KlikSend
SA-Built · POPIA-aligned
LEGAL / DATA RETENTION

Data Retention Policy

This policy explains how long KlikSend keeps the information it processes, and how that information is securely disposed of once it is no longer required. KlikSend is a secure file-transfer service: staff upload files and share them through secure, optionally password-protected, expiring links. This policy covers the files you upload, the share links you create, and your KlikSend login account — nothing else.

KlikSend is operated by Municipex (Pty) Ltd trading as NanoCrew (the “Operator”, “we”, “us”). It is part of the NanoCrew family of tools and is built and hosted to serve South Africa, the wider African continent, and international users. This policy is aligned with the Protection of Personal Information Act, 2013 (POPIA) and should be read together with our Privacy Policy and Terms of Service.

This document is a professional template intended to be reviewed, adapted, and approved by the Operator’s appointed Information Officer and qualified legal counsel before reliance. It does not constitute legal advice.

01 / Retention principle

We follow the retention and restriction condition of POPIA (section 14): personal information is kept only for as long as is necessary to achieve the purpose for which it was collected or subsequently processed, unless a longer period is required or authorised by law, the Operator reasonably requires the record for a lawful purpose related to its functions, retention is required by contract, or the data subject has consented to it. When a retention period expires and no lawful basis to retain remains, the record is deleted, destroyed, or de-identified in a manner that prevents its reconstruction in an intelligible form.

Because KlikSend is designed around expiring links, retention is short by default. The schedule below describes the specific periods that apply to each category of information the service handles. Defaults are configurable by the Operator; the values shown reflect the standard configuration.

02 / Retention schedule

Uploaded files

The files you upload are stored in secure object storage so your share can be downloaded. Each share carries an expiry, which defaults to 7 days and can be configured per share at the time the share is created. At expiry the share’s link stops working and the files can no longer be downloaded through KlikSend. If you keep a file in your Drive, it stays available to you there until you remove it. Deleting a share — or a file from your Drive — removes the underlying objects from storage. Once a file is deleted it cannot be recovered.

Share groups & file metadata

Information describing a share — such as the share identifier, file names, file sizes, expiry, and password-protection status — is retained while the share exists. Deleting a share removes this information together with its files. We may keep limited diagnostic and security records for a short period for abuse prevention and dispute resolution, after which they are removed on a rolling basis.

KlikSend account data

Data associated with your KlikSend login account — for example your name, email address, and authentication credentials — is kept for as long as your account remains active so that we can provide the service. Passwords are never stored in plaintext; only a salted cryptographic hash is retained. When you close your account, this data is deleted or de-identified, subject to any overriding legal retention obligation (for example records required for tax or accounting purposes), which is kept for the minimum period the law allows.

Password-reset & email-verification tokens

Tokens issued for password resets and email-address verification are short-lived by design — valid for approximately one hour — and single-use. They expire automatically and are invalidated immediately upon use or once a newer token is issued. Expired or used tokens are deleted and cannot be replayed.

Access & security logs

Access and security logs (which may include request timestamps, authentication events, and error diagnostics) are retained for a limited period to maintain service integrity, detect and investigate abuse, and meet our security obligations. These logs are rotated and deleted on a rolling basis once that period elapses. Where a log entry is relevant to an ongoing security investigation or legal matter, it may be preserved until that matter is resolved, after which it is deleted or de-identified.

03 / Secure disposal

When a retention period ends, information is disposed of securely and in a manner reasonably calculated to prevent its reconstruction in an intelligible form, as contemplated by POPIA. For data held in object storage, this is achieved through deletion of the underlying objects. For records held in our managed databases, disposal is achieved by deletion or irreversible de-identification. Backups containing expired information are subject to their own rotation cycle and are overwritten or expired on a rolling basis; data deleted from live systems is removed from backups as those backups age out. We take reasonable steps to ensure that any processor acting on our behalf disposes of information in accordance with this policy.

04 / Access requests & PAIA

Subject to POPIA and the Promotion of Access to Information Act, 2000 (PAIA), you may request access to the personal information we hold about you, ask that it be corrected, or ask that it be deleted where we are no longer entitled to retain it. We will respond to such requests as required by those Acts and in line with the Operator’s PAIA manual. Note that, by design, once a share or file is deleted it cannot be recovered or produced. Requests may be sent to info@nanocrew.ai.

05 / Review cadence

This policy and the underlying retention schedule are reviewed at least annually, and additionally whenever there is a material change to the service, our technical infrastructure, or applicable law. The Operator’s Information Officer is responsible for maintaining this policy. Material changes will be reflected by updating the date below and, where appropriate, by notice through the service. As noted above, this document is a template and should be finalised with the Operator’s legal counsel before being relied upon.

Last updated: June 2026 · Municipex (Pty) Ltd t/a NanoCrew · info@nanocrew.ai