1. Introduction

4U2C Signs and Energy Solutions (“Company”, “we”, “us”) is committed to protecting the privacy and personal information of our users. This Privacy Policy explains how we collect, use, store, and protect your information when you use the 4U2C Signs platform (“Service”).

This policy is prepared in accordance with the Protection of Personal Information Act, 2013 (POPIA) of the Republic of South Africa and other applicable data protection laws.

2. Information We Collect

We collect the following categories of information:

2.1 Account Information

• Full name, email address, and phone number
• Username and encrypted password
• User role and permissions within the organisation

2.2 Customer Data

• Customer names, business names, and trading names
• Contact details (email addresses, phone numbers)
• Physical and installation site addresses
• VAT registration numbers

2.3 Business Operations Data

• Quotation details (AC units, room specifications, pricing)
• Installation job records (scheduling, checklists, technician assignments)
• Photographs (before and after installation photos)
• Invoices and payment records
• Customer sign-off signatures

2.4 QuickBooks Integration Data

• OAuth2 access tokens and refresh tokens (encrypted at rest)
• QuickBooks Company ID and Realm ID
• Synchronised records: customers, estimates, invoices, payments, and items

2.5 Technical Data

• IP address and browser type
• Session data and authentication tokens
• Usage patterns and access logs

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Create and manage quotations, installation jobs, and invoices
• Synchronise data with your QuickBooks Online account (when authorised)
• Communicate with you about the Service, including updates and support
• Ensure the security and integrity of the Service
• Comply with legal obligations and respond to lawful requests
• Generate aggregated, anonymised analytics to improve the Service

4. QuickBooks Data

When you authorise the QuickBooks Online integration, we access your QuickBooks data solely for the purpose of synchronising business records between the Service and your QuickBooks account. Specifically:

• What we sync: Customer records, estimates, invoices, payments, and service items.
• How tokens are stored: OAuth2 access tokens and refresh tokens are encrypted using Fernet symmetric encryption before being stored in our database. The encryption key is securely managed and is not stored alongside the tokens.
• Token refresh: Access tokens are automatically refreshed when they expire. If a refresh fails, you will be prompted to re-authorise the connection.
• Revocation: You can disconnect QuickBooks at any time from the Service’s settings or from your QuickBooks Online account. This stops future data synchronisation.

We do not sell, rent, or share your QuickBooks data with any third party. Data flows only between the Service and Intuit QuickBooks Online via Intuit’s official API.

5. Data Storage and Security

We implement appropriate technical and organisational measures to protect your data:

• Data is stored in a PostgreSQL database with access controls and encryption
• All data in transit is encrypted using HTTPS/TLS
• QuickBooks OAuth2 tokens are encrypted at rest using Fernet encryption
• User passwords are hashed using industry-standard algorithms
• Multi-factor authentication (MFA) is available for user accounts
• Media files (photographs, documents) are stored securely with access controls

While we take all reasonable steps to protect your information, no method of electronic storage or transmission over the internet is 100% secure. We cannot guarantee absolute security.

6. Data Sharing

We do not sell, rent, or trade your personal information to third parties. We may share your data only in the following circumstances:

• QuickBooks Online: When you authorise the integration, data is exchanged with Intuit via their official API.
• Cloud infrastructure providers: Your data may be stored on servers operated by our cloud hosting provider, who act as data processors under appropriate agreements.
• Legal requirements: We may disclose data when required by law, regulation, or court order.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction, with notice provided to you.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Upon termination of your account, we will retain your data for a period of thirty (30) days, during which you may request an export. After this period, your data will be securely deleted unless retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).

8. Your Rights under POPIA

Under the Protection of Personal Information Act (POPIA), you have the following rights regarding your personal information:

• Right of access: You may request confirmation of whether we hold personal information about you and request access to that information.
• Right to correction: You may request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, or misleading.
• Right to deletion: You may request deletion of your personal information, subject to any legal obligations that require us to retain it.
• Right to object: You may object to the processing of your personal information on reasonable grounds.
• Right to data portability: You may request an export of your personal information in a commonly used electronic format.
• Right to lodge a complaint: You may lodge a complaint with the Information Regulator of South Africa if you believe your rights have been infringed.

To exercise any of these rights, please contact us at info@signsapp.co.za. We will respond to your request within a reasonable period, and in any event within thirty (30) days as required by POPIA.

9. Cookies and Session Data

The Service uses essential cookies and session data to maintain your authentication state and provide core functionality. These are strictly necessary for the Service to operate and cannot be disabled. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Children’s Privacy

The Service is designed for business use and is not directed at children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.

11. International Data Transfers

Your data may be processed or stored in jurisdictions outside of South Africa, including where our cloud infrastructure providers operate. In such cases, we ensure that appropriate safeguards are in place to protect your data in accordance with POPIA and other applicable data protection laws.

12. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to you via email or an in-app notification at least fourteen (14) days before taking effect. Your continued use of the Service after such changes constitutes acceptance of the revised Privacy Policy. We encourage you to review this page periodically for the latest information.

13. Contact

For questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact:

You may also lodge a complaint with the Information Regulator of South Africa: