Your privacy, in plain English.
This statement explains what personal information MHSRIP collects, why, what we do with it, and the choices you have. It is written to satisfy our obligations under the Protection of Personal Information Act, 2013 (POPIA), and — where applicable to you — the EU/UK General Data Protection Regulation (GDPR).
1. Who we are
MHSRIP (Pty) Ltd is the responsible party (POPIA) and the controller (GDPR) for the data described here.
- Information Officer / DPO (acting): Floris Olivier — privacy@mhsrip.cleva-ai.co.za
- EU representative: Not appointed at present (no establishment in the EU). Will be appointed if our regular EU-resident user base reaches the threshold under GDPR Article 27.
- Public registers: Our Records of Processing Activities are published at /strategy/ropa.html. Our sub-processor list is at /legal/SUB-PROCESSORS.md.
2. What we collect, why, and on what lawful basis
The full per-activity breakdown is in the Records of Processing Activities. Summary:
| Category | What it includes | Lawful basis | Retention |
|---|---|---|---|
| Account | Email address, name, optional profile photo | Performance of contract | Until deletion + 30 days |
| Memorial content | Photos, posts, biographical detail you upload to a garden | Legitimate interest (memorialisation), with administrator consent on creation | Indefinite (this is what we exist for); deletable on request |
| Authentication (OTP) | Email + hashed one-time code | Performance of contract | 10 minutes per code |
| Visitor "Garden Key" | Email + pseudonymous cookie token | Consent + legitimate interest | 30 days from last interaction |
| Tribute payments | Stripe-tokenised card identifier (no PAN), email, transaction amount | Performance of contract | 7 years (financial obligations) |
| RSVP memory messages | Free-text message, optional name + email, IP for rate-limit only | Consent | Until administrator deletes |
| Audit log | Administrative actions, IP, user-agent, timestamp | Legal obligation (accountability) | 7 years on-line; archived thereafter |
| Region detection | Inferred country code from IP (offline lookup) | Legitimate interest | 90-day cookie |
| Backups | Encrypted database snapshots | Legitimate interest (operational integrity) | Daily 14d / weekly 8w / monthly 12m |
3. Who we share it with (sub-processors)
We share data with a limited set of trusted sub-processors, each under a written agreement. The canonical list is at /legal/SUB-PROCESSORS.md. In summary:
- Cleva AI SMTP — outbound email delivery (ZA, domestic).
- Cloudflare — CDN, DDoS protection, TLS, Turnstile CAPTCHA, GeoIP. Transfer mechanism: EU SCCs + UK Addendum.
- Hetzner — application server hosting (ZA, domestic).
- Stripe (when payments are live) — payment processing. Transfer mechanism: EU SCCs + Data Privacy Framework certification.
- geoip-lite (offline DB) — local IP-to-country lookup. No data leaves our infrastructure.
We do not sell your data, ever, to anyone, for any purpose.
4. International transfers
Most of our processing is domestic (Republic of South Africa). When data does cross borders — for example, payment processing through Stripe — we rely on adequacy decisions, the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or the Data Privacy Framework, depending on the destination. The transfer mechanism for each sub-processor is listed in the sub-processor register.
5. Your rights
Under POPIA (sections 23–25) and GDPR (Articles 15–22) you have the following rights. We honour all of them.
- Access — request a JSON export of everything we hold about you. Submit via the in-product DSAR control or POST /privacy/dsar (signed-in users).
- Correction — fix inaccurate information via in-product profile edit, or email privacy@mhsrip.cleva-ai.co.za.
- Deletion — delete your account via DELETE /privacy/dsar/account or the in-product control. We anonymise immediately; backup copies are purged within 30 days. Some financial records are retained for 7 years to meet legal obligations.
- Portability — the DSAR export is a structured JSON that you can import into another service.
- Restriction / objection — limit how we use your data, or object to processing based on legitimate interest. Email us.
- Withdraw consent — at any time, without affecting the lawfulness of processing before the withdrawal.
- Lodge a complaint — Information Regulator (South Africa): inforegulator.org.za. EEA Data Subjects: contact your local supervisory authority.
6. Cookies
We use the smallest set of cookies that lets the platform work. The choices are surfaced in a banner the first time you visit:
- Essential — session cookie, gate-key cookie, region cookie. Required to operate the platform; cannot be disabled.
- Analytics — off by default. If enabled, we set an anonymised PostHog cookie for product analytics.
- Marketing — off by default. We do not currently use marketing cookies; the toggle is reserved for future use and will require a fresh banner before any tracking activates.
You can change your choices at any time by clearing the mhsrip_cookie_consent cookie or by emailing us.
7. Security
The technical and organisational measures protecting your data are detailed in DPA — Schedule 2. In summary:
- TLS 1.2+ for every page; HSTS preload.
- Email-OTP authentication — no passwords on the platform.
- At-rest disk encryption on the application server.
- Append-only audit log of every administrative action.
- Rate limiting on public endpoints.
- Daily backups, weekly restore-test, off-site copies.
- Sub-processors vetted and bound by written DPAs.
8. Children
MHSRIP is intended for adults (18+) and for the parents or legal guardians of minors. We do not knowingly collect data directly from children. If you believe a child has supplied us data without verifiable parental consent, contact us and we will delete it.
9. Changes to this policy
We will post any change to this policy on this page and, if the change is material, we will email all administrators 14 days before it takes effect. The effective date below is updated whenever the page changes.
10. Contact
For any privacy question or data-subject request, email privacy@mhsrip.cleva-ai.co.za. We respond to valid requests within 30 days (POPIA) or 1 month (GDPR), whichever is shorter.
Effective date: 2026-04-29 · Version 2.0 · Supersedes the prior privacy statement of April 2026.