LetsComply

Lets Comply Privacy Policy

In Terms of the Protection of Personal Information Act 4 of 2013 (POPIA)

Version: 1.0
Effective Date: March 2026
Review Date:
Approved By: Board of Directors
Date of Last Review:

1. Introduction

1.1. Lets Comply (Pty) Ltd ("Lets Comply", "we", "us", or "our") is a compliance firm with a clear and unwavering purpose: to turn compliance into a catalyst for business growth rather than a hurdle. We believe that when done right, compliance empowers businesses to operate with confidence, resilience, and integrity.

1.2. We are committed to protecting your privacy and handling your personal information responsibly, transparently, and in full compliance with the Protection of Personal Information Act 4 of 2013 ('POPIA' or 'the Act'). This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you interact with us as a client, prospective client, supplier, or visitor to our website.

1.3. By engaging with Lets Comply, accessing our website, or providing your personal information to us, you acknowledge that you have read and understood this Privacy Policy. We encourage you to read this document carefully. If you have any questions or concerns, please contact our Information Officer using the details set out in Section 4 below.

2. Definitions

In this Privacy Policy, the following terms shall have the meanings ascribed to them below:

  • "Competent Person" means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.
  • "Consent" means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.
  • "Data Subject" means the natural or juristic person to whom personal information relates.
  • "Information Officer" means the head of Lets Comply or any duly authorised person responsible for ensuring compliance with POPIA, and registered with the Information Regulator.
  • "Operator" means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of the responsible party.
  • "Personal Information" has the meaning ascribed to it in POPIA and includes any information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, including but not limited to name, identity number, contact details, financial information, and location information.
  • "POPIA" or "the Act" means the Protection of Personal Information Act 4 of 2013, as amended from time to time.
  • "Processing" means any operation or activity, automated or not, concerning personal information, including collection, receipt, recording, organisation, storage, updating, modification, retrieval, alteration, consultation, use, dissemination, distribution, merging, linking, restriction, degradation, erasure, or destruction of information.
  • "Responsible Party" means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. Lets Comply is the Responsible Party in respect of personal information processed under this Policy.
  • "Special Personal Information" means personal information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour.
  • "Third Party" means any person other than the Data Subject, the Responsible Party, or the Operator.
  • "Website" means the Lets Comply website accessible at https://letscomply.africa/.

3. Purpose of this Privacy Policy

3.1. The purpose of this Privacy Policy is to:

  1. Inform you of your rights as a Data Subject in terms of POPIA;
  2. Explain why and how Lets Comply collects and processes your personal information;
  3. Describe the safeguards we have put in place to protect your personal information;
  4. Set out the conditions under which we may share your personal information with third parties;
  5. Explain how long we retain your personal information and the procedures for its deletion or destruction;
  6. Provide you with the contact details of our Information Officer should you wish to exercise your rights or lodge a complaint.

3.2. Lets Comply is committed to the lawful, fair, and transparent processing of personal information. We collect and process personal information only for specific, explicitly defined, and lawful purposes, and we do not process personal information in a manner that is incompatible with those purposes.

4. Contact Details

4.1. Lets Comply has appointed a dedicated Information Officer who is responsible for ensuring compliance with POPIA and for addressing any queries, requests, or complaints related to personal information. A full description of the Information Officer's duties and responsibilities can be found in Annexure F of this Policy.

4.2. If you wish to contact us regarding any privacy matter, please use the following details:

Company Name: Lets Comply (Pty) Ltd
Registration No.: 2025 / 311761 / 07
Information Officer: Prenisha Naidoo
Postal Address: LOT 1022, 10 Woodford Road, Freeland Park, Kwa-Zulu Natal, 4180
Email Address: Hello@letscomply.africa
Telephone: 071 875 8548
Website: https://letscomply.africa/

4.3. The Information Regulator of South Africa may also be contacted for any concerns that cannot be resolved directly with Lets Comply:

Information Regulator: The Information Regulator (South Africa)
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email (complaints): complaints.IR@justice.gov.za
Email (general): inforeg@justice.gov.za

5. Scope

This Privacy Policy applies to:

  • All personal information collected and processed by Lets Comply in connection with the services it provides;
  • All natural and juristic persons whose personal information is processed by Lets Comply, including clients, prospective clients, suppliers, service providers, and website visitors;
  • All processing activities carried out by Lets Comply whether through manual, electronic, or automated means;
  • All operators and third parties who process personal information on behalf of Lets Comply pursuant to a written agreement.

