Prebo Digital (Pty) Ltd - POPIA Compliance Policy
Field | Detail |
|---|---|
Document owner | Deputy Information Officer |
Version | 1.0 |
Effective date | 1st January 2026 |
Review date | 1st January 2027 |
Classification | Public |
Applies to | Prebo Digital (Pty) Ltd and all employees, contractors, and third parties processing personal information on our behalf |
1. Purpose
This policy sets out how Prebo Digital (Pty) Ltd (“Prebo Digital”, “we”, “us”) complies with the Protection of Personal Information Act, 4 of 2013 (POPIA) and related regulations. It covers our obligations as a responsible party, the rights of data subjects, and the procedures we follow to protect personal information across our digital marketing services and technology platforms (including Straider.ai, Adsynth, ShopRank, and Content Labs).
This policy is intended to be a standalone, referenceable document for clients, partners, regulators, and our team. It supplements – but does not replace – our product-specific Privacy Policies, Terms & Conditions, and Internal Information Security & Acceptable Use Policy (IS&AUP).
2. Organisation details
Legal name | Prebo Digital (Pty) Ltd |
Registration number | 2016/198871/07 |
Trading as | Prebo Digital |
Registered address | Office Park Block A, Unit 17, Van Hoof Street Willowbrook, Ruimsig, Johannesburg, 1709, South Africa |
Telephone | 087 292 2101 |
Website |
Information Officer registration
Prebo Digital is registered with the Information Regulator (South Africa) as a private organisation.
Role | Name | Appointment date |
|---|---|---|
Deputy Information Officer | Precious Thundu | 19 May 2016 |
Registration number: 2026-060735
Registration date: 1 July 2026
Data protection enquiries and data-subject requests: info@prebodigital.co.za (subject line: “POPIA Request”).
3. Scope
This policy applies to all personal information that Prebo Digital processes in the course of its business, including:
- Client and prospect contact details
- Employee and contractor records
- Website visitors and marketing leads
- Platform user account data (Straider.ai, Adsynth, ShopRank, and related services)
- Client campaign, analytics, and connected-platform data processed on behalf of clients
- Supplier and partner contact information
Where Prebo Digital processes personal information on behalf of a client (as an operator), the client remains the responsible party. That processing is governed by our Data Processing Agreement and product Privacy Policies.
4. Definitions
Term | Meaning |
|---|---|
Personal information | Information relating to an identifiable, living natural person or juristic person, as defined in POPIA |
Processing | Any operation performed on personal information, including collection, storage, use, disclosure, and deletion |
Responsible party | The entity that determines the purpose and means of processing (Prebo Digital, for our own data; our clients, for client campaign data) |
Operator | A person who processes personal information on behalf of a responsible party |
Data subject | The person to whom personal information relates |
Special personal information | Sensitive categories listed in POPIA section 26 (e.g. health, biometric, criminal records) – we do not routinely collect these |
5. Lawful processing
We process personal information only where a lawful basis exists under POPIA Condition 2. Our primary bases are:
- Consent – where the data subject has given voluntary, specific, and informed consent
- Contract – processing necessary to perform a contract with the data subject or to take steps at their request before entering a contract
- Legal obligation – processing required by law (e.g. tax, employment, regulatory reporting)
- Legitimate interest – where our legitimate business interests are not overridden by the data subject’s rights (e.g. fraud prevention, service improvement, direct marketing where permitted)
We do not process personal information for a purpose incompatible with the purpose for which it was collected, unless the data subject consents or the law permits it.
6. POPIA conditions for lawful processing
We comply with all eight POPIA conditions:
Condition | Our approach |
|---|---|
1. Accountability | This policy, our IS&AUP, and assigned IO/Deputy IO ensure compliance is monitored and enforced |
2. Processing limitation | We collect only what is necessary; processing is lawful and with consent where required |
3. Purpose specification | Purposes are documented in Privacy Policies, contracts, and consent notices |
4. Further processing limitation | Secondary use only where compatible or consented |
5. Information quality | We take reasonable steps to keep personal information accurate and up to date |
6. Openness | This policy and our Privacy Policies are publicly available; data subjects are informed at collection |
7. Security safeguards | Technical and organisational measures per IS&AUP (encryption, access control, monitoring) |
8. Data subject participation | Rights procedures in Section 8 below |
7. Roles and responsibilities
7.1 Information Officer (IO)
The IO is responsible for:
- Ensuring POPIA compliance across Prebo Digital
- Receiving and responding to data-subject requests
- Liaising with the Information Regulator
- Reporting security compromises (see Section 10)
- Approving this policy and overseeing annual review
- Ensuring staff receive data protection training
7.2 Deputy Information Officer
The Deputy IO acts in the IO’s absence and assists with day-to-day compliance, request handling, and breach coordination.
