Privacy Policy

ProComply (Pty) Ltd ("ProComply", "we", "us", or "our") operates the ProComply software-as-a-service platform available at procomply.co.za. We are registered in the Republic of South Africa.

We are committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and all other applicable South African privacy legislation.

For questions about this policy, contact our Information Officer at: support@procomply.co.za

2.1 Account and Registration Data

When you register for ProComply, we collect:

• Full name and email address
• Company name, industry sector, and physical address
• Job title and role within your organisation
• Password (stored as a cryptographic hash; we never store your plain-text password)

2.2 Compliance and Operational Data

In the course of using our platform, we collect and store the data you submit, including:

• Site details, locations, and associated personnel
• OHS checklist submissions, inspection results, and compliance scores
• Issue reports, incident logs, and corrective action records
• Equipment registers and maintenance records
• Contractor details and induction records
• Attendance and access records generated via QR code check-in
• Employee and user profile information added to the platform

2.3 Usage and Technical Data

We automatically collect certain technical information when you use our platform:

• IP address and approximate geographic location
• Browser type, operating system, and device identifiers
• Pages visited, features used, and time spent on the platform
• Audit log entries (actions performed within the platform)
• Error logs and crash reports

2.4 Payment Data

Subscription payments are processed by Stripe, Inc. We do not store your full card number, CVV, or banking credentials. Stripe provides us with a tokenised reference and high-level billing status only. Stripe's privacy practices are governed by their own Privacy Policy.

We process your personal information only for the following lawful purposes:

• Service delivery: To provide, operate, and maintain the ProComply platform and all features included in your subscription.
• Account management: To create and manage your account, verify your identity, and communicate important service information.
• Billing and payments: To process subscription fees, issue invoices, and manage your billing relationship.
• Support: To respond to queries, resolve technical issues, and provide customer assistance.
• Security and fraud prevention: To detect, investigate, and prevent unauthorised access, misuse, and fraudulent activity.
• Legal compliance: To comply with applicable laws, regulations, court orders, and lawful requests from public authorities.
• Platform improvement: To analyse anonymised usage patterns and improve our product. We do not sell or share individual data for this purpose.
• Communications: To send you product updates, security notices, and (with your consent) marketing communications. You may opt out of marketing emails at any time.

Under POPIA, we process your personal information on the following grounds:

• Contract performance: Processing necessary to provide the services you have subscribed to.
• Legal obligation: Processing required to comply with applicable South African law.
• Legitimate interest: Processing for security, fraud prevention, and platform improvement, where such interests are not overridden by your rights.
• Consent: For optional marketing communications, where you have given explicit consent.

We do not sell your personal information. We share data only in the following limited circumstances:

5.1 Service Providers (Operators)

We use carefully selected third-party service providers who process data on our behalf under written data processing agreements:

• Supabase, Inc. — Database hosting, authentication, and storage. Data is hosted in their cloud infrastructure.
• Stripe, Inc. — Payment processing and subscription management.
• Vercel, Inc. — Application hosting and content delivery.
• Upstash — Rate limiting and caching infrastructure.

5.2 Legal Requirements

We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of ProComply, our users, or the public.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our platform before your data is transferred and becomes subject to a different privacy policy.

5.4 Within Your Organisation

Data submitted to ProComply by your organisation is accessible to other authorised users within your organisation's account, in accordance with the role-based access controls you configure.

Our service providers (Supabase, Stripe, Vercel) may store and process data outside the Republic of South Africa, including in the United States and the European Union. Where data is transferred across borders, we take reasonable steps to ensure adequate protection consistent with POPIA Section 72, including reliance on providers who maintain recognised certification frameworks (e.g., SOC 2, ISO 27001) and contractual safeguards.

We retain your personal information for as long as your account remains active and for a reasonable period thereafter to:

• Fulfil the purposes described in this policy
• Comply with our legal obligations (including tax and financial record-keeping requirements under South African law)
• Resolve disputes and enforce our agreements

On account cancellation or termination, we retain your compliance data (checklists, reports, incidents) for a period of 24 months to allow for regulatory audit requirements. After this period, your data is permanently deleted from our systems. You may request earlier deletion subject to our legal retention obligations.

Audit log entries are retained for 36 months to support compliance and fraud investigations.

As a data subject under POPIA, you have the following rights:

• Right of access: You may request a copy of the personal information we hold about you.
• Right to correction: You may request that we correct inaccurate or incomplete personal information.
• Right to deletion: You may request deletion of your personal information, subject to our legal retention obligations.
• Right to object: You may object to processing based on legitimate interest, including direct marketing.
• Right to data portability: You may request your data in a structured, commonly used format.
• Right to lodge a complaint: You have the right to lodge a complaint with the Information Regulator of South Africa if you believe we have processed your personal information unlawfully.

To exercise any of these rights, contact us at support@procomply.co.za. We will respond within 30 days.

The Information Regulator of South Africa can be contacted at: inforegulator.org.za

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, and destruction, including:

• TLS encryption for all data in transit
• AES-256 encryption for data at rest
• Row-level security (RLS) enforced at the database level, ensuring users can only access data belonging to their organisation
• Cryptographic checksumming of compliance submissions to detect tampering
• Multi-factor authentication availability for all accounts
• Access logging and anomaly detection
• Regular security assessments

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. In the event of a data breach that poses a risk to your rights, we will notify you and the Information Regulator as required under POPIA.

We use cookies and similar technologies to operate the platform. These include:

• Essential cookies: Required for authentication, session management, and core platform functionality. These cannot be disabled without breaking the service.
• Analytics cookies: Used to understand how the platform is used and to improve it. We use anonymised, aggregated data only.

The marketing website (procomply.co.za) does not use third-party advertising or tracking cookies. You can control cookie preferences through your browser settings.

ProComply is a business-to-business platform not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. We will notify you of material changes by email and by posting the updated policy on our website at least 14 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

For any privacy-related queries, to exercise your rights, or to contact our Information Officer:

ProComply (Pty) Ltd
Information Officer
Email: support@procomply.co.za
Republic of South Africa