Mighty Workflow logo
Sign in Get Mighty free

Privacy Policy

  • Effective Date: 7 Sep 2025
  • Last Updated: 7 Sep 2025

1. Introduction

Welcome to Mighty Workflow (“Mighty Workflow,” “ we,” “our,” or “us”). This Privacy Policy explains how we collect, use, disclose, and protect personal information when you access or use our websites, applications, and related services (the “Services”).

This Policy applies to Subscribers, Invited Users, and visitors of our Services. It covers both:

  • Customer Data submitted into a Workspace, where the Subscriber is the Controller and Mighty Workflow acts as the Processor, and
  • Personal data we collect directly (such as billing, support, analytics, and marketing data), where Mighty Workflow acts as the Controller.

We are committed to protecting personal information in compliance with the Protection of Personal Information Act, 2013 (POPIA) and, where applicable, the General Data Protection Regulation (GDPR).

This Privacy Policy should be read together with our Terms of Service - V0.5 and Data Processing Agreement (DPA) - V0.5

2. Who We Are

Mighty Workflow is a workflow automation platform that enables Subscribers and their Invited Users to create and manage workflow steps and collect documents or information from clients.

Mighty Workflow is owned and operated by MIGHTY TOOLKIT (PTY) LTD, a company registered in South Africa under registration number 2025/685291/07. For purposes of this Privacy Policy, Mighty Toolkit (Pty) Ltd is responsible for processing personal information as described in this Policy.

  • Registered Address: 2 Willow Ridge, Royal Ascot, Cape Town, Western Cape, 7441, South Africa
  • General Contact Email: [email protected]
  • Information Officer (POPIA) / Data Protection Officer (GDPR): Allister Smith — [email protected]
  • EU/UK Representative: If required by law, we will appoint a representative in the EU/UK and update this Policy with their details.

3. Key Roles

  • “Subscriber”: The individual or legal entity that enters into these Terms by signing up for and creating a Workspace in the Services. The Subscriber is legally responsible for the Workspace, including payment of any applicable fees, control of User access and management of User roles and permissions. In Mighty Workflow, the Subscriber is assigned the role of Owner.
  • “Invited User”: Any individual the Subscriber invites to access the Workspace within the Services (e.g., employees, contractors, external clients). The Subscriber controls Invited Users’ roles, permissions, and access, and may change or revoke such access at any time. This includes:
    • Team Members – added by the Subscriber to collaborate in creating and managing workflows.
    • Contacts – external participants (e.g., clients, applicants, suppliers) who are added by the Subscriber or Team Members to complete assigned workflow steps, upload documents, or provide information.
  • Data Controller vs. Data Processor:
    • Mighty Workflow as Controller (POPIA: Responsible Party): We act as the Controller for personal data you provide directly to us (e.g., workspace registration, billing, support, product analytics, and marketing communications).
    • Subscriber as Controller, Mighty Workflow as Processor (POPIA: Operator): You act as the Controller for personal data you collect from your clients or contacts through the Services. In these cases, Mighty Workflow acts as your Processor, processing such data solely on your documented instructions and in accordance with our Data Processing Agreement (DPA) .

4. What Personal Information We Collect

We collect and process different types of personal information depending on how you interact with our Services. This includes information we process as a Controller (for our own business purposes) and as a Processor (on behalf of Subscribers, under their instructions).

  • Information You Provide (Controller):
    • Company or business name (if applicable)
    • First and last name
    • Email address
    • Login credentials (passwords are stored in hashed form)
    • Payment and billing details (processed by Paddle.com, our authorized Merchant of Record and independent Controller for payment processing and tax remittance — we do not collect or store card details)
    • Support requests, emails, or other communications with us
  • Information we collect automatically (Controller)
    • IP address, device and browser type
    • Usage data (pages visited, actions performed, timestamps)
    • Cookies and similar tracking technologies
    • Log files and metadata related to your use of the Services
  • Information we process on behalf of Subscribers (Processor)
    • Customer Data submitted to or generated within a Workspace, which may include documents, forms, identity information, proof of income, proof of residence, or any other information determined by the Subscriber.
    • Actions completed as part of workflows, such as uploads, approvals, comments, or other interactions within a Workspace.

