Welcome to our consolidated Privacy and Legal information.
1. Introduction
At ToTheMoon ("we," "us," or "our"), we are committed to protecting the privacy and security of our users' data. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our software product, Carl the Clerk. This policy is designed to comply with the EU and UK General Data Protection Regulation (GDPR) and the Protection of Personal Information Act (POPIA) in South Africa. By using our services, you agree to this Privacy Policy. For any questions or concerns, please contact our Data Protection Officer (DPO) at jacques@tothemoon.build.
2. About Carl the Clerk
Carl the Clerk is a software solution that processes bank statements and invoices for corporate clients to streamline financial operations. Our platform consolidates bank transactions, classifies them, applies relevant tax rates, and links them to invoices for efficient management. The system processes primarily company-related data; however, personal data may be incidentally processed, in which case, we aim to adhere to applicable data protection laws.
3. Contact Information
For any questions or concerns about this Privacy Policy or to exercise your data protection rights, you may contact our DPO:
4. Scope of Data Processed
ToTheMoon processes the following types of data primarily related to company financial transactions:
While we primarily process company-related data, we recognize that some personal data may be incidentally included (e.g., names in transaction records or details related to sole proprietors). In such cases, we handle this data with care and aim to apply data protection principles that align with GDPR, UK GDPR, and POPIA, focusing on security, confidentiality, and limited access.
5. Lawful Basis for Processing
ToTheMoon processes your data based on:
6. How We Collect and Use Your Information
Direct Collection: We collect data directly from you during registration, communications, or when information is submitted through our platform.
Automated Collection: Cookies are used solely for user authentication to secure account access.
Purpose of Use:
7. Data Sharing with Third-Party Service Providers
To provide our services, we may share your data with third-party providers. These subprocessors are expected to use data solely for tasks on our behalf, in alignment with GDPR and POPIA requirements. Our subprocessors currently include:
We strive to work with providers that prioritize data protection and confidentiality. To the best of our knowledge, these providers follow applicable laws, and we aim to ensure compliance with GDPR’s Standard Contractual Clauses (SCCs) and POPIA’s standards for cross-border data transfers. However, please note that specific data handling and retention practices may vary based on each provider's policies.
8. International Data Transfers
Your data may be transferred to and processed in countries outside of the EU/UK and South Africa, where our servers or service providers operate. For such transfers:
We continuously monitor our subprocessors to ensure they maintain high standards of data protection.
9. Your Data Rights
ToTheMoon respects your rights under GDPR, UK GDPR, and POPIA. You may:
To exercise these rights, please email jacques@tothemoon.build. We will verify your identity and respond to your request promptly.
10. Automated Decision-Making and Human Intervention
Our AI models process financial data to provide efficient service, including transaction classification and tax rate assignment. No significant automated decision-making is performed without the option for human intervention. If you wish to contest an automated decision or request human review, please contact us at jacques@tothemoon.build.
11. Data Storage and Retention
Your data is securely stored in AWS S3, AWS RDS, and Pinecone databases. We retain your data for as long as necessary to fulfill our contractual obligations and for an additional period as required by law. Upon verified deletion requests, we will erase your data from our systems in accordance with GDPR and POPIA.
12. Security Measures
ToTheMoon implements robust security protocols, including:
13. Use of Cookies
Cookies are used exclusively for user authentication to secure account access. We do not use tracking or analytics cookies on our platform.
14. Children’s Data
Our services are intended solely for business use and are not designed for individuals under the age of 18. We do not knowingly collect data from minors. If we become aware that personal data of minors has been collected, we will promptly delete it.
15. Dispute Resolution and Complaints
If you have a complaint about our data practices, please contact us at jacques@tothemoon.build. We aim to resolve disputes amicably and offer arbitration as an alternative dispute resolution option before resorting to legal proceedings. You also have the right to lodge a complaint with your regional data protection authority:
16. Opt-Out Preferences
You may opt out of non-essential communications, such as marketing emails, by contacting jacques@tothemoon.build.
17. Updates to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of significant changes via email. The updated policy will be effective upon posting.
Thank you for trusting ToTheMoon with your data. We prioritize your privacy and are committed to upholding your rights under GDPR, UK GDPR, and POPIA.
