Prebo Digital (Pty) Ltd - POPIA Compliance Policy

 

Field

Detail

Document owner

Deputy Information Officer

Version

1.0

Effective date

1st January 2026

Review date

1st January 2027

Classification

Public

Applies to

Prebo Digital (Pty) Ltd and all employees, contractors, and third parties processing personal information on our behalf

1. Purpose

This policy sets out how Prebo Digital (Pty) Ltd (“Prebo Digital”, “we”, “us”) complies with the Protection of Personal Information Act, 4 of 2013 (POPIA) and related regulations. It covers our obligations as a responsible party, the rights of data subjects, and the procedures we follow to protect personal information across our digital marketing services and technology platforms (including Straider.ai, Adsynth, ShopRank, and Content Labs).

This policy is intended to be a standalone, referenceable document for clients, partners, regulators, and our team. It supplements – but does not replace – our product-specific Privacy Policies, Terms & Conditions, and Internal Information Security & Acceptable Use Policy (IS&AUP).

2. Organisation details

  

Legal name

Prebo Digital (Pty) Ltd

Registration number

2016/198871/07

Trading as

Prebo Digital

Registered address

Office Park Block A, Unit 17, Van Hoof Street Willowbrook, Ruimsig, Johannesburg, 1709, South Africa

Telephone

087 292 2101

Email

info@prebodigital.co.za

Website

https://prebodigital.co.za

Information Officer registration

Prebo Digital is registered with the Information Regulator (South Africa) as a private organisation.

Role

Name

Appointment date

Deputy Information Officer

Precious Thundu

19 May 2016

Registration number: 2026-060735
Registration date: 1 July 2026

Data protection enquiries and data-subject requests: info@prebodigital.co.za (subject line: “POPIA Request”).

3. Scope

This policy applies to all personal information that Prebo Digital processes in the course of its business, including:

  • Client and prospect contact details
  • Employee and contractor records
  • Website visitors and marketing leads
  • Platform user account data (Straider.ai, Adsynth, ShopRank, and related services)
  • Client campaign, analytics, and connected-platform data processed on behalf of clients
  • Supplier and partner contact information

Where Prebo Digital processes personal information on behalf of a client (as an operator), the client remains the responsible party. That processing is governed by our Data Processing Agreement and product Privacy Policies.

4. Definitions

Term

Meaning

Personal information

Information relating to an identifiable, living natural person or juristic person, as defined in POPIA

Processing

Any operation performed on personal information, including collection, storage, use, disclosure, and deletion

Responsible party

The entity that determines the purpose and means of processing (Prebo Digital, for our own data; our clients, for client campaign data)

Operator

A person who processes personal information on behalf of a responsible party

Data subject

The person to whom personal information relates

Special personal information

Sensitive categories listed in POPIA section 26 (e.g. health, biometric, criminal records) – we do not routinely collect these

5. Lawful processing

We process personal information only where a lawful basis exists under POPIA Condition 2. Our primary bases are:

  1. Consent – where the data subject has given voluntary, specific, and informed consent
  2. Contract – processing necessary to perform a contract with the data subject or to take steps at their request before entering a contract
  3. Legal obligation – processing required by law (e.g. tax, employment, regulatory reporting)
  4. Legitimate interest – where our legitimate business interests are not overridden by the data subject’s rights (e.g. fraud prevention, service improvement, direct marketing where permitted)

We do not process personal information for a purpose incompatible with the purpose for which it was collected, unless the data subject consents or the law permits it.

6. POPIA conditions for lawful processing

We comply with all eight POPIA conditions:

Condition

Our approach

1. Accountability

This policy, our IS&AUP, and assigned IO/Deputy IO ensure compliance is monitored and enforced

2. Processing limitation

We collect only what is necessary; processing is lawful and with consent where required

3. Purpose specification

Purposes are documented in Privacy Policies, contracts, and consent notices

4. Further processing limitation

Secondary use only where compatible or consented

5. Information quality

We take reasonable steps to keep personal information accurate and up to date

6. Openness

This policy and our Privacy Policies are publicly available; data subjects are informed at collection

7. Security safeguards

Technical and organisational measures per IS&AUP (encryption, access control, monitoring)

8. Data subject participation

Rights procedures in Section 8 below

7. Roles and responsibilities

7.1 Information Officer (IO)

The IO is responsible for:

  • Ensuring POPIA compliance across Prebo Digital
  • Receiving and responding to data-subject requests
  • Liaising with the Information Regulator
  • Reporting security compromises (see Section 10)
  • Approving this policy and overseeing annual review
  • Ensuring staff receive data protection training

7.2 Deputy Information Officer

The Deputy IO acts in the IO’s absence and assists with day-to-day compliance, request handling, and breach coordination.

7.3 All staff and contractors

Everyone who handles personal information must:

  • Read and comply with this policy and the IS&AUP
  • Report suspected breaches immediately to the IO
  • Process personal information only for authorised business purposes
  • Complete data protection training as required

8. Data subject rights

Under POPIA, data subjects have the right to:

Right

How to exercise

Be notified that personal information is being collected

Privacy notices at point of collection; this policy

Access their personal information

Email info@prebodigital.co.za with “POPIA Access Request”; we respond within 30 days

Correct or delete inaccurate, irrelevant, or outdated information

Same contact; we action within 30 days where lawful

Object to processing

Email the IO; we assess and respond within 30 days

Withdraw consent

At any time, without affecting prior lawful processing

Complain to the Information Regulator

See Section 12

Platform users of Straider.ai, Adsynth, and related services may also use in-app self-service tools (Privacy & Data settings) where available.

We verify identity before acting on a request. We may refuse requests where permitted by law (e.g. legal privilege, ongoing investigation) and will explain the reason.

9. Direct marketing

We send direct marketing (email, SMS, or similar) only where:

  • The data subject has opted in, or
  • The data subject is an existing customer for similar products/services and has been given a reasonable opportunity to opt out

Every marketing communication includes a clear unsubscribe or opt-out mechanism. We honour opt-outs within 48 hours and maintain a suppression list.

10. Security safeguards

Personal information is protected through measures described in our Internal Information Security & Acceptable Use Policy (IS&AUP), including:

  • Encryption in transit (TLS 1.2+) and at rest (provider-managed)
  • Role-based access control and least-privilege principles
  • Hashed credentials; no plain-text password storage
  • Google Workspace security controls for internal systems
  • Cloud-hosted infrastructure with SOC 2-aligned providers (e.g. Vercel, Railway)
  • Employee security awareness and phishing simulations
  • Four-tier information classification scheme

Full technical detail is in the IS&AUP (internal). A summary is available on request from the IO.

11. Security compromises (data breaches)

11.1 Definition

A security compromise is any incident where personal information is accessed, acquired, or disclosed without authorisation, or is lost, in a manner that creates a real risk of harm to data subjects.

11.2 Internal response

  1. Report immediately to the IO (info@prebodigital.co.za) and Deputy IO
  2. Contain the incident – isolate affected systems, revoke credentials
  3. Assess scope, data categories, and number of affected data subjects
  4. Document in the incident register (per IS&AUP Section 11)
  5. Remediate root cause and implement preventive controls

11.3 Notification

Recipient

Timeframe

Information Regulator

As soon as reasonably possible after discovery; target 72 hours where feasible

Affected data subjects

As soon as reasonably possible after discovery, where required by POPIA section 22

Affected clients (where we are operator)

Without undue delay; target 72 hours

Notifications include: nature of the compromise, categories of data affected, likely consequences, and measures taken or proposed.

12. Cross-border transfers

Personal information may be processed in South Africa and in other countries where our service providers operate (including the United States and the European Union). Transfers are made only where:

  • The recipient country has adequate protection, or
  • Appropriate safeguards are in place (e.g. standard contractual clauses, binding corporate rules, or consent)

Our sub-processor register (see Third-Party Risk Management Procedure) documents provider locations and transfer mechanisms.

13. Operator processing (client data)

When Prebo Digital processes personal information on behalf of clients:

  • We act as operator; the client is responsible party
  • Processing follows the client’s documented instructions (contracts, DPA, platform configuration)
  • We do not use client data to train our own foundational AI models
  • We assist clients with data-subject requests and breach notification
  • On contract termination, client data is returned or deleted per our Data Retention & Disposal Policy

14. Training and awareness

  • All new employees and contractors receive data protection orientation within 30 days of start
  • Annual refresher training covers POPIA, phishing awareness, and this policy
  • Role-specific training for staff handling client data, platform administration, or HR records
  • Training completion is recorded

15. Compliance monitoring

The IO reviews compliance annually, including:

  • Records of Processing Activities (ROPA) – see Compliance Evidence Templates
  • Data-subject request log and response times
  • Security incident and breach register
  • Sub-processor register currency
  • Policy and Privacy Policy version alignment
  • Training completion rates
  • Results of internal risk assessments

Findings are reported to management and remediated within agreed timeframes.

16. Related documents

Document

Relationship

Straider.ai / Adsynth Privacy Policy

Product-specific processing detail

Data Retention & Disposal Policy

Retention periods and secure destruction

Third-Party Risk Management Procedure

Vendor vetting and sub-processor register

Internal IS&AUP

Security controls and incident response

Data Processing Agreement

Operator obligations for client data

Compliance Evidence Templates

ROPA, DSAR, PIA, vendor, training, and incident registers

17. Complaints

If you believe we have not handled your personal information lawfully:

  1. Contact us first: info@prebodigital.co.za (Information Officer)
  2. If unresolved, lodge a complaint with the Information Regulator (South Africa):

18. Policy review

This policy is reviewed annually or sooner if there is a material change in law, business activity, or processing practices. Changes are approved by the Information Officer and communicated to staff. Material changes affecting data subjects are published on our website.

Approved by:

  

Name

Precious Thundu

Title

Deputy Information Officer, Prebo Digital (Pty) Ltd

Date

2 July 2026

Scroll to Top
Scam Alert!

Protect Yourself from Fraudulent Job Offers

It has come to our attention that scammers are impersonating Prebo Digital and fraudulently offering jobs to individuals on WhatsApp groups. These scammers may use our company logo, names of our employees, or even create fake websites to appear legitimate.

  • Unsolicited Job Offers: Be wary of unexpected job offers, especially those that seem too good to be true.
  • WhatsApp Communication: We primarily use official email addresses (@prebodigital.co.za) for recruitment purposes. We rarely conduct interviews or make job offers through WhatsApp.
  • Upfront Payment Requests: We never ask for money or personal financial information from job applicants.
  • Unprofessional Communication: Be suspicious of messages with grammatical errors, typos, or informal language.
  • Verify the Source: If you receive a suspicious job offer, contact us directly through our official website (www.prebodigital.co.za) or email (info@prebodigital.co.za) to confirm its legitimacy.
  • Do Your Research: Check our official website and social media pages for legitimate job postings.
  • Never Share Personal Information: Avoid sharing sensitive information like your bank details or social security number with unverified individuals.
  • Report Suspicious Activity: If you encounter a scam, report it to us and the relevant authorities.

Remember

We are committed to ethical recruitment practices and will never ask for payment to secure a job.
Stay vigilant and protect yourself from these fraudulent activities.