South African Privacy Law

POPIA Notice

Protection of Personal Information Act 4 of 2013. Last updated: 4 April 2026

The Protection of Personal Information Act 4 of 2013 (POPIA) regulates how organisations in South Africa collect, store, use, and share personal information. This notice sets out how Akha Integrated Platform (Pty) Ltd complies with POPIA and what rights you have as a data subject. This notice should be read together with our Privacy Policy.

1. Responsible Party

Entity: Akha Integrated Platform (Pty) Ltd
Registration: Registered in the Republic of South Africa
Information Officer: Data Protection Officer

Akha has registered its Information Officer with the Information Regulator as required under section 55 of POPIA and has developed and implemented a POPIA compliance framework.

2. What is POPIA?

POPIA is South Africa's primary data protection legislation. It came into full effect on 1 July 2021 and establishes minimum requirements for the lawful processing of personal information. It applies to every responsible party that processes personal information in South Africa, regardless of whether processing is automated or manual.

POPIA grants individuals (data subjects) rights including the right to access their personal information, correct inaccurate data, object to processing, and lodge complaints with the Information Regulator. Organisations that fail to comply face fines of up to R10 million and/or imprisonment.

3. Information We Process

Depending on your role on the Platform, we process the following categories of personal information:

| Category | Examples | Applies To |
| --- | --- | --- |
| Identity | Full name, ID number, date of birth | All users |
| Contact | Email, phone number, business address | All users |
| Account & Auth | Login credentials, OTP history, session data | All users |
| Business | Company reg. no., CIPC status, B-BBEE level, tax clearance, financials | Founders / SMEs |
| Financial | Bank account details, wallet balance, transaction history | Founders / Funders |
| Professional | Qualifications, accreditations, firm registration | Consultants / Funders |
| Assessment | Akha Score, questionnaire responses, remediation tasks | Founders / SMEs |
| Communications | Messages sent via platform chat, WhatsApp opt-in status | All users |
| Technical | IP address, device type, browser, usage logs | All users |

4. Special Categories of Information

POPIA provides heightened protection for certain categories of personal information including race/ethnic origin, health, biometrics, trade union membership, religious and political beliefs, criminal record, and children's data.

The Akha Platform does not intentionally collect special-category information as part of its standard operation. However, B-BBEE assessments may touch on race/ethnic composition of ownership and management. This information is:

  • Collected only with your explicit consent
  • Used exclusively for B-BBEE score calculation and compliance reporting
  • Never used for profiling, discrimination, or marketing purposes
  • Subject to enhanced security controls and access restrictions

5. Lawful Basis for Processing (POPIA s.11)

Under POPIA s.11, personal information may only be processed if at least one lawful ground is met. Our processing relies on the following grounds:

Consent

You have given consent to the processing of your personal information, for example opting in to WhatsApp notifications or agreeing to share your VDR with a specific funder.

Contract

Processing is necessary to fulfill our obligations to you under the Terms of Use, for example generating your Akha Score, managing your account, or processing wallet transactions.

Legal Obligation

Processing is required to comply with a legal obligation, for example FICA customer due diligence, SARS tax record-keeping obligations, or court orders.

Legitimate Interest

Processing is necessary for our legitimate interests or those of a third party, for example platform security, fraud prevention, and aggregate market analytics, where these do not override your interests.

6. POPIA's Eight Processing Conditions

POPIA establishes eight conditions for lawful processing. Here is how Akha applies each condition:

1. Accountability

Akha takes responsibility for ensuring that the conditions in POPIA are complied with at the time of collection and during subsequent processing.

2. Processing Limitation

We collect personal information only for the specific, explicitly defined purposes set out in this notice and do not process it further in a way incompatible with those purposes.

3. Purpose Specification

Purposes are clearly communicated at the point of collection. We do not retain personal information longer than necessary.

4. Further Processing Limitation

Personal information will not be used for secondary purposes that are incompatible with the original purpose of collection.

5. Information Quality

We take reasonable steps to ensure personal information is complete, accurate, and up to date, particularly where it may affect a decision.

