Privacy Policy
Last updated: 11 June 2026 Effective date: 11 June 2026
ArcDev (Pty) Ltd ("ArcDev", "we", "us", or "our") operates the Arc Forms platform accessible at arc-form.co.za ("Platform"). This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you use our Platform, and describes your rights under the Protection of Personal Information Act 4 of 2013 ("POPIA"), the General Data Protection Regulation (EU) 2016/679 ("GDPR") where applicable, and other applicable privacy laws.
By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.
1. Who We Are
Information Officer / Data Responsible Party: ArcDev (Pty) Ltd South Africa Contact: theuns@arcdev.co.za
If you are located in the European Economic Area, ArcDev acts as the data controller in respect of your personal information.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: name, email address, password (stored as a one-way hash), and any profile details provided during registration.
- Form responses: any personal, financial, or sensitive information you submit through forms built on the Platform. The scope of this data varies per form and is determined by the service operator who created the form.
- Communications: messages, support requests, or other correspondence you send to us.
- Credentials: when service operators connect third-party integrations (such as WhatsApp Business accounts), we store the relevant credentials in encrypted form.
2.2 Information Collected Automatically
- Log data: IP address, browser type and version, operating system, referring URL, pages visited, time and date of access, and time spent on pages.
- Device information: device identifiers and hardware model where relevant to service delivery.
- Cookies and session data: session identifiers, authentication tokens, and preference cookies. See Section 10 for details.
- Audit events: when a form field is designated as an audit field (e.g. a consent checkbox or signature), we record the date, time, IP address, and user agent at the moment the field is completed. This constitutes a legally binding audit trail.
2.3 Information from Third Parties and External Services
- Meta Business (WhatsApp Business API): when outbound WhatsApp messages are sent through the Platform, Meta processes the recipient's phone number and message content and may return delivery status information (sent, delivered, read, failed) and inbound reply content, which we log in our communication records. Meta's processing is governed by its own Privacy Policy and Terms of Service.
- Third-party CRM integrations: where a service operator has enabled a CRM integration, workflow and form data may be transmitted to that external system. ArcDev acts as a data processor in this context; the operator is responsible for ensuring the integration complies with applicable privacy law.
3. How We Use Your Information
We process personal information for the following purposes and on the following legal bases:
| Purpose | Legal basis (POPIA) | Legal basis (GDPR) |
|---|---|---|
| Providing and operating the Platform | Contractual necessity | Art. 6(1)(b) — performance of a contract |
| User authentication and account security | Legitimate interest, contractual necessity | Art. 6(1)(b), Art. 6(1)(f) |
| Processing and storing form responses on behalf of operators | Contractual necessity (data processor role) | Art. 6(1)(b) |
| Sending transactional communications (OTPs, draft resume links, contract links) | Contractual necessity | Art. 6(1)(b) |
| Sending WhatsApp messages you have consented to receive via form submission | Consent / contractual necessity | Art. 6(1)(a), Art. 6(1)(b) |
| Audit trail generation for legally binding records | Legal obligation, legitimate interest | Art. 6(1)(c), Art. 6(1)(f) |
| Billing and invoice generation | Legal obligation, contractual necessity | Art. 6(1)(b), Art. 6(1)(c) |
| Fraud prevention and platform security | Legitimate interest | Art. 6(1)(f) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
| Analytics and platform improvement | Legitimate interest | Art. 6(1)(f) |
We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects without human review.
4. Data Processor vs. Data Responsible Party
ArcDev operates in two distinct capacities depending on the context:
As a Data Responsible Party (Controller): We determine the purposes and means of processing your account information, platform logs, billing records, and system-level data.
As a Data Operator (Processor): When service operators (businesses who subscribe to our Platform) collect form responses from their customers, ArcDev processes that data strictly on behalf of the operator according to their instructions. In this capacity, the service operator is the data responsible party and their own privacy policy governs the data they collect. ArcDev does not access or use such data beyond what is necessary to deliver the service.
5. Disclosure of Your Information
We do not sell, rent, or trade your personal information. We may disclose it to:
5.1 Service Providers (Sub-Processors)
We engage trusted third-party service providers who assist in delivering the Platform. Each processes personal data only to the extent necessary for their function:
- Infrastructure and hosting providers: servers, storage, and related services underpinning the Platform.
