Privacy Policy

1. Introduction

This Privacy Policy outlines how we collect, use, disclose, and protect your personal information in compliance with the Protection of Personal Information Act 4 of 2013 & 2021 (POPIA) in South Africa, as our primary legal framework. Additionally, this Policy incorporates elements to ensure secondary compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 for data subjects in the European Union or where applicable. We are committed to safeguarding your privacy and processing personal information lawfully, transparently, and responsibly.

For the purposes of this Policy, "personal information" shall have the meaning ascribed to it under POPIA, which includes any information relating to an identifiable natural or juristic person, such as name, contact details, identification numbers, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. Under GDPR, this aligns with the definition of "personal data."

We act as the responsible party (under POPIA) or data controller (under GDPR) in respect of your personal information.

2. Information We Collect

We may collect the following types of personal information:

• Automatically Collected Information: When you access our website or applications, we may automatically collect data such as IP addresses, browser type, device information, operating system, access times, and pages viewed. This may include data from public accessible means, such as logs of public interactions or analytics tools.
• Information Provided by You: Data you voluntarily provide through our website or applications, including but not limited to name, email address, telephone number, postal address, identification details, payment information (if applicable), and any other details submitted via forms, registrations, inquiries, or account creation.
• Sensitive or Special Personal Information: We do not routinely collect sensitive information (e.g., private services sites, racial or ethnic origins, political opinions, religious beliefs, health data, or criminal records) unless it is necessary for a specific purpose and with your explicit consent, or as permitted by law.

We limit collection to what is necessary for our legitimate purposes and obtain it directly from you, with your express authorisation where possible.

3. How We Collect Information

Personal information is collected through:

• Direct submissions via website forms, applications, or communications.
• Automated technologies, such as cookies, web beacons, OAuth logins or tracking pixels, which may collect usage data. For details on cookies, refer to our Cookies Policy [if applicable, hyperlink or reference].
• Publicly available sources, to the extent lawful and relevant.

Under GDPR, we ensure that automated processing does not lead to decisions producing legal effects or similarly significant impacts without human intervention, unless consented to or necessary.

4. Purposes and Legal Basis for Processing

We process personal information for the following purposes:

• To provide, maintain, and improve our services, website, and applications.
• To respond to inquiries, process transactions, or fulfil requests.
• To communicate with you, including sending newsletters, updates, or marketing materials (with your consent where required).
• For internal operations, such as analytics, auditing, fraud prevention, and compliance.
• To comply with legal obligations, resolve disputes, or enforce agreements.
• Application functionalities you utilise.

Under POPIA, processing is justified based on consent, contractual necessity, legal obligations, or legitimate interests (balanced against your rights).

Under GDPR, the legal bases include:

• Consent (e.g., for marketing).
• Performance of a contract (e.g., service delivery).
• Legitimate interests (e.g., website security).
• Legal obligations (e.g., regulatory reporting).

We will not process information for incompatible purposes without further notice or consent.

5. Sharing and Disclosure of Information

We may share personal information with:

• Service providers, such as hosting companies, payment processors, or analytics firms, bound by confidentiality and data protection agreements.
• Affiliates or business partners, where necessary for service provision.
• Regulatory authorities, law enforcement, or courts, as required by law.
• In the event of a merger, acquisition, or asset sale, with notice to you.

We do not sell personal information. Sharing is limited to what is necessary, and we ensure recipients comply with POPIA and, where applicable, GDPR. For EU data subjects, we use standard contractual clauses or other approved mechanisms for transfers outside the EEA.

6. International Transfers

As a South African entity, data is primarily processed in South Africa. However, we may transfer information to service providers in other countries, including the EU or elsewhere. We ensure adequate safeguards, such as binding corporate rules or standard data protection clauses, to protect transfers in line with POPIA (Section 72) and GDPR (Chapter V). We store EU based user information on EU based servers only.

7. Data Security

We implement reasonable technical, organizational, and administrative measures to protect personal information from unauthorized access, loss, misuse, alteration, or destruction. These include encryption, access controls, firewalls, and regular security assessments. However, no system is entirely secure, and we cannot guarantee absolute security.

In the event of a data breach, we will notify affected individuals and relevant authorities as required under POPIA (via the Information Regulator) and GDPR (via supervisory authorities and data subjects where high risk).

8. Data Retention

We retain personal information only as long as necessary for the purposes outlined, or as required by law (e.g., tax or accounting obligations). Thereafter, it is securely deleted or anonymized. Retention periods vary by data type; for example, transaction data may be kept for 7 years under South African tax laws.

9. Your Rights

Under POPIA and GDPR, you have the following rights regarding your personal information:

• Access: Request confirmation of processing and access to your data.
• Rectification: Correct inaccurate or incomplete information.
• Erasure (Right to be Forgotten): Request deletion where no longer necessary or consent is withdrawn, subject to legal exceptions.
• Restriction: Limit processing in certain circumstances.
• Objection: Object to processing based on legitimate interests or for direct marketing.
• Data Portability: Receive your data in a structured, machine-readable format.
• Withdraw Consent: At any time, without affecting prior processing.
• Lodge a Complaint: With the Information Regulator in South Africa (details: inforeg@justice.gov.za) or your local GDPR supervisory authority.

To exercise these rights, contact us at support@loopworks.io. We will respond within a reasonable timeframe (typically 30 days under GDPR, or as per POPIA). Verification of identity may be required.

10. Children's Information

Our services are not directed at children under 16. We do not knowingly collect personal information from minors without parental consent. If we become aware of such collection, we will delete it promptly.

11. Changes to This Policy

We may update this Policy to reflect changes in practices or legal requirements. Updates will be posted on our website with the effective date. Continued use constitutes acceptance. For material changes, we will provide prominent notice.

12. Contact Us

For questions, complaints, or to exercise rights, contact our Information Officer/Data Protection Officer at:

Loopworks PTY Ltd, Email: support@loopworks.io

Effective Date: 12-10-2021