Privacy Policy

This Privacy Policy explains how Blackwood Summit ("we", "us", "our") collects, uses, stores, and protects your personal information when you visit www.popiacompliancecheck.co.za (the "Website") and use the POPIA Compliance Audit Tool (the "Tool").

We are committed to processing your personal information lawfully, transparently, and in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and all applicable South African data protection legislation.

By using this Website and Tool, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, please discontinue use of the Website.

Who We Are (Responsible Party)

In terms of POPIA, the Responsible Party — the entity that determines the purpose and means of processing your personal information — is:

Our designated Information Officer is responsible for ensuring compliance with POPIA and can be contacted at info@popiacompliancecheck.co.za.

Information We Collect

We collect only the minimum personal information necessary to provide the audit service. The categories of information we collect are:

2.1 Information You Provide Directly

• Email address — required to deliver your compliance audit report.
• Website URL — the URL of the website you wish to audit.
• Self-assessment responses — your answers to the 7 compliance questions in the Tool (these relate to your organisation's data practices, not your personal details).

2.2 Information Collected Automatically

• IP address — collected by our hosting infrastructure (Google Cloud Platform) for security and abuse prevention purposes.
• Browser and device information — basic technical data (browser type, operating system) collected via standard server logs.
• Usage data — pages visited, time spent on the Website, and interactions with the Tool, collected via analytics tools (where applicable).

2.3 Information We Do NOT Collect

• We do not collect payment or financial information.
• We do not collect special personal information (race, health, biometric data, etc.) as defined in POPIA Section 26.
• We do not knowingly collect personal information from children under 18.
• We do not store the content of the websites you submit for auditing beyond the duration of the audit process.

How We Use Your Information

We process your personal information for the following specific purposes:

1. Delivering your audit report — your email address is used solely to send you the POPIA compliance report generated by the Tool.
2. Internal lead management — a copy of your audit summary (including your email address and website URL) is sent to Blackwood Summit to enable us to follow up with relevant compliance services. You consent to this when submitting the audit form.
3. Improving the Tool — aggregated, anonymised usage data may be used to improve the accuracy and functionality of the audit checks.
4. Security and fraud prevention — IP addresses and server logs are used to detect and prevent abuse of the Tool.
5. Legal compliance — we may process your information to comply with applicable laws, regulations, or court orders.

Legal Basis for Processing (POPIA Conditions)

In terms of POPIA, we rely on the following lawful grounds (conditions for processing) when handling your personal information:

• Consent (Section 11(1)(a)): By submitting the audit form, you provide voluntary, specific, and informed consent for us to process your email address and website URL to generate and deliver your compliance report, and to send a copy to Blackwood Summit.
• Legitimate interest (Section 11(1)(f)): We process server logs and IP addresses based on our legitimate interest in maintaining the security and integrity of the Website and Tool.
• Legal obligation (Section 11(1)(c)): We may process personal information where required to comply with a legal obligation applicable to us.

You may withdraw your consent at any time by contacting us at info@popiacompliancecheck.co.za. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal.

Email Reports & Communications

When you complete an audit, the following emails are generated:

• User report email: A detailed POPIA compliance report is sent to the email address you provided. This email contains your compliance score, categorised findings, and actionable recommendations.
• Internal notification email: A summary of your audit (including your email address, website URL, compliance score, and key findings) is sent to Blackwood Summit at info@popiacompliancecheck.co.za for lead management purposes.

Email delivery is facilitated via SMTP. Your email address is used only for the purposes described above and is not added to any marketing list without your separate consent.

Third-Party Services & Operators

We use the following third-party service providers (Operators, as defined in POPIA) to deliver this Website and Tool. These providers process personal information on our behalf and are contractually bound to protect it:

6.1 Google Cloud Platform (GCP)

The audit Tool backend is hosted on Google Cloud Functions (Gen 2) in the us-central1 region. Google processes server requests, IP addresses, and audit data on our behalf. Google Cloud is subject to robust data protection standards. For more information, see Google Cloud Privacy.

6.2 Web Hosting (cPanel)

The Website frontend is hosted via a cPanel-based hosting provider. Standard server logs (including IP addresses) are maintained by the hosting provider for security purposes.

6.3 Google Fonts

This Website uses Google Fonts to render typography. When you visit the Website, your browser may make a request to Google's servers to load font files. This may involve the transfer of your IP address to Google. See Google's Privacy Policy.

We do not sell, rent, or trade your personal information to any third party for their own marketing purposes.

Cross-Border Data Transfers

Our audit Tool backend is hosted on Google Cloud Platform in the United States (us-central1 region). This means that when you submit an audit request, your email address and website URL are processed on servers located outside the Republic of South Africa.

In terms of POPIA Section 72, we may only transfer personal information to a foreign country if that country has adequate data protection laws, or if appropriate safeguards are in place. Google Cloud Platform maintains internationally recognised data protection standards, including compliance with applicable data protection frameworks.

By using the Tool, you consent to this cross-border transfer of your personal information to the extent required by POPIA Section 72(1)(a).

Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

• Audit request data (email, URL, responses): Processed in-memory during the audit and not stored in a persistent database. Once the audit is complete and the report is delivered, this data is not retained by the Tool.
• Email records: Copies of audit report emails sent to users and to Blackwood Summit are retained in the respective email inboxes for a period of 3 years, after which they are deleted.
• Server logs (IP addresses, access logs): Retained for a maximum of 90 days for security and abuse prevention purposes, then automatically deleted.
• Lead management records: Contact details retained by Blackwood Summit for business purposes for a period of 3 years from the date of the audit, unless you request earlier deletion.

When personal information is no longer required, it is securely deleted or anonymised in accordance with our internal data retention procedures.

Security Measures

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, destruction, or disclosure, in accordance with POPIA Section 19. These measures include:

• HTTPS encryption — all data transmitted between your browser and our Website is encrypted using TLS/SSL.
• Secure cloud infrastructure — the Tool backend is hosted on Google Cloud Platform, which maintains enterprise-grade physical and logical security controls.
• Environment variable protection — sensitive credentials (such as SMTP passwords) are stored as encrypted environment variables and never hardcoded or exposed in source code.
• No persistent storage of audit data — audit inputs are processed in-memory and not written to a database, minimising the risk of data exposure.
• Access controls — access to internal systems and email accounts is restricted to authorised Blackwood Summit personnel only.

While we take all reasonable precautions, no method of electronic transmission or storage is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Regulator as required by POPIA Section 22.

Your Rights as a Data Subject

As a data subject under POPIA, you have the following rights in respect of your personal information:

• Right to be notified (Section 18): You have the right to be informed when your personal information is collected. This Privacy Policy fulfils that obligation.
• Right of access (Section 23): You may request confirmation of whether we hold your personal information and request a copy of that information.
• Right to correction or deletion (Section 24): You may request that we correct inaccurate, incomplete, or outdated personal information, or delete personal information that we are no longer lawfully entitled to retain.
• Right to object (Section 11(3)): You may object to the processing of your personal information on reasonable grounds. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint (Section 74): You have the right to lodge a complaint with the Information Regulator of South Africa if you believe your personal information has been processed in violation of POPIA.

How to Exercise Your Rights

To exercise any of the above rights, please submit a written request to:

We will respond to your request within 30 days of receipt. We may require you to verify your identity before processing your request.

Information Regulator Contact Details

If you are not satisfied with our response, you may contact the Information Regulator of South Africa:

Cookies & Tracking Technologies

This Website may use cookies and similar tracking technologies to enhance your browsing experience and analyse Website usage.

Types of Cookies We Use

• Strictly necessary cookies: Essential for the Website to function correctly. These cannot be disabled.
• Analytics cookies: Used to understand how visitors interact with the Website (e.g., pages visited, time on site). These are only set with your consent.
• Preference cookies: Used to remember your settings and preferences.

Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to refuse cookies or delete existing cookies. Please note that disabling certain cookies may affect the functionality of the Website.

Where we use non-essential cookies, we will request your consent via a cookie consent banner before setting them, in accordance with POPIA.

Children's Privacy

This Website and Tool are intended for use by adults and business representatives only. We do not knowingly collect personal information from individuals under the age of 18.

In terms of POPIA Section 34, the processing of personal information of children requires the prior consent of a competent person (parent or guardian). As our Tool is not directed at children, we do not seek or process children's personal information.

If you believe that a child under 18 has submitted personal information through our Website, please contact us immediately at info@popiacompliancecheck.co.za and we will take steps to delete such information promptly.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Tool's functionality, or applicable legislation. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Post a notice on the Website homepage where appropriate.

We encourage you to review this Privacy Policy periodically. Your continued use of the Website after any changes constitutes your acceptance of the updated Policy.

If changes are significant and affect how we process your personal information, we will seek fresh consent where required by POPIA.

Contact Us & Complaints

If you have any questions, concerns, or complaints about this Privacy Policy or the way we handle your personal information, please contact our Information Officer:

We are committed to resolving complaints promptly and fairly. If you are not satisfied with our response, you have the right to escalate your complaint to the Information Regulator of South Africa (see Section 10 above).