POPIA Compliance
Our commitment: ChatSched is built from the ground up to comply with the Protection of Personal Information Act (POPIA). As a South African business serving South African SMEs, data sovereignty and privacy are not afterthoughts β they are core to how we operate.
What is POPIA?
The Protection of Personal Information Act (POPIA, Act 4 of 2013) is South Africa's primary data protection legislation. It governs how organisations collect, process, store, share, and destroy personal information about South African data subjects. Non-compliance can result in fines of up to R10 million and/or imprisonment.
POPIA is overseen by the Information Regulator of South Africa β an independent body with authority to investigate complaints, conduct audits, and enforce the Act.
ChatSched's Eight Conditions for Lawful Processing
POPIA requires all Responsible Parties to meet eight conditions for lawful processing. Here is how ChatSched satisfies each one:
Accountability
ChatSched has appointed an Information Officer responsible for overseeing POPIA compliance. Contact: privacy@chatsched.co.za
Processing Limitation
We collect only the minimum personal information necessary to provide the ChatSched service. No data is collected for speculative future use.
Purpose Specification
Personal information is collected for specific, explicitly defined purposes: service delivery, booking management, and business analytics. These purposes are communicated upfront.
Further Processing Limitation
Personal information is not used or shared beyond the original purpose for which it was collected. We do not sell data or use it for third-party marketing.
Information Quality
We take reasonable steps to ensure that personal information we hold is accurate, complete, and up-to-date. Users may correct their information at any time.
Openness
Our Privacy Policy and this POPIA statement are publicly accessible. Data subjects are notified of the collection of their information where required.
Security Safeguards
We implement technical and organisational measures including encryption, access controls, and regular audits to protect personal information against loss, damage, or unauthorised access.
Data Subject Participation
Data subjects may access, correct, or request deletion of their personal information. Requests are responded to within 30 days.
Roles Under POPIA
ChatSched as Responsible Party
When we process the personal information of our subscribers (business owners), ChatSched acts as the Responsible Party β we determine the purpose and means of processing and are accountable for that processing.
ChatSched as Operator
When we process the personal information of your customers on your behalf (i.e., handling WhatsApp conversations and bookings), ChatSched acts as an Operator β we process personal information only on your instructions and under a data processing agreement embedded in our Terms of Service.
You as Responsible Party
As a ChatSched subscriber, you are the Responsible Party for your customers' personal information. This means you are responsible for:
- Ensuring you have a lawful basis for collecting and processing your customers' personal information via WhatsApp.
- Informing your customers that an automated service may handle their enquiries.
- Maintaining your own POPIA compliance as a business operating in South Africa.
- Responding to your customers' rights requests (access, correction, deletion).
Data Subject Rights
POPIA grants South African data subjects the following rights, all of which ChatSched upholds:
- Right to be notified: Data subjects are informed when their personal information is collected and for what purpose.
- Right of access: Data subjects may request confirmation of whether their information is held and obtain a copy.
- Right to correction: Data subjects may request that inaccurate, irrelevant, or outdated information be corrected or deleted.
- Right to object: Data subjects may object to the processing of their information on reasonable grounds.
- Right to complain: Data subjects may lodge a complaint with the Information Regulator of South Africa.
To exercise any right, contact our Information Officer at privacy@chatsched.co.za. We respond within 30 days as required by the Act.
Cross-Border Transfers
Some of ChatSched's infrastructure and third-party service providers are located outside South Africa. Where personal information is transferred across borders, we ensure that:
- The recipient country provides an adequate level of protection, or
- Appropriate contractual safeguards (such as standard data processing agreements) are in place, or
- The data subject has consented to the transfer.
Our primary cloud infrastructure is hosted within South Africa where technically feasible. WhatsApp message processing is subject to Meta's infrastructure, which operates globally.
Security Incident Notification
In the event of a security compromise that is likely to harm data subjects, ChatSched will:
- Notify the Information Regulator as soon as reasonably possible after discovery.
- Notify affected data subjects in writing within a reasonable time.
- Include the nature of the compromise, what information was affected, and steps taken to address it.
Retention and Destruction
We retain personal information only as long as necessary for the purpose it was collected, or as required by law:
- Customer conversation data: 12 months.
- Booking and financial records: 5 years (as required by the Tax Administration Act).
- Account data: 30 days post-cancellation.
Data is destroyed or de-identified in a manner that prevents reconstruction once the retention period expires.
Information Regulator
The Information Regulator of South Africa oversees POPIA compliance. If you are unsatisfied with our handling of your personal information, you have the right to lodge a complaint:
- Website: www.justice.gov.za/inforeg
- Email: inforeg@justice.gov.za
- Tel: 012 406 4818
Contact Our Information Officer
For all POPIA-related requests, questions, or concerns:
- Email: privacy@chatsched.co.za
- WhatsApp: +27 60 000 0000
- Response time: Within 30 days as required by POPIA.