1. Introduction
Artemis Innovations (Pty) Ltd ("we", "us", or "our") operates the POPIAdesk platform ("Service"). We are committed to protecting your personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA) and the Electronic Communications and Transactions Act, 2002 (ECTA).
This Privacy Policy explains what personal information we collect, how we use it, who we share it with, how long we keep it, and what rights you have.
3. Personal Information We Collect
We collect the following categories of personal information:
3.1 Information you provide
- Account details: name, email address, organisation name, and password (stored as a salted hash — we never store your password in plain text).
- Organisation profile: registration number, industry, employee count, B-BBEE level, and compliance-related flags (e.g. whether you process children's data, conduct cross-border transfers, or do direct marketing).
- Document data: information you enter into compliance document wizards (e.g. information officer name, data categories, retention periods).
- Assessment responses: answers to readiness assessments and gap analyses.
- Data subject requests: requester name, email, and ID number hash for DSR processing.
- Supplier records: supplier name, contact email, DPA status.
3.2 Information collected automatically
- Audit logs: action type, timestamp, IP address, and entity references for security and compliance purposes.
- Error tracking: anonymised error reports via Sentry for service reliability. No personal information is deliberately included.
3.3 Website Scanner data
Our free public website compliance scanner collects the website address (URL) you submit, the email address you provide to receive the report, and the IP address of the request. We use this information only to run the scan, to apply rate limiting and prevent abuse, and to email you the resulting report. Scanner data is not used to market to you and is retained only as long as needed for these purposes before it is deleted.
4. Purpose of Processing
We process your personal information for these specific purposes:
- Service delivery: to create your account, generate compliance documents, process assessments, manage DSRs, and provide the Service (legal basis: contract).
- Billing: to process subscription payments via PayFast (legal basis: contract).
- Security: to maintain audit logs, detect fraud, and protect the Service (legal basis: legitimate interest).
- Service emails: to send verification emails, password resets, invitation links, and trial reminders (legal basis: contract).
- Legal compliance: to comply with applicable laws and respond to lawful requests (legal basis: legal obligation).
5. Third-Party Sharing
We share personal information only with the following categories of third parties, and only to the extent necessary:
- PayFast (Pty) Ltd: payment processing. We do not store your credit card details — PayFast handles all payment data directly. See PayFast Privacy Policy.
- Resend (via US infrastructure): transactional email delivery. Only your email address and email content are shared.
- Sentry: error monitoring. Anonymised error data only — no personal information is deliberately included.
- Backblaze B2: document storage (generated PDFs). Files are encrypted at rest.
We do not sell, rent, or trade your personal information to any third party.
6. Cross-Border Transfers
Your data is stored on South African–hosted infrastructure. Some third-party services (Resend, Sentry, Backblaze) may process data outside South Africa. Where this occurs, we ensure adequate safeguards are in place as required by POPIA Section 72.
7. Data Retention
We retain your personal information as follows:
- Active accounts: data is retained for as long as your account is active and your subscription is current.
- After cancellation: you have 30 days to export your data. After 60 days, all organisation data is permanently deleted.
- Audit logs: retained for 12 months for security and compliance purposes, then automatically purged.
- Account deletion: upon request, your account and all associated data will be deleted within 30 days.
8. Security Safeguards
We implement appropriate technical and organisational measures:
- Encryption in transit (TLS) and at rest.
- Row-level security (RLS) in our database ensuring strict tenant isolation.
- Salted password hashing (Argon2id) with breach detection.
- JWT-based session management with token version checks.
- HMAC-SHA256 verification on payment webhooks.
- Comprehensive audit logging of all data access and mutations.
- IP-based access restrictions on API endpoints where applicable.
9. Your Rights (POPIA Data Subject Rights)
Under POPIA, you have the right to:
- Access: request confirmation of whether we hold your personal information and obtain a copy.
- Correction: request correction of inaccurate or incomplete personal information.
- Deletion: request deletion of your personal information. You can delete your account at any time from your profile settings.
- Objection: object to the processing of your personal information for direct marketing or on grounds relating to your particular situation.
- Data portability: export your data (documents, assessments, DSR records, data maps, supplier records, and audit logs) from your profile settings.
- Complaint: lodge a complaint with the Information Regulator if you believe your rights have been violated.
To exercise any of these rights, email privacy@popiadesk.co.za or use the self-service options in your account settings.
10. Cookies
POPIAdesk uses only essential cookies required for the Service to function (authentication session cookies). We do not use tracking cookies, analytics cookies, or advertising cookies.
If we introduce non-essential cookies in future, we will obtain your consent before setting them.
11. Breach Notification
In the event of a personal information breach that poses a risk to you, we will:
- Notify the Information Regulator within 72 hours of becoming aware of the breach.
- Notify affected data subjects as soon as reasonably possible.
- Provide details of the nature of the breach, potential consequences, and measures taken.
12. Children's Information
POPIAdesk is not directed at children under 18 and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate consent, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before they take effect. The latest version will always be available at this page.
14. Information Regulator
If you are unsatisfied with how we handle your personal information, you may lodge a complaint with:
15. Contact Us
For any questions about this Privacy Policy or to exercise your data subject rights, contact us at: