
Privacy Policy

Last Updated: 6 April 2026

1. Introduction

Jabaricom Technologies Limited ("Jabaricom", "we", "us", or "our") is a company incorporated in the Republic of Zambia. We operate the Jabaricom platform (the "Service"), an AI-powered workflow and document intelligence tool designed for professional services firms, with accounting and audit firms in Zambia as our primary market.

This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with the Service. It is issued in compliance with the Zambia Data Protection Act No. 3 of 2021 (the "Act").

This Privacy Policy applies specifically where Jabaricom acts as a data controller, meaning it governs the personal data of individuals who interact directly with us: users of the platform, administrators, and visitors to our website.

1.1 Scope: What This Policy Does Not Cover

Jabaricom also acts as a data processor when subscriber firms upload or process their own clients' data through the Service, for example audit files, client financial statements, and engagement records. In that capacity, Jabaricom processes such data on behalf of the subscribing firm, which is the data controller. That processing relationship is not governed by this Privacy Policy. It is governed by the Data Processing Agreement ("DPA") between Jabaricom and the subscribing firm, which forms part of the firm's subscription agreement.

If you have queries about personal data that your firm has uploaded to the Service, those should be directed to your firm's designated privacy contact, not to Jabaricom.

1.2 Who to Contact

Jabaricom Technologies Limited

Lusaka, Republic of Zambia

Email: hello@jabaricom.com (subject line: "Data Protection Request")

2. Data We Collect

We collect the following categories of personal data when you use the Service or interact with us.

2.1 Account Data

  • Full name, email address, and phone number
  • Password (stored using one-way cryptographic hashing; we cannot read your password)
  • Organisation name, address, and industry
  • Role and access level within your organisation on the platform

2.2 Organisation Data

  • Company name, registered address, and sector
  • Team member names, email addresses, and roles as entered by your organisation's administrator

2.3 Engagement and Workflow Data

  • Engagement names, statuses, deadlines, and team assignments
  • Client or entity names and reference identifiers as entered by your firm
  • Evidence checklists/tracker, comments, and workflow progress data

2.4 Uploaded Documents

Where users upload documents through the Service, Jabaricom processes those documents as a data processor on behalf of the subscribing firm. This includes financial statements, tax records, correspondence, and any other files uploaded. Document metadata (file names, sizes, upload dates, and format) is processed as part of platform functionality.

2.5 Email Integration Data

Where a user connects their email account to the Service, we process:

  • Email metadata: sender, recipient, subject line, date, and thread identifiers
  • Email body content, where analysed for engagement-linking purposes, attachments, and summaries

Email integration requires explicit consent and administrator authorisation within your organisation's Microsoft 365 tenant or other providers. You may disconnect email integration at any time.

2.6 AI Interaction Data

  • Queries you submit to the AI assistant and the responses generated
  • Context data transmitted to AI providers to generate a response (see Section 5)

AI interaction data is processed as described in Section 5. We do not use your AI queries or responses to train or fine-tune any AI model.

2.7 Usage and Technical Data

  • Feature usage patterns, page views, session duration, and interaction events
  • IP address, browser type, device type, and operating system
  • Error logs and diagnostic data for platform stability

We do not currently use any third-party analytics platform. Usage data is processed internally. If this changes, this policy will be updated and you will be notified.

3. How We Use Data

We use personal data only for the purposes described below. We do not sell your personal data to any third party.

  • Platform functionality: To create and manage your account, provide the Service, and process your instructions within the platform.
  • AI-powered features: To provide email-to-engagement linking, document analysis, AI chat assistance, and proactive workflow insights. See Section 5 for detail.
  • Communication: To send transactional emails (account creation, password resets, subscription notices), service updates, and important notifications.
  • Security and fraud prevention: To detect, investigate, and respond to unauthorised access, abuse, and security incidents.
  • Platform improvement: To analyse usage patterns and diagnose issues in order to improve the reliability and functionality of the Service. This analysis uses aggregated or anonymised data where possible.
  • Legal compliance: To comply with applicable law, regulatory requirements, and lawful requests from competent authorities.

5. AI Data Processing

5.1 AI Features We Provide

  • Email-to-Engagement Linking: The AI analyses email content, including sender, subject, and body text, to suggest which engagement or client file an email relates to. This is assistive; the user confirms or overrides the suggestion.
  • AI Chat Assistant: Users may ask the AI questions about their engagements, clients, documents, and applicable accounting and regulatory standards. The AI draws on your organisation's data within the platform to generate a contextual answer.
  • Document Analysis: AI may analyse uploaded documents to assist with classification, information extraction, and compliance checking.
  • Proactive Insights: AI may surface risks, upcoming deadlines, and workflow recommendations based on engagement data.

