POPIA Compliance Notice

1. Responsible Party

The Responsible Party for purposes of POPIA is:

Paarl IT
info@paarlit.co.za
+27 21 501 0105
Paarl, Western Cape, South Africa

2. Information Officer

We have appointed an Information Officer responsible for overseeing our POPIA compliance:

Paarl IT
info@paarlit.co.za

Our Information Officer is registered with the Information Regulator of South Africa.

3. Personal Information We Process

We process the following categories of personal information:

4. Conditions for Lawful Processing

We process personal information only when at least one of the following conditions is met:

• Consent: The data subject has given specific, informed, and voluntary consent
• Contract: Processing is necessary to perform a contract to which the data subject is a party
• Legal obligation: Processing is required to comply with a legal obligation
• Legitimate interest: Processing is necessary for our legitimate business interests, where not overridden by the data subject's rights
• Public interest: Where required or permitted by law

5. Purpose Limitation

Personal information is collected for specific, explicitly defined purposes. We do not process personal information in a manner incompatible with those purposes. Specifically:

• Customer data is used to deliver services, process payments, and communicate about accounts
• Technical data is used for security monitoring and service improvement
• Marketing communications are only sent with consent and may be opted out at any time

6. Operators (Third Parties)

We use the following operators who process personal information on our behalf, under data processing agreements:

• iKhokha — payment processing
• PayFast (DPO PayGate) — recurring billing and online payments
• The Courier Guy / Shiplogic — logistics and delivery
• Hetzner / VPS hosting provider — infrastructure and data hosting
• Google / Microsoft — email service

We do not sell personal information to any third party.

7. Cross-Border Transfers

Some of our operators may be based outside South Africa. Where personal information is transferred across borders, we ensure the recipient country or organisation provides an adequate level of protection equivalent to POPIA, or we have appropriate safeguards in place.

8. Data Subject Rights

You have the following rights under POPIA:

• Right to be notified (Section 18): To be informed when we collect your personal information
• Right of access (Section 23): To request access to your personal information we hold
• Right to correction (Section 24): To request correction of inaccurate or outdated information
• Right to object (Section 11(3)): To object to processing on grounds of legitimate interest or direct marketing
• Right to complain (Section 74): To lodge a complaint with the Information Regulator

To exercise any of these rights, submit a written request to info@paarlit.co.za. We will respond within 30 days as required by POPIA.

9. Security Measures

We implement the following security measures to protect personal information:

• Data encrypted at rest and in transit (HTTPS/TLS)
• Passwords hashed using bcrypt — never stored in plain text
• Role-based access control — staff access data on a need-to-know basis
• Regular security monitoring and IP-based threat detection
• Secure, isolated hosting environment

10. Data Breach Notification

In the event of a data breach that poses a risk to the rights of data subjects, we will:

• Notify the Information Regulator as soon as reasonably possible
• Notify affected data subjects where required
• Take immediate steps to contain and remedy the breach

11. Complaints to the Information Regulator

If you believe your personal information rights have been infringed, you may lodge a complaint directly with the Information Regulator of South Africa:

12. Review of This Notice

This POPIA Compliance Notice is reviewed annually and updated as required. Last reviewed: 2026.