Privacy Policy
Effective date: 19 May 2026
Ops Assist (“we”, “us”, or “our”) operates WC Manager (“the Service”), a WooCommerce store management platform. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and other applicable South African law.
By registering for or using the Service, you confirm that you have read and understood this Policy and consent to the processing of your personal information as described herein.
1. Responsible Party
| Entity | Ops Assist |
| Product | WC Manager |
| Website | https://opsassist.net |
| Information Officer | support@opsassist.net |
| Governing law | Republic of South Africa |
Our designated Information Officer (as required by POPIA Section 55) can be reached at support@opsassist.net for any privacy-related queries, requests, or complaints.
2. What Personal Information We Collect
2.1 Account information
- Full name and email address (required for account creation)
- Organisation / store name
- Password (stored as a bcrypt hash — we never store plaintext passwords)
- Preferred display currency (ZAR, USD or EUR) to render prices in your chosen currency across the app
2.2 WooCommerce store credentials
- WooCommerce store URL
- WooCommerce REST API consumer key and consumer secret
- WordPress Application Password and admin username (if you choose to enable WP integration features — used for media uploads, cashier name resolution, and TeraWallet balances)
These credentials are stored encrypted at rest. They are used exclusively to fetch and update data on your WooCommerce / WordPress store at your direction. We do not use them for any other purpose. When you connect a store we also register an outbound webhook on your WooCommerce site so we can receive near real-time order notifications; this webhook is removed when you disconnect the store.
2.3 Payment information
Subscription payments and AI credit top-ups are processed by PayFast. We do not store credit card or banking details. PayFast transmits payment confirmation (ITN) to us. We record the subscription status, plan, billing dates, PayFast payment reference, and — for AI credit top-ups — the credit balance and bundle history only.
2.4 Usage and activity data
- Actions performed within the Service (product edits, stock takes, team invitations, role changes, support-access decisions, AI generations) — stored in our activity log for audit purposes
- Browser push-notification subscriptions (endpoint + cryptographic keys) when you opt in to PWA notifications
- Log data: IP address, browser type, pages visited, timestamps (collected by our hosting provider, Vercel)
2.5 AI features (Insights & Descriptions)
When you use AI Insights or AI Descriptions, we send the relevant subset of your store data (sales totals, customer cohorts, product fields, the controls you chose such as tone or audience) to a Large Language Model provider — currently Groq or xAI (Grok) — to generate the response. We do not include any personally-identifying customer information beyond what is essential for the prompt. The generated short / long descriptions, meta tags, and the prompt controls you used are stored in our database under your organisation so you can re-open recent generations.
The LLM providers we use have published commitments not to use API inputs for model training. We do not retain a copy of your prompts at the provider — only the response we receive is stored on our side.
2.6 Support access requests
When a member of our support team requests temporary access to your organisation, a record of the request (requester name, reason, expiry, and the outcome of your owner/admin's decision) is stored against your org. Approved support sessions create a temporary membership row that auto-expires after 24 hours and is reflected in your activity log.
2.7 Your customers' data
The Service fetches order, product, and customer data from your WooCommerce store via the WooCommerce REST API. This data belongs to you and your customers. We process it solely to render it within the Service and to power AI Insights / Descriptions that you trigger — we do not use it for profiling, marketing, or any purpose unrelated to providing the Service to you.
3. Purpose of Processing
We process personal information for the following lawful purposes (POPIA Section 11):
| Service delivery | Authenticate you, display your store data, and execute changes you make within the Service |
| AI generation | Forward the data you select to an LLM provider to generate insights, action lists, or product copy at your request |
| Subscription & credit management | Process payments via PayFast, manage subscription status, top up AI credit balances, send billing-related emails |
| Security & audit | Detect abuse, maintain audit logs, log support-access sessions, investigate incidents |
| Customer support | Respond to queries, run approved support-access sessions to resolve issues |
| Legal compliance | Comply with applicable South African law including POPIA and the Electronic Communications and Transactions Act (ECT Act) |
4. Lawful Basis for Processing
We rely on the following grounds under POPIA Section 11:
- Consent — you provide explicit consent by accepting this Policy when registering; AI generations and support-access approvals require additional in-app actions
- Contractual necessity — processing is necessary to provide the Service you subscribed to
- Legal obligation — certain processing is required by applicable law
- Legitimate interest — security monitoring and fraud prevention
5. How We Store and Protect Your Information
- Data is stored in MongoDB Atlas (cloud database with encryption at rest)
- The Service is hosted on Vercel with HTTPS enforced on all connections
- WooCommerce API credentials and WordPress Application Passwords are encrypted before storage
- Access to production data is restricted to authorised personnel only, and any production access by our team via the support-access flow requires owner/admin approval in your organisation and is logged
- We apply the principle of least privilege across our systems
Despite our precautions, no internet transmission is 100% secure. We will notify affected data subjects and the Information Regulator within the timeframes prescribed by POPIA in the event of a data breach.
