Thola Home

Privacy Policy

Last updated 21 June 2026

This policy explains how Thola ("we") handles personal information, in line with South Africa's Protection of Personal Information Act, 2013 (POPIA). Thola is a tool businesses use to manage their own leads and customers; where a business uses Thola, that business is the responsible party for its contacts' data and Thola acts as its operator(processor) under a written agreement.

Who we are

Thola (tholaleads.com). Our Information Officer is designated under POPIA §55 — contact privacy@tholaleads.com.

What we collect

  • Account data — your name, email, and password (hashed) when you sign up.
  • Lead & customer data you enter — names, phone numbers, emails, messages, notes.
  • Usage & audit logs — actions taken in the product, for security and POPIA accountability.
  • Essential cookies — to keep you signed in (see our Cookie Policy).

Lawful basis & purpose

We process account data to provide the service (contract). Businesses must record a lawful basis — consent, legitimate interest, or an existing-customer relationship — before any message is sent to a contact; Thola blocks sends without one. We never use a business's contact data for our own marketing.

Who we share it with (operators)

We use vetted sub-processors strictly to run the service: Neon (database hosting), Meta/WhatsApp and email providers (message delivery, only when you connect them), and payment gateways (when you enable billing). Each is bound by data-processing terms. We do not sell personal information.

Cross-border & residency

Personal data is hosted with appropriate safeguards; our roadmap moves primary hosting to AWS Cape Town (af-south-1) so South African data stays in South Africa. Any transfer outside the country is done only with POPIA §72 safeguards in place.

Retention

We keep personal data only as long as needed. Erased records are soft-deleted immediately and hard-deleted after a 30-day grace window; suppression (opt-out) entries are retained so we keep honouring an opt-out. See our retention schedule for detail.

Your rights

Under POPIA you may request access, correction, or deletion of your personal information, and object to processing. Email privacy@tholaleads.com. You may also complain to the Information Regulator (South Africa).

Security

Access is scoped per tenant and per role; every personal-data read, export, send, and erasure is audited; secrets are encrypted and never exposed to the browser. No system is perfectly secure, but we hold ourselves to POPIA's "appropriate, reasonable" standard and review it regularly.

Changes

We'll update this page when our practices change and revise the date above.

PrivacyTermsPAIA manualCookies