POPIA came into full effect on 1 July 2021. TeboaTech (Pty) Ltd, as a South African company processing personal information, is legally required to comply with its provisions. We take this responsibility seriously and have built our platform with privacy by design.
1. About POPIA
The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's primary data protection legislation. It regulates how organisations collect, use, store, and share personal information about individuals (data subjects).
POPIA is enforced by the Information Regulator of South Africa. Non-compliance can result in administrative fines of up to R10 million or imprisonment of up to 10 years for serious offences.
POPIA aligns with international data protection standards including the EU's General Data Protection Regulation (GDPR), which means our compliance approach meets both South African and international requirements.
2. Responsible Party
Under POPIA, the entity that determines the purpose and means of processing personal information is called the "responsible party". TeboaTech (Pty) Ltd is the responsible party for all personal information processed through the Teboa platform and teboatech.com.
Company: TeboaTech (Pty) Ltd
Registration Number: 2025/516299/07
Country of Registration: Republic of South Africa
Contact Email: privacy@teboatech.com
3. Information Officer
POPIA requires every responsible party to designate an Information Officer responsible for ensuring compliance. Our Information Officer oversees all personal information processing activities, handles data subject requests, and liaises with the Information Regulator.
Information Officer Details
4. The Eight Conditions for Lawful Processing
POPIA sets out eight conditions that must be met for personal information to be processed lawfully. Here is how TeboaTech meets each condition:
1. Accountability
TeboaTech takes full responsibility for the personal information it processes. Our Information Officer oversees all compliance activities.
2. Processing Limitation
We only collect personal information that is necessary to provide the Teboa platform. We do not collect information beyond what is needed for the stated purpose.
3. Purpose Specification
Personal information is collected for specific, clearly defined, and lawful purposes. We do not process information in ways incompatible with those original purposes.
4. Further Processing Limitation
We do not use personal information for purposes other than those for which it was originally collected without obtaining fresh consent or legal justification.
5. Information Quality
We take reasonable steps to ensure that the personal information we hold is accurate, complete, and up to date. Users can update their information at any time.
6. Openness
We are transparent about our data practices through this notice, our Privacy Policy, and our Terms of Service. We maintain a PAIA Manual as required by law.
7. Security Safeguards
We implement appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised access, or unlawful processing.
8. Data Subject Participation
We respect and facilitate data subjects' rights to access, correct, and delete their personal information. All requests are responded to within 30 days.
5. Personal Information We Process
TeboaTech processes the following categories of personal information:
5.1 Platform Users (Teboa Account Holders)
- Name and surname
- Email address
- Business name and Shopify store URL
- Subscription and billing details (processed through our payment provider)
- Platform usage data and interaction logs
- IP address and device information
- AI agent conversation content
5.2 Shopify Store Customers (Third-Party Data Subjects)
When you connect your Shopify store to Teboa, we access and process personal information about your customers solely for the purpose of providing our service to you. This includes:
- Customer names and email addresses
- Order history and purchase data
- Delivery addresses (for order management purposes)
As the store owner, you are the responsible party for your customers' personal information. TeboaTech acts as an operator processing this data on your behalf. You are responsible for ensuring you have the lawful basis to share your customers' data with our platform and that your own privacy policy informs your customers of this.
5.3 Website Visitors (teboatech.com)
- Contact form submissions (name, email, message)
- Analytics data collected via Google Analytics (anonymised)
- Cookie data as described in our Privacy Policy
6. Lawful Basis for Processing
Under POPIA, we process personal information on the following lawful grounds:
- Contract performance: Processing necessary to deliver the Teboa platform to subscribed users
- Consent: Where you have explicitly agreed to processing, such as signing up for the platform or subscribing to communications
- Legitimate interest: Processing for platform security, fraud prevention, and service improvement where your interests do not override ours
- Legal obligation: Processing required to comply with South African law, including tax and regulatory obligations
7. Your Rights as a Data Subject
Under POPIA, you have the following rights regarding your personal information. We will respond to all requests within 30 days at no charge.
To exercise any of these rights, email our Information Officer at privacy@teboatech.com with your name, email address, and a clear description of your request.
8. Cross-Border Transfers of Personal Information
POPIA restricts the transfer of personal information to countries outside South Africa unless adequate protection is in place. TeboaTech uses third-party providers based outside South Africa, including Google (Firebase), Anthropic, and Vercel, which may involve cross-border transfers.
We ensure these transfers are lawful by:
- Entering into Data Processing Agreements (DPAs) with each provider that include POPIA-aligned data protection requirements
- Confirming that recipient countries or providers offer an adequate level of protection comparable to POPIA
- Using Standard Contractual Clauses (SCCs) where required
9. Security Safeguards
Section 19 of POPIA requires us to implement appropriate, reasonable technical and organisational measures to prevent loss, damage, or unauthorised destruction, access, or processing of personal information. Our measures include:
- TLS encryption for all data transmitted between users and the platform
- Firebase's built-in encryption for data stored at rest
- Complete workspace isolation: no data is shared between different business accounts
- Role-based access controls limiting who within TeboaTech can access production data
- Regular security reviews and vulnerability assessments
- Incident response procedures for data breaches
Breach Notification
In the event of a data breach that is likely to harm data subjects, TeboaTech will notify the Information Regulator and affected data subjects as soon as reasonably possible, and in any event within 72 hours of becoming aware of the breach, as required by POPIA Section 22.
10. Retention and Destruction of Personal Information
We retain personal information only for as long as necessary for the purpose for which it was collected, or as required by law. Our retention schedule is:
- Active account data: Retained for the duration of the subscription
- Cancelled account data: Retained for 30 days post-cancellation to allow account recovery, then securely deleted
- Shopify store data: Deleted within 30 days of store disconnection
- Contact form data: Retained for up to 12 months for support purposes
- Financial records: Retained for 5 years as required by South African tax law
When personal information is no longer required, it is securely deleted from our systems and, where applicable, we instruct our third-party processors to do the same.
11. PAIA Manual
In addition to POPIA, TeboaTech complies with the Promotion of Access to Information Act 2 of 2000 (PAIA), which grants individuals the right to request access to records held by private bodies.
Our PAIA Manual is available upon request by contacting our Information Officer at privacy@teboatech.com. This manual describes the records we hold, the procedures for requesting access, and the fees applicable to information requests.
12. Lodging a Complaint
If you believe that TeboaTech has processed your personal information in violation of POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa.
Information Regulator of South Africa
Website: inforegulator.org.za
Email: inforeg@justice.gov.za
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
We encourage you to contact us first at privacy@teboatech.com so that we can resolve your concern directly. We are committed to handling all complaints promptly and fairly.
Contact Our Information Officer
For any POPIA-related queries, access requests, or complaints, contact us directly.
Email: privacy@teboatech.com
Company: TeboaTech (Pty) Ltd, Reg No: 2025/516299/07
Information Officer: Xabiso Ngece
We will acknowledge your request within 3 business days and respond in full within 30 days as required by POPIA.