This Policy must be read in conjunction with any specific data processing agreements, consent forms, or other agreements entered into between Lets Comply and any Data Subject.

6. Why We Process Your Personal Information

6.1. Lets Comply processes personal information for specific, lawful, and legitimate purposes. We will only process your personal information if there is a lawful basis for doing so, including for the following purposes:

  1. Providing compliance consulting, advisory, and related professional services to clients;
  2. Managing and administering client relationships, including onboarding, contract management, and service delivery;
  3. Sending clients information about annual regulatory returns, compliance reviews, regulatory deadlines, legislative updates, and other compliance-related matters for which we have obtained consent;
  4. Conducting direct marketing activities in accordance with POPIA and only where we have obtained the required consent (see Section 15 below);
  5. Processing payments, quotes, invoicing, and financial record-keeping;
  6. Complying with legal and regulatory obligations, including tax, audit, and anti-money laundering requirements;
  7. Responding to queries, complaints, and requests from Data Subjects;
  8. Improving our services, website, and client experience through analytics;
  9. Managing and securing our IT infrastructure;
  10. Preventing, detecting, and investigating fraud, cybercrime, and other unlawful activities.

7. What Personal Information We Process

The categories of personal information we collect and process will depend on the nature of your relationship with Lets Comply. We collect only the minimum information necessary to fulfil the purposes described in this Policy.

7.1 Specific Personal Information Processed

Depending on your engagement with Lets Comply, we may process the following specific categories of personal information:

7.1.1. Clients and Prospective Clients

  1. Full name, title, and identity number or registration number;
  2. Contact details including email address, telephone number, and physical/postal address;
  3. Company name, registration number, VAT number, and industry sector;
  4. Financial information required for quoting, billing, invoicing, or payment processing;
  5. Regulatory and compliance information provided in the course of service delivery;
  6. Communication records including emails, meeting notes, and correspondence;
  7. Documentation provided in connection with compliance mandates.

7.1.2. Suppliers and Service Providers

  1. Company name and registration details;
  2. Contact person name and contact details;
  3. Banking details for payment processing;
  4. Tax compliance documentation.

7.1.3. Website Visitors

  1. IP address and device information;
  2. Browser type, language, and settings;
  3. Pages visited, time spent, and navigation patterns;
  4. Query or contact form submissions;
  5. Cookie and tracking data (see Section 7.3 below).

7.2 Information Automatically Collected

7.2.1. When you visit our website or interact with our digital platforms, certain information is automatically collected through technical means. This may include:

  1. Internet Protocol (IP) address and approximate geographic location;
  2. Device type, operating system, and browser information;
  3. Referring URLs and search terms;
  4. Pages viewed, links clicked, and time spent on pages;
  5. Session identifiers and unique device identifiers.

7.2.2. This information is collected primarily through cookies and similar tracking technologies. It helps us understand how our website is used, identify technical issues, and improve user experience. Where required by law, we will obtain your consent before placing non-essential cookies on your device.

7.3 Information Collected Through Online Advertising

7.3.1. Lets Comply may use online advertising platforms such as Google Ads, LinkedIn Ads, and similar services to promote our compliance services. Through these platforms, certain data about your interactions with our advertisements may be collected, including:

  1. Ad impressions, clicks, and conversions;
  2. Remarketing audience data based on prior website visits;
  3. Aggregated demographic and interest data provided by advertising platforms.

7.3.2. Such data is typically processed by the advertising platforms on our behalf as operators. We do not use online advertising to collect Special Personal Information. Where we use pixels, tracking codes, or similar technologies, this will be disclosed in our Cookie Policy available on our website. You may opt out of interest-based advertising at any time through the advertising platform's settings or through industry opt-out tools.

8. Who Do We Share Your Personal Information With?

Lets Comply does not sell, rent, or trade your personal information to third parties. We may share your personal information only in the following circumstances and with the following categories of recipients:

8.1 Operators

We engage third-party service providers who process personal information on our behalf as operators, including:

  • Cloud hosting and IT infrastructure providers;
  • Accounting, invoicing, and payment processing service providers/platforms;
  • Email and communication platform providers.

