Privacy Policy
1. Overview
Statotech Systems (“Statotech”, “we”, “us”, or “our”) is committed to protecting the privacy of everyone who uses our products and services. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have over your data.
This policy applies to statotec.com and all Statotech products, including Statotech Account (accounts.statotec.com), Shop POS, MenuWise, School ERP, ZimRate, ToraShaout, and Health. By using any of these services, you agree to the practices described in this policy.
2. Who We Are
Statotech Systems is a software company incorporated and operating in Harare, Zimbabwe. We build software products for Zimbabwean businesses and provide custom software development services.
Data controller: Statotech Systems
Address: Harare, Zimbabwe
Contact: contact@statotec.com
3. Data We Collect
3.1 Account registration (email and password)
When you create a Statotech Account using email and password, we collect:
- Your full name
- Your email address
- Your password — stored as a bcrypt hash. We never store passwords in plain text and we cannot retrieve your password.
3.2 Account registration (Google Sign-In)
When you sign in using Google, we receive data from Google as described in Section 4 below. We do not collect a password in this case — your identity is verified by Google.
3.3 Product usage data
When you use our products, we collect data necessary to provide those services. This varies by product and may include:
- Shop POS: Business name and address, product catalogue, sales transactions, stock records, payment amounts and methods, customer receipts
- MenuWise: Restaurant name, menu items, prices, categories
- School ERP: School name, student enrolment records, attendance, grades, fee payment records, staff records
- ZimRate: API usage logs (for rate limiting and abuse prevention)
- ToraShaout: Order details, celebrity booking requests, delivery information, payment records
- Health: Clinic name, patient records, appointment schedules, prescription records, billing records
Data you enter into our products (such as student records, patient records, or sales data) belongs to you. See Section 7 for details on data ownership.
3.4 Billing and payment data
When you pay for a subscription, we record the transaction amount, date, payment method (e.g., EcoCash, OneMoney, card), and transaction reference. We do not store full card numbers. Card payments are processed by our payment providers and we receive only a tokenised reference.
3.5 Technical data collected automatically
When you use our services, we automatically collect:
- IP address
- Browser type and version
- Device type (desktop, mobile, tablet)
- Pages visited and features used, with timestamps
- Session cookies (used for authentication — see Section 9)
3.6 Contact form submissions
If you submit the contact form on statotec.com, we collect your name, email address, company name (optional), and your message. This is processed via Formspree.
4. Google Sign-In (OAuth 2.0)
Statotech Account supports signing in with your Google account via OAuth 2.0. This section explains exactly what data we receive from Google, how we use it, and how you can revoke access.
4.1 What Google data we request
We request only two OAuth scopes from Google:
- email — your Google account email address
- profile — your display name and profile picture URL
We do not request access to your Google Drive, Gmail, Calendar, Contacts, or any other Google service. We do not request any sensitive or restricted Google OAuth scopes beyond email and profile.
4.2 What data we receive from Google
When you sign in with Google, Google sends us:
- Your name (as set in your Google account)
- Your email address
- Your Google profile picture URL
- A unique Google account ID (used to link your Google account to your Statotech account — we do not share this ID)
4.3 How we use Google user data
We use the data received from Google exclusively to:
- Create and identify your Statotech account
- Display your name and profile picture within our products
- Send you transactional emails (password resets, subscription confirmations) to your Google email address
We do not use your Google user data for advertising. We do not use your Google user data to build advertising profiles. We do not use your Google user data for any purpose other than providing and improving our services to you.
4.4 How we store Google user data
Google user data (name, email, profile picture URL, Google account ID) is stored in our PostgreSQL database hosted on Neon. All data is encrypted in transit using TLS. Access to our databases is restricted to authorised Statotech personnel only.
We do not store your Google password. Authentication is managed by Google — we only receive the data Google provides after you authorise our app.
4.5 Sharing of Google user data
We do not sell, rent, or trade your Google user data. We do not transfer your Google user data to third parties for their own use. We share Google user data only as strictly necessary to provide our services — specifically with Neon (database hosting) and Vercel (application hosting), both of which process data on our behalf under confidentiality obligations.
4.6 Revoking Google access
You can revoke Statotech's access to your Google account at any time by visiting your Google Account permissions page:
myaccount.google.com/permissions
Revoking access prevents future Google Sign-In but does not automatically delete your Statotech account or your data. To delete your account and all associated data, see Section 10.
