Privacy policy.

For each user account: email address, full name, organisation, and role assigned by your organisation administrator. For each submission: the CSV dataset you upload, the validation findings produced by the rule engine, and the audit trail of actions performed against it.

To provide the validation service: parsing submissions, running rule checks, generating certificates, displaying audit trails, and notifying users. Submission file bytes are hashed (SHA-256) at certification time and the hash is published as part of the certificate. We do not use customer data for advertising or model training.

Pilot data is processed on managed cloud infrastructure operated under a written data-processing agreement and a POPIA-aligned handling regime. South African in-region residency is on the roadmap before commercial launch — the migration plan and target timeline are published in the documentation.

We use a small set of industry-standard managed services to operate the platform:

• A managed PostgreSQL database for metadata, audit log, and certificates.
• Encrypted object storage for submission file bytes (server-side encryption, versioning enabled).
• A managed identity provider for authentication and multi-factor enrolment.
• A transactional email provider for invitations, password resets, and co-sign notifications.
• A managed container runtime for the application itself.

A full, named sub-processor list is available on request to subscribed organisations under NDA. We do not use any analytics, advertising, or behavioural-tracking sub-processors.

You can request access to or deletion of your account data by emailing privacy@tmh18.com. Submission data deletion is subject to your organisation's retention policy and may require admin authorisation.

Questions: privacy@tmh18.com
Security disclosures: security@tmh18.com
General: admin@tmh18.co.za