Last Updated: 2024-10-07
THESE TERMS OF SERVICE (THE "AGREEMENT") GOVERN YOUR ACCESS TO AND USE OF THE SERVICES PROVIDED BY TOTHEMOON ("TOTHEMOON," "WE," "US," OR "OUR"). BY ACCESSING OR USING OUR SERVICES, YOU ("CUSTOMER") AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS, YOU MUST NOT ACCESS OR USE THE SERVICES. THE INDIVIDUAL ACCEPTING THIS AGREEMENT DOES SO ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY AND REPRESENTS THAT THEY HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THESE TERMS.
1. The Service
1.1 Service Description
ToTheMoon owns and operates Carl the Clerk, a software solution designed to process bank statements and invoices of clients and consolidate bank transactions (the "Service"). The Service classifies bank transactions, determines relevant tax rates, and links them to invoices to streamline financial operations.
1.2 User Submissions
All data, information, or material that the Customer or its authorized users ("Users") upload, submit, or otherwise transmit through the Service are considered "User Submissions." The Customer is solely responsible for all User Submissions, including ensuring compliance with all applicable laws and regulations.
1.3 Ownership
ToTheMoon retains all rights, title, and interest, including all intellectual property rights, in and to the Service, including any software, documentation, templates, scripts, and other materials provided (collectively, the "ToTheMoon Materials"). No rights are granted to the Customer other than as expressly set forth herein.
2. Subscription and Access
2.1 Subscription Terms
Subject to the terms and conditions of this Agreement, ToTheMoon hereby grants the Customer a non-exclusive, non-transferable, revocable right to access and use the Service during the Subscription Period specified herein, solely for the Customer's internal business purposes.
2.2 Free Trial
Each new Customer is granted 1,000 seconds of free processing time upon signing up for the Service. This free trial is subject to the terms and conditions of this Agreement.
2.3 User Accounts
Access to the Service is restricted to Users authorized by the Customer. The Customer shall be responsible for:
3. Fees and Payment Terms
3.1 Fees
The Customer agrees to pay all fees associated with the use of the Service ("Fees") as invoiced by ToTheMoon. Fees are based on the Customer's usage of the Service during the preceding month and are charged in South African Rand (ZAR).
3.2 Payment Method
Payments shall be made via Electronic Funds Transfer (EFT) to the bank account specified by ToTheMoon. Invoices will be issued at the start of each month, detailing the Fees due for the previous month's usage. The Customer agrees to settle invoices within thirty (30) days of the invoice date.
3.3 Third-Party Payment Processor
ToTheMoon may use Stripe or other third-party payment processors ("Payment Processors") to facilitate payments. The use of Payment Processors is subject to their respective terms and conditions.
3.4 Taxes
All Fees are exclusive of any applicable taxes, levies, or duties imposed by taxing authorities. The Customer is responsible for paying all such taxes associated with its purchases hereunder.
3.5 Late Payments
In the event of late payment, ToTheMoon reserves the right to:
4. Term and Termination
4.1 Term
This Agreement commences on the date the Customer first accesses or uses the Service and continues until terminated in accordance with the provisions herein ("Term").
4.2 Termination by Customer
The Customer may terminate this Agreement at any time by:
4.3 Termination by ToTheMoon
ToTheMoon may terminate this Agreement or suspend the Customer's access to the Service immediately upon written notice if:
4.4 Effect of Termination
Upon termination of this Agreement for any reason:
5. Use Restrictions
5.1 Customer Responsibilities
The Customer is responsible for:
5.2 Prohibited Activities
The Customer shall not, and shall not permit any third party to:
6. Third-Party Services
6.1 Integration with Third-Party Services
The Service may integrate with or utilize third-party services, including but not limited to OpenAI, Anthropic, AWS, Pinecone, and Stripe ("Third-Party Services"). The Customer acknowledges that:
6.2 Disclaimer
ToTheMoon disclaims all liability arising from the Customer's use of Third-Party Services. The Customer assumes all risks associated with Third-Party Services.
7. Confidentiality
7.1 Definition
"Confidential Information" means any non-public information disclosed by one party ("Disclosing Party") to the other ("Receiving Party") that is designated as confidential or that should reasonably be understood to be confidential given the nature of the information.
