Embedded Files
1. Introduction and Scope
1.1. Identification of the Responsible Party
Pocketfind (RF) Pty Ltd (hereafter referred to as "Pocketfind," "the Company," "we," "us," or "our") is the "Responsible Party" as defined by the Protection of Personal Information Act (POPIA). In this capacity, we serve as the primary custodian of the digital ecosystem and are responsible for determining the purpose and means for processing personal information.
Our commitment to data privacy is integrated into our corporate hierarchy, with ultimate oversight provided by the Chief Executive Officer (CEO), who acts as the highest authority for statutory compliance and governance. Operational accountability is managed by our designated Information Officer, ensure that our data practices remain transparent, auditable, and compliant with South African regulatory standards.
As a registered entity, we ensure that all processing activities—from user onboarding to financial payouts, are conducted with the technical and organizational safeguards necessary to protect your digital identity.
1.2. Scope of the Digital Ecosystem
This Privacy Policy applies to all data subjects who interact with the Pocketfind and Supanect digital infrastructure. The scope of our ecosystem is designed to ensure that every participant, from casual users to professional service providers, is protected by our unified governance standards.
The digital ecosystem encompasses the following participant categories:
Users and Consumers: Individuals utilizing the "Supa" suite of applications for personal services, commerce, or social interaction.
Service Providers and Merchants: Businesses, independent contractors, and professional entities listed within the our platforms and delivery frameworks who provide services to the community.
Ambassadors and Consultants: Internal and external growth representatives responsible for ecosystem expansion, referral tracking, and business onboarding.
Delivery and Logistics Fleet: Personnel involved in the fulfilment of orders and ride-hailing services managed through our logistics engine.
1.3. Internal Governance & The "Hand-in-Glove" Approach
To ensure that the promises made in this Privacy Policy are matched by our internal actions, Pocketfind operates under a "Hand-in-Glove" governance model. This means our public privacy commitments are directly enforced by our internal Standard Operating Procedures (SOPs), creating a seamless link between digital policy and operational execution.
Policy-to-SOP Alignment: Every data protection promise in this document is mapped to a specific internal control within our Governance, Technology, and Operations SOPs.
Centralized Oversight: The CEO acts as the Compliance Custodian, ensuring that departmental activities in Finance, Growth, and Operations never bypass established privacy gates.
The "Umbrella" Mandate: Our Governance SOP serves as the single source of truth that centralizes compliance, oversight, and escalation protocols across all departments to prevent "siloed" data handling.
Zero-Tolerance for Overrides: Our internal governance strictly prohibits bypassing compliance safeguards; any systemic failure or unauthorized data access is escalated immediately to the Compliane Team.
Audit-Ready Integrity: We maintain a 100% audit-ready digital trail of all data processing activities, ensuring that our internal execution can withstand external statutory scrutiny at any time.
1.4. Statutory Alignment (POPIA, FICA, RICA, SARB)
Pocketfind operates within a highly regulated environment, and our data processing activities are strictly aligned with South African statutory frameworks to ensure legal standing and consumer protection. This alignment is a non-negotiable governance objective that overrides departmental discretion.
Our ecosystem is engineered to meet the following regulatory requirements:
POPIA (Protection of Personal Information Act): We serve as the "Responsible Party," ensuring that all personal data—including identity, financial, and location data—is processed lawfully, transparently, and with adequate security safeguards.
FICA (Financial Intelligence Centre Act): To prevent financial crime and maintain financial integrity, we perform mandatory "Know Your Customer" (KYC) verifications. This includes validating bank account ownership and identity documents before wallet activations or payouts are authorized.
RICA (Regulation of Interception of Communications and Provision of Communication-Related Information Act): We adhere to RICA requirements regarding the collection and storage of communication-related metadata to ensure the integrity of our digital interactions.
SARB (South African Reserve Bank): Our data retention and financial reporting protocols are designed to satisfy SARB requirements for audit-ready records of all internal wallet transfers and financial transactions.
SARS (South African Revenue Service): We maintain accurate records of merchant transactions to ensure 100% compliance with statutory taxation and reporting obligations.
2. Information We Collect
2.1. Data Linked to Your Identity
We collect the following information, which is directly linked to your account and identity to ensure a secure, accountable environment within the ecosystem:
Full Name and Contact Details: We collect your first and last name, mobile phone number, and email address to facilitate account creation, secure logins, and Multi-Factor Authentication (MFA).
Government-Issued Identification: For Service Providers, Merchants, and Delivery Fleet personnel, we collect National ID or Passport copies to perform mandatory SAPS Criminal Record Clearances and identity cross-referencing. Drivers license copies are collected for fleet drivers.
Proof of Residence: As part of our FICA and RICA compliance boundaries, we collect residential or business address documentation to verify the physical location of participants.
Profile Imagery: We collect photos provided for user profiles and business listings to enhance trust and allow for visual verification during service delivery.
Business Registration Data: For merchants and professional entities, we collect formal registration documents to validate the legal standing of the provider before they are listed in the "Explore Nearby" ecosystem.
2.2. Financial and Purchase Information (FICA & SARB)
In compliance with the Financial Intelligence Centre Act (FICA) and South African Reserve Bank (SARB) regulations, Pocketfind collects and processes financial data to maintain a secure and transparent payment ecosystem. This data is essential for enabling wallet activations, processing payouts, and preventing financial crime.
