Privacy Policy
Last updated: 24 April 2026
1. Introduction
BestieTMS, a product operated by MaestroSAT (Pty) Ltd ("we", "us", or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our tender management platform. This policy applies to all users of the Platform, including company administrators, managers, and members.
2. Information We Collect
2.1 Account Information
- Email address (verified against your company's registered domain)
- First name and last name
- Password — stored securely using bcrypt hashing, never in plaintext
- Role within your company (e.g. Administrator, Manager, Member)
2.2 Company Information
- Company name and legal name
- Registered email domain (used to enforce team membership boundaries)
- Subscription tier and status
- Administrator contact details
2.3 Tender Data
- Tender, RFP, and RFQ records — including title, issuing organisation, reference numbers, closing dates, statuses, and notes
- Requirements and milestones associated with each tender
- Uploaded documents (e.g. tender notices, responses, supporting documents)
- Activity logs capturing changes to tender records
2.4 Payment and Transaction Information
- Subscription records, tier, and payment references (where billing is enabled)
- Invoices and billing history
We do not store your payment card details. All payment processing is handled by Paystack, our third-party payment processor.
2.5 Information Collected Automatically
- IP address and approximate geographic location
- Device type, browser, and operating system
- Session and authentication cookies
- Usage data — pages visited and feature interactions
- Activity log entries for security and audit purposes
3. How We Use Your Information
- Create and manage your user account and your company's tenant workspace
- Authenticate you and maintain secure sessions
- Provide the tender management features of the Platform
- Send transactional emails (email verification, password reset, invitations)
- Send deadline reminders and notifications relating to your tenders
- Process subscription payments via Paystack (where applicable)
- Maintain activity logs for audit, compliance, and security
- Detect and prevent fraud or unauthorised access
- Improve our services, diagnose technical issues, and provide support
- Comply with legal obligations
4. Tenant Isolation and Data Sharing
4.1 Within Your Company
Tender data, documents, and activity logs created under your company account are visible to authorised users within your company, according to their assigned role. For example, Administrators can manage users and see all tenders; Members see the tenders they are granted access to.
4.2 Between Companies
Data belonging to one company tenant is never shared with another company tenant. Tenant isolation is enforced at both the application and database layers.
4.3 Third Parties
We may share your information with:
- Paystack: transaction details required to process subscription payments
- Email delivery providers: to deliver transactional emails (verification, password reset, invitations, deadline alerts)
- Hosting and infrastructure providers: to operate the Platform securely. Self-hosted deployments may store data entirely on infrastructure you control.
- Legal and regulatory authorities: when required by law, regulation, or valid legal process
We do not sell your personal information.
5. Documents and Uploads
Documents uploaded to the Platform are:
- Stored on secure server infrastructure controlled by your deployment
- Never served from public URLs — all downloads are gated by authentication
- Scoped to the owning company tenant — no cross-tenant access is possible via the Platform
- Soft-deleted on removal: marked inactive and retained for a configurable period for audit and recovery purposes before being permanently removed
6. Data Security
We implement appropriate technical and organisational measures, including:
- Encryption in transit: all data is transmitted over HTTPS/TLS
- Password security: passwords hashed with bcrypt and never stored in plaintext
- Session security: JWT access tokens with refresh tokens delivered via httpOnly, SameSite-Strict cookies scoped to the auth path
- Access controls: role-based access control at the application layer with multi-tenant isolation
- Rate limiting: in-memory rate limiting on sensitive endpoints to mitigate brute-force attacks
- Security headers: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- Sensitive field encryption: selected sensitive fields are encrypted at rest using AES-256-GCM
- Activity logging: a full audit trail of changes within each tenant
7. Your Privacy Rights
Under POPIA and applicable law you have the right to:
- Access: request a copy of the personal information we hold about you
- Correction: request correction of inaccurate information
- Deletion: request deletion of your data and account, subject to legal retention obligations
- Objection: object to processing in certain circumstances
- Withdraw consent: withdraw previously given consent
- Complaint: lodge a complaint with the Information Regulator of South Africa
To exercise any of these rights, please contact us at sales@maestrosat.co.za.
8. Data Retention
We retain your personal information for as long as your account is active or as required to provide services. Upon account or company deletion:
- User profile data is deleted
- Tender records and associated documents are deleted from active storage
- Activity logs may be retained for a limited period for audit, security, and fraud prevention purposes
- Subscription and payment transaction records may be retained as required for financial, tax, and audit compliance
- Anonymised data may be retained for statistical and analytical purposes
9. Cookies
We use cookies for essential Platform functionality, including:
- Authentication cookies: refresh tokens delivered as httpOnly, Secure, SameSite-Strict cookies scoped to /api/auth
- Preference cookies: to remember UI preferences such as theme
Disabling essential cookies will prevent you from signing in to the Platform. We do not use third-party tracking or advertising cookies.
10. International Data Transfers
BestieTMS is built for South African organisations, but your information may be processed on infrastructure located outside South Africa depending on your deployment configuration. Where this occurs, appropriate safeguards are applied in line with applicable data protection laws.
11. Children's Privacy
The Platform is intended for business use by organisations and is not directed at individuals under 18. We do not knowingly collect personal information from children. If we become aware that we have done so, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and, where appropriate, notifying you via email. Your continued use of the Platform after changes constitutes acceptance of the updated policy.
13. Contact Us
For privacy-related inquiries, to exercise your rights, or to contact our Information Officer, please reach us at sales@maestrosat.co.za.