1. Information we collect

• Account & identity data — name, email address, phone number, job title, and your branch, department, role and supervisor within your organisation.
• Authentication data — your password (stored only as a secure hash), and any two-factor authentication or passkey credentials you set up.
• Process & document data — information you enter into process-flow forms and applications, attachments and files you upload, electronic signatures, and the documents you create, sign, share or archive.
• Activity & technical data — audit logs of actions you take (e.g. submitting, approving or declining a request), together with date/time, IP address, browser and operating system, for security and accountability.

2. Why we collect it (purpose)

We collect personal information only for specified, explicit and legitimate purposes: to create and manage your account, to operate document management and approval workflows, to route requests to the correct approvers, to generate and archive signed documents, to keep an audit trail for accountability and compliance, and to keep the platform secure. We do not use your data for purposes incompatible with these without your consent.

3. How we use it

• Authenticating you and securing your account and sessions.
• Processing the applications, approvals and documents you participate in.
• Sending you in-app and email notifications about activity that concerns you (e.g. a request awaiting your action, or one that was approved or declined).
• Generating, storing and auto-archiving the finalised documents of completed flows.
• Maintaining logs for security monitoring, troubleshooting and audit.

4. Consent & legal basis

In line with the DPA, we process personal data on one or more lawful bases: your consent; the performance of a contract or your employment/engagement with the controlling organisation; compliance with a legal obligation; and the legitimate interests of the organisation in operating its workflows securely. Where we rely on consent — including for any sensitive personal information such as an electronic signature — you may withdraw it at any time, without affecting processing already carried out.

5. Who can access your data

• You, for your own records, applications and documents.
• Authorised users in your organisation — limited by role-based permissions, e.g. the approvers and reviewers assigned to a process flow you participate in, and system administrators.
• Mugonat Systems, as platform provider/processor, strictly for support, maintenance and security, under confidentiality and only as needed.

We do not sell your personal information or share it with third parties for marketing. Any sharing with sub-processors or transfer of data outside Zimbabwe is done only with appropriate safeguards as required by the DPA.

6. Data retention

We keep personal information only for as long as necessary to fulfil the purposes above and to meet the organisation's legal, audit and record-keeping obligations. Documents and completed process records may be retained for the organisation's defined record-retention period. Deleted items may be held temporarily in a recycle bin before permanent removal, after which data is deleted or anonymised.

7. Your rights as a data subject

Under the DPA you have the right to:

• be informed about how your data is processed;
• access the personal data we hold about you;
• request correction of inaccurate or incomplete data;
• request erasure of your data where there is no lawful reason to keep it;
• object to, or request restriction of, certain processing;
• withdraw consent where processing is based on consent;
• lodge a complaint with the Data Protection Authority (POTRAZ).

To exercise any of these rights, contact your organisation's administrator or data controller (see section 9).

8. Security measures

• Encryption of data in transit (HTTPS/TLS) and encryption at rest for sensitive fields.
• Passwords stored only as salted hashes; optional two-factor authentication and passkeys.
• Role-based access control so users see only what their role permits.
• Private, access-controlled document storage (documents are not publicly served).
• Audit logging of significant actions, and regular backups.

No system can be guaranteed perfectly secure, but we apply appropriate technical and organisational measures proportionate to the risk, as required by the DPA, and will notify affected parties and the Authority of a personal data breach where the law requires.

9. Contact & complaints

For any privacy question or to exercise your rights, contact the administrator or data controller of your Mugonat Dokflow organisation. If you believe your data protection rights have been infringed, you may also lodge a complaint with the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) as the Data Protection Authority.