We collect the following financial and purchase-related information:
Verified Banking Details: To facilitate secure payouts and commissions, we collect bank account numbers, branch codes, and account holder names.
Proof of Bank Account Ownership: In line with our internal policies, we require a bank confirmation letter or statement (not older than three months) to verify that funds are being directed to the correct, legally validated recipient.
Transaction History: We record all digital ledger movements, including internal wallet transfers, merchant sales, and referral commissions, to ensure a 100% audit-ready financial trail.
Tax Information: We collect SARS-related data, such as Tax Identification Numbers, as required for statutory reporting and merchant compliance.
Payment Metadata: We capture details regarding successful or failed payment attempts, including timestamps and provider references (e.g., Paystack transaction IDs), to facilitate dispute resolution and refund management.
2.3. Precise Location & GPS Data
In accordance with App Privacy requirements regarding "Precise Location," this section discloses how and why we process your geographical data. Our use of GPS data is strictly functional and governed by our internal policies to ensure service integrity.
Service Fulfilment & Logistics: We collect precise GPS coordinates to facilitate real-time tracking for the delivery fleet and ride-hailing services, ensuring accurate arrival estimates and secure handovers.
"Explore Nearby" Accuracy: For users seeking local services, we use location data to surface the most relevant merchants and providers within your immediate vicinity.
Verification & Digital Timestamps: To maintain our "Gold Standard" for safety, our system captures location-stamped data at the moment of merchant onboarding and service completion to prevent fraudulent activity and verify that services were rendered at the correct physical location.
Safety & Incident Response: Precise location is utilized to assist in emergency response or dispute resolution during active service windows.
No Background Tracking without Purpose: We do not track your location in the background unless it is essential for an active service you have requested (e.g., a live delivery or ride).
2.4. Service Specific Privacy Practices
Tracking Services: We collect and process location data only when users opt in to tracking features. Location data is stored securely and used solely for family, employee, or asset tracking. Tracking is strictly opt‑in, requiring explicit user consent. Data is retained only for the duration of the service and may be deleted upon user request.
Medical Consultation: Patient data, including video consultations and health records, is encrypted and transmitted securely. We comply with POPIA and applicable healthcare regulations to protect patient confidentiality. Medical services are provided exclusively by licensed professionals whose credentials are verified before onboarding.
Alcohol Delivery: Alcohol delivery services require proof of age. Customers must present valid identification at delivery. Users under the legal drinking age are prohibited from accessing alcohol services. Delivery is restricted to jurisdictions where alcohol distribution is legally permitted.
2.5. User Content & Verification Media
To maintain a "Gold Standard" for safety and authenticity within the digital ecosystem, Pocketfind processes media and content provided by users. This collection is essential for verifying the legitimacy of merchants and the quality of services rendered.
In accordance with Mobile Applications Privacy requirements for "User Content," we collect the following:
Profile and Display Photos: We collect images uploaded by users, ambassadors, and service providers to personalize the experience and provide visual identification during service interactions.
Verification Media: As mandated by our Operations SOP, we collect photos of physical business premises, service certifications, and ID documents. This media is used exclusively to validate that a merchant or provider meets our stringent compliance benchmarks.
Service Evidence: To facilitate dispute resolution and ensure "Supa" quality standards, we may collect photos or videos uploaded as proof of service completion or as part of a delivery report.
Ratings and Reviews: We collect written feedback and star ratings provided by users. This data is used to optimize the "Explore Nearby" listings and is governed by our internal performance reporting logic.
Customer Support Communications: Any media or text shared during interactions with our support teams are logged within our secure CRM to ensure a 100% audit-ready trail of problem resolution.
2.6. Diagnostics and Device Integrity (MDM Telemetry)
In accordance with Mobile Applications Privacy requirements for "Diagnostics" and "Other Data," this section details the technical telemetry we collect to ensure system resilience and data security. This collection is governed by our Technology and Operations SOPs to maintain a 99.9% system uptime and protect against unauthorized data access.
Device Identifiers: We collect unique device IDs (such as UDID or IMEI) for all hardware used by our field teams and ambassadors. This is a core component of our Mobile Device Management (MDM) protocol, ensuring that sensitive ecosystem data is only accessed via authorized, company-managed devices.
Crash Logs and Performance Data: We collect diagnostic information regarding app crashes, memory usage, and load times. This data is used to identify technical regressions and ensure the platform remains stable for all users.
Security Telemetry: As part of our Multi-Factor Authentication (MFA) and encryption protocols, we log successful and failed login attempts, as well as the security posture of the device (e.g., whether a device is jailbroken or lacks required encryption).
System Interaction Logs: We monitor how users interact with specific app features to optimize the "Growth Engine" and improve the user interface.
Audit Trail Metadata: In line with our Governance SOP, every significant action within the app is timestamped and logged. This creates a 100% audit-ready record of system activity to prevent fraud and ensure accountability.
3. Methods of Collection & Digital Integrity
3.1. Direct vs. Automated Collection
Pocketfind ensures that all personal data is gathered through structured, secure, and transparent channels. Our collection methods are categorized into direct and automated processes, both governed by the Technology SOP to ensure data accuracy and security.
Direct Collection:
User-Provided Information: We collect information that you voluntarily enter into our applications during account registration, profile setup, or service requests.
