Privacy Policy
This Privacy Policy explains how Mighty Toolkit (Pty) Ltd (registration number 2025/685291/07) ("Mighty Toolkit," "we," "us," or "our") collects, uses, and protects personal information when you use our products and services (the "Services"), including but not limited to Mighty Workflow, Mighty Monitor, and any other products we offer.
1. Introduction
This policy covers Subscribers, Invited Users, and visitors to our websites. It addresses two data roles:
- Customer Data submitted into a workspace, where the Subscriber is the Controller and Mighty Toolkit acts as the Processor.
- Account and usage data that Mighty Toolkit collects directly as Controller.
2. Who We Are
Mighty Toolkit (Pty) Ltd is registered in South Africa (2025/685291/07). Our address is 2 Willow Ridge, Royal Ascot, Cape Town, Western Cape, 7441, South Africa. Our Data Protection Officer is Allister Smith, contactable at [email protected].
3. Definitions
- Subscriber: The account holder/Owner with workspace management responsibility.
- Invited Users: Team Members (collaborators) or Contacts (external participants) invited by the Subscriber.
- Merchant of Record: Dodo Payments Inc., which handles payment processing independently.
4. Information We Collect
As Controller
We collect the following information directly:
- Company/business name, first and last name, email address
- Hashed passwords
- Payment details (processed by our Merchant of Record)
- Support communications
- IP address, device and browser type
- Usage data and analytics
- Cookies (see our Cookie Policy)
As Processor
When you submit Customer Data into a workspace, you (the Subscriber) are the Controller and we process that data on your behalf under our Data Processing Agreement.
5. Legal Basis for Processing
We process personal data based on one or more of the following legal bases:
- Consent: Where you have given us explicit consent
- Contract: Where processing is necessary to perform our contract with you
- Legal obligation: Where we are required by law to process your data
- Legitimate interests: Where processing is necessary for our legitimate interests (such as security maintenance and fraud prevention), provided these are not overridden by your rights and freedoms
6. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our Services
- Manage your account and subscriptions
- Process payments and billing
- Monitor security and prevent fraud
- Analyse usage patterns and improve user experience
- Comply with legal obligations
- Communicate with you about updates, billing, and support
7. How We Share Your Information
We share personal data with service providers and sub-processors who are under contractual obligations to protect your data. We do not sell personal data.
We may share information with legal authorities when required by law, and in connection with business transfers (such as mergers or acquisitions).
8. Payment Processing
Payment card details are collected directly by our Merchant of Record (Dodo Payments Inc.) and are never stored on our servers. The Merchant of Record acts as an independent Controller for payment information and may process personal data in accordance with its own privacy policy.
9. International Data Transfers
Our primary servers are located in the European Union. Data may be transferred from your location to the EU for storage and processing. Transfers from South Africa are permitted under POPIA section 72 because the GDPR provides an adequate level of protection. Other international transfers use Standard Contractual Clauses or equivalent safeguards.
10. Data Retention
- Customer Data: Retained during your active subscription plus 60 days post-termination for export and account reactivation
- Account and billing records: Retained as required by applicable law
- Backups: Securely deleted per our standard backup cycles
11. Security
We implement encryption in transit (TLS) and at rest, role-based access controls, optional multi-factor authentication, and regular monitoring. No system is 100% secure, but we work continuously to monitor, improve, and safeguard the Services.
12. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Withdraw consent
- Restrict or object to processing
- Exercise data portability (GDPR)
- File a complaint with a supervisory authority
For South African residents, complaints may be directed to the Information Regulator. We will respond to rights requests within 30 days.
13. Cookies
We use cookies for authentication, preferences, analytics, and marketing. Non-essential cookies require consent and can be managed via our cookie banner or your browser settings. For more details, see our Cookie Policy.
14. Children
Our Services are not directed to individuals under 18. If we become aware that we have collected personal data from a child without valid consent, we will take steps to delete that information promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated with at least 30 days' notice where practical, via our website or in-app notification. Continued use of the Services after changes constitutes acceptance.
16. Contact Us
Data Protection Officer: Allister Smith
Email: [email protected]
Address: 2 Willow Ridge, Royal Ascot, Cape Town, Western Cape, 7441, South Africa