- Meta Business (WhatsApp Business API): outbound and inbound WhatsApp messaging. Meta acts as an independent data controller for its own platform data.
- Electronic communications providers: delivery of transactional emails including OTPs, notifications, and document links.
- Third-party CRM systems (operator-configured): where a service operator enables a CRM integration, data flows to that system under the operator's instruction and their own data processing agreements.
5.2 Legal Requirements
We may disclose your information where required to do so by law, court order, or in response to a valid request by a public authority, including to meet national security or law enforcement requirements.
5.3 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your personal information becomes subject to a different privacy policy.
6. International Transfers
Our servers are located in South Africa. Where we transfer personal information to recipients outside South Africa, we ensure that equivalent levels of protection apply, including through standard contractual clauses or adequacy decisions. If you are located in the EEA, transfers to South Africa are subject to appropriate safeguards in accordance with GDPR Chapter V.
7. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
| Data category | Retention period |
|---|---|
| Account information | Duration of account + 3 years after closure |
| Form responses | As directed by the service operator; minimum 5 years for legally binding contracts |
| Audit trail records | 7 years (legal obligation for signed documents) |
| Communication logs (WhatsApp) | 2 years |
| Billing records | 5 years (South African tax law) |
| System logs (IP, access logs) | 90 days |
| Deleted account data | Purged within 30 days of deletion request, subject to legal hold obligations |
8. Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, and destruction, including:
- Encryption of data in transit using TLS 1.2 or higher.
- One-way hashing of passwords using bcrypt.
- Encryption at rest for sensitive credentials (WhatsApp access tokens, webhook secrets) using AES-256 encryption. Credentials are never stored in plain text or application configuration files.
- Role-based access controls enforced at the application layer.
- Audit logging of significant administrative actions.
- Signed URLs with expiry for sensitive operations (draft resume, document delivery).
No method of transmission over the internet or method of electronic storage is 100% secure. In the event of a security breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected data subjects as required by applicable law.
9. Your Rights
Under POPIA (South Africa)
- Right of access: request confirmation of whether we hold your personal information and obtain a copy.
- Right to correction: request correction of inaccurate or incomplete information.
- Right to deletion: request deletion of your personal information, subject to legal retention obligations.
- Right to object: object to the processing of your personal information on grounds relating to your particular situation.
- Right to lodge a complaint: lodge a complaint with the Information Regulator of South Africa at www.justice.gov.za/inforeg or by email at complaints.IR@justice.gov.za.
Under GDPR (European Economic Area)
In addition to the rights above:
- Right to data portability: receive your personal data in a structured, commonly used, machine-readable format.
- Right to restriction of processing: request that we restrict processing of your personal information in certain circumstances.
- Right to withdraw consent: where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: lodge a complaint with your local supervisory authority.
To exercise any of these rights, contact us at theuns@arcdev.co.za. We will respond within 30 days. We may need to verify your identity before acting on your request.
10. Cookies
| Category | Purpose | Basis |
|---|---|---|
| Strictly necessary | Session management, authentication, CSRF protection | Necessary for the Platform to function |
| Preference | Theme selection (light/dark mode) | Legitimate interest |
| Analytics | Anonymous usage statistics to improve the Platform | Legitimate interest (opt-out available on request) |
We do not use advertising or tracking cookies. You may manage cookie preferences through your browser settings. Disabling strictly necessary cookies will prevent you from using authenticated areas of the Platform.
11. WhatsApp Communications
Where you or a service operator provides a WhatsApp phone number and a form is submitted through the Platform, we may send you automated WhatsApp messages via the Meta Cloud WhatsApp Business API.
- You may opt out at any time by replying STOP to any message.
- Message and data rates may apply depending on your mobile carrier.
- Outside the 24-hour customer service window, only Meta-approved template messages are sent.
12. Children's Privacy
The Platform is not directed at children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have done so, we will take steps to delete such information promptly. Contact us immediately if you believe we hold a child's personal information.
13. Third-Party Links
The Platform may contain links to third-party websites. We are not responsible for the privacy practices of those third parties and encourage you to review their privacy policies.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through a prominent notice on the Platform. Your continued use of the Platform after any changes constitutes your acceptance of the revised policy.
15. Contact Us
ArcDev (Pty) Ltd Email: theuns@arcdev.co.za Website: arc-form.co.za
Information Regulator (South Africa) JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 Email: complaints.IR@justice.gov.za