Onboarding Documentation: For merchants and providers, merchant and service providers upload the required identity and compliance documents (e.g., ID copies, business registrations) directly onto the mobile application.
Communication: Information shared through customer support channels, email, or in-app messaging is captured directly to facilitate assistance and dispute resolution.
Automated Collection:
Precise Location Tracking: When you use our logistics or delivery services, our system automatically captures high-integrity GPS coordinates to facilitate real-time tracking and arrival estimates.
Metadata and Timestamps: Every transaction, onboarding event, and compliance check is automatically stamped with a digital date, time, and location to ensure a 100% audit-ready trail.
Device Telemetry: Our Mobile Device Management (MDM) systems automatically capture device-specific identifiers and security posture data to ensure that only authorized, secure hardware interacts with our ecosystem.
System Usage Analytics: We automatically collect data on how you navigate our app to identify performance bottlenecks and optimize the "Growth Engine" for a better user experience.
3.2. The "No Local Storage" Mandate
A cornerstone of Pocketfind’s digital integrity is the strict prohibition of local data storage on unmanaged or personal hardware. This mandate ensures that your sensitive information remains within our high-security cloud perimeter and is never vulnerable to local device theft, loss, or unauthorized access.
In accordance with our Operations and Technology SOPs, we enforce the following:
Zero Local Footprint: Pocketfind applications are designed to act as secure portals; data captured or service delivery is transmitted immediately to our encrypted servers and is not saved to the device’s local storage, gallery, or cache.
Prohibition of Personal Devices: Our internal "No-Go Rules" strictly forbid ambassadors, consultants, and field staff from using personal laptops, tablets, or phones to store applicant, referral, or merchant data.
Encrypted Transmission: All data in transit between the mobile application and our centralized CRM is protected by Industry-standard Transport Layer Security (TLS) encryption.
Automated Clearing: Our managed applications include protocols to automatically clear temporary session data, ensuring that no residual "digital breadcrumbs" remain on the hardware after a task is completed.
4. Purpose of Data Processing
4.1. Powering the Growth Engine & Referral Logic
The primary purpose of processing personal data within our ecosystem is to drive the "Growth Engine", a proprietary logic that facilitates community-led expansion, accurate referral tracking, and automated commission structures. This process is governed by the Growth SOP to ensure that every interaction is traceable and brings value to the ecosystem.
We process data for the following growth-related purposes:
Referral Tracking and Validation: We use unique identifiers and referral codes to link new users, merchants, and providers to the specific Ambassadors or Consultants who onboarded them. This ensures that the "Chain of Growth" is accurately recorded for performance reporting and audit readiness.
Automated Commission/Referral Calculation: Our system processes transaction and onboarding data to automatically calculate and distribute commissions and incentives. This ensures that "Growth Ambassadors" are rewarded accurately based on verified, non-fraudulent activity.
Ecosystem Velocity Analytics: We aggregate anonymized data to measure "onboarding velocity" and "referral ROI." This allows us to optimize the Growth Engine by identifying high-performing sectors (such as Health, Education, or Professional Services) and geographical regions.
Targeted Merchant Matching: By processing location and service category data, we power the "Explore Nearby" logic, ensuring that users are connected with the most relevant service providers in their immediate vicinity.
Incentive Alignment: We use performance data to align internal incentives with our "Gold Standard" benchmarks, ensuring that growth is not just fast, but compliant and sustainable.
4.2. Security, Fraud Prevention, and Verification
A primary purpose for processing personal and device data is to maintain the "Gold Standard" of safety and integrity within the ecosystem. We use collected data to build a proactive defence against fraud and to ensure that all participants are who they claim to be.
SAPS and Identity Verification: We process identification documents and biometric data to facilitate SAPS Criminal Record Clearances for all service providers and fleet personnel. This ensures that the ecosystem remains a safe environment for all users.
Fraud Detection and Prevention: We analyse transaction patterns, device identifiers, and metadata to identify and flag anomalous behaviour. Our CRM automatically flags inconsistencies in referral data or financial movements for manual review.
Digital "Proof of Life" & Presence: We use GPS data and digital timestamps to verify that services (such as deliveries or on-site consultations) were physically performed at the correct location, preventing "ghost" transactions and fraudulent commission or rewards claims.
Multi-Factor Authentication (MFA): We use your contact information to deliver MFA codes, ensuring that only authorized users can access sensitive wallet features or personal profiles.
System Resilience: Diagnostic data and system logs are processed to detect security breaches or unauthorized access attempts in real-time, allowing our Technology Lead to initiate rapid response protocols.
4.3. Statutory and Audit Compliance
Beyond operational growth and security, Pocketfind processes personal data to fulfil its legal obligations as a "Responsible Party" within the South African regulatory landscape. This processing ensures that our digital ecosystem remains 100% audit-ready and compliant with national laws governing finance, communications, and data privacy.
Regulatory Record-Keeping: We process and retain identity and financial data to satisfy the record-keeping requirements of FICA and SARB. This allows us to provide a transparent audit trail of "Know Your Customer" (KYC) verifications and wallet transactions to regulatory authorities when requested.
Taxation and Financial Reporting: In alignment with our Finance SOP, we process merchant and consultant transaction data to generate accurate tax reports for SARS. This ensures that all platform-generated income is correctly accounted for and compliant with statutory taxation laws.