7.3 All staff and contractors
Everyone who handles personal information must:
- Read and comply with this policy and the IS&AUP
- Report suspected breaches immediately to the IO
- Process personal information only for authorised business purposes
- Complete data protection training as required
8. Data subject rights
Under POPIA, data subjects have the right to:
Right | How to exercise |
|---|---|
Be notified that personal information is being collected | Privacy notices at point of collection; this policy |
Access their personal information | Email info@prebodigital.co.za with “POPIA Access Request”; we respond within 30 days |
Correct or delete inaccurate, irrelevant, or outdated information | Same contact; we action within 30 days where lawful |
Object to processing | Email the IO; we assess and respond within 30 days |
Withdraw consent | At any time, without affecting prior lawful processing |
Complain to the Information Regulator | See Section 12 |
Platform users of Straider.ai, Adsynth, and related services may also use in-app self-service tools (Privacy & Data settings) where available.
We verify identity before acting on a request. We may refuse requests where permitted by law (e.g. legal privilege, ongoing investigation) and will explain the reason.
9. Direct marketing
We send direct marketing (email, SMS, or similar) only where:
- The data subject has opted in, or
- The data subject is an existing customer for similar products/services and has been given a reasonable opportunity to opt out
Every marketing communication includes a clear unsubscribe or opt-out mechanism. We honour opt-outs within 48 hours and maintain a suppression list.
10. Security safeguards
Personal information is protected through measures described in our Internal Information Security & Acceptable Use Policy (IS&AUP), including:
- Encryption in transit (TLS 1.2+) and at rest (provider-managed)
- Role-based access control and least-privilege principles
- Hashed credentials; no plain-text password storage
- Google Workspace security controls for internal systems
- Cloud-hosted infrastructure with SOC 2-aligned providers (e.g. Vercel, Railway)
- Employee security awareness and phishing simulations
- Four-tier information classification scheme
Full technical detail is in the IS&AUP (internal). A summary is available on request from the IO.
11. Security compromises (data breaches)
11.1 Definition
A security compromise is any incident where personal information is accessed, acquired, or disclosed without authorisation, or is lost, in a manner that creates a real risk of harm to data subjects.
11.2 Internal response
- Report immediately to the IO (info@prebodigital.co.za) and Deputy IO
- Contain the incident – isolate affected systems, revoke credentials
- Assess scope, data categories, and number of affected data subjects
- Document in the incident register (per IS&AUP Section 11)
- Remediate root cause and implement preventive controls
11.3 Notification
Recipient | Timeframe |
|---|---|
Information Regulator | As soon as reasonably possible after discovery; target 72 hours where feasible |
Affected data subjects | As soon as reasonably possible after discovery, where required by POPIA section 22 |
Affected clients (where we are operator) | Without undue delay; target 72 hours |
Notifications include: nature of the compromise, categories of data affected, likely consequences, and measures taken or proposed.
12. Cross-border transfers
Personal information may be processed in South Africa and in other countries where our service providers operate (including the United States and the European Union). Transfers are made only where:
- The recipient country has adequate protection, or
- Appropriate safeguards are in place (e.g. standard contractual clauses, binding corporate rules, or consent)
Our sub-processor register (see Third-Party Risk Management Procedure) documents provider locations and transfer mechanisms.
13. Operator processing (client data)
When Prebo Digital processes personal information on behalf of clients:
- We act as operator; the client is responsible party
- Processing follows the client’s documented instructions (contracts, DPA, platform configuration)
- We do not use client data to train our own foundational AI models
- We assist clients with data-subject requests and breach notification
- On contract termination, client data is returned or deleted per our Data Retention & Disposal Policy
14. Training and awareness
- All new employees and contractors receive data protection orientation within 30 days of start
- Annual refresher training covers POPIA, phishing awareness, and this policy
- Role-specific training for staff handling client data, platform administration, or HR records
- Training completion is recorded
15. Compliance monitoring
The IO reviews compliance annually, including:
- Records of Processing Activities (ROPA) – see Compliance Evidence Templates
- Data-subject request log and response times
- Security incident and breach register
- Sub-processor register currency
- Policy and Privacy Policy version alignment
- Training completion rates
- Results of internal risk assessments
Findings are reported to management and remediated within agreed timeframes.
16. Related documents
Document | Relationship |
|---|---|
Straider.ai / Adsynth Privacy Policy | Product-specific processing detail |
Data Retention & Disposal Policy | Retention periods and secure destruction |
Third-Party Risk Management Procedure | Vendor vetting and sub-processor register |
Internal IS&AUP | Security controls and incident response |
Data Processing Agreement | Operator obligations for client data |
Compliance Evidence Templates | ROPA, DSAR, PIA, vendor, training, and incident registers |
17. Complaints
If you believe we have not handled your personal information lawfully:
- Contact us first: info@prebodigital.co.za (Information Officer)
- If unresolved, lodge a complaint with the Information Regulator (South Africa):
- Website: https://inforegulator.org.za
- Email: POPIAComplaints@inforegulator.org.za
18. Policy review
This policy is reviewed annually or sooner if there is a material change in law, business activity, or processing practices. Changes are approved by the Information Officer and communicated to staff. Material changes affecting data subjects are published on our website.
Approved by:
Name | Precious Thundu |
Title | Deputy Information Officer, Prebo Digital (Pty) Ltd |
Date | 2 July 2026 |
