Privacy Policy
This Privacy Policy explains how mybill.city ("we", "us", "the service") collects, uses, stores, and protects personal information when you use the service. We are committed to compliance with the South African Protection of Personal Information Act, 2013 (POPIA).
1. Who we are
The Responsible Party (as defined in POPIA) for personal information processed via mybill.city is:
- Ryan Roseveare, an individual resident of Johannesburg, South Africa, trading as mybill.city
- Contact: support@mybill.city
Ryan Roseveare is the registered Information Officer for mybill.city under POPIA, registered with the Information Regulator of South Africa. For details on how to make a formal access request to records we hold, see our PAIA Manual.
2. What information we collect
Information we collect when you sign in
You may sign in using either a Microsoft account (via Microsoft Entra ID) or a Google account (via Google Identity Services). When you sign in, we receive an authentication token from your chosen provider that contains a unique identifier: Microsoft's oid (object identifier) or Google's sub (subject identifier). We store only this identifier as your account key.
We do not store, log, or persist your email address, your name, your tenant identifier, or any other personal information from your sign-in provider during normal use of the service. We do not receive or store your password.
Information we collect at the moment of consent
The single exception to the rule above is the consent record. When you accept this Privacy Policy and the Terms & Conditions, we store a row containing:
- Your unique identifier (oid for Microsoft accounts, sub for Google accounts)
- Which sign-in provider you used (Microsoft or Google)
- The date and time of acceptance
- The version numbers of the documents you accepted
- Your email address (or username) and display name, taken from the authentication token at the moment you click "I agree"
- Your tenant identifier (Microsoft accounts only)
This single row is retained as audit-defensible evidence of consent under POPIA's "demonstrable consent" principle. It is removed in full when you trigger account deletion (see section 7).
Information you provide
When you add a property and upload municipal statement PDFs, we extract and store:
- The municipal account number(s) you have explicitly added to your account
- An optional nickname for each property (e.g. "Home", "Flat") — set by you
- Numeric statement data extracted from each uploaded PDF: dates, billing periods, consumption (kWh, kL), per-service charges, totals, payments, balances
- Application preferences (e.g. which property is currently selected)
Information we explicitly do NOT keep
- The original PDFs you upload are deleted immediately after parsing — whether parsing succeeded or failed. We do not retain a copy.
- We do not collect IP addresses, browser fingerprints, behavioural analytics, or location data.
- We do not use cookies for tracking. The only browser storage used is required for sign-in (Microsoft's authentication libraries).
3. Why we collect this information
We process personal information for one purpose: to enable you to view, analyse, and export your own municipal billing history.
Your municipal account number is necessary to associate parsed statements with the right property. Your unique identifier (oid or sub) is necessary to ensure that only you can access your data.
4. How we store and protect your information
- All data is stored in Microsoft Azure data centres in the South Africa North region (Johannesburg).
- Data is encrypted at rest by Azure Storage's default encryption.
- Data is encrypted in transit via TLS 1.2 or higher between your browser, our API, and Azure.
- Access to your data requires a valid Microsoft authentication token issued to your account; without that token, no one (including us) can read your data via the application.
- Our backend storage is secured by Microsoft Azure's access controls. Backups are managed by Azure (soft-delete enabled with a 7-day window).
5. Who we share your information with
We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes.
The following service providers process data on our behalf, strictly to deliver the service:
- Microsoft Azure (data storage, region: South Africa North)
- Microsoft Entra ID (authentication — Microsoft's privacy policy applies to your Microsoft account)
- Google Identity Services (authentication — Google's privacy policy applies to your Google account)
- Cloudflare, Inc. (edge network, DNS, and serverless compute that powers our API)
- cdn.jsdelivr.net and Cloudflare CDN (delivery of three open-source JavaScript libraries used by the website: MSAL, Chart.js, SheetJS). These CDNs see your IP address as part of normal web traffic but do not receive any of your personal or billing data.
Administrator access: A small number of designated service administrators may review aggregated, anonymised statistics about overall usage — total user counts, total statement counts, average consumption trends across users, and total anomaly counts. Administrators cannot view individual users' personal data or statement details without that user's authentication token. Aggregated views are used for product improvement and operational monitoring only.