Audit Trail Integrity: Our system processes metadata (timestamps, user IDs, and action logs) to create a permanent, tamper-proof record of every significant administrative action. This "Golden Standard" for logging ensures that we can withstand external audits from statutory bodies.
Legal and Claims Management: We process information to manage and defend legal claims, insurance requirements or to comply with a court order or subpoena.
Compliance Safeguards ("No-Go Rules"): Data is processed through automated "Compliance Gates" within our CRM. If a user or merchant fails to provide the required statutory data (e.g., valid ID or proof of residence), the system automatically restricts their participation in the ecosystem until they are compliant.
5. Legal Basis for Processing
5.1. Consent and Contractual Necessity
In accordance with POPIA, Pocketfind ensures that every instance of data processing is anchored in a valid legal basis. We primarily rely on your explicit consent and the necessity of data processing to fulfil our contractual obligations to you.
Explicit Consent: By registering an account and interacting with the Pocketfind ecosystem, you provide voluntary, specific, and informed consent for us to process your personal information as described in this policy.
For high-sensitivity actions—such as accessing your device’s Precise Location or Camera, our mobile applications will prompt you for specific permission. You have the right to withdraw this consent at any time through your device settings, though this may limit the functionality of certain services like real-time delivery tracking.
Contractual Necessity: Processing is required to fulfil the "Contract" between you and Pocketfind. For example, we cannot facilitate a payout to a merchant without processing their bank details, nor can we complete a delivery without processing the user's location data.
The Growth Engine and referral tracking are core components of our service agreement with Ambassadors and Consultants. Processing referral codes and performance data is a contractual necessity to ensure accurate commission payouts and ecosystem integrity.
Legitimate Interest: We process certain data (such as device identifiers and system logs) based on our legitimate interest in maintaining a secure, fraud-free environment and ensuring 99.9% system uptime as mandated by our Technology SOP.
5.2. Compliance with South African Law (POPIA, FICA, RICA)
Pocketfind is a South African entity, and our data processing is fundamentally driven by the need to comply with specific national statutes. In many instances, the collection of your data is not merely a service preference, but a legal obligation imposed on us as a Responsible Party.
Under POPIA Section 11(1)(c), we are authorized to process personal information where it is necessary to comply with an obligation imposed by law. These obligations include:
POPIA (Protection of Personal Information Act): We process data to uphold your rights to privacy while ensuring our operations meet the "Eight Conditions for Lawful Processing," including accountability, processing limitation, and security safeguards.
FICA (Financial Intelligence Centre Act): As part of our commitment to preventing money laundering and terrorist financing, FICA mandates that we identify and verify the identity of our clients (KYC). This includes the collection of ID documents, proof of residence, and the verification of bank account ownership before any financial relationship is formalized.
RICA (Regulation of Interception of Communications and Provision of Communication-Related Information Act): To assist in the prevention of criminal activity, RICA requires the verification of users associated with communication-related services. We collect and store the necessary metadata and identification details to ensure that all interactions within our digital ecosystem are traceable and legally compliant.
Tax and Corporate Law: We are required by the Companies Act and Tax Administration Act to retain records of transactions, merchant agreements, and employee/ambassador data for statutory periods (typically 5 to 7 years) to satisfy SARS and audit requirements.
6. Data Retention & Destruction
6.1. Statutory Retention Periods (SARB & SARS)
Pocketfind does not store your data indefinitely. Our retention schedule is strictly aligned with South African legislative requirements, balancing your right to privacy under POPIA with our legal obligations to maintain records for financial and tax oversight.
The following retention periods are enforced within our ecosystem:
Financial & Transactional Records (SARS): In accordance with the Tax Administration Act (28 of 2011), we retain all records related to returns, income, and business transactions for a period of 5 years from the date of submission.
Corporate Governance Records (Companies Act): General accounting records, including supporting schedules and financial statements, are retained for 7 years to ensure compliance with the Companies Act (71 of 2008).
Customer Due Diligence (FICA): To satisfy the Financial Intelligence Centre Act, records pertaining to the establishment of a business relationship (KYC documents) and transaction records are kept for 5 years from the date the business relationship is terminated or the transaction is concluded.
Communication Metadata (RICA): Data related to the provision of communication services is retained for the period prescribed by RICA, typically for a minimum of 3 years, to assist in potential law enforcement investigations.
Audit Trail & System Logs: Internal logs required for our Governance SOP are retained for the duration of the relevant statutory period to provide a 100% audit-ready trail for regulators.
6.2. Secure Deletion Protocols
Once the statutory retention period for a specific data set has lapsed, Pocketfind implements a formal "Secure Deletion" workflow. This ensures that personal information is not just removed from view but is rendered permanently irretrievable, fulfilling the "Security Safeguards" requirement of POPIA Section 19.
Our deletion protocols follow the NIST 800-88 standard for media sanitization, ensuring a high-integrity "Gold Standard" for data destruction:
Logical Sanitization (Clear/Purge): For cloud-based records and database entries, we use cryptographic erasure and multi-pass overwriting techniques. This ensures that even advanced forensic software cannot reconstruct the deleted data.
Physical Destruction: In rare cases where data is stored on physical hardware (such as decommissioned managed devices), the media is physically shredded or pulverized via certified IT Asset Disposal (ITAD) partners to ensure no data fragments remain.
