directed at children under 18. We do not knowingly collect personal information from children.
12. Changes to this policy
We may update this policy from time to time. We'll post the updated version here with a new "Last updated" date, and notify you of material changes where appropriate.
13. Contact & Information Officer
For any privacy question or request, contact our Information Officer:
Qelo (Information Officer)
Cape Town, South Africa
Email: info@qelo.co.za
Note: This policy is a good-faith plain-language summary of our practices. Please have it reviewed by a legal professional before relying on it commercially, and confirm your registered company name/number and appointed Information Officer.