We do not intentionally collect special categories of personal data (e.g., health information, biometric identifiers, or children’s data) unless expressly permitted in the Terms of Service and DPA, and only with appropriate safeguards and consent.

5. Legal Basis for Processing

Under the GDPR (Articles 6 & 9) and POPIA (section 11), we rely on the following lawful bases to process personal information, depending on the context:

  • Consent
    • When you opt in to receive marketing communications or accept optional cookies and tracking.
    • You may withdraw consent at any time (this does not affect processing carried out before withdrawal).
  • Contract / performance of a contract
    • To create and maintain your Workspace.
    • To provide, support, and secure the Services under our Terms of Service.
    • To handle billing and payment (via Paddle).
  • Legal obligation
    • To comply with tax, accounting, and regulatory requirements.
    • To respond to lawful requests from regulators or authorities.
  • Legitimate interests (where these are not overridden by your rights and freedoms)
    • To maintain and improve the security and performance of the Services.
    • To prevent fraud, misuse, or abuse.
    • To analyse aggregated, anonymised usage data for service development and benchmarking.

Controller vs Processor: When we act as a Controller (e.g., account, billing, analytics), these legal bases apply directly. When we act as a Processor (e.g., Customer Data inside your Workspace), the Subscriber is responsible for establishing a lawful basis, and we process data solely on the Subscriber’s instructions as set out in our Data Processing Agreement (DPA)

6. How We Use Your Information

We use personal information for the following purposes, in line with the legal bases described in Section 5:

  • As a Controller (our own business purposes):
    • To create and manage Subscriber accounts and Workspaces.
    • To provide, maintain, support, and secure the Services.
    • To communicate with you about updates, features, billing, or service issues.
    • To respond to support requests or inquiries.
    • To process payments and manage subscriptions (through Paddle, our Merchant of Record).
    • To monitor and investigate usage for security, fraud prevention, and abuse detection.
    • To improve, develop, and personalise the Services.
    • To generate Anonymised Data (aggregated and de-identified) for analytics, benchmarking, and business insights.
    • To comply with applicable laws, regulations, and legal processes.
  • As a Processor (on behalf of Subscribers):
    • To process Customer Data within a Workspace, solely on the Subscriber’s instructions, in order to facilitate workflows (e.g., collecting documents, managing approvals, completing workflow steps).

We do not sell personal data to third parties.

7. Sharing Your Information

We do not sell your personal information. We may share it only in the following circumstances:

  • Service providers / sub-processors – such as hosting, cloud storage, analytics, communications, and billing/payment providers. All sub-processors are bound by contractual obligations to protect your information and may only process it on our documented instructions. A current list of sub-processors is maintained [here/link] and available on request.
  • Legal or regulatory authorities – where required by applicable law, regulation, legal process, or enforceable government request.
  • Business transfers – in connection with a merger, acquisition, reorganisation, or sale of assets, in which case your information may be transferred to the new entity subject to this Privacy Policy.

For Customer Data inside Workspaces, we act as a Processor. This means we only share such data with sub-processors as authorised by the Subscriber and described in our Data Processing Agreement (DPA)

8. Payment Processing

We use Paddle.com as our authorized Merchant of Record to process all subscription payments.

  • When you make a purchase, your payment details (such as card information) are collected and processed directly by Paddle, not by Mighty Toolkit (Pty) Ltd.
  • Paddle acts as an independent Controller for payment information and may process personal data in accordance with its own Privacy Policy and GDPR/POPIA obligations.
  • Paddle calculates, collects, and remits applicable taxes (e.g., VAT, GST, sales tax) on our behalf.
  • We only receive limited information from Paddle necessary to confirm your order (e.g., name, email address, transaction ID, tax jurisdiction), and use this solely to provide our Services and maintain records.