4.7 Google API Services User Data Policy
Statotech Systems' use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
5. How We Use Your Data
We use the personal data we collect to:
- Create and manage your Statotech account
- Authenticate you when you sign in
- Provide the features and functionality of our products
- Manage your subscription and process payments
- Send transactional emails — account confirmations, password resets, payment receipts, and subscription notices
- Respond to support requests and enquiries
- Monitor and improve the performance and security of our systems
- Comply with applicable Zimbabwean laws and regulations
We do not:
- Sell your personal data to any third party
- Use your data for targeted advertising
- Share your data with advertisers
- Use Google user data for any purpose beyond providing our services
- Send unsolicited marketing emails (we only send emails you would reasonably expect)
6. How We Store and Protect Your Data
6.1 Where data is stored
Your data is stored in PostgreSQL databases hosted by Neon (a cloud database provider). Our applications are hosted on Vercel. Both providers operate secure, industry-standard data centres.
6.2 Security measures
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL.
- Encryption at rest: Database storage is encrypted at the infrastructure level by Neon.
- Password hashing: Passwords are hashed using bcrypt before storage. We cannot retrieve your password.
- Session security: Session cookies are set with the httpOnly, Secure, and SameSite flags to prevent cross-site attacks.
- Access control: Database access is restricted to authorised Statotech personnel on a need-to-know basis.
- Backups: Data is backed up regularly. Backups are encrypted.
6.3 Limitations
No system is completely secure. While we implement strong security measures, we cannot guarantee absolute security against all threats. If we become aware of a security breach that affects your personal data, we will notify you promptly in accordance with applicable law.
8. Data Retention and Deletion
8.1 Retention periods
- Account data: Retained while your account is active.
- Product data: Retained while your subscription is active and for 30 days after account deletion to allow recovery.
- Payment records: Retained for 7 years for tax and accounting compliance under Zimbabwean law, even after account deletion.
- Contact form submissions: Retained for up to 2 years.
- Anonymised usage analytics: May be retained indefinitely, as they cannot be linked to an individual.
8.2 Account deletion
You can delete your Statotech account at any time through your account settings or by emailing contact@statotec.com. When you delete your account:
- Your personal data (name, email, profile picture, Google account ID) is deleted within 30 days.
- Your product data (sales records, student records, etc.) is deleted within 30 days.
- Payment records are retained for 7 years as required by law, but are no longer linked to an identifiable account after deletion where possible.
- Backups containing your data are overwritten within our standard backup rotation cycle (maximum 90 days).
8.3 Google Sign-In data deletion
If you signed in using Google, deleting your Statotech account deletes the Google user data we hold (your name, email, profile picture URL, and Google account ID) within 30 days. Revoking Google access at myaccount.google.com/permissions prevents future sign-ins but does not automatically delete your Statotech account data — you must separately delete your account if you wish your data removed.
10. Your Rights
You have the following rights regarding your personal data:
10.1 Access
You can view most of your personal data directly in your Statotech account settings. To request a full copy of all data we hold about you, email contact@statotec.com. We will respond within 30 days.
10.2 Correction
You can update your name, email address, and profile picture in your account settings at any time. If you cannot correct something yourself, email us and we will correct it.
10.3 Deletion
You can delete your account through your account settings or by emailing contact@statotec.com. See Section 8 for what is deleted and when.
10.4 Data portability
You can export your product data (sales records, menu items, student records, etc.) at any time through the export features in each product. To request an export of your account data in a machine-readable format, email us.
10.5 Revoking Google access
You can revoke Statotech's Google OAuth access at any time at myaccount.google.com/permissions.
10.6 Objection and restriction
If you believe we are processing your data in a way that is unlawful or that you object to, please contact us. We will review your objection and respond within 30 days.
11. Children's Privacy
Our services are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at contact@statotec.com and we will delete that data promptly.
Note: School ERP is used by schools to manage student records. In this context, student data is entered and controlled by the school (the data controller), not by the students themselves. Schools using School ERP are responsible for obtaining any necessary consents under applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes — particularly changes that affect how we handle Google user data — we will:
- Update the effective date at the top of this page
- Send a notification to your registered email address
- Display a notice within our products
Continued use of our services after the updated policy takes effect constitutes your acceptance of the changes. If you do not agree with a change, you may delete your account before the change takes effect.
13. Contact Us
For any questions, requests, or concerns about this Privacy Policy or how we handle your personal data, please contact us:
- Email: contact@statotec.com
- Company: Statotech Systems
- Location: Harare, Zimbabwe
We aim to respond to all privacy-related enquiries within 5 business days.