6. Data Retention
| Account & profile data | Duration of your account, plus 12 months after closure |
| WooCommerce credentials & WP App Password | Deleted immediately upon store disconnection or account closure |
| Activity logs | 24 months from the date of each log entry |
| AI generation history (descriptions + insights cache) | 12 months from generation, or until you delete the organisation |
| Support access requests | 24 months from creation for audit purposes |
| Payment records & credit purchases | 7 years (required by South African tax law) |
| Push notification subscriptions | Until you disable push or your browser invalidates the endpoint |
| Server/access logs | 90 days (Vercel default) |
7. Sharing of Personal Information
We share your information only with the following categories of third parties, and only to the extent necessary:
| PayFast | Payment processing for subscriptions and AI credit top-ups — see PayFast Privacy Policy at payfast.io |
| Groq / xAI | LLM inference for AI Insights and AI Descriptions, only when you trigger a generation |
| Frankfurter / ECB FX feed | Currency conversion rates fetched server-side; no personal data sent |
| MongoDB Atlas (MongoDB, Inc.) | Cloud database hosting — your data is stored in MongoDB Atlas servers |
| Vercel Inc. | Application hosting and CDN — access and request logs |
| Resend | Transactional email (subscription receipts, support replies) |
| Auth.js | Open-source authentication library — session management |
We do not sell, rent, or trade your personal information to third parties for marketing purposes. We do not share your WooCommerce store data with any third party for any purpose other than service delivery and the AI generations you explicitly trigger.
We may disclose personal information if required to do so by a South African court, the Information Regulator, or another competent authority.
8. Transborder Information Flows
MongoDB Atlas, Vercel, Groq, xAI, and Resend may process data in data centres located outside South Africa (typically the United States or European Union). These providers maintain appropriate technical and organisational safeguards. Where required by POPIA Section 72, we ensure that adequate data protection standards are contractually agreed with sub-processors.
9. Your Rights as a Data Subject (POPIA)
Under POPIA, you have the following rights:
- Right of access (Section 23) — request a copy of the personal information we hold about you
- Right to correction (Section 24) — request correction of inaccurate or incomplete information
- Right to deletion (Section 24) — request deletion of your personal information where we no longer have lawful grounds to process it
- Right to object (Section 11(3)) — object to the processing of your personal information on grounds of legitimate interest
- Right to withdraw consent — withdraw previously given consent at any time (without affecting the lawfulness of prior processing). For AI features, you simply stop triggering generations; for support access you can revoke an active session at any time from the in-app banner.
- Right to complain — lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za)
To exercise any of these rights, contact our Information Officer at support@opsassist.net. We will respond within 30 days as required by POPIA.
10. Cookies, Local Storage and Session Data
The Service uses the following cookies and browser-storage items:
| Session cookie (next-auth.session-token) | Strictly necessary — authenticates your logged-in session. No cookie consent required as it is essential for the Service to function. |
| CSRF token (next-auth.csrf-token) | Strictly necessary — protects against cross-site request forgery attacks. |
| wcm_currency_v1 (localStorage) | Preference cache — remembers your chosen display currency between visits. Also synced to your user record once signed in. |
| wcm_fx_rates_v1 (localStorage) | Performance cache — stores the latest FX conversion rates for 6 hours so prices render instantly on first paint. |
| wcm_sidebar_view_v1 / wcm_sidebar_hidden_v1 (localStorage) | UI preferences — remember whether you want list/blocks layout and whether the sidebar is collapsed. |
| wm:po-prefill (sessionStorage) | Short-lived handoff for the Restock Predictor → Purchase Orders flow. |
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. The landing page does not set any cookies before you log in.
11. Children
The Service is intended for use by businesses and is not directed at persons under 18 years of age. We do not knowingly collect personal information from minors.
12. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will notify you by email or by placing a prominent notice within the Service at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
13. Contact Us
For any privacy-related questions, requests, or complaints:
| Information Officer | Ops Assist |
| Email | support@opsassist.net |
| Website | https://opsassist.net |
If you are not satisfied with our response, you may escalate to the Information Regulator of South Africa:
Website: inforegulator.org.za
Email: inforeg@justice.gov.za