Verification & Certification: Our Technology SOP mandates that every deletion event is verified. We generate a Certificate of Destruction (or a digital log equivalent) that records the date, method, and the specific data categories destroyed for our permanent audit trail.
Automatic Triggering: Our CRM is configured with automated "Data Sunset" triggers. Once a record hits its statutory limit (e.g., 5 years for FICA records), it is moved into a restricted deletion queue for final authorization by the Information Officer.
7. Security & Infrastructure Oversight
7.1. Technical Safeguards (MFA, Encryption, Firewalls)
To fulfil our role as a "Responsible Party" under POPIA Section 19, Pocketfind implements a multi-layered technical defence strategy. These safeguards are designed to protect the integrity, confidentiality, and availability of personal information against unauthorized access or systemic threats.
Our infrastructure is fortified by the following "Gold Standard" controls:
Multi-Factor Authentication (MFA): Access to the Pocketfind CRM and administrative back-ends requires more than just a password. We mandate MFA (typically via a time-based one-time password or biometric prompt) for all staff, ambassadors, and consultants to prevent account takeovers, even if credentials are compromised.
End-to-End Encryption (E2EE) & TLS: * Data in Transit: All communication between our mobile applications and cloud servers is protected by Transport Layer Security (TLS), ensuring that data cannot be intercepted or modified during transmission.
Data at Rest: Sensitive datasets, including identity documents and financial records, are stored using Advanced Encryption Standard (AES). This ensures that even in the event of physical storage compromise, the data remains unreadable without the specific cryptographic keys managed by our Technology Lead.
Next-Generation Firewalls (NGFW): Our digital perimeter is guarded by firewalls that utilize deep packet inspection and application awareness. These systems monitor incoming and outgoing traffic to block malicious intent, such as SQL injections or Cross-Site Scripting (XSS) attacks, before they reach our database.
Intrusion Detection and Prevention Systems (IDPS): We employ real-time monitoring tools that scan for anomalous behavior within the ecosystem. Any deviation from standard operational patterns triggers an immediate alert to our security team for investigation.
7.2. Endpoint Protection & Mobile Device Management (MDM)
To eliminate the risks associated with "Shadow IT" and unmanaged hardware, Pocketfind employs a rigorous Mobile Device Management (MDM) strategy. This ensures that every device used by our Ambassadors, Consultants, and field teams is a secure extension of our core infrastructure, governed by the Technology SOP.
Our endpoint protection strategy includes:
Enforced Hardware Enrollment: No field agent is permitted to access the Pocketfind ecosystem via a personal, unmanaged device. All tablets and smartphones used for onboarding or service fulfilment must be enrolled in our central MDM platform.
Application Whitelisting: Our MDM restricts the installation of third-party apps on managed devices. Only verified, business-critical applications are permitted, preventing the introduction of malware or data-leaking software.
Remote Wipe & Kill Switch: In the event a managed device is lost, stolen, or a staff member's contract is terminated, the Technology Lead can remotely erase all ecosystem data and revoke access credentials instantly, ensuring no "residual data" remains at risk.
OS Integrity Monitoring: The MDM system continuously checks for "jailbroken" or "rooted" status. If a device’s operating system security is bypassed, the Pocketfind device is automatically disabled to protect the encrypted data tunnel.
Automatic Security Patching: We push critical security updates and firmware patches to all field devices simultaneously, ensuring that no endpoint remains vulnerable to known exploits.
7.3. Google Workspace & Cloud Hosting Security
To provide a resilient and globally recognized "Gold Standard" for data protection, Pocketfind hosts its core ecosystem on Google Cloud Platform (GCP) and utilizes Google Workspace for internal operations. This infrastructure provides an enterprise-grade security layer that is independently audited and compliant with international and local standards.
Global Compliance Certifications: Our choice of Google Cloud ensures your data resides in an environment that meets the world’s most stringent security benchmarks, including ISO/IEC 27001, SOC 2/3, and HIPAA. In the South African context, this infrastructure supports our compliance with POPIA by providing built-in privacy and security controls.
Encryption by Default:
At Rest: All customer data—including identity documents, financial records, and profile information—is automatically encrypted at the storage layer using AES-256.
In Transit: Data moving between your mobile app and our cloud is protected by TLS (Transport Layer Security), ensuring a secure tunnel that prevents interception by unauthorized parties.
Zero Trust & Identity Management: We leverage Google’s Identity and Access Management (IAM) and Context-Aware Access. This means that even our internal staff can only access specific data sets if they are on a managed device, in a verified location, and have passed multi-factor authentication (MFA).
Data Loss Prevention (DLP): We employ Google’s automated DLP tools to scan and identify sensitive information (such as credit card numbers or ID numbers) within our system to ensure they are handled with elevated security and are not accidentally shared or exposed.
High Availability & Durability: Your data is stored redundantly across multiple secure Google data centres. This ensures that even in the event of a regional hardware failure, the Pocketfind ecosystem remains functional and your data remains intact.
8. Third-Party Operators & Service Providers
8.1. Payment Processing (Paystack)
To facilitate secure financial transactions within the ecosystem, Pocketfind partners with Paystack (a Stripe-owned company) as our primary third-party payment operator. Paystack acts as a "Processor" on our behalf, ensuring that your payment data is handled with the highest level of financial security required by South African law and international standards.
