POPIA Compliance Statement
Protection of Personal Information Act 4 of 2013
THANDI AI (PTY) LTD | Registration No: 2025/939429/07 | POPIA Reg: 2025-068149
Information Officer: Seelan Govender | hello@thandi.online | privacy@thandi.online | 0781298701
---
1. ACCOUNTABILITY
We take full responsibility for all personal information in our possession and under our control. Our Information Officer is directly accountable to the Information Regulator for POPIA compliance.
2. PROCESSING LIMITATIONS
Lawfulness: All processing is conducted with explicit consent or legitimate educational interest
Minimality: We collect only information necessary for career guidance (subjects, marks, interests)
Purpose: Data is used exclusively for educational and career development purposes
Retention: We do not keep data longer than necessary (see Privacy Policy for specific timelines)
3. PURPOSE SPECIFICATION
Personal information is collected for:
Career pathway recommendations based on academic performance
Higher education program matching with admission requirements
Bursary and financial aid opportunity identification
Educational research and AI system improvement
Secondary use: Only with additional explicit consent from data subjects or schools.
4. FURTHER PROCESSING LIMITATION
We will not process personal information for purposes other than those originally intended without obtaining new consent, except where permitted by POPIA Section 15.
5. INFORMATION QUALITY
We take reasonable steps to ensure personal information is:
Complete and accurate at time of collection
Not misleading to data subjects
Updated when requested by the data subject
Learners/parents can correct data via privacy@thandi.online or hello@thandi.online with subject "Data Correction Request"
6. OPENNESS
This POPIA statement is publicly available on our website
We maintain a register of all processing activities (available to Regulator on request)
Privacy notices provided to all data subjects at collection point
Annual compliance reports submitted to Information Regulator
7. DATA SUBJECT PARTICIPATION
Learners and parents can:
Request access: Receive full copy of personal information within 21 days (free for first request)
Request correction: Update inaccurate information within 21 days
Request deletion: Remove all personal data ("right to be forgotten")
Object to processing: Withdraw consent for specific processing activities
Data portability: Receive data in machine-readable format (CSV, JSON)
Lodge complaints: Directly with Information Regulator at complaints.IR@justice.gov.za
8. SECURITY SAFEGUARDS
Technical Measures:
Encryption: TLS in transit, encryption at rest via Supabase
Access Control: Role-based access control and row-level security policies on all learner data tables
Authentication: JWT-based authentication for school dashboard; custom token verification for learner sessions
Infrastructure: Vercel SOC 2 Type II compliant hosting; Supabase SOC 2 Type II compliant database
Rate Limiting: API rate limiting on all authenticated endpoints via Upstash
Organisational Measures:
Information Officer: Seelan Govender (founder) — directly accountable
Vendor Management: Data processing agreements govern all sub-operator relationships
Security Review: Independent security review completed May 2026 (Pieter Human)
Incident Response: Breach notification within 72 hours to affected schools, per DPA clause 9
9. DATA BREACH NOTIFICATION
In the event of a breach likely to result in serious harm:
Regulator notified: Within 72 hours of discovery
Data subjects notified: Without undue delay (target: within 24 hours)
School partners notified: Within 6 hours (for school-managed accounts)
Remediation report: Full details provided to affected parties within 7 days
10. CROSS-BORDER TRANSFERS
All international data transfers comply with POPIA Section 72.
Thandi uses the following sub-operators, each contractually bound to maintain data security standards consistent with POPIA:
| Sub-operator | Purpose | Data Accessed | Location |
|---|---|---|---|
| Supabase | Database and authentication | All learner data | EU / US |
| Vercel | Platform hosting and delivery | No learner data — delivery only | US |
| Groq | AI career guidance generation | APS score, subjects, career narrative | US |
| Anthropic | AI fallback processing | APS score, subjects, career narrative | US |
| Resend | Transactional email | Learner name, guardian email | US |
| Upstash | Session caching | Session tokens only — no personal data | US |
11. SPECIAL PERSONAL INFORMATION
We do NOT process special personal information as defined in POPIA Section 26 (race or ethnic origin, health or sex life, biometric information, religious or philosophical beliefs, trade union membership, political persuasion, criminal behaviour), with one exception:
Race: Only when voluntarily provided for B-BBEE bursary matching (explicit consent required)
We also collect the following, which are not special personal information under Section 26 but are handled with the same controls (and, for learners under 18, under the rules for children's personal information in Sections 34 and 35):
Age: For grade-level verification and age-appropriate content
Gender: For demographic analytics (optional, anonymised)
All race data and the age and gender fields above are encrypted and require additional access controls.
12. DIRECT MARKETING
Opt-in consent required for all marketing communications
Clear opt-out mechanism in every communication
Learners under 18 require parental consent for marketing
School partners: Business communications only with authorized representatives
13. AUTOMATED DECISION-MAKING
Our AI system provides recommendations based on algorithms. You have the right to:
Understand the logic involved (explanation available on request)
Request human review of significant decisions
Contest decisions and request re-evaluation
Important: All recommendations are advisory, not binding. Final decisions rest with learners, parents, and schools.
14. RECORDS RETENTION
Learner data retained for duration of active account or maximum 3 years from last assessment, whichever is earlier.
Full POPIA compliance records maintained for 5 years:
Consent records with timestamps and IP addresses
Data subject access requests and responses
Processing activities log (documentation of processing operations required by POPIA Section 17)
Security incident reports
Staff training records
Vendor due diligence files
15. REGULATORY COOPERATION
We cooperate fully with the South African Information Regulator and will:
Respond promptly to all inquiries (within 7 days)
Permit audits where legally required
Implement regulator recommendations within specified timeframe
Pay all applicable administrative fines promptly
16. COMPLIANCE CERTIFICATION
POPIA Registration: 2025-068149 (issued 09/12/2025)
Next Review: October 2026 or on any official source update
Current Status: Fully compliant with all 8 POPIA conditions
B-BBEE Status: Level 1 Contributor (100% black-owned)
17. COMPLAINTS PROCEDURE
If you believe we have violated POPIA:
Contact us first: privacy@thandi.online or hello@thandi.online with subject "POPIA Complaint"
Response time: We will acknowledge within 2 business days
Investigation: Full investigation within 10 business days
Resolution: Written response with remedial actions
External escalation: If unsatisfied, contact Information Regulator at complaints.IR@justice.gov.za or 012 406 4818
18. CHANGES TO THIS STATEMENT
We will update this statement annually or when significant changes occur. Last updated: 26 May 2026.
---
Contact Information Officer:
Seelan Govender
Thandi AI (PTY) LTD
170 Innes Road, Morningside, Durban, Kwa-Zulu Natal, 4001
Email: hello@thandi.online | privacy@thandi.online
Phone: 0781298701
Information Regulator:
SALU Building, 316 Thabo Sehume Street, Pretoria
www.justice.gov.za/inforeg/ | complaints.IR@justice.gov.za
---
Document Version: 1.2
POPIA Registration: 2025-068149
Last Updated: 26 May 2026