A focused notice on your rights as a data subject under the Protection of Personal Information Act, 4 of 2013 — and how to exercise them with Sitect.
POPIA gives you specific rights over your personal information. This notice tells you what those are, what we do with your information, and how to get us to change, share or delete what we hold.
The Protection of Personal Information Act, 4 of 2013 (POPIA) is South Africa's data-protection law. It came into full effect on 1 July 2021 and is enforced by the Information Regulator of South Africa. It gives every data subject (you) specific rights over how organisations collect, use, store, share and dispose of personal information about you.
This notice should be read together with our Privacy Policy and Cookie Policy. Where any of these conflict, the most protective interpretation in your favour applies.
Sitect is fully committed to POPIA compliance. In practical terms this means:
Under POPIA section 56, every responsible party must designate an Information Officer. Our Information Officer is registered with the Information Regulator and is contactable for any POPIA-related matter:
POPIA section 5 gives every data subject the following rights. Each link below jumps to the section of this notice explaining how to exercise that right:
| Category | Examples | Source |
|---|---|---|
| Identity | Name, ID/passport, role, company | From you / public sources |
| Contact | Email, phone, address | From you |
| Financial | VAT number, banking, billing | From you |
| Technical | IP, browser, device, cookies | Automatic |
| Behavioural | Page views, clicks, search queries | Automatic |
| Project | Business info, NDAs, deliverables | From you |
| Communication | Emails, chat, support tickets | From you |
| Marketing | Newsletter status, marketing consent | From you |
We do not deliberately collect special personal information (race, ethnicity, religion, biometrics, health, sexual orientation, political views) under POPIA section 26. If this is required for an engagement, we obtain explicit consent first.
POPIA permits processing only on specific lawful bases. We rely on:
| Lawful basis | Used for |
|---|---|
| Consent (s.11(1)(a)) | Newsletter, marketing, optional cookies, special PI |
| Contract performance (s.11(1)(b)) | Delivering services you've engaged us for |
| Legal obligation (s.11(1)(c)) | Tax records, regulatory reporting |
| Public interest (s.11(1)(d)) | Rare — where law specifically authorises |
| Legitimate interest (s.11(1)(f)) | Security, fraud prevention, business operation |
You have the right to confirm whether Sitect holds personal information about you, and to receive a copy. Under POPIA section 23:
Under POPIA section 24, you may ask us to correct or delete personal information that is:
Send your request to info-officer@sitect.co.za, specifying clearly what should be changed or deleted. We will action it within 30 days. Where deletion is not possible (e.g. SARS retention requirements), we explain why and propose an alternative (such as restriction or anonymisation).
Under POPIA section 11(3), you have the absolute right to object to:
You may also object to automated decision-making (POPIA s.71) where the decision has a significant effect on you. We currently do not make such fully-automated decisions without human review. If this changes, you will be notified.
POPIA defines "operators" as third parties who process personal information on our behalf under our instructions. Every operator we use signs a written agreement requiring:
A current list of our operators is in section 6 of our Privacy Policy.
Where we rely on consent (e.g. marketing), it must be:
Every consent is recorded with timestamp, IP and basis. You may withdraw consent at any time with no penalty.
Under POPIA section 72, your personal information may be transferred outside South Africa only where:
Our default cloud region is AWS Cape Town (af-south-1) — meaning the bulk of your operational data stays inside South African borders. Cross-border transfers are limited to specific service providers (analytics, email delivery, AI providers) and are governed by standard contractual clauses.
If a security compromise occurs where personal information has been (or is reasonably believed to have been) accessed or acquired by an unauthorised person, POPIA section 22 requires us to notify both the Information Regulator and affected data subjects.
Our breach response timeline:
If you believe Sitect has not handled your personal information in line with POPIA, you may complain to:
Contact our Information Officer at info-officer@sitect.co.za. We will investigate and respond within 30 days. Most issues are resolved at this stage.
If you are not satisfied with our response, lodge a complaint with the Information Regulator:
The Regulator's complaint form is on its website.
You also have a right under POPIA s.99 to institute civil proceedings for damages — separate from any complaint to the Regulator.
For any POPIA-related matter:
If you want to know what we hold, correct it, delete it, or just have a conversation about how we handle your information, our Information Officer is the person to ask.