5.2 What Data Is Transmitted to AI Providers

To generate a response, the relevant AI feature transmits a prompt to an AI model provider via an encrypted API call. That prompt may include:

  • The text of your query
  • Relevant context retrieved from your organisation's data on the platform (engagement names, document excerpts, email metadata)

Only the minimum data necessary to generate a useful response is transmitted. Jabaricom does not transmit bulk data to AI providers; data is retrieved contextually per query.

5.3 AI Provider Commitments

We use the following AI model providers:

  • Microsoft Azure OpenAI Service (primary inference, hosted in Azure South Africa North or Sweden Central)
  • Anthropic Claude via API (secondary inference, processed in the United States)

Under our agreements with these providers, both operate under API terms that currently prohibit using customer inputs or outputs to train or fine-tune their models. We periodically review these terms. If a provider's commitments change in a way that affects your data, we will update this policy and notify you.

5.4 AI Outputs Are Assistive

All AI outputs within the Service are assistive tools to support professional judgement. They do not constitute professional accounting, audit, tax, or legal advice. Users remain responsible for reviewing, verifying, and applying any AI-generated output. Jabaricom accepts no liability for decisions made in reliance on AI outputs without independent professional review.

5.5 Withdrawing AI Consent

You may withdraw your consent to AI data processing at any time. Withdrawing consent will disable AI-powered features for your account. It does not affect processing carried out before withdrawal.

6. Data Sharing and Sub-processors

We share your personal data only with the sub-processors listed below, who are necessary for us to provide the Service. We do not sell, rent, or trade your personal data to any third party for commercial purposes.

All sub-processors are bound by written data processing agreements requiring them to protect your data, process it only on our instructions, and apply appropriate technical and organisational security measures.

Sub-processor | Purpose | Data Residency | Safeguards
--- | --- | --- | ---
Microsoft Azure | Cloud infrastructure, compute, and storage | South Africa North (Johannesburg) | ISO 27001, SOC 1 & 2, PCI DSS
Azure OpenAI Service | AI model inference (primary) | South Africa North / Sweden Central | Microsoft DPA; EU SCCs where applicable
Anthropic (Claude API) | AI model inference (secondary) | United States | Anthropic API terms; contractual commitments
SendGrid (Twilio) | Transactional email delivery | United States (Twilio infrastructure) | Twilio DPA; contractual obligations

We will notify you of any material addition to our sub-processor list before that sub-processor begins processing your data, except where we are required by law to maintain confidentiality. You may object to a new sub-processor within 30 days of notification by contacting us at hello@jabaricom.com.

We may also disclose personal data where required by applicable law, a court order, or a lawful request from a competent regulatory or law enforcement authority. We will notify you of any such request where legally permissible.

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy, or as required by applicable law. The following schedule sets out our standard retention periods.

Data Category | Retention Period
--- | ---
Active account data | Retained for the duration of the active subscription
AI interaction logs | Retained for the duration of the active subscription, then deleted within 30 days of account closure
Email integration data | Retained while integration remains active; deleted within 30 days of disconnection
Temporary document previews and artefacts | Automatically deleted within 24 hours
Usage and technical data | 90 days from collection, unless retained for active security investigations
Consent and audit logs | 7 years, or as required by statutory obligations, whichever is longer
Deleted account data | Purged within 90 days of account deletion request, subject to statutory retention obligations

Where data is subject to a legal hold, regulatory investigation, or dispute, we may retain it beyond the periods above until the matter is resolved.

8. Data Security

Jabaricom implements technical and organisational measures proportionate to the risks associated with processing personal data in a professional services context. Our current measures include:

  • Encryption of all data in transit using TLS 1.2 or higher
  • Encryption of data at rest within Azure infrastructure using AES-256
  • Role-based access controls limiting data access to authorised personnel only
  • Secure password storage using one-way cryptographic hashing
  • Access logging and monitoring for unauthorised or anomalous activity
  • Regular internal security reviews of platform architecture and configuration
  • Sub-processor compliance assessments conducted periodically

No security system is impenetrable. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and, where required, ZICTA, in accordance with our obligations under the Act. We will take prompt steps to contain and remediate any breach and provide information on the nature of the breach, data affected, and remediation measures.

9. Your Rights

Under the Zambia Data Protection Act No. 3 of 2021, you have the following rights in relation to your personal data. These rights apply where Jabaricom acts as data controller. For data processed on behalf of your firm (see Section 1.1), your rights should be directed to your firm.

  • Right of access: Request a copy of the personal data we hold about you and how it is processed.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of personal data where we no longer have a lawful basis to retain it.
  • Right to restrict processing: Request that we limit use of your data in defined circumstances.
  • Right to data portability: Request your data in a structured, commonly used, machine-readable format.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw at any time.
  • Right to object to automated decision-making: Object to decisions made solely by automated means, including AI-powered processing, that produce legal or similarly significant effects.
  • Right to lodge a complaint: Lodge a complaint with the Zambia Data Protection Commissioner (ZICTA) at www.zicta.zm.

