Privacy Policy

1. Introduction

Welcome to Accord. This Privacy Policy explains how Accord ("we," "us," or "our"), a product of Peiso Media Group, collects, uses, discloses, and protects your personal information when you use our RFP platform for hospitality venues and organizations.

By using Accord, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our services.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

• Email address (required for account creation and login)
• Full name
• Password (stored as a cryptographic hash using industry-standard)
• Role and status within your organization

Organization Information:

• Company name
• Business address
• Phone number
• Business registration number
• Tax ID
• Industry type
• Website URL
• Company logo (uploaded and stored securely)

Profile Information:

• Avatar/profile picture (optional)
• User preferences (email notifications, SMS notifications, theme, language)
• Two-factor authentication settings (if enabled)

Business Content:

• Quote requests (RFPs) including event details, requirements, guest counts
• Quote responses including pricing, line items, terms and conditions
• Invoices and payment information
• Documents attached to quotes and invoices (PDFs, images, Word, Excel files up to 10MB)
• Comments and internal notes on quotes and invoices
• Banking details for payment verification (bank name, account name, account number, SWIFT code)

2.2 Information Collected Automatically

Usage Data:

• Login history
• Activity logs
• Session data
• Feature usage and interaction patterns

Technical Data:

• IP address
• Browser type and version
• Device type and operating system
• Referring/exit pages
• Date and time stamps
• Clickstream data

Performance Data:

• API response times
• Error logs (for debugging and system improvement)
• Cache performance metrics

2.3 Information from Third Parties

Authentication Providers:
If you choose to sign in using third-party authentication (e.g., Google, Microsoft), we receive:

• Email address
• Name
• Profile picture
• Account ID from the provider

Payment Processors:
We do not directly process or store credit card information. Payment processing is handled by third-party payment gateways that comply with PCI-DSS standards.

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Core Service Delivery

• Create and manage your account
• Authenticate your identity and maintain session security
• Enable RFP creation, quote responses, and invoice management
• Facilitate communication between venues and organizations
• Process and track payments
• Store and retrieve documents securely
• Provide customer support

3.2 Service Improvement

• Analyze usage patterns to improve platform performance
• Identify and fix bugs and technical issues
• Develop new features based on user behavior
• Optimize user experience and interface design

3.3 Communication

• Send transactional emails (RFP notifications, quote approvals, invoice reminders)
• Provide customer support responses
• Send service updates and important notices
• Send marketing communications (only if you opt in)

3.4 Security and Compliance

• Detect and prevent fraud, abuse, and security incidents
• Enforce our Terms of Service
• Comply with legal obligations and regulatory requirements
• Maintain audit trails for compliance purposes
• Monitor system health and performance

3.5 Analytics and Reporting

• Generate aggregated, anonymized statistics about platform usage
• Provide dashboard analytics to venues (revenue forecasting, conversion rates)
• Track invoice payment workflows
• Monitor RFP response rates

4. How We Share Your Information

We may share your information only in the following limited circumstances:

4.1 Within the Accord Platform

• Between Connected Parties: When a venue and organization are connected through Accord, they can see each other's business information (company name, contact details, quotes, invoices) as necessary for the business relationship.
• Within Your Organization: Team members within your organization can access shared data based on their role and permissions.

4.2 Service Providers

We work with trusted third-party service providers who process data on our behalf. These providers include:

• Payment processors
• Cloud Infrastructure providers
• Email service providers
• Analytics providers

All service providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.3 Legal Requirements

We may disclose your information if required by law or in response to:

• Valid legal processes (subpoenas, court orders)
• Government or regulatory requests
• Protection of our rights, property, or safety
• Prevention of fraud or illegal activity
• Enforcement of our Terms of Service

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our platform before your information is transferred and becomes subject to a different privacy policy.

5. Data Security

We take data security seriously and implement industry-standard measures to protect your information:

5.1 Technical Safeguards

• Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.3
• Password Security: Passwords are hashed using bcrypt with salt before storage
• Session Management: Secure, httpOnly cookies with automatic expiration
• File Validation: Uploaded files are validated using magic-byte verification to prevent malicious uploads
• Rate Limiting: Protection against brute-force attacks and abuse
• CSRF Protection: Cross-site request forgery protection on all state-changing operations

5.2 Access Controls

• Role-based access control (RBAC) ensures users only access data they're authorized to see
• Multi-factor authentication (2FA) available for enhanced account security
• Session timeout after periods of inactivity
• Audit logging of all sensitive actions

