POPIA statement (South Africa)

POPIA compliance.

Last updated: April 2026

This page is our compliance statement under South Africa's Protection of Personal Information Act, 2013 (POPIA). It covers our role as a Responsible Party, your rights as a Data Subject, and how we meet POPIA's eight conditions for lawful processing.

The short version: We are registered with the Information Regulator. We collect only what we need. We don't sell or share your data. You can request access, correction, or deletion at any time.

Information Officer

Floris Olivier · memories@MHSRIP.com · Cape Town, South Africa.

Your POPIA rights

To know what personal information we hold about you.
To request correction of inaccurate or outdated information.
To request deletion (the right to be forgotten).
To object to processing for direct marketing.
To lodge a complaint with the Information Regulator if you believe we've acted improperly.

The eight POPIA conditions — how we meet them

1. Accountability

The Information Officer named above is responsible for compliance and is the contact point for all data-subject requests.

2. Processing limitation

We collect personal information lawfully, with consent, and only what is reasonably necessary for the service.

3. Purpose specification

We collect personal information for clearly stated purposes only: providing the memorial-garden service, sending operational emails, processing payments, and improving the platform.

4. Further processing limitation

We don't use personal information for purposes beyond what we originally collected it for, unless you give explicit additional consent.

5. Information quality

We take reasonable steps to ensure personal information is accurate, complete, and up to date. You can correct your information from your profile at any time.

6. Openness

This page, plus our Privacy statement, document how we handle your information. We notify you of material changes by email at least 30 days in advance.

7. Security safeguards

HTTPS / TLS on every connection.
Email-OTP authentication (no passwords to leak).
Hashed OTP codes with a short expiry window.
Daily off-site database backups.
Access controls within the team on a need-to-know basis.
Annual penetration test (from late 2026, as we scale).

If a security incident affects your data, we will notify you and the Information Regulator within 72 hours of becoming aware.

8. Data subject participation

You can exercise any of your POPIA rights by emailing memories@MHSRIP.com. We'll respond within 30 days. Most requests (download, correction, deletion) can be handled directly from your profile page.

Cross-border transfers

Some service providers (Stripe for payments, our SMTP host, Replicate for opt-in AI features) may process data outside South Africa. Where they do, we ensure they are bound by adequate data-protection commitments.

Lodge a complaint

If you believe we have acted improperly, you may complain to the Information Regulator (South Africa) — inforegulator.org.za.