Data & Compliance Policy
Effective Date: April 4, 2026 | Last Updated: April 4, 2026
⚠️ Legal Framework: This document outlines Ka-ching Savings's compliance with the Protection of Personal Information Act, 2013 (POPIA), the Consumer Protection Act (CPA), and the Electronic Communications and Transactions Act (ECTA).
1. Legal Compliance Overview
1.1 Applicable Laws
Ka-ching Savings is registered in South Africa and operates under the following legal frameworks:
| Law / Regulation | Scope | Compliance Status |
|---|---|---|
| POPIA (Protection of Personal Information Act, 2013) | Data protection, privacy rights, information officer registration | ✓ COMPLIANT |
| CPA (Consumer Protection Act, 2008) | Consumer rights, unfair/unconscionable conduct, liability limits | ✓ COMPLIANT |
| ECTA (Electronic Communications & Transactions Act, 2002) | E-commerce, digital signatures, electronic documents | ✓ COMPLIANT |
| GDPR (General Data Protection Regulation) | International user privacy (EU users) | ✓ COMPLIANT |
| CCPA (California Consumer Privacy Act) | California resident privacy rights | ✓ COMPLIANT |
1.2 Data Protection Principles
Ka-ching Savings adheres to the eight principles of POPIA:
- Lawfulness: We process data only on legal grounds
- Purpose Limitation: Data is used only for stated purposes
- Further Processing: Secondary use is compatible with original purpose
- Information Quality: Data is accurate, complete, and up-to-date
- Openness: We are transparent about data practices
- Security: We protect data from loss, damage, or unauthorized use
- Subject Participation: Users can access, correct, and delete their data
- Accountability: We are responsible for compliance
2. Information Officer
2.1 Appointment
Ka-ching Savings has appointed a Data Protection Officer (Information Officer) as required by POPIA Section 56.
Information Officer Contact
Name: Kyle Hundermark
Title: Information Officer / Data Protection Officer
Email: infofficer@kachingsavings.co.za
Phone: +27 (to be confirmed)
Address: South Africa
2.2 Responsibilities
The Information Officer is responsible for:
- Monitoring compliance with POPIA and other data protection laws
- Processing data subject requests (access, correction, deletion)
- Investigating and managing data breaches
- Conducting impact assessments for high-risk processing
- Maintaining records of processing activities
- Serving as liaison with the Information Regulator of South Africa
- Handling complaints and inquiries
2.3 Information Regulator Registration
Ka-ching Savings is registered with the Information Regulator of South Africa. Our registration details:
3. Data Processing Activities
3.1 Processing Inventory
Ka-ching Savings maintains a comprehensive record of all data processing activities. Below is a summary:
Activity 1: Analytics (Google Analytics 4)
| Element | Details |
|---|---|
| Data Controller | Ka-ching Savings |
| Data Processor | Google Ireland Limited (under GDPR Data Processing Agreement) |
| Data Type | Anonymized usage data (pages, time, device, location region, traffic source) |
| Legal Basis | Legitimate interest (service improvement); Consent (via cookie notice) |
| Retention Period | 14 months (automatic purge by Google) |
| Purpose | Understand user behavior, improve UX, detect issues |
| Recipients | Google (EU servers), internal team |
Activity 2: Store Reviews & Ratings
| Element | Details |
|---|---|
| Data Controller | Ka-ching Savings |
| Data Type | Review text, rating (1-5), IP address, timestamp; NO personal identifiers |
| Legal Basis | Consent (user voluntary submission) |
| Retention Period | Until user deletion or content removal (max 7 years for legal disputes) |
| Purpose | Display store feedback, prevent spam/duplicate reviews |
| Recipients | Public (displayed on platform); internal moderation team |
Activity 3: WhatsApp Subscriber List (If Enabled)
| Element | Details |
|---|---|
| Data Controller | Ka-ching Savings |
| Data Type | WhatsApp phone number (E.164 format), opt-in timestamp, consent status |
| Legal Basis | Explicit consent (opt-in); ECTA Section 34 (SPAM Act) |
| Retention Period | Until unsubscribe or account deletion (may retain for 2 years if disputed) |
| Purpose | Send weekly specials alerts, platform updates, promotional messages |
| Recipients | WhatsApp BSP (360dialog or equivalent); internal marketing team |
Activity 4: Server Logs
| Element | Details |
|---|---|
| Data Controller | Ka-ching Savings |
| Data Type | IP address, timestamp, HTTP method, status code, user-agent, referrer |
| Legal Basis | Legitimate interest (security, debugging, DoS prevention) |
| Retention Period | 30 days (automatic rotation) |
| Purpose | Investigate security incidents, troubleshoot errors, audit access |
| Recipients | Internal infrastructure team only |
4. Data Subject Rights & Procedures
4.1 Right of Access
POPIA Section 24(1): Data subjects may request what personal data we hold about them.
