Version: 3.1.0 | Effective Date: 2026-03-11
Our POPIA Commitment: MyProtektor is fully committed to complying with the Protection of Personal Information Act, 2013 (Act 4 of 2013) ("POPIA"). We process personal information responsibly, transparently, and in accordance with all eight conditions for lawful processing established by the Act. This statement explains how we meet each of those conditions and how you can exercise your rights as a data subject.
1. About This Statement
MyProtektor is a cloud-based security guard management platform operated by Mike Roth, Founder, Michael-Gaismayr-Strasse 52b, 6900 Bregenz, Austria, European Union. We act as a responsible party within the meaning of POPIA when we determine the purpose and means of processing personal information through our platform. In certain contexts, where security firms use our platform to manage data about their employees and clients, we act as an operator processing personal information on behalf of the security firm, which serves as the responsible party.
This POPIA Compliance Statement supplements our Privacy Policy and Security Policy. It specifically addresses our compliance with the eight conditions for lawful processing of personal information as defined in Chapter 3 of POPIA.
2. Personal Information We Process
In the course of providing our security management services, we process the following categories of personal information:
- Identity Information: Full names, email addresses, phone numbers, and profile photographs of security firm owners, administrators, guards, and clients.
- Location Data: Real-time GPS coordinates of on-duty security guards, incident locations, patrol route traces, and property addresses managed within the platform.
- Security Incident Records: Incident descriptions, severity classifications, photographic evidence, timestamps, assigned personnel details, and resolution notes.
- Employment-Related Data: Role assignments, shift schedules, patrol check-in records, and performance metrics for security guards within an organisation.
- Billing Information: Subscription plan details, transaction history, and payment method identifiers (processed securely by Stripe; we do not store full card numbers).
- Technical Data: Device identifiers, IP addresses, browser types, operating system versions, and application usage analytics.
3. The Eight POPIA Conditions and Our Compliance
3.1 Condition 1: Accountability
The accountability condition requires a responsible party to ensure that all conditions for lawful processing are complied with at the time of determining the purpose and means of processing and during the processing itself.
How we comply: Mike Roth, as founder and operator of MyProtektor, serves as the Information Officer responsible for ensuring POPIA compliance across all platform operations. We maintain documented data processing policies, conduct regular compliance reviews, and have implemented technical and organisational measures to ensure that personal information is processed lawfully at every stage. Our Privacy Policy, Security Policy, and this Compliance Statement form part of our accountability framework and are publicly available on our website.
3.2 Condition 2: Processing Limitation
Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject. It may only be processed if a valid justification exists, such as consent, contractual necessity, legal obligation, or legitimate interest.
How we comply: We process personal information only when we have a lawful basis for doing so. For the majority of our processing activities, the lawful basis is contractual necessity: we need to process the information to provide the security management services that our customers have subscribed to. Where consent is required, such as for marketing communications, we obtain clear, informed, and voluntary consent and provide easy mechanisms to withdraw it. We do not collect personal information that is not necessary for the stated purposes of our Service.
3.3 Condition 3: Purpose Specification
Personal information must be collected for a specific, explicitly defined, and lawful purpose. Records of personal information must not be retained for longer than is necessary to achieve that purpose.
How we comply: We clearly state the purposes for which we collect personal information in our Privacy Policy. These purposes include providing security management services, facilitating incident response, enabling patrol verification, processing payments, and communicating with users about their accounts. Data retention periods are defined for each category of information, and we delete or anonymise personal information once the retention period expires or when it is no longer needed for its original purpose.
3.4 Condition 4: Further Processing Limitation
Personal information must not be processed for a purpose that is incompatible with the purpose for which it was originally collected, unless the data subject consents or the further processing is permitted under one of the exemptions in POPIA.
How we comply: We do not repurpose personal information for uses that are incompatible with the original collection purpose. If we need to use personal information for a new purpose that was not originally disclosed, we will notify affected data subjects and, where necessary, obtain fresh consent. Aggregated and anonymised data used for analytics and platform improvement does not constitute further processing of personal information because it cannot be linked back to identifiable individuals.
3.5 Condition 5: Information Quality
A responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading, and updated where necessary.
How we comply: Users can update their own profile information, contact details, and organisational settings through the platform at any time. Organisation administrators can maintain the accuracy of guard and client records under their management. We provide tools for data export and review so that responsible parties using our platform can verify the accuracy of the information they hold. Automated data validation checks are applied during data entry to prevent obviously incorrect information from being recorded.
3.6 Condition 6: Openness
A responsible party must maintain documentation of all processing activities and ensure that data subjects are aware of the collection and processing of their personal information.
How we comply: This POPIA Compliance Statement, our Privacy Policy, and our Security Policy are publicly available on our website. New users are presented with our Privacy Policy during the registration process and must acknowledge it before creating an account. When we make material changes to our data processing practices, we notify existing users by email and update the relevant policy documents. We maintain internal records of our processing activities as required by Section 14 of POPIA.
3.7 Condition 7: Security Safeguards
A responsible party must secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised access, or unlawful processing.
