Last updated: May 2026

Privacy Policy (POPIA)

This Privacy Policy describes how KomplyZA (Pty) Ltd ("KomplyZA", "we", "us") processes personal information when you use komplyza.com and related services ("the Service"), in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA").

1. Responsible party

The responsible party for personal information collected through the Service is:

  • Legal name: KomplyZA (Pty) Ltd
  • Registration: [Company registration number]
  • Registered / physical address: [Registered office address, South Africa]

2. Information Officer

POPIA requires that certain organisations designate an Information Officer (and Deputy where applicable). Our Information Officer oversees KomplyZA's compliance with POPIA and may be contacted at:

General security reports unrelated to data subject rights should be sent to security@komplyza.com.

3. What personal information we collect

Depending on how you use the Service, we may process:

  • Account data: name, email address, authentication identifiers (for example Supabase Auth user ID).
  • Organisational data: company name, sector, onboarding responses, compliance scores, risks, policies, breach records, and similar content you choose to store.
  • Technical data: IP address, device/browser type, logs required for security and debugging, and cookies or similar technologies as described below.
  • Billing data: where you subscribe to paid plans, payment-related metadata processed by Paystack (we do not store full card numbers on KomplyZA servers).

4. Purpose and lawful basis

We process personal information to:

  • Provide, operate, and secure the Service;
  • Authenticate users and manage organisations and subscriptions;
  • Generate AI-assisted outputs where you request them (processed server-side only);
  • Send transactional emails (for example verification and account notices) via Resend;
  • Meet legal obligations and respond to lawful requests;
  • Improve reliability and security (monitoring, abuse prevention).

Where POPIA applies, we rely on appropriate lawful grounds including consent (where required), performance of a contract, legitimate interests balanced against your rights, and legal obligation.

5. Hosting and cross-border transfer

Primary hosting for application data is Supabase (PostgreSQL, Auth, Storage) in the European Union (Frankfurt) region. The EU is recognised as offering adequate protection under POPIA for transfers subject to appropriate safeguards and transparency.

Some sub-processors may process data in other regions according to their terms (for example AI or email). We use contractual measures and vendor diligence aligned with POPIA.

See also our Security & trust page for an overview of sub-processors.

6. Operators and your instructions

Where you use KomplyZA to process personal information about your own customers or employees, you are typically the responsible party for that information and KomplyZA acts as your operator only to the extent we process personal information on your documented instructions through the Service features you enable.

7. Retention

We retain personal information only as long as needed for the purposes above, including legal, accounting, and dispute resolution requirements. You may request deletion of your account subject to lawful retention (for example audit logs where applicable).

8. Security

We implement reasonable technical and organisational measures, including encryption in transit (HTTPS), access controls, separation of privileged credentials from the browser environment, and auditing of sensitive actions where implemented in product design.

9. Your rights (POPIA)

Subject to POPIA, you may have the right to:

  • Request access to personal information we hold about you;
  • Request correction or deletion where applicable;
  • Object to processing in prescribed circumstances;
  • Lodge a complaint with the Information Regulator of South Africa.

Contact us at privacy@komplyza.com. You may also contact the Information Regulator at complaints.IR@inforegulator.org.za.

10. Cookies

We use strictly necessary cookies and similar technologies required for authentication and session security. Analytics or non-essential cookies, if introduced, will be described here and, where required, gated behind consent.

11. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or by email where appropriate.

12. Related documents
