E-SiteThe Procedural
Legal

Privacy Policy

Effective: 25 May 2026· Version 1.0

This Privacy Policy describes how Lenchen Engineering (Pty) Ltd ("E-Site", "we", "us", "our") collects, uses, stores, and shares personal information in the operation of the E-Site construction project- and contract-management platform (the "Service"). We process personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and the Electronic Communications and Transactions Act 25 of 2002 ("ECTA").

1. Who we are and how to contact us

The responsible party for purposes of POPIA is Lenchen Engineering (Pty) Ltd, registration number 1997/008488/07, VAT number 4070166279, with its registered office at 716 Toermalyn Street, Moreleta Park, Pretoria, 0167.

Our designated Information Officer is Arno Mattheus. All privacy-related enquiries, access requests, and complaints may be addressed to arno@watsonmattheus.com. General product enquiries should go to support@e-site.live.

2. The personal information we collect

We collect and process personal information in two main categories: information you provide when you register and use the Service, and information automatically generated through your use of the Service.

2.1 Account and identity information

  • Full name (first and last) — collected at sign-up; self-attested.
  • Business email address — collected at sign-up; verified via confirmation link issued by our authentication provider.
  • Mobile telephone number — collected at first organisation creation; verified via SMS one-time password.
  • Password — hashed using bcrypt by our authentication provider; we do not have access to your plaintext password at any time.
  • Organisation name and role — self-attested; the role within an organisation is assigned by an organisation owner.

2.2 Billing information (collected on paid subscription, paid module unlock, or marketplace activity)

  • Organisation legal name — self-attested and cross-checked against the CIPC public registry on first paid purchase.
  • CIPC company registration number — validated against the CIPC public registry.
  • VAT number (if applicable) — validated via SARS VAT vendor search.
  • Billing address and tax category — self-attested.
  • Card token and transaction references — held by Paystack, our payment processor; we never store full card numbers. Paystack tokenises the card at point of sale and returns a reference that we associate with your account.

2.3 Enhanced Due Diligence information (suppliers only)

Suppliers who receive payouts through the E-Site marketplace are subject to additional verification, including:

  • South African ID document or passport of the responsible director or sole proprietor;
  • Paystack subaccount details (bank, account number, account holder name) — verified by Paystack for name-match against the CIPC-registered company;
  • BBBEE certificate (if available);
  • Sanctions / PEP screening against the publicly available OFAC SDN list and the UN Consolidated Sanctions List.

2.4 Operational information generated through use of the Service

  • Project, snag, inspection, JBCC notice, and marketplace order records you create or that members of your organisation create;
  • Photographs and documents you upload (including site photos, compliance documents, drawings, and proof of identity for supplier onboarding);
  • Session data — IP address, device fingerprint, browser user-agent — logged in our authentication system's metadata for security monitoring;
  • Anonymised product-analytics events (e.g. page views, feature usage), collected in aggregate by PostHog without auto-capture of clicks or form values, and without session recordings.

3. Why we process your personal information

We process personal information for the following defined purposes:

  • To provide the Service — authenticate you, give you access to your organisation's data, store the records you create, and process payments;
  • To communicate with you about your account — verification, security notifications, billing receipts, dispute updates, and material changes to the Service or to this Policy;
  • To verify the identity of paying organisations and suppliers — for fraud prevention, KYC compliance with our payment processor's rules, and to satisfy our obligations under the Financial Intelligence Centre Act where applicable;
  • To detect, investigate, and prevent fraud or abuse of the Service — including monitoring for suspicious sign-ups, dispute patterns, and chargeback patterns;
  • To improve the Service — through aggregate, anonymised analytics that do not identify individual users;
  • To comply with legal and regulatory obligations — including record-retention periods imposed by tax, VAT, and construction-related legislation.

4. Lawful basis for processing

We rely on the following lawful grounds under section 11 of POPIA:

  • Performance of a contract — to deliver the Service you have signed up for;
  • Compliance with a legal obligation — including KYC checks, tax record-keeping, and statutory record-retention;
  • Pursuit of a legitimate interest — including fraud prevention, security monitoring, and aggregate product analytics, in each case balanced against the rights and freedoms of data subjects;
  • Consent — for any marketing or non-essential communications, which you may withdraw at any time.

5. Who we share your personal information with

We share personal information only with the third-party operators required to deliver the Service. Each operator processes data on our behalf under a data-processing addendum compatible with POPIA section 19 (security safeguards) and, where data crosses borders, compatible with POPIA section 72 (cross-border transfers).

