Legal

Privacy Policy

Last updated: 1 May 2026 · Effective: 1 May 2026

Summary: POPIA Guardian collects only the information needed to provide our service. We never sell your data, we store it in South Africa, and we will help you exercise your POPIA rights at any time.

1. Who we are

POPIA Guardian is a product of NGUNI FORCE (Pty) Ltd, a company registered in South Africa (Registration No. 2023/123456/07). We are the Responsible Party for personal information processed through our website and platform.

Our registered address is in Sandton, Johannesburg, Gauteng, South Africa. Our Information Officer can be reached at [email protected].

2. Information we collect

We collect the following categories of personal information:

Account information

Name, email address, company name, job title, and password (hashed) when you create an account.

Billing information

Payment details processed through PayFast. We do not store card numbers — these are handled by PayFast in accordance with PCI DSS.

Usage data

How you interact with our platform — pages visited, features used, session duration. Used to improve the product.

Platform content

Data you upload or create in the platform — data maps, policy documents, DSAR records, and consent logs. You own this data; we process it only to provide the service.

Communications

Messages you send us via email or our contact form.

Technical data

IP address, browser type, and device information collected automatically when you use our website.

3. How we use your information

We process your personal information for the following purposes, on the lawful bases indicated:

PurposeLawful basis
Providing and operating the POPIA Guardian platformContract
Processing payments and managing billingContract
Sending service notifications and updatesContract / Legitimate interest
Responding to support queriesContract / Legitimate interest
Improving our product through usage analyticsLegitimate interest
Sending marketing emails (you can opt out at any time)Consent
Complying with legal obligationsLegal obligation

4. Sharing your information

We never sell your personal information. We share it only in the following limited circumstances:

  • Service providers (Operators): Companies that help us deliver our service — hosting (AWS Cape Town), email delivery (Postmark), and payments (PayFast). All are bound by data processing agreements.
  • Legal requirements: Where we are required to disclose information by South African law or a valid court order.
  • Business transfers: If NGUNI FORCE (Pty) Ltd is acquired or merges, personal information may transfer to the acquiring entity, subject to equivalent privacy protections.

5. How long we keep your information

We retain personal information only as long as necessary for the purpose it was collected:

  • Account data: retained for the duration of your account, plus 1 year after closure.
  • Billing records: 5 years, as required by SA tax law.
  • Platform content (data maps, policies, DSAR records): retained until you delete them or close your account.
  • Server logs: 90 days.
  • Marketing consent records: retained for as long as you are subscribed, plus 3 years.

6. Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, or destruction. These include:

  • 256-bit TLS encryption for all data in transit.
  • AES-256 encryption for data at rest.
  • Multi-factor authentication for all internal systems.
  • Regular penetration testing by independent SA security firms.
  • Role-based access controls limiting who can access personal data.
  • All servers located in South Africa (AWS af-south-1, Cape Town).

7. Your rights under POPIA

As a data subject under POPIA, you have the following rights:

Right of access

Request a copy of the personal information we hold about you.

Right to correction

Ask us to correct inaccurate or incomplete information.

Right to deletion

Request deletion of your personal information, subject to legal retention requirements.

Right to object

Object to processing based on legitimate interest, including direct marketing.

Right to complain

Lodge a complaint with the Information Regulator if you believe we have violated POPIA.

Right to data portability

Receive your platform content in a machine-readable format.

To exercise any of these rights, submit a DSAR at /dsar or email [email protected]. We will respond within 30 days as required by POPIA.

8. Cookies

We use cookies and similar technologies to operate our platform and improve your experience. For full details, see our Cookie Policy.

9. Third-party services

Our platform integrates with the following third-party services, each governed by their own privacy policies:

  • PayFast — payment processing
  • Postmark — transactional email delivery
  • AWS (Cape Town region) — cloud infrastructure
  • Sentry — error monitoring (anonymised)

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by updating the "last updated" date at the top of this page. Continued use of the platform after changes constitutes acceptance.

11. How to contact us

NGUNI FORCE (Pty) Ltd

Information Officer: [email protected]

General enquiries: [email protected]

Sandton, Johannesburg, Gauteng, South Africa