Our integration with Paystack ensures the following protections:
PCI-DSS Level 1 Certification: Paystack is certified to the Payment Card Industry Data Security Standard (PCI-DSS) Level 1, the most stringent security level in the global payments industry. This ensures that sensitive cardholder data is never stored on Pocketfind’s servers or your local device.
Secure Tokenization: When you save a payment method, Paystack replaces your sensitive card details with a secure "token." Pocketfind only stores this token, which is useless to unauthorized parties, while your actual financial data remains within Paystack’s bank-grade vault.
Compliance with SARB & POPIA: Paystack is a registered Payment Service Provider in South Africa and adheres to the South African Reserve Bank (SARB) regulations and POPIA. They process data only as necessary to complete transactions, prevent fraud, and comply with statutory anti-money laundering (AML) requirements.
Advanced Fraud Monitoring: Paystack utilizes automated fraud detection systems that analyze transaction patterns across their entire network. If a fraud attempt is detected with any merchant, the system automatically strengthens protections for all other participants in the ecosystem, including Pocketfind users.
Multi-Channel Payment Security: Whether you pay via Card, SnapScan, Apple Pay, or Ozow EFT, the transaction is funnelled through Paystack’s encrypted gateway, ensuring that your data is protected regardless of the payment method chosen.
8.2. Cloud Infrastructure & Storage
To ensure 99.9% system availability and the highest levels of data durability, Pocketfind leverages a multi-cloud strategy utilizing Google Cloud Platform (GCP). By hosting our ecosystem within the South African Regions (Johannesburg for GCP), we ensure that your data remains on local soil, directly supporting POPIA’s requirements for data sovereignty.
Data Residency & Sovereignty: We prioritize storage in Google Cloud (Johannesburg) regions. This ensures that sensitive personal and financial information is processed and stored within South Africa’s borders, providing faster access speeds (low latency) and compliance with local jurisdictional mandates.
Enterprise-Grade Redundancy: Your data is replicated across multiple "Availability Zones." These are physically isolated data centres with independent power, cooling, and physical security. This architecture ensures that even in the event of a localized failure or load-shedding, the Pocketfind ecosystem remains resilient.
Shared Responsibility Model: While our cloud providers ensure the "Security of the Cloud" (physical security of servers and global networking), Pocketfind remains responsible for the "Security in the Cloud." This means we manage all encryption keys, access configurations, and firewall rules to protect your specific data sets.
Automated Threat Detection: We utilize advanced cloud-native security tools—such as Google Security Command Centre to monitor for unauthorized access attempts or suspicious database queries in real-time.
Secure Document Vaulting: High-sensitivity media, such as ID documents and bank letters captured during onboarding, are stored in "Private S3 Buckets" or "Cloud Storage" objects. These are not accessible via the public internet and can only be retrieved via encrypted, time-limited tokens generated by our central CRM.
8.3. Cross-Border Data Transfers
While Pocketfind prioritizes local data residency within the South African region of Google Cloud, certain operational requirements may necessitate the transfer of information across national borders. In such instances, we adhere strictly to Section 72 of POPIA, ensuring that your personal information receives a level of protection substantially similar to that provided under South African law.
We only transfer data outside of South Africa under the following conditions:
Adequacy of Recipient Jurisdictions: We transfer data to third parties in foreign countries only if that country has data protection laws, binding corporate rules, or binding agreements that offer an "adequate level of protection". This typically includes jurisdictions governed by the GDPR (European Union) or similar high-standard frameworks.
Contractual Safeguards: Where a recipient country lacks equivalent statutory protections, Pocketfind utilizes Standard Contractual Clauses (SCCs) or Data Transfer Agreements. These legally binding documents compel the foreign recipient to uphold POPIA-equivalent security and privacy standards.
Performance of Contract: Transfers may occur when necessary to fulfill a contract with you (e.g., processing an international payment or facilitating a service that involves a global provider).
Explicit Consent: For specific activities—such as utilizing a specialized global verification tool—we will obtain your explicit consent before your data leaves the Republic.
Managed Technical Tunnels: All cross-border flows are conducted via encrypted channels (TLS 1.3 or higher) to prevent interception during transit, maintaining our "Gold Standard" for digital integrity.
9. Specific Safeguards for Children (Supa Suite)
9.1. Educational Data & School Management Protocols
Within the Supa Suite, the processing of children's data is treated with the highest level of sensitivity. In accordance with POPIA Section 34, which prohibits the processing of personal information concerning a child unless a legal justification exists.
Our educational data protocols include:
Verified Parental/Guardian Consent: We do not process a child’s data without the explicit, verifiable consent of a parent or legal guardian.
Digital Integrity Note: Our Governance SOP mandates that any breach involving a child’s data is treated as a "Level 1" emergency, requiring immediate notification to the Information Regulator and the affected parents, regardless of the perceived risk.
9.2. Parental Consent Requirements
In the Pocketfind ecosystem, we recognize that a child (any natural person under the age of 18) does not have the legal capacity to provide consent for their data processing. To bridge this gap and remain compliant with POPIA Section 35, we mandate the involvement of a "Competent Person".
The Definition of a "Competent Person": Under POPIA, a competent person is any individual legally authorized to consent to actions or decisions on behalf of a child. Within the Supa Suite, this is typically a parent, legal guardian, or an authorized representative of the school acting under a specific legal mandate.
