Home
8
Eight Books

Privacy Policy

Last Updated: July 11, 2025 · Effective for all accounts created on or after this date.

1. Introduction & Identity of Data Controller

Eight Books ("we", "our", "the Platform") is operated by Nawa Simalumba, based in Zambia. For the purposes of this Privacy Policy, Eight Books acts as a Data Processor on behalf of each client organisation (the Data Controller). The client organisation determines the purposes and means of processing the personal data of their employees, customers, and business contacts within the Platform.

This Policy describes how we collect, use, store, and protect personal data in connection with providing the Eight Books ERP service. By using the Service, you acknowledge and agree to the practices described herein.

2. Data We Collect

Account Data: Name, email address, business name, phone number, and billing information provided during registration.

Business & Financial Data: Invoice records, expense entries, payroll data (including employee salaries, PAYE, NAPSA, NHIMA figures), customer and vendor details, loan records, budget data, and financial reports created within the Platform. This data is classified as Client Data and is owned by you.

Employee Personal Data: Where you process your employees' personal data (names, national IDs, salaries, bank details) through the payroll module, you do so as the Data Controller and we process this data solely on your instruction as Data Processor.

Technical Data: IP addresses, browser type, device identifiers, session tokens, and usage logs collected automatically for security and service operation purposes.

Communication Data: Any correspondence with our support team.

3. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contractual Necessity: Processing required to deliver the ERP service under your subscription agreement.
  • Legitimate Interests: Security monitoring, fraud prevention, service improvement, and abuse prevention.
  • Legal Obligation: Compliance with Zambian laws and regulatory requirements.
  • Consent: For optional communications (e.g., product updates), where you have explicitly opted in.

4. Data Isolation & Multi-Tenancy Security

Eight Books implements strict data isolation between client organisations. All data is logically separated at the database level using Supabase Row Level Security (RLS) policies. Each organisation's data is scoped to their unique Organisation ID, and no user or administrator can access another organisation's data through the Platform interface.

Our database is hosted on Supabase infrastructure, which provides encryption at rest (AES-256) and in transit (TLS 1.2/1.3). Supabase is SOC 2 Type II compliant.

5. Sub-Processors & Third Parties

As a Data Processor, we engage the following key sub-processors to deliver the Service:

Sub-ProcessorPurposeData Location
Supabase Inc.Database hosting, authentication, storage, real-time servicesAWS (configurable region)
Vercel / Hosting ProviderApplication hosting and CDNGlobal edge network
Google LLC (OAuth)Optional Google Sign-In authenticationGoogle global infrastructure

We do not sell, rent, or share Client Data with any other third party for marketing or commercial purposes.

6. Data Ownership & Client Rights

You own your data. All Client Data inputted into Eight Books remains your property at all times. Eight Books does not use Client Data for any purpose other than delivering the agreed Service.

As a Data Controller, you have the right to: access a copy of all personal data we process on your behalf; request correction of inaccurate data; request deletion of data (subject to legal retention obligations); request data portability in a structured, machine-readable format; and object to certain processing activities.

To exercise these rights, contact: [email protected]. We will respond within 30 days.

7. Data Retention

We retain Client Data for the duration of your subscription plus 30 days post-termination to allow for data export. After this period, data is permanently deleted from production systems. Technical logs may be retained for up to 90 days for security purposes. Backups may persist for up to 30 days beyond deletion on production systems.

8. Security Measures

We implement industry-standard technical and organisational security measures, including: TLS encryption for all data in transit; AES-256 encryption for data at rest; Role-based access control (RBAC) within the Platform; Row Level Security (RLS) at the database layer; Secure, httpOnly session tokens managed via Supabase Auth; Regular security reviews and dependency audits.

9. Cookies & Local Storage

We use session cookies and local storage tokens (including Supabase authentication tokens prefixed sb-) strictly for authentication and session management. These are classified as Strictly Necessary and cannot be disabled without preventing access to the Service. For full details, see our Cookie Policy.

10. Children's Privacy

The Service is intended for use by businesses and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice within the Service at least 14 days before they take effect. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Policy.

12. Contact & Data Protection Enquiries

For privacy enquiries, data subject access requests, or to report a suspected data breach, contact: [email protected] · WhatsApp: 0767338528 · Lusaka, Zambia. We take data breach notifications seriously and will respond within 72 hours of becoming aware of any confirmed breach affecting personal data.

© 2026 Eight Books. All rights reserved.