Legal

POPIA Notice

Last updated: 4 April 2026

Responsible Party

Akha Digital (Pty) Ltd is the responsible party as defined in Section 1 of the Protection of Personal Information Act 4 of 2013 (POPIA).

Responsible PartyAkha Digital (Pty) Ltd
Information Officerprivacy@akhadigital.co.za
Registered AddressCape Town, South Africa
PAIA ManualAvailable on request

What is POPIA?

The Protection of Personal Information Act (POPIA) is South Africa's data protection law, effective since 1 July 2021. It regulates how organisations collect, process, store, and share personal information. POPIA gives you rights over your personal information and imposes obligations on responsible parties like Akha.

Information We Process

CategoryExamplesPurpose
IdentityName, ID number, company registrationAccount creation, verification
ContactEmail, phone, addressCommunication, notifications
FinancialRevenue data, bank statements, tax clearanceAkha Score calculation, funder matching
ComplianceCIPC certificates, B-BBEE, BO declarationsDocument verification, trust badges
AssessmentQuestionnaire responses, scoresReadiness scoring, roadmap generation
TechnicalIP address, device info, session dataSecurity, performance optimisation
CommunicationMessages, support ticketsCustomer support, service improvement

Special Personal Information

We do not intentionally collect special personal information as defined in POPIA Section 26 (race, ethnicity, religion, health, sexual orientation, political persuasion, trade union membership, biometric data, or criminal behaviour). Where B-BBEE-related demographic data is voluntarily provided, it is processed solely for compliance scoring purposes with your explicit consent.

Lawful Basis for Processing

We process personal information under the following POPIA Section 11 grounds:

  • Consent (s11(1)(a)): You consent when registering, uploading documents, and granting vault access.
  • Contract (s11(1)(b)): Processing necessary to perform the services you signed up for.
  • Legal obligation (s11(1)(c)): Processing required by FICA, the Companies Act, or tax legislation.
  • Legitimate interest (s11(1)(f)): Anonymised analytics to improve the Platform, where this does not prejudice your rights.

POPIA Processing Conditions

We adhere to all eight conditions for lawful processing:

  1. Accountability: We take responsibility for compliance with POPIA.
  2. Processing limitation: We collect only what is necessary for defined purposes.
  3. Purpose specification: Information is collected for specific, lawful purposes disclosed in this notice.
  4. Further processing limitation: We do not process information for incompatible purposes.
  5. Information quality: We take reasonable steps to ensure accuracy and completeness.
  6. Openness: We are transparent about our processing activities through this notice.
  7. Security safeguards: We implement technical and organisational measures to protect information.
  8. Data subject participation: You can access, correct, and delete your information.

Information Sharing

We share personal information with:

  • Funders: Only through explicit Compliance Vault permissions you grant. Anonymous teasers do not reveal identity.
  • Consultants: Only when you add them to your workspace with defined access levels.
  • Infrastructure providers: AWS (hosting), Payfast (payments), and email services under POPIA-compliant processing agreements.
  • Regulatory authorities: When required by law, subpoena, or court order.
  • Professional advisors: Legal and audit advisors under confidentiality obligations.

Trans-border Data Transfers

Our infrastructure is hosted on AWS in regions that may include servers outside South Africa. In accordance with POPIA Section 72, we ensure that any trans-border transfer is to a jurisdiction with adequate data protection, or is subject to binding agreements that provide equivalent safeguards.

Retention Periods

Data TypeRetentionBasis
Account dataActive account + 2 yearsContractual
Assessment scoresActive account + 5 yearsLegitimate interest
Vault documentsUntil deleted by youConsent
Audit logs7 yearsFICA / Companies Act
Financial records5 yearsTax Administration Act
Analytics24 months (anonymised)Legitimate interest

Your Rights Under POPIA

You have the right to:

  • Be informed: Know what information we hold and how we process it.
  • Access: Request a copy of your personal information.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request destruction of personal information no longer needed.
  • Object: Object to processing on reasonable grounds.
  • Complain: Lodge a complaint with the Information Regulator.

To exercise any right, email privacy@akhadigital.co.za. We will respond within 30 days as required by POPIA.

Data Breach Notification

In the event of a personal information breach that poses a risk to you, we will notify you and the Information Regulator as soon as reasonably possible after becoming aware of the breach, in accordance with POPIA Section 22.

Our notification will include the nature of the breach, the information affected, measures taken to address it, and recommended steps you can take.

Complaints Procedure

If you believe your POPIA rights have been violated:

  1. Contact us first: Email privacy@akhadigital.co.za. We aim to resolve complaints within 30 days.
  2. Escalate to the Regulator: If unsatisfied, lodge a complaint with the Information Regulator of South Africa.
  3. Legal recourse: You may approach a court for relief under POPIA Section 99.

Information Regulator
Email: enquiries@inforegulator.org.za
Tel: 012 406 4818
Website: inforegulator.org.za

Information Officer

Akha Digital (Pty) Ltd
Information Officer: privacy@akhadigital.co.za
Cape Town, South Africa

Related: Privacy Policy · Terms of Use · Security