All operators are required to enter into written operator agreements with Lets Comply and are contractually obligated to process personal information only on our instructions and in accordance with POPIA.

8.2 Regulatory and Legal Authorities

We may disclose personal information to regulatory authorities, bargaining councils, Ombud Schemes, law enforcement agencies, or courts if required to do so by law, court order, or regulatory directive, or where we have a good-faith belief that disclosure is necessary to protect the rights, property, or safety of Lets Comply, our clients, or the public.

8.3 Professional Advisors

We may share personal information with our auditors, legal counsel, insurers, and other professional advisors as reasonably necessary to obtain their advice and services, subject to obligations of confidentiality.

8.4 With Your Consent

We may share your personal information with other third parties where you have provided your explicit consent to such sharing.

9. Information Security

Lets Comply takes the security of your personal information seriously and implements appropriate, reasonable technical and organisational measures to protect personal information against loss, damage, unauthorised access, disclosure, interference, and destruction, as required by POPIA. The security safeguards we deploy include, but are not limited to, the following:

9.1 Technical Safeguards

  1. Secure, firewalled servers and network infrastructure hosted with reputable, POPIA-compliant cloud service providers;
  2. Two-factor authentication;
  3. Password-protected access.

9.2 Organisational Safeguards

  1. A formally adopted Privacy Policy governing the management of personal information;
  2. Mandatory information security and POPIA awareness training for all staff and Directors who handle personal information;
  3. A dedicated Information Officer to oversee POPIA compliance;
  4. Formal data breach response procedures including incident identification, containment, assessment, and notification protocols as set out in the Privacy Policy.

9.3 Physical Safeguards

  1. Paperless environment with no physical records;
  2. Clean desk and clear screen protocols.

While Lets Comply implements reasonable security measures, no electronic transmission or storage system can be guaranteed to be 100% secure. If you believe your personal information has been compromised, please contact our Information Officer immediately using the details in Section 4.

10. Planned Transborder Flows of Information

10.1. Lets Comply may need to transfer personal information to recipients located outside of South Africa in certain circumstances, including where we use cloud service providers, software platforms, or professional advisors that are based or operate internationally.

10.2. In accordance with POPIA, we will only transfer personal information to a foreign jurisdiction if:

  1. The recipient country is subject to a law that upholds principles for reasonable processing of personal information that are substantially similar to those under POPIA;
  2. The recipient has agreed to be bound by data protection obligations substantially equivalent to those imposed by POPIA, including through binding contractual clauses or an operator agreement;
  3. The Data Subject has consented to the transfer;
  4. The transfer is necessary for the performance of a contract between Lets Comply and the Data Subject, or the implementation of pre-contractual measures taken at the Data Subject's request;
  5. The transfer is in the public interest or is required by law.

10.3. Where personal information is transferred internationally, Lets Comply takes reasonable steps to ensure that such transfers comply with POPIA and that appropriate safeguards are in place to protect your personal information.

11. Duration for Which Personal Information Will Be Kept

11.1. Lets Comply will retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, or reporting obligations.

11.2. After the applicable retention period has expired, personal information will be deleted or de-identified in accordance with our records management and deletion procedures, unless we are required by law to retain it for a longer period.

12. Deletion or Destruction of Personal Information

12.1. When personal information is no longer required for the purposes for which it was collected, or when the applicable retention period has expired, Lets Comply will take reasonable steps to ensure that such personal information is:

  1. Permanently deleted from electronic systems and storage media using secure deletion methods that prevent recovery;
  2. Physically destroyed in a secure manner where held in hard copy format (e.g., cross-cut shredding or certified destruction);
  3. De-identified or anonymised where appropriate, such that the information can no longer be linked to an identifiable individual.

12.2. Where personal information is held by operators or third-party service providers, Lets Comply will require such parties to delete or destroy the information in accordance with agreed data retention schedules and contractual obligations.

13. Notification of Data Breaches

13.1. In the event of a security compromise that reasonably results in, or is likely to result in, the unlawful access to or acquisition of personal information, Lets Comply will:

  1. Identify and contain the breach as quickly as possible upon becoming aware of the incident;
  2. Assess the nature, scope, and likely impact of the breach on affected Data Subjects;
  3. Notify the Information Regulator of South Africa as soon as reasonably possible, using the prescribed form;
  4. Notify affected Data Subjects as soon as reasonably possible after taking steps to determine the scope of the compromise, unless the Information Regulator directs otherwise;
  5. Document the breach, the steps taken to address it, and lessons learned, and retain such records for the minimum prescribed period.

