POPIA Policy

1. Overview

The Protection of Personal Information Act, 2013 (Act No. 4 of 2013) ("POPIA") regulates the processing of personal information by any person or organisation in South Africa. ShiftHub is committed to full POPIA compliance — in the product itself and in the way we run the business.

This policy explains:

• How we comply with POPIA's 8 conditions in our own processing.
• How we enable you (our customer) to meet your POPIA obligations when you use ShiftHub to manage your workforce.
• How data subjects (your workers, your clients) can exercise their rights.

2. Roles under POPIA

Context	Role	Responsibilities
Your use of shifthub.co.za and the account you create	ShiftHub = Responsible Party	Determine why & how we process your account & billing data
Your workers' personal info inside your workspace	You = Responsible Party ShiftHub = Operator	You decide why & how; we process on your documented instructions

This split matters. As Operator, we never use your workers' data for our own purposes — only to provide the Service you've asked for.

3. The eight conditions for lawful processing

We comply with all eight POPIA conditions (ss8–25):

3.1 Accountability

A named Information Officer is accountable for ShiftHub's compliance. See the Contact section.

3.2 Processing limitation

We collect only the personal information we need to provide the Service. We do not combine your data with third-party sources or enrich it without your instruction.

3.3 Purpose specification

Each category of data has a defined purpose (authenticating users, processing billing, providing features). Purposes are documented in our Privacy Policy.

3.4 Further processing limitation

We don't repurpose data. If we ever wanted to, you'd be notified and given the choice to opt out.

3.5 Information quality

We maintain the accuracy of data subject to your input. You control and can correct your workers' records via the admin panel. Workers can correct their own profile via the PWA.

3.6 Openness

This document and our Privacy Policy explain every category of data, why it's processed, and with whom it's shared. We notify the Information Regulator of changes where required.

3.7 Security safeguards

See Security safeguards below for details.

3.8 Data subject participation

Data subjects have the rights set out in Data subject rights below. We honour them.

4. Processing activities

We process the following categories of personal information:

Category	Who it's about	Why we process
Account data	Tenant admins	Authentication, billing, support, product communications
Personnel records	Workers in tenant workspaces	Provide rostering, clock-in, HR features on tenant's behalf
Location data	Workers during shifts	Geofence-gated clock-in, panic dispatch — on tenant's instruction
Firearm licences	Qualified workers (armed tier)	Audit trail of firearm issue and licence validity
Biometric (optional)	Workers who opt-in to biometric clock-in	Face-ID / fingerprint on-device only — never leaves the worker's phone
Support correspondence	Anyone who emails / chats us	Answer questions, troubleshoot

5. Security safeguards

We take the technical and organisational measures POPIA s19 requires, and more:

• Encryption in transit: TLS 1.3 everywhere, HSTS enforced.
• Encryption at rest: AES-256 for sensitive fields (ID numbers, firearm licence numbers, biometric hashes).
• Access controls: RBAC with per-tenant teams; least-privilege for staff; mandatory 2FA for ShiftHub engineers and tenant privileged roles.
• Audit logging: immutable log of every sensitive action — actor, timestamp, IP, payload delta.
• Separation: tenants are isolated at the database level with every query scoped by tenant_id.
• Backups: encrypted daily backups in a separate region; 30-day retention.
• Penetration testing: annual third-party pen-test.
• Staff training: all staff complete POPIA awareness training on joining and annually.
• Vulnerability management: automated dependency scanning; security patches within SLA of disclosure.

6. Cross-border transfers

Standard tiers host in EU (Ireland) — which POPIA s72(1) recognises as providing adequate protection through its comparable GDPR framework. Enterprise customers may elect ZA-region hosting (Johannesburg / Cape Town) for data residency.

Sub-processors located outside the Republic of South Africa (e.g., Mailgun in the US, Sentry in the EU) operate under:

• EU Standard Contractual Clauses (for EU-based processors).
• Privacy Shield / Data Privacy Framework equivalent commitments (for US-based processors).
• Processor-specific Data Processing Addenda reviewed by our legal team.

7. Data subject rights

Under POPIA ss23–25, data subjects have the right to:

1. Confirmation of whether we hold their information.
2. Access to the information we hold.
3. Correction / deletion of inaccurate or unnecessary information.
4. Objection to processing on grounds set out in s11(3).
5. Complain to the Information Regulator.

7.1 Making a request

If you are:

• A ShiftHub customer (tenant admin) — email legal@shifthub.co.za. We respond within 30 days (usually within 5 business days).
• A worker in someone else's workspace — your employer is the Responsible Party. Direct your request to them. If they use ShiftHub, we give them the tools to fulfil it (export, anonymise, delete). If you cannot reach them and believe ShiftHub holds your data improperly, email us — we will coordinate.

7.2 Form

Requests should include (a) your identity and proof thereof, (b) what you want (access / correct / delete / object), and (c) contact details for a response.

7.3 Fee

We do not charge for the first request in a 12-month period. For excessive or repeated requests, a reasonable fee may be charged as permitted by POPIA regulations.

8. Security breach response

If we discover a security compromise with unauthorised access to personal information, we will:

1. Investigate and contain the breach immediately.
2. Notify the Information Regulator within 72 hours, where the breach is likely to result in harm.
3. Notify affected tenants within 24 hours of confirmed compromise.
4. Support affected tenants in notifying their data subjects, as POPIA s22 requires.
5. Publish a post-incident report to the security email list and our status page.

9. Operator agreement (for tenants)

When you sign up as a ShiftHub tenant, our Terms of Service constitute a written agreement under POPIA s20 — ShiftHub agrees to:

1. Process personal information only with the tenant's knowledge or authorisation.
2. Treat personal information as confidential, including beyond the engagement.
3. Establish and maintain the security safeguards in section 5.
4. Notify the tenant immediately on suspected compromise.

Enterprise customers may additionally execute a standalone Data Processing Agreement — available on request from legal@shifthub.co.za.

10. Retention & deletion

• Active workspaces: data retained while subscription is active.
• Cancelled / expired-trial workspaces: data deleted 30 days after cancellation, except records legally required to retain (e.g., invoicing for 5 years per Tax Administration Act).
• Backups: rolling 30-day retention; deleted data is permanently gone after that.
• Audit logs: retained for the life of the workspace; exported for legal proceedings if requested by the tenant.

11. Information Officer

ShiftHub's Information Officer (per POPIA s56) is reachable at:

Email: legal@shifthub.co.za
Postal: ShiftHub (Pty) Ltd, Information Officer, South Africa

To complain to the Regulator:

Information Regulator of South Africa
Website: inforegulator.org.za
Email: complaints.IR@justice.gov.za