Privacy notice
PoP-Eye is operated under the Protection of Personal Information Act (POPIA) of South Africa. This page tells you what we collect, how we use it, how long we keep it, and how to ask us to delete it.
What we collect
- The PDF you upload, treated as Proof of Payment subject to a forensic scan.
- Any optional cross-check fields you fill in on the upload form (business name, beneficiary account, branch code).
- An irreversible hash of your IP address, used to detect when the same Proof of Payment is being recycled across different submitters. We never store the raw IP.
We do not ask for your email or your name. There is no account to create.
The pop-eye-client-id cookie
When your first scan completes we set a pop-eye-client-id cookie on your browser that expires after 30 days. It exists solely to recognise re-uploads of the same PDF from the same browser, so your verdict stays consistent if you scan again. The cookie is a random tag — it doesn't identify you, carries no personal information, and isn't shared with anyone. Clearing your cookies removes it.
The pop-eye-language cookie
If you choose a language, we set a pop-eye-language cookie on your browser that remembers it for about a year. It holds only the language tag you picked (for example, en), carries no personal information, and isn't shared with anyone. Clearing your cookies removes it; the site falls back to its default language.
The report URL
After every successful scan you get a private report URL of the form /r/<random-token>. It's the only handle you have on your submission. Save it (copy/paste, bookmark, share with yourself by email) because we cannot email it to you. Anyone with the URL can view the verdict and delete the submission — treat it like a password.
How long we keep it
We keep your PDF and your optional claim fields for up to 30 days after the scan. After 30 days — or as soon as you tell us your bank confirmed the outcome on the report URL — we anonymise the record: the PDF is deleted from our storage, the claim fields are nulled. The verdict and derived signals remain so the system keeps working for other merchants who scan the same PDF.
The irreversible hash of your IP is retained indefinitely. This is intentional — the cross-submission signal it powers ("has this exact PDF been seen from a different network before?") only works if the hash continues to match across time.
How to delete your data yourself
Open the report URL and click Delete this report at the bottom. Confirm once, and the PDF and your claim fields are gone immediately. The verdict and IP-hash stay (see above).
If you've lost the report URL
Email us at privacy@pop-eye.io. Include whatever you can about the submission (approximate date, the PDF's file name or content, the bank you claimed). We'll find matching rows and run the same anonymisation on your behalf. We act within 5 business days.
Scope of "deletion" — what goes, what stays
When you delete (or when the 30-day cron fires) we delete:
- The raw PDF.
- The optional cross-check fields you supplied at upload.
- The extracted text from the PDF (amount, reference, beneficiary, etc.).
We retain (none of these identify you):
- A non-reversible hash of the PDF's bytes — so the system can recognise the same file if it's submitted again by someone else.
- A non-reversible hash of your IP — same purpose, different dimension of the same adversarial signal.
- The verdict, signal categories, and any recorded bank-confirmed outcome.
- The internal per-check signals (font fingerprints, structural anomalies, etc.). These are abstract numbers that don't identify you.
We also retain operational telemetry (rate-limit events, audit log) under separate retention rules.
Advertising on this site
Some pages display a single editorially-curated sponsor card below the verdict on a successful scan. The sponsor pays PoP-Eye for the placement; we review every line of copy before it ships.
What the sponsor sees: nothing about you. We do not embed any third-party scripts, advertising pixels, or cookies on the page. The sponsor's link includes a ?ref=pop-eye query parameter so they can count how many sessions arrived from PoP-Eye — they never receive your IP, your report URL, the PDF you uploaded, or anything you typed.
Sponsored placements never appear next to a Fail verdict, on the privacy or delete-confirm pages, or while your scan is still in flight. The rule is built into the renderer (ADR-0033 §2) and is not configurable per advertiser.
Other POPIA rights
You can also ask us to access or correct your information by emailing privacy@pop-eye.io. We'll respond within 5 business days.