7.2 Obligations
The Receiving Party agrees to:
7.3 Exceptions
Confidential Information does not include information that:
8. Warranties and Disclaimers
8.1 Mutual Warranties
Each party represents and warrants that:
8.2 Disclaimer of Warranties
EXCEPT AS EXPRESSLY PROVIDED HEREIN, THE SERVICE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. TOTHEMOON DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
9. Limitation of Liability
9.1 Exclusion of Consequential Damages
IN NO EVENT SHALL TOTHEMOON BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOSS OF PROFITS, DATA, OR BUSINESS OPPORTUNITIES, ARISING OUT OF OR RELATED TO THIS AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
9.2 Limitation of Liability
TOTHEMOON'S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE TOTAL AMOUNT PAID BY THE CUSTOMER TO TOTHEMOON IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM.
10. Data Protection
10.1 Compliance with Laws
Each party agrees to comply with all applicable data protection and privacy laws in connection with its activities under this Agreement.
10.2 Data Processing Agreement
ToTheMoon processes personal data in accordance with its Data Processing Agreement ("DPA"), which is hereby incorporated by reference and available at https://tothemoon.build/legal/digits/data-processing-agreement.
11. Governing Law and Dispute Resolution
11.1 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the Republic of South Africa, without regard to its conflict of law provisions.
11.2 Venue
Any disputes arising out of or relating to this Agreement shall be resolved exclusively in the courts located in Gauteng Province, South Africa. Each party consents to the personal jurisdiction of such courts.
12. General Provisions
12.1 Notices
All notices under this Agreement shall be in writing and shall be deemed to have been duly given when delivered via email to:
12.2 Assignment
Neither party may assign or transfer any of its rights or obligations under this Agreement without the prior written consent of the other party, except in connection with a merger, acquisition, or sale of all or substantially all of its assets.
12.3 Entire Agreement
This Agreement constitutes the entire agreement between the parties and supersedes all prior or contemporaneous agreements, understandings, and communications.
12.4 Amendments
No modification or amendment of this Agreement shall be effective unless in writing and signed by both parties.
12.5 Severability
If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
12.6 Waiver
The failure of either party to enforce any right or provision of this Agreement shall not constitute a waiver of future enforcement of that right or provision.
12.7 Force Majeure
Neither party shall be liable for any failure or delay in performance due to causes beyond its reasonable control, including acts of God, war, terrorism, civil unrest, governmental action, and natural disasters.
13. Contact Information
For any questions regarding this Agreement, please contact:
BY ACCESSING OR USING THE SERVICE, THE CUSTOMER ACKNOWLEDGES THAT IT HAS READ, UNDERSTOOD, AND AGREES TO BE BOUND BY THE TERMS OF THIS AGREEMENT.
Data Processing Agreement (DPA) - TOTHEMOON
This DPA is structured as follows:
Section A – Key Terms
Variable | Value |
---|---|
Responsible Party(s) | Controller, Controller address Contact: Controller person (Controller email) |
Operator(s) | ToTheMoon Contact: TOBIAS JACQUES WINTERBACH (Jacques@tothemoon.build) (together with the Responsible Party, the "Parties") |
Processing purpose | Processing in the context of the Privacy policy dated 22 October 2024 (the "Base Agreement") |
Duration of processing | As long as required for the Base Agreement |
Categories of data subjects | • Customers (natural and juristic persons) • Potential clients (natural and juristic persons) |
Categories of personal data | • Contact data (email, phone) • Name • Company names • Registration numbers • Financial information |
Place of storage & processing | Data will be stored and processed primarily in the EU (AWS region eu-west-1) and the UK (if applicable) through AWS services (e.g., Lambda, S3, and RDS) as managed by Laravel Vapor. Data may also be processed by the following sub-operators outside the EU/UK: OpenAI, Anthropic, and Pinecone, where appropriate data transfer mechanisms (such as Standard Contractual Clauses) are applied, and in compliance with POPIA and UK GDPR requirements for cross-border data transfers. |
On-premise audits | No |
Sub-processors | • AWS: Ireland (eu-west-1) for cloud infrastructure (hosting, databases, object storage). • OpenAI: U.S. for LLM processing (configurable for “No Log” mode). • Anthropic: U.S. for LLM processing. • Pinecone: Vector database services, available in U.S. and EU regions. |
Transfer Outside of EU/EEA, UK, and South Africa | Only allowed to countries where the operator or an approved sub-operator is registered and where adequate protection measures are in place as per GDPR, UK GDPR, and POPIA. |
Section B – Legal Terms
1. Purpose and Scope
(a) The purpose of this Data Processing Agreement (the "DPA") is to ensure
compliance with Article 28(3) and (4) of the EU General Data Protection Regulation
("GDPR"), the UK GDPR, and the relevant provisions of the Protection of Personal
Information Act ("POPIA") of South Africa, with respect to each law only if and to the
extent applicable to the respective processing activity.