6. Openness

We maintain this POPIA notice and Privacy Policy so that data subjects are aware of our identity, purposes, and contact details.

7. Security Safeguards

We implement technical and organisational security measures appropriate to the risk, type, and confidentiality of the personal information held.

8. Data Subject Participation

We honour data subject requests to access, correct, or delete personal information and provide clear channels for doing so.

7. Sharing Your Information

We share personal information only in the following circumstances:

Funders / Investors

Only when you explicitly grant access to your VDR profile. You control what is shared and can revoke access at any time.

Consultants

Only when you authorise a Consultant to manage your profile. Their access is logged and can be revoked.

Service Operators (Operators)

Cloud infrastructure (GCP), payment processors (Stripe), authentication providers (Firebase), and document storage providers, all under binding data processing agreements (DPAs) that meet POPIA operator requirements.

Regulatory / Legal Disclosure

Government authorities, regulators, or courts when required by law, including SARS, FSCA, CIPC compliance requests, and FICA reporting obligations.

Business Transfer

In the event of a merger, acquisition, or sale, personal information may be transferred to the successor entity subject to equivalent protections.

8. Trans-border Data Flows

POPIA section 72 restricts the transfer of personal information outside South Africa unless the recipient country provides an adequate level of protection, or appropriate safeguards are in place.

Where Akha uses service providers that process data in other jurisdictions (e.g., Google Cloud regions outside South Africa), we ensure compliance by:

  • Entering into binding Data Processing Agreements (DPAs) with all operators
  • Preferring Google Cloud africa-south1 (Johannesburg) as the primary data region
  • Using Standard Contractual Clauses (SCCs) where data must leave South African jurisdiction
  • Conducting transfer impact assessments where required

9. Retention

We retain personal information only for as long as necessary to fulfill the purpose of collection or as required by applicable law.

| Data Type | Retention Period |
| --- | --- |
| Active account data | Duration of account plus 90 days |
| Akha Score history | 5 years (for audit and dispute resolution) |
| Financial transaction records | 5 years (FICA / SARS requirement) |
| Compliance documents (VDR) | 7 years after last use (NCA / SARS) |
| Access logs | 12 months rolling |
| Security event logs | 3 years |
| Anonymised analytics | Indefinitely |

10. Your Rights as a Data Subject

Under POPIA, you have the following rights. You may exercise any of these by contacting privacy@akha.co.za. We will respond within 30 days.

Right to Access

Request a copy of the personal information we hold about you.

Right to Correction

Request correction of inaccurate, incomplete, or outdated personal information.

Right to Deletion

Request deletion of personal information where we no longer have a lawful basis for processing, subject to legal retention obligations.

Right to Object

Object to the processing of your personal information where we rely on legitimate interest.

Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent. Withdrawal does not affect prior lawful processing.

Right to Complain

Lodge a complaint with the Information Regulator if you believe we have violated your privacy rights.

11. Data Breach Notification

In the event of a security compromise that is reasonably likely to result in harm to a data subject, Akha will:

1. Notify the Information Regulator as soon as reasonably possible after becoming aware of the breach
2. Notify affected data subjects directly, via email and in-platform notification
3. Provide information on the nature of the compromise, the personal information affected, and recommended protective steps
4. Maintain an internal breach register and document the remediation actions taken

12. Complaints Procedure

If you believe Akha has violated your privacy rights, please follow these steps:

1. Contact Us First

Email privacy@akha.co.za describing your concern. We will acknowledge receipt within 5 business days and respond within 30 days.

2. Internal Escalation

If unsatisfied with the initial response, request escalation to the Information Officer in writing.

3. Information Regulator

If the matter remains unresolved, you may lodge a complaint with the South African Information Regulator.

Information Regulator (South Africa)

Website: www.inforegulator.org.za

Email: inforeg@justice.gov.za

Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

13. Contact the Information Officer

For any queries, access requests, or complaints relating to your personal information, contact our Information Officer:

Akha Integrated Platform (Pty) Ltd, Information Officer

Email: privacy@akha.co.za

Subject line: POPIA Request: [Your Name]