POPIA Compliance Statement

Our compliance with South African data protection law

Status: ✅ READY

Protection of Personal Information Act 4 of 2013

THANDI AI (PTY) LTD | Registration No: 2025/939429/07 | POPIA Reg: 2025-068149

Information Officer: Seelan Govender | hello@thandi.online | 0781298701

---

1. ACCOUNTABILITY

We take full responsibility for all personal information in our possession and under our control. Our Information Officer is directly accountable to the Information Regulator for POPIA compliance.

2. PROCESSING LIMITATIONS

  • Lawfulness: All processing is conducted with explicit consent or legitimate educational interest
  • Minimality: We collect only information necessary for career guidance (subjects, marks, interests)
  • Purpose: Data is used exclusively for educational and career development purposes
  • Retention: We do not keep data longer than necessary (see Privacy Policy for specific timelines)
3. PURPOSE SPECIFICATION

Personal information is collected for:

  • Career pathway recommendations based on academic performance
  • Higher education program matching with admission requirements
  • Bursary and financial aid opportunity identification
  • Educational research and AI system improvement
  • Secondary use: Only with additional explicit consent from data subjects or schools.

4. FURTHER PROCESSING LIMITATION

We will not process personal information for purposes other than those originally intended without obtaining new consent, except where permitted by POPIA Section 15.

5. INFORMATION QUALITY

We take reasonable steps to ensure personal information is:

  • Complete and accurate at time of collection
  • Not misleading to data subjects
  • Updated when requested by the data subject

Students and parents can correct their data by emailing hello@thandi.online with the subject "Data Correction Request".

6. OPENNESS

  • This POPIA statement is publicly available on our website
  • We maintain a register of all processing activities (available to Regulator on request)
  • Privacy notices provided to all data subjects at collection point
  • Annual compliance reports submitted to Information Regulator
7. DATA SUBJECT PARTICIPATION

Students and parents can:

  • Request access: Receive full copy of personal information within 21 days (free for first request)
  • Request correction: Update inaccurate information within 21 days
  • Request deletion: Remove all personal data ("right to be forgotten")
  • Object to processing: Withdraw consent for specific processing activities
  • Data portability: Receive data in machine-readable format (CSV, JSON)
  • Lodge complaints: Directly with Information Regulator at complaints.IR@justice.gov.za
8. SECURITY SAFEGUARDS

Technical Measures:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access Control: Multi-factor authentication for all staff
  • Vulnerability Management: Weekly automated scans, quarterly penetration testing
  • Hosting Security: Vercel SOC 2 Type II compliant infrastructure
  • Backup: Encrypted daily backups with 30-day retention
Organizational Measures:

  • Staff Training: Annual POPIA certification for all employees
  • Confidentiality: Binding NDAs and data protection agreements with all staff
  • Incident Response: 24-hour security incident response team
  • Vendor Management: Due diligence and DPAs with all processors (Google Analytics, Mixpanel, Vercel)
9. DATA BREACH NOTIFICATION

In the event of a breach likely to result in serious harm:

  • Regulator notified: Within 72 hours of discovery
  • Data subjects notified: Without undue delay (target: within 24 hours)
  • School partners notified: Within 6 hours (for school-managed accounts)
  • Remediation report: Full details provided to affected parties within 7 days
10. CROSS-BORDER TRANSFERS

All international data transfers comply with POPIA Section 72:

  • Primary storage: Google Cloud Platform (EU data centers)
  • Legal basis: Standard Contractual Clauses (SCCs) with all processors
  • Data residency: Student data never transferred outside EU/US cloud regions without encryption
  • Onward transfer: Prohibited without explicit consent or legal requirement
11. SPECIAL PERSONAL INFORMATION

We do NOT process special personal information (race, health, biometric, trade union membership, etc.) except:

  • Race: Only when voluntarily provided for B-BBEE bursary matching (explicit consent required)
  • Age: For grade-level verification and age-appropriate content
  • Gender: For demographic analytics (optional, anonymized)

All special category data is encrypted and requires additional access controls.

12. DIRECT MARKETING

  • Opt-in consent required for all marketing communications
  • Clear opt-out mechanism in every communication
  • Students under 18 require parental consent for marketing
  • Beta users: No marketing emails during beta testing phase
  • School partners: Business communications only with authorized representatives
13. AUTOMATED DECISION-MAKING

Our AI system provides recommendations based on algorithms. You have the right to:

  • Understand the logic involved (explanation available on request)
  • Request human review of significant decisions
  • Contest decisions and request re-evaluation

Important: All recommendations are advisory, not binding. Final decisions rest with students, parents, and schools.

14. RECORDS RETENTION

Full POPIA compliance records are maintained for 5 years:

  • Consent records with timestamps and IP addresses
  • Data subject access requests and responses
  • Processing activities log (Article 30 record)
  • Security incident reports
  • Staff training records
  • Vendor due diligence files
15. REGULATORY COOPERATION

We cooperate fully with the South African Information Regulator and will:

  • Respond promptly to all inquiries (within 7 days)
  • Permit audits where legally required
  • Implement regulator recommendations within specified timeframe
  • Pay all applicable administrative fines promptly
16. COMPLIANCE CERTIFICATION

  • POPIA Registration: 2025-068149 (issued 09/12/2025)
  • Next Compliance Audit: Q1 2026
  • Current Status: Fully compliant with all 8 POPIA conditions
  • B-BBEE Status: Level 1 Contributor (100% black-owned)
17. COMPLAINTS PROCEDURE

If you believe we have violated POPIA:

  • Contact us first: hello@thandi.online with subject "POPIA Complaint"
  • Response time: We will acknowledge within 2 business days
  • Investigation: Full investigation within 10 business days
  • Resolution: Written response with remedial actions
  • External escalation: If unsatisfied, contact Information Regulator at complaints.IR@justice.gov.za or 012 406 4818
18. CHANGES TO THIS STATEMENT

We will update this statement annually or when significant changes occur. Last updated: 21 December 2025.

---

Contact Information Officer:

Seelan Govender

Thandi AI (PTY) LTD

170 Innes Road, Morningside, Durban, KwaZulu-Natal, 4001

Email: hello@thandi.online

Phone: 0781298701

Information Regulator:

SALU Building, 316 Thabo Sehume Street, Pretoria

www.justice.gov.za/inforeg/ | complaints.IR@justice.gov.za

---

Document Version: 1.0

POPIA Registration: 2025-068149

Issued: 09 December 2025

Document provided by THANDI AI (PTY) LTD