Consent Must Be Prior and Explicit: Consent cannot be assumed or "hidden" in general terms and conditions. Before a student’s data is captured, the competent person must provide an affirmative, voluntary, and informed expression of will.
The Burden of Proof: Pocketfind maintains a digital audit trail of all consents obtained. In accordance with POPIA Section 35(1)(a), we bear the burden of proof to show that a competent person provided valid consent before any processing commenced.
Right to Withdraw: A competent person has the absolute right to withdraw their consent at any time. If consent is withdrawn, Pocketfind will cease all processing of the child’s data and initiate our Secure Deletion Protocols, unless we are legally obligated to retain specific records by statutory bodies.
Transition to Majority: When a child reaches the age of 18, they are legally considered an adult. At this milestone, the previous parental consent becomes invalid for new processing. The student must then provide their own Adult Consent to continue using the platform’s features.
10. Your Statutory Rights (POPI Act)
10.1. Access, Correction, and Objection
Under POPIA Sections 23, 24, and 11, you are granted specific rights regarding your personal information. At Pocketfind, we don’t just view these as legal hurdles; they are the "Gold Standard" of user control that ensures our ecosystem remains transparent and accountable.
You have the following three primary rights:
Right of Access (Section 23): You have the right to confirm, free of charge, whether we hold any of your personal information. You may also request a record or a description of the personal information we hold about you, as well as the identity of any third parties (such as Paystack or Google Cloud) who have had access to it.
Right to Correction (Section 24): You have the right to request that we correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully. If you believe your profile data or KYC documents are incorrect, we are obligated to update our central CRM promptly.
Right to Objection (Section 11): You have the right to object to the processing of your personal information at any time, on reasonable grounds relating to your particular situation, unless South African law (such as FICA or SARS requirements) mandates the processing. This includes an absolute right to object to processing for the purposes of direct marketing.
10.2. Right to Deletion (Right to be Forgotten)
In accordance with POPIA Section 24, you have the right to request that Pocketfind delete or destroy your personal information. This is often referred to as the "Right to be Forgotten," and it ensures that you remain the ultimate owner of your digital identity.
Requesting Deletion: You can trigger a deletion request through the "Delete Account" feature within the app settings or by contacting our Information Officer directly. Once requested, we will remove your data from our active production environments.
De-identification as an Alternative: In some cases, rather than physical destruction, we may "de-identify" your data. This process removes all identifiers so that the data can no longer be linked to you, allowing us to retain anonymous statistical information for ecosystem analytics without compromising your privacy.
The "Statutory Override": It is important to note that your right to deletion is not absolute. Under South African law, specifically FICA and SARS regulations, we are legally mandated to retain certain transaction and identity records for a period of 5 to 7 years. If you request deletion before these periods have lapsed:
We will deactivate your account and stop all processing for marketing or growth purposes.
We will move the required records to a secure, "cold" archive where they are inaccessible for daily operations.
The data will be permanently purged once the legal retention period expires.
Third-Party Propagation: When you exercise your right to deletion, we communicate this request to any third-party operators (such as Google Cloud or Paystack) who process your data on our behalf, ensuring your information is cleared across our entire technical stack.
11. Incident Response & Data Breach Notification
11.1. Transparency & Timelines
Despite our "Gold Standard" safeguards, Pocketfind maintains a rigorous Incident Response Plan (IRP) to address potential security compromises. In the event of a data breach, our priority is total transparency and swift action, as mandated by Section 22 of POPIA.
Our notification protocol is built on the following commitments:
Immediate Internal Escalation: Upon the first sign of a suspected "Security Compromise," our Technology Lead initiates an immediate lockdown of affected systems and notifies the Information Officer. This internal "Triage" phase is completed within hours of detection.
Mandatory Notification of the Regulator: Under POPIA, we are legally required to notify the Information Regulator as soon as reasonably possible after the discovery of a compromise. We commit to initiating this report without undue delay to ensure regulatory oversight.
User Notification: If there are reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorized person, we will notify you directly via the app, email, or SMS. This notification will include:
A description of the possible consequences of the breach.
The measures we are taking to address the breach.
Recommendations for you to mitigate potential risks (e.g., changing passwords or monitoring bank statements).
Public Disclosure: In cases where we cannot identify the specific individuals affected, we will place a prominent notice on the Pocketfind website and within the app to ensure the broader ecosystem is informed.
Post-Incident Audit: Every breach or "near-miss" is followed by a mandatory audit. We update our Governance SOP and technical firewalls based on the findings to prevent a recurrence, ensuring the ecosystem evolves to meet new threats.
11.2. Escalation to the Information Officer
The Information Officer (IO) serves as the primary guardian of the Pocketfind ecosystem, ensuring that every data processing activity remains within the guardrails of POPIA and our internal Governance SOP. The escalation process is designed to ensure that data privacy is never sidelined for operational speed.
Our escalation protocols mandate that the Information Officer is engaged in the following scenarios:
High-Risk Data Processing: Before any new feature is launched that involves sensitive data, the Technology Lead must submit a Data Protection Impact Assessment (DPIA) to the IO for formal sign-off.