How we comply: We implement comprehensive technical security measures including AES-256 encryption at rest, TLS 1.2+ encryption in transit, Ed25519 cryptographic signatures for QR patrol verification, role-based access controls enforced at the UI, API, and database layers, multi-factor authentication support, automated security monitoring with real-time alerting, and regular security assessments. Our full security practices are documented in our Security Policy. We have a documented incident response plan and will notify the Information Regulator and affected data subjects within 72 hours of confirming a data breach, as required by Section 22 of POPIA.
3.8 Condition 8: Data Subject Participation
A data subject has the right to request confirmation of whether a responsible party holds their personal information, to request access to that information, to request correction or deletion, and to object to the processing of their information.
How we comply: We respect and facilitate all data subject rights established by POPIA. You may exercise the following rights at any time:
- Right to Access: You may request confirmation of whether we hold your personal information and, if so, request a copy of that information in a commonly used electronic format.
- Right to Correction: You may request the correction or updating of any personal information that is inaccurate, incomplete, misleading, or not up to date.
- Right to Deletion: You may request the deletion of your personal information when it is no longer necessary for the purpose for which it was collected, or when you withdraw your consent (where consent was the basis for processing).
- Right to Object: You may object to the processing of your personal information on reasonable grounds, subject to the lawful processing conditions set out in POPIA.
- Right to Data Portability: Where technically feasible, you may request that your personal information be transmitted to another responsible party in a structured, commonly used, and machine-readable format.
4. Technical Security Measures
In support of Condition 7 (Security Safeguards), we implement the following technical measures to protect personal information:
- Infrastructure: Hosted on enterprise-grade cloud infrastructure with ISO 27001, SOC 2, and PCI DSS certifications.
- Encryption: AES-256 at rest, TLS 1.2+ in transit, Ed25519 for QR code authentication.
- Access Control: Four-tier RBAC system enforced at UI, API, and database levels with support for multi-factor authentication.
- Monitoring: Automated security event logging, anomaly detection, and real-time alerting for suspicious activity.
- Payment Security: All payment processing is handled by PCI DSS Level 1 certified payment processors; we never store full credit card numbers.
- Backup and Recovery: Continuous automated backups with geographically distributed storage and regular restoration testing.
5. International Data Transfers
MyProtektor's infrastructure is hosted on third-party cloud services, which may process and store data in data centres located outside of South Africa. When personal information is transferred to jurisdictions outside of South Africa, we ensure that appropriate safeguards are in place in accordance with Section 72 of POPIA.
These safeguards include:
- Standard Contractual Clauses (SCCs): We rely on contractual clauses and data processing agreements with our subprocessors, which provide contractual guarantees that personal information will be protected to a standard equivalent to that required by POPIA.
- Adequate Jurisdiction: Where data is processed in jurisdictions that have been recognised as providing an adequate level of data protection, the transfer is permitted under POPIA without additional safeguards.
- Consent: Where neither SCCs nor adequacy determinations apply, we obtain explicit consent from the data subject for the cross-border transfer of their personal information.
6. How to Exercise Your Rights
To exercise any of the data subject rights described in this statement, please submit a request using one of the following methods:
- Email: Send your request to info@myprotektor.co.za with the subject line "POPIA Data Subject Request".
- In-App: Navigate to your Account Settings within the MyProtektor platform to access self-service data management tools including profile editing, data export, and account deletion.
When submitting a request, please provide sufficient information for us to verify your identity and locate your personal information. We may request additional verification, such as confirmation of your registered email address, before processing your request.
We will respond to your request within a reasonable time and no later than 30 days from receipt, as required by POPIA. If we are unable to fulfil your request, we will provide a written explanation of the reasons.
7. Information Regulator
If you are not satisfied with our response to your data subject request, or if you believe that we have processed your personal information in a manner that violates POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa:
- Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- Postal Address: P.O. Box 31533, Braamfontein, Johannesburg, 2017
- Phone: 010 023 5207
- Email: enquiries@inforegulator.org.za
- Website: https://www.justice.gov.za/inforeg/
8. Updates to This Statement
We may update this POPIA Compliance Statement from time to time to reflect changes in our processing activities, legal requirements, or regulatory guidance. When material changes are made, we will update the version number and effective date at the top of this page and notify existing users by email. The most current version of this statement is always available on our website.
9. Contact Us
If you have any questions about this POPIA Compliance Statement, wish to exercise your data subject rights, or need to speak with our Information Officer, please contact us:
MyProtektor
Mike Roth (Founder & Information Officer)
Michael-Gaismayr-Strasse 52b
6900 Bregenz, Austria
European Union
Email: info@myprotektor.co.za
Website: www.myprotektor.co.za
Service Limitations
MyProtektor is a software platform for the coordination and documentation of security-related operations. It is not a provider of security, armed response, emergency, or dispatch services, and no feature of the platform shall be construed as a guarantee of intervention, availability, or response time. In any emergency situation, the responsible public emergency services must be contacted directly.