- Response Time: 20 business days
- Process: Submit written request to Information Officer
- Format: We will provide data in human-readable format (e.g., PDF, CSV)
- Fee: No charge unless request is manifestly frivolous or excessive
4.2 Right to Correction
POPIA Section 24(1)(c): Data subjects may request correction of inaccurate data.
- Response Time: 20 business days
- Dispute Record: If we disagree, we record the dispute
- Notification: We notify recipients who received the inaccurate data
4.3 Right to Deletion (Right to be Forgotten)
POPIA Section 24(1)(d): Data subjects may request deletion of their data.
- Response Time: 20 business days
- Exceptions: We may retain data if:
- Legally required (e.g., tax records, court orders)
- Necessary for fraud investigation
- Data is anonymized/pseudonymized
- Retention is necessary to fulfill original purpose
- Process: Data is securely deleted or anonymized
4.4 Right to Restrict Processing
POPIA Section 24(2)(f): Data subjects may restrict how we process their data.
- Request we limit processing to storage only (no use)
- Useful if data accuracy is disputed
- We will restrict unless legal obligation requires continued processing
4.5 Right to Data Portability
POPIA Section 24(2)(g): Data subjects may request their data in portable format.
- Format: Structured, commonly-used, machine-readable format (CSV, JSON, XML)
- Transfer: We can transmit directly to another controller if technically feasible
- Applies to: Data you provided directly (reviews, ratings, WhatsApp number)
4.6 Right to Lodge a Complaint
POPIA Section 79: If you believe we violate POPIA, you may file a complaint with the Information Regulator.
4.7 Submitting Requests
To exercise any of the above rights, submit a written request to:
Ka-ching Savings Information Officer
Email: infofficer@kachingsavings.co.za
Request Should Include:
- Your name or identifier (or how we know you)
- Your email or phone number
- Specific right you're exercising (access, delete, correct, restrict, port)
- Relevant dates or context
- Proof of identity (copy of ID or passport)
5. Data Security & Safeguards
5.1 Technical Safeguards
- Encryption in Transit: TLS 1.3 for all HTTPS connections
- Encryption at Rest: AES-256 for sensitive data storage
- Firewalls: Network firewalls at Hetzner VPS
- Access Controls: Role-based access to data systems
- SSL Certificates: Valid certificates from trusted CAs (Certbot)
- Vulnerability Scanning: Regular security audits and penetration testing
- Intrusion Detection: Monitoring for suspicious activity
5.2 Organizational Safeguards
- Data Processing Agreements: Signed agreements with all processors (Google, Hetzner, etc.)
- Access Restrictions: Limited to employees with legitimate need
- Confidentiality: All staff sign confidentiality agreements
- Training: Annual data protection and privacy training
- Audit Trails: Logging of all data access and modifications
5.3 Physical Safeguards
- Hosting Location: Hetzner data centers (Germany) with physical security
- Backup: Regular off-site backups with encryption
- Recovery Plan: Disaster recovery procedures in place
6. Data Breach Notification
6.1 Breach Definition
A data breach is any unauthorized or accidental access, processing, deletion, loss, or disclosure of personal data that compromises its confidentiality, integrity, or availability.
6.2 Breach Assessment & Notification Timeline
- Detection: Immediate investigation upon discovery
- Assessment: Determine scope and severity within 24 hours
- Notification to Regulator: Within 7 calendar days (POPIA Section 22)
- Notification to Data Subjects: Without undue delay (within 7 days if possible)
- Documentation: Full incident report including cause, impact, remediation
6.3 Notification Content
In case of a breach, we will notify you with:
- Description of the breach
- Categories of data compromised
- Likely consequences
- Measures taken to mitigate harm
- Contact details for our Information Officer
- Recommendations for self-protection
6.4 Breach Register
We maintain a confidential register of all breaches, even minor ones, for audit and compliance purposes.