6. Sharing your dashboard with other users
mybill.city includes an optional feature that lets you invite another user to view your dashboard in read-only mode. This section explains how that works and what data is processed as a result.
How sharing works
You may generate an invite link from within the application. The link can be optionally pinned to a specific email address (so only that person can redeem it), or left open for anyone with the link. Invite links expire after 7 days if not redeemed.
When someone redeems your invite and you approve their access request, they become a viewer of your dashboard. Viewers can see your municipal account numbers, statement amounts, consumption data, charts, and anomalies for as long as you grant them access.
What we store when sharing is used
- The invite record: the invite code, the date it was created and when it expires, the pinned email address (if specified), and a label (if you provided one).
- The share relationship: your unique identifier, the viewer's unique identifier, the viewer's email address at the time they redeemed the invite, and the date access was granted.
Your responsibilities as the sharer
- You are responsible for choosing who you share your data with. Only invite people you trust to see your municipal billing information.
- Viewers receive read-only access — they cannot upload, edit, delete, or re-share your data.
- You can revoke a viewer's access at any time from the Share modal in the application. Revocation is immediate.
- You can cancel a pending invite link at any time before it is redeemed.
- If you delete your account, all share relationships associated with your account are removed.
Viewers' data
If you accept someone else's invite and are granted viewer access to their dashboard, we store your unique identifier and email address (taken from your authentication token at the time of redemption) as part of the share relationship. This information is removed if either party deletes their account or revokes the share.
As a viewer, you may remove your own access at any time from the Share modal.
7. Advertising and monetisation
mybill.city is currently ad-free. We have introduced an optional voluntary support feature via Buy Me a Coffee, accessible from a button at the top of the application.
About Buy Me a Coffee:
- The button is a simple link that takes you to the Buy Me a Coffee website if you click it. Clicking is entirely voluntary and has no effect on your access to the service.
- If you click through and choose to support the project, your interaction from that point forward is between you and Buy Me a Coffee Ltd, governed by their own terms and privacy policy.
- We do not pass your account identifier, your name, your email address, your municipal account numbers, or your statement data to Buy Me a Coffee. They have no way of knowing who you are within mybill.city, and we have no way of knowing whether you supported us.
In future, we may also introduce advertising via Google AdSense or similar networks. If and when advertising is introduced:
- We will update this Privacy Policy and notify users in the application before activation.
- Ad networks may set their own cookies and collect data per their own privacy policies. You will be able to view information about and consent to such processing at that time.
- We will never share your municipal account numbers, statement data, or account identifier with advertisers.
8. How long we keep your information
Your data is retained for as long as your account exists. You may delete all of your data at any time via the "Delete my data" button in the application, or by emailing support@mybill.city. Once deleted:
- Your account identifier, account numbers, statement data, and preferences are removed from our active database within seconds.
- Soft-deleted Azure Storage records are permanently purged after 7 days.
- The deletion is irreversible. We cannot recover your data after it is deleted.
9. Your rights under POPIA
You have the following rights regarding your personal information:
- Right of access: You can view all data we hold about you at any time within the application. You can also export it as a Microsoft Excel workbook using the "Export as Excel" button.
- Right of correction: You can rename properties, delete individual statements, and re-upload corrected statements at any time.
- Right of deletion: Use the "Delete my data" button in the application, or email us. We will action this within 24 hours.
- Right to object: You may stop using the service at any time. To withdraw consent, delete your data using the methods above.
- Right to lodge a complaint: If you believe we have not handled your information lawfully, you may complain to the Information Regulator (South Africa): https://inforegulator.org.za/ or support@mybill.city.
10. Children
mybill.city is not directed at children under 18. We do not knowingly collect information from children. If you believe a child has provided us with information, please contact us so we can delete it.
11. Cross-border transfers
Your data is stored in South Africa. Authentication via Microsoft Entra ID or Google Identity Services may involve token verification against the respective provider's global infrastructure (which includes servers outside South Africa) — this is a brief technical operation involving only authentication tokens, not your billing data.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced in the application before they take effect, and the "Last updated" date at the top of this page will be revised. Continued use after a change indicates acceptance.
13. Contact us
For privacy questions, deletion requests, or any other concerns, email support@mybill.city.