OperatorPurposeJurisdiction
PaystackCard tokenisation, payment processing, subscription billing, marketplace splits, payouts to supplier subaccounts.South Africa
SupabaseAuthentication, database, file storage, real-time sync. Hosts the bulk of the platform's data.European Union (Frankfurt)
VercelHosting and content-delivery network for the web application.European Union / United States (edge network)
ResendTransactional email delivery (account verification, billing receipts, invitations).European Union
SentryApplication error monitoring — IP address, stack traces, and limited request metadata only.European Union / United States
PostHogAggregate product analytics — configured to disable auto-capture and session recording of personal data.European Union

We do not sell personal information, and we do not share it with advertising networks or data brokers. We may disclose personal information to law-enforcement or regulatory bodies where compelled by law (for example, a properly issued subpoena under section 205 of the Criminal Procedure Act).

6. Cross-border transfers

Some of our operators are based outside South Africa, principally in the European Union and the United States. Where personal information is transferred outside South Africa, we rely on one or more of the lawful grounds in POPIA section 72:

  • The receiving party is subject to a law or contractual scheme that upholds principles for reasonable processing substantially similar to POPIA (notably the EU General Data Protection Regulation);
  • The data subject has consented to the transfer;
  • The transfer is necessary for the performance of the contract between the data subject and the responsible party.

Each operator listed in section 5 has signed a data-processing addendum with us that binds them to substantially equivalent standards.

7. How long we keep your personal information

We retain personal information for as long as your account is active. After cancellation:

  • Account and project data — preserved for 90 days after cancellation so the organisation can reactivate without data loss; permanently deleted thereafter, unless a statutory retention obligation requires longer.
  • Billing records — retained for the statutory period required by the South African Revenue Service (currently five years).
  • Compliance records and signed-off inspection records — retained for the period required by the Occupational Health and Safety Act and the National Building Regulations; you may export these from the platform at any time before deletion.
  • Marketplace transaction records and chargeback evidence — retained for the statutory period required by financial-services legislation and our payment processor's recordkeeping rules.

8. Your rights under POPIA

Under POPIA you have the right to:

  • Be notified that your personal information is being collected, and notified when it has been accessed or acquired by an unauthorised person;
  • Access the personal information we hold about you, and the identities of any third parties to whom we have disclosed it;
  • Request the correction of personal information that is inaccurate, irrelevant, excessive, misleading, or obtained unlawfully;
  • Request the deletion of personal information that we no longer need to retain;
  • Object to processing on reasonable grounds, including processing for direct-marketing purposes;
  • Submit a complaint to the Information Regulator of South Africa if you believe we have processed your personal information unlawfully.

To exercise any of these rights, email the Information Officer at arno@watsonmattheus.com or use the data-subject request form at /privacy/request. We respond within the timeframes set by POPIA — typically no later than 30 days from receipt of a verified request.

9. Security of your personal information

We protect personal information through a combination of organisational and technical measures:

  • TLS encryption in transit between your browser and our servers, and between us and each of our operators;
  • Encryption at rest for the underlying database and file storage, managed by our hosting provider;
  • Row-level security policies in the database that enforce per-organisation isolation — users see only the records of the organisations they belong to;
  • Role-based access control within each organisation (owner, admin, contractor, supplier, inspector, project manager, client viewer), restricting what each user can read or write;
  • Logging of authentication events and an immutable audit trail for changes to material records (inspections, JBCC notices, billing events);
  • Regular review of who can access production data within our team — strictly limited to staff whose role requires it.

10. Breach notification

Where we have reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we will notify both the affected data subjects and the Information Regulator of South Africa as soon as reasonably possible, in compliance with POPIA section 22. The notification will describe the nature of the compromise, the personal information involved, the measures we are taking, and the steps the affected data subject may take to protect themselves.

11. Cookies and tracking technologies

E-Site uses only functional cookies — the ones necessary for authentication, session management, and CSRF protection. We do not use advertising cookies or third-party tracking pixels. A separate Cookie Policy is available at /cookies.

12. Children

The Service is intended for use by adults working in the South African construction industry. We do not knowingly collect personal information from children under 18 years of age. If you believe a child has provided us with personal information without parental consent, email the Information Officer and we will take prompt steps to delete it.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email to organisation owners at least 14 days before they take effect, except where the change is required by law or to address a pressing security issue, in which case the change may take effect immediately. The "Effective" date at the top of this page reflects the most recent material update.

14. Complaints to the Information Regulator

If we have not resolved a privacy concern to your satisfaction, you may lodge a complaint with the Information Regulator of South Africa:

Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: complaints.IR@justice.gov.za
Website: https://inforegulator.org.za

Lenchen Engineering (Pty) Ltd · Registration number 1997/008488/07 · VAT 4070166279 · 716 Toermalyn Street, Moreleta Park, Pretoria, 0167