9. International Data Transfers

  • Hosting: Our primary servers are located in the European Union (EU), and Customer Data is hosted in this region. If you or your clients are located outside the EU, this means personal information will be transferred internationally for storage and processing. By using the Services, you acknowledge that Customer Data and personal information may be transferred from South Africa (or your location) to the EU for storage and processing. Transfers to the EU are permitted under section 72 of POPIA, as the EU is subject to the General Data Protection Regulation (GDPR), which provides an adequate level of protection substantially similar to POPIA.
  • Other transfers: Some of our sub-processors may process data outside the EU or South Africa. In such cases, we implement appropriate safeguards, such as Standard Contractual Clauses (SCCs), adequacy decisions, or binding agreements that uphold equivalent protections, to ensure compliance with GDPR and POPIA.
  • POPIA compliance: Transfers from South Africa are only made where the recipient is subject to a law, contract, binding corporate rules, or binding scheme that effectively upholds data-protection principles substantially similar to those contained in POPIA.
  • Subscriber responsibility: As the Controller, the Subscriber is responsible for ensuring that their use of the Services and any transfer of Customer Data complies with applicable data-transfer laws in relation to their own clients or contacts.

10. Data Retention

We retain personal information for as long as necessary to provide the Services or as otherwise required by law. Specifically:

  • Customer Data: Retained for the duration of your subscription. After termination, Customer Data is retained for up to 60 days to allow you to export or reactivate your Workspace, after which it may be permanently deleted from our systems, subject to legal retention obligations.
  • Account and billing records: Retained as required by applicable law (e.g., tax, accounting, audit).
  • Backups: Data may persist temporarily in backup systems, but is securely deleted or overwritten within standard backup cycles.
  • Analytics and security logs: May be retained in pseudonymised or anonymised form for longer periods to detect abuse, ensure system integrity, and improve our Services.

You may request deletion of your information at any time, unless retention is required by law or necessary to protect our legitimate interests (e.g., resolving disputes, enforcing agreements).

11. Security

We implement appropriate technical, organisational, and physical measures to protect personal information, including:

  • Encryption in transit (TLS) and at rest.
  • Role-based access controls and least-privilege policies.
  • Optional multi-factor authentication (MFA) for accounts.
  • Regular monitoring, logging, and security testing.
  • Restricted physical access to hosting facilities.

We also require our sub-processors to implement equivalent security safeguards.

Security is a shared responsibility. Subscribers are responsible for configuring their Workspace (e.g., enforcing MFA, managing roles/permissions, and removing departing Users) to maintain security. No system is 100% secure, but we work continuously to monitor, improve, and safeguard the Services.

12. Your Rights

Under GDPR and POPIA, you have the following rights (subject to certain limitations under law):

  • Access – request a copy of the personal data we hold about you.
  • Correction – ask us to correct or update inaccurate or incomplete data.
  • Deletion (“right to be forgotten”) – request that we delete your personal data, unless retention is required by law or for legitimate business purposes.
  • Withdraw consent – where processing is based on your consent (e.g., marketing), you may withdraw it at any time.
  • Restrict or object – to processing in certain circumstances, including direct marketing.
  • Portability (GDPR only) – request a portable copy of your personal data in a structured, commonly used, machine-readable format.
  • Lodge a complaint – with your local regulator if you believe your rights have been infringed.

In South Africa, you may lodge a complaint with the Information Regulator:

👉 www.justice.gov.za/inforeg

To exercise any of these rights, contact us at [email protected]. We may need to verify your identity before fulfilling your request. We aim to respond within 30 days, as required by POPIA and GDPR.

13. Cookies

We use cookies and similar technologies for purposes including:

  • Authentication and session management (strictly necessary)
  • User preferences (functional)
  • Analytics and performance monitoring (consent/legitimate interests)
  • Marketing and retargeting (consent, if enabled in future)

For non-essential cookies (analytics, marketing), we rely on your consent, which you can manage through our cookie banner or withdraw at any time via your browser settings. See our Cookie Policy for details.

14. Children’s Privacy

Our Services are not directed to children under 18, and we do not knowingly collect personal data from minors. If we become aware that personal data has been collected from a child without appropriate parental or guardian consent, we will take steps to delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will not apply retrospectively. Where practical, we will provide at least 30 days’ notice by email or in-app notification. Continued use of the Services after the effective date of updates means you accept the revised Policy.

16. Contact Us

For privacy-related questions or requests, please contact our Information Officer / Data Protection Officer:

  • 📧 [email protected]
  • 🏢 2 Willow Ridge, Royal Ascot, Cape Town, Western Cape, 7441, South Africa

If you are located in the EU/UK, you may also contact our representative (once appointed under Article 27 GDPR/UK GDPR).