7. Data Protection Impact Assessment (DPIA)
7.1 High-Risk Processing
For any processing that poses a high risk to data subject rights (e.g., automated profiling, large-scale tracking), we conduct a formal Data Protection Impact Assessment including:
- Description of processing activities
- Assessment of risks and impacts
- Mitigation measures
- Consultation with Data Protection Officer
- Documentation for Regulator
7.2 Current Assessment
Ka-ching Savings's current processing (analytics, reviews, WhatsApp) is classified as LOW RISK because:
- Minimal personal data collection (no names, emails, financial data)
- Transparent and voluntary data submission
- Users can opt-out easily
- No automated decision-making or profiling
- No special category data processed
8. Compliance Certifications
8.1 Current Status
| Certification / Standard | Status | Notes |
|---|---|---|
| POPIA Compliance | ✓ COMPLIANT | Information Officer appointed, registered with Regulator |
| GDPR Compliance (EU Users) | ✓ COMPLIANT | Data processing agreement with processors, legitimate basis documented |
| CPA Compliance (Consumer Protection) | ✓ COMPLIANT | Terms of Use include liability limits as per CPA exemptions |
| ECTA Compliance (E-commerce) | ✓ COMPLIANT | Terms & Privacy Policy satisfy electronic disclosure requirements |
| ISO 27001 (Information Security) | ~ IN PROGRESS | Full certification planned Q3 2026 |
| SOC 2 Audit | ~ PLANNED | Planned for 2026 as platform scales |
8.2 Future Certifications
As Ka-ching Savings grows, we plan to obtain:
- ISO 27001: Information security management certification
- SOC 2 Type II: Service organization control audit
- POPIA Audit: Third-party POPIA compliance audit
9. Third-Party Data Processors
9.1 Approved Processors
| Processor | Service | Data Shared | DPA in Place |
|---|---|---|---|
| Google Ireland Limited | Analytics (Google Analytics 4) | Anonymized usage data | ✓ Yes (Google Standard DPA) |
| Hetzner Online | Web hosting (VPS server) | Server logs, backups | ✓ Yes (EU data processors) |
| 360dialog (or WhatsApp BSP) | WhatsApp Business messaging | Phone numbers, messages | ✓ Yes (under review) |
9.2 Sub-Processor Policy
Ka-ching Savings requires all processors to:
- Sign written Data Processing Agreements (DPA)
- Implement equivalent security measures
- Notify us of any sub-processors they use
- Comply with POPIA, GDPR, and other applicable laws
- Assist with data subject requests and breach investigations
- Provide audit evidence upon request
10. International Data Transfers
10.1 Transfer Mechanism
Ka-ching Savings operates from South Africa but uses EU-based infrastructure (Hetzner, Germany). This involves international data transfer governed by:
- POPIA Section 72: Permits transfer to adequate protection countries
- GDPR Chapter 5: EU transfer framework
- Standard Contractual Clauses (SCCs): Signed with processors
10.2 Adequacy Determination
The EU has determined South Africa provides adequate data protection under POPIA. Germany (host country) is within the EU and is fully GDPR-compliant.
10.3 Safeguards for EU Users
For users in the EU, we ensure:
- Explicit consent for processing (beyond legitimate interest)
- Right to object to processing
- GDPR right of erasure (within 30 days)
- Data protection officer contact
11. Records of Processing Activities
11.1 Documentation
Ka-ching Savings maintains a Records of Processing Activities (RPA) document including:
- All processing activities (listed in Section 3)
- Purposes and legal basis for each
- Categories of data and data subjects
- Processors and sub-processors
- Transfer mechanisms and safeguards
- Retention schedules
- Security measures
11.2 Availability
The Information Regulator may request to inspect our RPA at any time. We maintain updated records for audit purposes.
12. Policy Review & Updates
12.1 Annual Review
This Policy is reviewed at least annually and updated as needed to reflect:
- Changes in applicable laws
- New processing activities
- Identified risks or breaches
- Feedback from data subjects
- Technology improvements
12.2 Changes & Notice
Significant changes to this Policy will be communicated to users via email (if subscribed) or a prominent notice on our website.
13. Contact Information
For data protection and compliance inquiries:
© 2026 Ka-ching Savings. All rights reserved.