13.2. Notifications to Data Subjects will include, at minimum:

  1. A description of the possible consequences of the security compromise;
  2. A description of the measures taken or proposed to address the compromise;
  3. A recommendation regarding the steps to be taken by the Data Subject to mitigate the possible adverse effects of the compromise.

13.3. If you believe that your personal information held by Lets Comply has been compromised, please contact our Information Officer immediately using the contact details set out in Section 4.

14. Information Quality

14.1. Lets Comply takes reasonable steps to ensure that personal information we collect and process is complete, accurate, not misleading, and updated where necessary, having regard to the purpose for which it is collected and further processed.

14.2. You play an important role in ensuring the accuracy of your personal information. We request that you:

  1. Provide accurate, complete, and up-to-date personal information when engaging with Lets Comply;
  2. Notify us promptly if any of your personal information changes or becomes inaccurate;
  3. Use the contact details in Section 4 to request corrections to any inaccurate or incomplete personal information we hold about you.

14.3. Lets Comply will not be responsible for decisions made based on inaccurate personal information provided by or on behalf of the Data Subject.

15. Direct Marketing and Marketing Consent

Lets Comply may wish to send you information about our compliance services, products, regulatory updates, annual regulatory returns, legislative changes, compliance reviews, and other compliance-related matters that may be of benefit to your business.

15.1 Obtaining Consent

In accordance with POPIA, Lets Comply will only send you electronic direct marketing communications if you have provided your explicit, informed, and freely given consent to receive such communications. We will:

  1. Request your consent through a clear and unambiguous opt-in mechanism, such as a consent form, checkbox, or written agreement;
  2. Clearly describe the type of communications you are consenting to receive at the time of obtaining consent;
  3. Record the date, method, and scope of your consent and retain this record for as long as required;
  4. Never pre-tick consent boxes or use default consent mechanisms.

15.2 What We May Send You

Where you have provided your consent, we may send you communications including:

  1. Reminders about annual regulatory return deadlines and filing obligations applicable to your industry;
  2. Updates on legislative or regulatory changes that may affect your compliance obligations;
  3. Invitations to compliance reviews, audits, or assessments offered by Lets Comply;
  4. Information about new compliance services, tools, or resources;
  5. Compliance tips and newsletters;
  6. Event invitations, webinars, and training opportunities;
  7. Other compliance-related information relevant to your business sector.

16. Rights of Data Subjects

POPIA grants Data Subjects specific rights in relation to their personal information. Lets Comply is committed to upholding these rights and facilitating their exercise. The rights available to you are described below:

16.1 The Right to Access Personal Information

16.1.1. You have the right to request confirmation of whether Lets Comply holds personal information about you, and to request access to that information. Specifically, you are entitled to:

  1. Be informed whether Lets Comply holds personal information about you;
  2. Request a description of the personal information held and the categories thereof;
  3. Obtain a copy of the personal information held about you;
  4. Be informed of the identity of all third parties who have or have had access to your personal information.

16.1.2. Requests for access to personal information must be made in accordance with the procedure set out in Section 17 below and will be addressed within the time frames prescribed by the Promotion of Access to Information Act 2 of 2000 (PAIA).

16.2 The Right to Object to the Processing of Personal Information

16.2.1. You have the right to object to the processing of your personal information free of charge and on reasonable grounds, if you have a compelling legitimate interest overriding our grounds for processing. You may object to processing in the following circumstances:

  1. Where the processing is based on Lets Comply's legitimate interests, and your interests, rights, and freedoms override those interests;
  2. Where the processing is for direct marketing purposes;
  3. Where processing is carried out for the purposes of research or statistical analysis.

16.2.2. If you wish to object to the processing of your personal information, you must complete Annexure B and submit it to the Lets Comply Information Officer, whose details can be found in Section 4 of this Policy.

16.2.3. Where you object to processing, Lets Comply will review your objection and cease processing unless we have compelling legitimate grounds for the processing that override your rights, or the processing is necessary for the exercise or defence of legal claims.