5.3 Infrastructure Security

• Regular security updates and patches
• Automated backups with encryption at rest
• Database connection pooling with secure credential management
• Redis caching with automatic degradation on failure
• Health monitoring and alerting systems

5.4 Operational Security

• Employee access to customer data is strictly limited and logged
• Regular security audits and vulnerability assessments
• Incident response procedures in place
• Data retention policies to minimize unnecessary data storage

No system is 100% secure. While we implement robust security measures, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

6. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

6.1 Active Accounts

• Account data is retained while your account is active
• Activity logs are retained for 2 years for audit and compliance purposes
• Session data expires automatically (30 minutes of inactivity)

6.2 Deleted Accounts

• When you delete your account, we permanently delete your personal information within 30 days
• Some data may be retained in backups for up to 90 days before permanent deletion
• We may retain anonymized, aggregated data for analytics purposes
• Legal and compliance records may be retained longer as required by law

6.3 Business Records

• Quotes, invoices, and financial records are retained for 7 years for tax and audit compliance
• Documents uploaded to the platform are retained as long as the associated quote or invoice exists

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

7.1 Access and Portability

• Right to Access: Request a copy of the personal information we hold about you
• Data Portability: Request your data in a structured, machine-readable format

7.2 Correction and Deletion

• Right to Correct: Update or correct inaccurate information through your account settings
• Right to Delete: Request deletion of your account and associated data

7.3 Control and Objection

• Marketing Opt-Out: Unsubscribe from marketing emails at any time
• Notification Preferences: Control email, SMS, and push notifications in your account settings
• Right to Object: Object to processing of your data for certain purposes

7.4 How to Exercise Your Rights

To exercise any of these rights, contact us at:

• Email: accordprivacy@pmg.co.ls
• Subject Line: "Privacy Rights Request"

We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

8. Cookies and Tracking Technologies

8.1 Cookies We Use

• Essential Cookies: Required for authentication and session management (cannot be disabled)
• Performance Cookies: Help us understand how you use the platform to improve performance
• Preference Cookies: Remember your settings and preferences

8.2 Third-Party Cookies

Our service providers may set cookies for:

• Authentication (Better Auth)
• Error tracking and monitoring
• Analytics (anonymized usage data)

8.3 Your Cookie Choices

You can control cookies through your browser settings. Note that disabling essential cookies will prevent you from using Accord.

9. International Data Transfers

Accord is operated from South Africa. If you access our services from outside South Africa, your information may be transferred to, stored, and processed in South Africa or other countries where our service providers operate.

We ensure appropriate safeguards are in place for international data transfers, including:

• Standard contractual clauses with service providers
• Compliance with applicable data protection laws
• Encryption of data in transit and at rest

10. Children's Privacy

Accord is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will take steps to delete that information promptly.

If you believe we have collected information from a child, please contact us at accordprivacy@pmg.co.ls.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will notify you of material changes by:

• Posting the updated policy on our website with a new "Last Updated" date
• Sending an email notification to your registered email address
• Displaying a prominent notice on the platform

Your continued use of Accord after the effective date of the updated policy constitutes your acceptance of the changes.

12. Regional Privacy Rights

12.1 South African Residents (POPIA)

Under the Protection of Personal Information Act (POPIA), you have the right to:

• Access your personal information
• Correct or delete your personal information
• Object to processing of your personal information
• Lodge a complaint with the Information Regulator

Information Regulator Contact:

• Website: www.justice.gov.za/inforeg
• Email: inforeg@justice.gov.za

12.2 European Residents (GDPR)

If you are in the European Economic Area (EEA), you have additional rights under GDPR, including:

• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to withdraw consent
• Right to lodge a complaint with your local supervisory authority

12.3 California Residents (CCPA)

California residents have the right to:

• Know what personal information is collected
• Know whether personal information is sold or disclosed
• Opt-out of the sale of personal information (we do not sell personal information)
• Request deletion of personal information
• Non-discrimination for exercising privacy rights

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Peiso Media Group

• Privacy Email: accordprivacy@pmg.co.ls
• Website: www.pmg.co.ls
• Product: Accord (www.accordhq.co)

We will respond to your inquiry within 30 days.

14. Definitions

• Personal Information: Any information that identifies or can be used to identify an individual
• Processing: Any operation performed on personal information, including collection, storage, use, disclosure, or deletion
• Data Controller: The entity that determines the purposes and means of processing personal information (Peiso Media Group)
• Data Processor: A third party that processes personal information on behalf of the data controller
• Venue: A hospitality establishment (hotel, conference centre, lodge) using Accord
• Organization: A corporate client, NGO, or agency booking venues through Accord