Data Subject Rights Requests: If a user submits a complex request to access, correct, or delete their data that falls outside of automated app functions, the request is immediately escalated to the IO to ensure the 21-day statutory deadline is met.
Suspected Security Compromises: At the first alert of a potential breach, the IO takes command of the incident response team. They hold the sole authority to determine if a breach meets the "reasonable grounds" threshold for mandatory notification to the Information Regulator and affected users.
Third-Party Oversight: Any new partnership with a service provider (like a new payment gateway or logistics partner) must be vetted by the IO to ensure their privacy standards match our "Gold Standard" before any data integration occurs.
Annual Governance Review: The IO conducts a mandatory annual audit of all data storage, retention, and destruction logs, reporting directly to the Audit Committee to confirm 100% compliance with South African law.
12. Governance & Contact Information
12.1. Information Officer Contact Details
In compliance with Section 55 of POPIA, Pocketfind has appointed a dedicated Information Officer to oversee our data protection strategy and serve as your primary point of contact for all privacy-related matters. The Information Officer is legally responsible for ensuring our internal "Governance SOP" is followed and that your statutory rights are upheld.
If you have questions about this policy, wish to exercise your rights (Access, Correction, or Objection), or need to report a suspected security compromise, please contact us using the details below:
Attention: The Information Officer
Entity: Pocketfind (Pty) Ltd
Physical Address: Woodmead Country Club Estate, 21 Woodlands Drive Building 2, Country Club Estate, Woodmead, Sandton, 2191
Email Address: info@pocketfind.co.za
Response Timeline: We acknowledge all formal privacy inquiries within 2 business days and aim to resolve or fulfil requests within 21 business days as per our internal audit standards.
The Information Regulator (South Africa):
Should you feel that we have not addressed your privacy concerns adequately, or if you believe there has been an interference with the protection of your personal information, you have the right to lodge a complaint with the National Information Regulator:
Website: https://inforegulator.org.za/
Email: enquiries@inforegulator.org.za / complaints.IR@justice.gov.za
12.2. Audit Committee Oversight
At Pocketfind, data privacy is treated as a core fiduciary responsibility. To ensure that our "Gold Standard" policies are actually practiced, the Audit Committee provides an independent layer of internal oversight, separating technical execution from legal accountability.
The Audit Committee’s role includes:
Independent Compliance Audits: On a bi-annual basis, the committee reviews the Governance SOP against actual system logs. This ensures that the "No Local Storage" mandate and "Secure Deletion Protocols" are being followed without exception.
Verification of Statutory Filings: The committee verifies that all necessary reports have been made to the Information Regulator, SARS, and the SARB, ensuring that Pocketfind remains in good standing with South African authorities.
Review of Privacy Impact Assessments (PIA): For any significant changes to the ecosystem’s architecture, the committee reviews the findings of the Information Officer to ensure that growth never comes at the expense of user security.
Resource Allocation: The committee ensures that the Technology Lead has the necessary budget and tools (such as MDM licenses and encryption services) to maintain the technical safeguards outlined in this policy.
Ethical Oversight: Beyond mere legal compliance, the committee evaluates the ethical implications of our Growth Engine analytics, ensuring that our "People-First" value remains the primary driver of our data strategy.
Appendix A: Definitions & Legal Glossary
To ensure total transparency, the following terms used throughout the Pocketfind Privacy Policy are defined in accordance with South African legislation and international data standards.
Core Regulatory Frameworks
POPIA (Protection of Personal Information Act, No. 4 of 2013): South Africa’s primary data privacy law. it sets the conditions for how personal information must be collected, used, stored, and destroyed.
FICA (Financial Intelligence Centre Act, No. 38 of 2001): Legislation aimed at combating money laundering and terrorist financing. It mandates "Know Your Customer" (KYC) verifications for financial transactions.
RICA (Regulation of Interception of Communications and Provision of Communication-Related Information Act, No. 70 of 2002): A law requiring the verification of users associated with communication services to assist in crime prevention.
GDPR (General Data Protection Regulation): The European Union’s data privacy framework. While we operate under POPIA, we align with GDPR for "Gold Standard" international data transfers.
Key Roles & Entities
Data Subject: The individual to whom the personal information relates (e.g., You, the App User, Merchant, or Ambassador).
Responsible Party: The entity that decides why and how personal information is processed. In this context, Pocketfind (Pty) Ltd is the Responsible Party.
Operator: A third party who processes personal information for the Responsible Party in terms of a contract (e.g., Paystack for payments or Google Cloud for hosting).
Information Officer: The designated individual within Pocketfind responsible for ensuring POPIA compliance and handling data subject requests.
Competent Person: Any person legally authorized to provide consent on behalf of a child (typically a parent or legal guardian).
Technical & Processing Terms
Personal Information: Any information that can identify a living person or an existing juristic person (company). This includes names, ID numbers, location data, and even private correspondence.
Processing: Any activity involving personal information, including its collection, receipt, storage, updating, modification, and ultimate destruction.
De-identification: The process of removing all identifying markers from a dataset so that the information can no longer be linked back to a specific Data Subject.
KYC (Know Your Customer): The mandatory process of verifying the identity and address of a client as required by FICA before financial services are rendered.
MFA (Multi-Factor Authentication): A security mechanism that requires at least two forms of identification (e.g., a password and a code sent to your phone) before granting
Page updated
Google Sites
Report abuse