POPIA compliance, in plain language.

In line with section 55 of POPIA and Regulation 4, our Information Officer has been designated, registered with the Information Regulator, and is contactable at privacy@flowuity.com.

The Information Officer is responsible for ensuring our compliance with POPIA, dealing with requests made to Flowuity in terms of the Act, working with the Information Regulator in relation to investigations, and otherwise ensuring that our processing complies with the conditions for lawful processing.

Prospective clients, founders, investors, channel partners, M&A counterparties, and government or institutional contacts who engage us through our website, progressive web application, or by direct introduction.

Existing clients and their named representatives.

Subscribers to our written publications.

Employees, contractors, and applicants for positions at Flowuity (handled under our internal Employee Privacy Notice, available on request).

Suppliers and the named representatives of supplier organisations.

Identification — name, role, organisation.

Contact — business email address, business telephone number, business postal address.

Engagement — meeting notes, contracts, invoices, project deliverables.

Technical — IP address (truncated), device and browser metadata.

We do not process special personal information unless explicitly required for an engagement and with documented consent.

To respond to enquiries, scope work, and prepare meetings.

To deliver, manage, and bill contracted engagements.

To meet legal, accounting, and tax obligations.

To operate, secure, and improve the Flowuity website and progressive web application.

To send subscribed written publications.

Internal — Flowuity staff on a need-to-know basis.

Operators — vetted sub-processors that provide infrastructure (calendar, email, storage, accounting, source control). A current list is available to clients on request.

Professional advisors — accountants, auditors, lawyers, when relevant.

Regulators or courts — where legally compelled.

Some processing is performed by sub-processors located outside the Republic of South Africa, including in the European Union, the United Kingdom, and the United States. Each sub-processor is bound by contractual provisions that require a level of protection substantially similar to that required by POPIA, as contemplated in section 72.

Technical — TLS in transit; encryption at rest; multi-factor authentication on all administrative systems; documented backup and recovery; role-based access; audit logging; vulnerability scanning.

Organisational — written information security policy; staff confidentiality undertakings; sub-processor due diligence; periodic review; documented incident response and breach notification procedure.

In the event of a compromise affecting personal information, the Information Officer will notify the Information Regulator and affected data subjects in line with section 22.

Requests for access to records held by Flowuity may be made under the Promotion of Access to Information Act, 2000 (PAIA). The applicable PAIA Manual, prescribed forms, and fees are available on request to privacy@flowuity.com.

Requests under POPIA — to access, correct, or delete personal information, or to object to processing — may be sent to the same address. We will respond within thirty calendar days.

You may, at any time, complain to the Information Regulator of South Africa, JD House, 27 Stiemens Street, Braamfontein, Johannesburg, or by email to inforeg@justice.gov.za. The Information Regulator is the supervisory authority for POPIA.

This manual and our Privacy Notice are reviewed at least annually, and after any material change to our practice, our sub-processors, or applicable law. The "Last updated" line at the top of this page reflects the most recent review.