10. How to Exercise Your Rights

To exercise any of the rights set out in Section 9, you may:

  • Email us at hello@jabaricom.com with the subject line "Data Protection Request," specifying the right you wish to exercise and sufficient information to identify your account

We will acknowledge your request within 5 business days and respond substantively within 30 days. In cases of complexity or volume, we may extend this period by a further 30 days, in which case we will notify you of the extension and reason before the initial 30-day period expires.

We may ask you to verify your identity before processing a request. We will not charge a fee for routine requests. Where requests are manifestly unfounded or excessive, we reserve the right to charge a reasonable administrative fee or decline the request, with reasons provided.

11. International Transfers and Data Residency

11.1 Primary Data Residency

Your personal data is primarily stored within the Microsoft Azure South Africa North region (Johannesburg, Republic of South Africa). We have deliberately selected an African hosting region to keep your data within the continent and to minimise cross-continental data flows.

11.2 Transfers Outside Zambia

The Zambia Data Protection Act requires that personal data transferred outside Zambia is afforded adequate protection. Because Zambia has not yet published a formal list of countries with adequate protection under the Act, we rely on contractual safeguards with each sub-processor to ensure your data is protected to a standard at least equivalent to that required under Zambian law.

  • South Africa: Primary data storage via Microsoft Azure. Microsoft Azure South Africa North holds ISO 27001, SOC 1, SOC 2, and PCI DSS certifications.
  • Sweden: AI inference via Azure OpenAI Service may be routed through Azure Sweden Central when South Africa capacity is constrained.
  • United States: AI inference via Anthropic Claude API and transactional email delivery via SendGrid (Twilio).

11.3 Safeguards Summary

All transfers are protected by written data processing agreements, recognised security certifications where applicable, and encryption of data in transit and at rest. We review sub-processor compliance periodically.

12. Cookies and Tracking

We use cookies and similar technologies to operate and improve the Service. Cookies are small text files stored on your device.

Category | Examples and Purpose | Consent Required? | Retention
--- | --- | --- | ---
Essential | Session cookies, CSRF tokens, authentication tokens. Required for core platform functionality. | No | Session or up to 24 hours
Functional | Theme preferences, language settings, UI state. | Yes | Up to 12 months
Analytics | Internal usage tracking, page views, feature adoption. No third-party analytics platform is currently used. | Yes | 90 days

You can manage preferences through the consent banner on first visit, or via Settings > Privacy > Cookie Preferences. Refusing non-essential cookies does not affect core platform functionality.

13. Children's Data

The Service is intended solely for professional use by individuals aged 18 and above. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have collected personal data from a person under 18, we will delete that data promptly. If you believe we may have collected such data, contact us at hello@jabaricom.com.

14. Data Breach Notification

In the event of a personal data breach, Jabaricom will:

  • Assess the breach promptly to determine the data affected and risk posed
  • Where risk exists, notify affected users without undue delay with necessary details and mitigation steps
  • Notify the Zambia Data Protection Commissioner (ZICTA) in accordance with the Act
  • Take immediate steps to contain, investigate, and remediate the breach
  • Maintain an internal record of all breaches, including those not externally notifiable

We will not use a data breach as an opportunity to request unnecessary information. Communication will be limited to what is needed to protect your interests.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:

  • Update the version number and effective date at the top of this document
  • Notify you via email and in-app notification at least 14 days before the change takes effect, where the change is material
  • For changes that require fresh consent, present the updated policy for review and re-acceptance through our version-tracked consent system

Your continued use of the Service after the effective date of a non-material change constitutes acceptance of the updated policy. For material changes requiring consent, continued use is conditional on acceptance.

Version history is maintained internally. You may request a prior version at hello@jabaricom.com.

16. Governing Law and Supervisory Authority

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Zambia, including the Zambia Data Protection Act No. 3 of 2021. Any dispute arising out of or in connection with this Privacy Policy that is not resolved through our complaints process shall be subject to the exclusive jurisdiction of the courts of Lusaka, Republic of Zambia.

The supervisory authority responsible for data protection in Zambia is the Data Protection Commissioner within ZICTA. You may lodge a complaint with ZICTA if you believe your rights have been infringed.

Zambia Information and Communications Technology Authority (ZICTA)
www.zicta.zm

17. Contact Us

For all privacy-related inquiries, data subject rights requests, or complaints:

Jabaricom Technologies Limited

Lusaka, Republic of Zambia

Email: hello@jabaricom.com

Subject line: "Data Protection Request"

We aim to acknowledge all privacy inquiries within 5 business days.

Jabaricom Technologies Limited | Lusaka, Zambia | hello@jabaricom.com | jabaricom.com