16.3 The Right to Have Personal Information Corrected or Deleted

16.3.1. You have the right to request that Lets Comply correct, update, or delete your personal information free of charge in the following circumstances:

  1. The personal information is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully;
  2. Lets Comply is no longer authorised to retain the personal information;
  3. The processing of the personal information for the relevant purpose is no longer necessary;
  4. You withdraw your consent and there is no other lawful basis for processing.

16.3.2. If you wish to request a correction or deletion of your personal information or the destruction or deletion of a record of your personal information, you must complete Annexure C and submit it to the Lets Comply Information Officer, whose details can be found in Section 4 of this Policy.

16.3.3. Lets Comply will, within a reasonable time but no later than 30 days after receiving a correction or deletion request, correct, destroy, or delete the information as appropriate and, where the information has been shared with third parties, take reasonable steps to inform them of the correction or deletion.

16.4 The Right to Change Your Marketing Preferences

16.4.1. You have the right to withdraw your consent to receive direct marketing communications from Lets Comply at any time, free of charge and without providing a reason, by:

  1. Sending a written request to our Information Officer at Hello@letscomply.africa;
  2. Contacting us by telephone using the details set out in Section 4.

16.4.2. Upon receipt of your opt-out request, Lets Comply will process your request as soon as reasonably practicable and within the timeframe required by law. Please note that if you opt out of marketing communications, you may still receive transactional or service-related communications that are necessary for the performance of our contractual obligations to you.

17. Request Access to Personal Information Procedure

17.1. To exercise your right of access to personal information held by Lets Comply, please follow the procedure below:

  1. Complete a Request for Access to Personal Information Form (Annexure A).
  2. Submit the completed form to the Information Officer using the contact details set out in Section 4.
  3. Include sufficient information to enable us to identify you and locate the relevant personal information.
  4. Where legislation allows, we may charge an administrative fee, but we will always inform you of any cost before performing your request.
  5. Lets Comply will acknowledge receipt of your request and respond within 30 days of receiving the request, or such extended period as may be permitted by PAIA.
  6. We may ask you to provide proof of identity before processing your request to protect against unauthorised disclosure.

17.2. Please note that Lets Comply may decline to provide access to personal information in certain circumstances permitted by PAIA, including where disclosure would:

  1. Unreasonably disclose personal information of a third party;
  2. Reveal information that is subject to legal professional privilege;
  3. Prejudice commercial confidentiality;
  4. Be contrary to any law or court order.

Where access is refused, Lets Comply will provide written reasons for the refusal and inform you of your right to appeal or seek review of the decision.

18. Complaints

18.1. If you believe that Lets Comply has infringed your rights under POPIA or has otherwise failed to process your personal information in accordance with this Privacy Policy, you may submit a complaint by:

  1. Completing Annexure D and submitting it to our Information Officer at Hello@letscomply.africa;
  2. We will acknowledge your complaint within 5 business days of receipt and will endeavour to investigate and resolve it within 30 business days, or such extended period as may be required depending on the complexity of the matter. We will keep you informed of the progress of the investigation.

18.2. If you are not satisfied with our response to your complaint, or if you believe your complaint has not been adequately addressed, you have the right to lodge a complaint directly with the Information Regulator of South Africa by:

  1. Completing Annexure E and submitting it to the Information Regulator at complaints.IR@justice.gov.za.

18.3. Alternatively, you may approach a court of competent jurisdiction for relief. We encourage you to contact us in the first instance to allow us the opportunity to address your concerns.

19. Conclusion

Lets Comply is committed to the responsible, transparent, and lawful processing of personal information. The protection of your privacy is not simply a legal obligation for us — it is a reflection of our core values and our commitment to operating with integrity in all that we do.

We will continue to review and update this Privacy Policy to reflect changes in the law, our business practices, and technological developments.

By engaging with Lets Comply, you confirm that you have read and understood this Privacy Policy and that you are aware of your rights as a Data Subject. If you have any questions about how we handle your personal information, please do not hesitate to contact our Information Officer using the contact details provided in Section 4.

20. Policy Review

This policy will be reviewed at least annually or on an ad hoc basis where there are regulatory or operational business changes.

Name of Policy: Privacy Policy
Version No.: V1.0
Reason for change: New Policy
Author: Prenisha Naidoo
Approver: Suzette Neuhoff, Rudolf Bezuidenhout, Prenisha Naidoo
Approver signature: Signed copies available on request
Effective Date: 1 March 2026