Last Updated: July 11, 2025 · Effective for all accounts created on or after this date.
Eight Books ("we", "our", "the Platform") is operated by Nawa Simalumba, based in Zambia. For the purposes of this Privacy Policy, Eight Books acts as a Data Processor on behalf of each client organisation (the Data Controller). The client organisation determines the purposes and means of processing the personal data of their employees, customers, and business contacts within the Platform.
This Policy describes how we collect, use, store, and protect personal data in connection with providing the Eight Books ERP service. By using the Service, you acknowledge and agree to the practices described herein.
Account Data: Name, email address, business name, phone number, and billing information provided during registration.
Business & Financial Data: Invoice records, expense entries, payroll data (including employee salaries, PAYE, NAPSA, NHIMA figures), customer and vendor details, loan records, budget data, and financial reports created within the Platform. This data is classified as Client Data and is owned by you.
Employee Personal Data: Where you process your employees' personal data (names, national IDs, salaries, bank details) through the payroll module, you do so as the Data Controller and we process this data solely on your instruction as Data Processor.
Technical Data: IP addresses, browser type, device identifiers, session tokens, and usage logs collected automatically for security and service operation purposes.
Communication Data: Any correspondence with our support team.
We process personal data under the following legal bases:
Eight Books implements strict data isolation between client organisations. All data is logically separated at the database level using Supabase Row Level Security (RLS) policies. Each organisation's data is scoped to their unique Organisation ID, and no user or administrator can access another organisation's data through the Platform interface.
Our database is hosted on Supabase infrastructure, which provides encryption at rest (AES-256) and in transit (TLS 1.2/1.3). Supabase is SOC 2 Type II compliant.
As a Data Processor, we engage the following key sub-processors to deliver the Service:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, storage, real-time services | AWS (configurable region) |
| Vercel / Hosting Provider | Application hosting and CDN | Global edge network |
| Google LLC (OAuth) | Optional Google Sign-In authentication | Google global infrastructure |
We do not sell, rent, or share Client Data with any other third party for marketing or commercial purposes.
You own your data. All Client Data inputted into Eight Books remains your property at all times. Eight Books does not use Client Data for any purpose other than delivering the agreed Service.
As a Data Controller, you have the right to: access a copy of all personal data we process on your behalf; request correction of inaccurate data; request deletion of data (subject to legal retention obligations); request data portability in a structured, machine-readable format; and object to certain processing activities.
To exercise these rights, contact: [email protected]. We will respond within 30 days.
We retain Client Data for the duration of your subscription plus 30 days post-termination to allow for data export. After this period, data is permanently deleted from production systems. Technical logs may be retained for up to 90 days for security purposes. Backups may persist for up to 30 days beyond deletion on production systems.
We implement industry-standard technical and organisational security measures, including: TLS encryption for all data in transit; AES-256 encryption for data at rest; Role-based access control (RBAC) within the Platform; Row Level Security (RLS) at the database layer; Secure, httpOnly session tokens managed via Supabase Auth; Regular security reviews and dependency audits.
We use session cookies and local storage tokens (including Supabase authentication tokens prefixed sb-) strictly for authentication and session management. These are classified as Strictly Necessary and cannot be disabled without preventing access to the Service. For full details, see our Cookie Policy.
The Service is intended for use by businesses and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors.
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice within the Service at least 14 days before they take effect. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Policy.
For privacy enquiries, data subject access requests, or to report a suspected data breach, contact: [email protected] · WhatsApp: 0767338528 · Lusaka, Zambia. We take data breach notifications seriously and will respond within 72 hours of becoming aware of any confirmed breach affecting personal data.
© 2026 Eight Books. All rights reserved.