(b) This DPA applies with respect to the processing of personal information as
specified in Section A.
2. Interpretation
(a) Where this DPA uses terms defined in the GDPR, UK GDPR, or POPIA, as
applicable, those terms shall have the same meaning as in those laws.
(b) This DPA shall be read and interpreted in the light of the provisions of the GDPR,
UK GDPR, and POPIA.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and
obligations provided for in the GDPR, UK GDPR, or POPIA, or prejudices the
fundamental rights or freedoms of the data subjects.
3. Hierarchy
In the event of a conflict between this DPA and the provisions of any other agreement between the Parties existing at the time when this DPA is agreed or entered into thereafter, this DPA shall prevail, except where explicitly agreed otherwise in writing.
4. Description of Processing
The details of the processing operations, and in particular the categories of personal information and the purposes of processing for which the personal information is processed on behalf of the responsible party, are specified in Section A.
5. Obligations of the Parties
5.1 General
(a) The operator shall process personal information only on documented instructions
from the responsible party, unless required to do so by law to which the operator is
subject. Such instructions are specified in Section A. In such cases, the operator shall
inform the responsible party of that legal requirement before processing, unless the
law prohibits this on important grounds of public interest. Subsequent instructions
may also be given by the responsible party throughout the duration of the processing
of personal information. Such instructions shall always be documented.
(b) The operator shall immediately inform the responsible party if, in its opinion, an
instruction infringes applicable data protection laws.
(c) The operator agrees to process personal information with the knowledge or
authorization of the responsible party and shall treat all personal information as
confidential.
5.2 Purpose Limitation
The operator shall process the personal information only for the specific purpose(s) of the processing, as set out in Section A.
5.3 Erasure or Return of Data
(a) Processing by the operator shall only take place for the duration specified in
Section A.
(b) Upon termination of the provision of personal information processing services or
termination pursuant to Clause 9, the operator shall, at the choice of the responsible
party, delete or return all personal information processed on behalf of the responsible
party and certify to the responsible party that it has done so, unless retention of the
personal information is required by law.
5.4 Security of Processing
(a) The operator shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(b) In assessing the appropriate level of security, the operator shall take due account
of the risks involved in the processing, the nature of the personal information, and the
nature, scope, context, and purposes of processing.
(c) The operator shall ensure that persons authorized to process the personal
information have committed themselves to confidentiality or are under an appropriate
statutory obligation of confidentiality.
(d) If the processing involves special categories of personal information, the operator
shall apply specific restrictions and/or additional safeguards as reasonably required
by the responsible party.
5.5 Documentation and Compliance
(a) The operator shall make available to the responsible party all information
necessary to demonstrate compliance with the obligations set out in this DPA and
under applicable data protection laws.
(b) Upon the responsible party's written request, the operator shall provide responses
to reasonable data protection questionnaires that are necessary to confirm
compliance with this DPA.
(c) The operator may satisfy the obligations in this Clause by providing up-to-date
attestations, certifications, or reports from independent sources (e.g., external
auditors, data protection authorities), or by providing a summary of its data
processing facilities and safeguards.
(d) The operator and responsible party agree that audits and inspections shall be
limited to the information necessary to demonstrate compliance and shall not include
access to the operator's premises or physical infrastructure, except as required by
applicable law.
(e) Any audits shall be conducted during regular business hours, with reasonable
advance notice, and in a manner that does not disrupt the operator's business
operations.
5.6 Use of Sub-Operators
(a) The responsible party provides a general authorization for the operator to engage
sub-operators to assist in the processing of personal information under this DPA,
provided that the operator informs the responsible party of any intended changes
concerning the addition or replacement of sub-operators, thereby giving the
responsible party the opportunity to object to such changes within 15 days after
being informed.
(b) The operator shall ensure that any sub-operator it engages to process personal
information on its behalf is bound by data protection obligations compatible with
those of the operator under this DPA.
(c) The operator shall remain fully responsible to the responsible party for the
performance of the sub-operator's obligations under its contract with the operator.
(d) The operator shall, upon the responsible party's request, provide the responsible
party with a list of sub-operators and the categories of processing they perform.
5.7 International Transfers
(a) Data transfers to countries outside the EU/EEA and South Africa (e.g., the U.S.)
shall be made in compliance with Chapter V of the GDPR, UK GDPR, and Sections 72
and 73 of POPIA, using Standard Contractual Clauses or other approved transfer
mechanisms.
(b) The operator shall ensure that appropriate safeguards are in place for international
transfers and shall provide evidence of such safeguards upon the responsible party's
reasonable request.
6. Assistance with Data Subject Rights
(a) The operator shall assist the responsible party by appropriate technical and
organizational measures, insofar as this is possible, for the fulfilment of the
responsible party's obligations to respond to requests for exercising the data
subject's rights under GDPR, UK GDPR, and POPIA.
(b) The operator shall promptly notify the responsible party if it receives a request
from a data subject under any data protection law in respect of personal information
processed under this DPA.
(c) The operator shall not respond to such requests except on the documented
instructions of the responsible party or as required by applicable laws.
(d) The operator shall be entitled to charge the responsible party on a time and
materials basis in the event that the operator considers, in its reasonable discretion,
that assistance under this Clause 6 exceeds the scope of the services agreed in the
Base Agreement.
7. Data Breach Notifications
(a) The operator shall notify the responsible party without undue delay after becoming
aware of a personal data breach affecting personal information processed under this
DPA.
(b) The notification shall include sufficient information to allow the responsible party
to meet any obligations to report or inform data subjects or supervisory authorities of
the personal data breach under applicable data protection laws.
(c) The operator shall cooperate with the responsible party and take reasonable
commercial steps as directed by the responsible party to assist in the investigation,
mitigation, and remediation of each such personal data breach.
8. Data Protection Impact Assessments and Prior Consultation
The operator shall provide reasonable assistance to the responsible party with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities, in each case solely in relation to processing of personal information and taking into account the nature of the processing and information available to the operator.
9. Deletion or Return of Personal Information
(a) Subject to Clause 9(b), the operator shall promptly and in any event within 30 days of
the date of cessation of any services involving the processing of personal information
(the "Cessation Date"), delete and procure the deletion of all copies of that personal
information.
(b) The operator shall, subject to the Base Agreement, return all the personal
information to the responsible party and delete existing copies unless applicable law
requires storage of the personal information.
10. Audit Rights
(a) The operator shall make available to the responsible party on request all
information necessary to demonstrate compliance with this DPA.
(b) The operator shall allow for and contribute to audits, including inspections,
conducted by the responsible party or an auditor mandated by the responsible party,
provided that:
(c) The operator may require the responsible party to enter into a non-disclosure
agreement before the audit.
(d) Each party shall bear its own costs in relation to any audits or inspections.
11. Liability
(a) Each party's liability arising out of or related to this DPA shall be subject to the
limitations and exclusions of liability set out in the Base Agreement, except to the
extent that such liability cannot be limited under applicable law.
(b) The operator's total aggregate liability towards the responsible party, whether in
contract, tort, or under any other theory of liability, shall be limited to the total fees
paid under the Base Agreement in the 12 months preceding the event giving rise to
the liability.
12. Governing Law and Jurisdiction
(a) This DPA shall be governed by and construed in accordance with the laws specified
in the Base Agreement.
(b) Any disputes arising out of or in connection with this DPA shall be subject to the
exclusive jurisdiction of the courts specified in the Base Agreement.
Section C – Technical and Organizational Measures (TOMs)
The operator shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
The operator may update or modify these measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the processing of personal information.