POPIA Compliance Notice

The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's primary data protection legislation. It regulates how responsible parties (organisations that collect and process personal information) must handle the personal information of data subjects (natural and juristic persons).

POPIA came into full effect on 1 July 2021. Non-compliance may result in administrative fines of up to R10 million and/or imprisonment for up to 10 years.

LinkDaddy LLC ("we", "us", "our") is the responsible party in terms of POPIA for all personal information collected through linkdaddybuild.com and its associated services.

In terms of section 55 of POPIA, we have appointed an Information Officer who is responsible for ensuring compliance with POPIA and handling data subject requests.

Our Information Officer has been registered with the Information Regulator as required by section 55(1) of POPIA. Data subjects may direct all POPIA-related requests and complaints to the Information Officer at the contact details above.

We process the following categories of personal information in the ordinary course of our business:

We do not process special categories of personal information (as defined in section 26 of POPIA) such as race, health, religious beliefs, or biometric data.

We process personal information only for the following specific, explicitly defined, and lawful purposes:

• To respond to website audit requests and service enquiries.
• To deliver website development, repair, and digital infrastructure services.
• To process payments and manage billing through our payment processor (Stripe).
• To send service-related communications, including project updates and invoices.
• To improve our website and services through anonymised analytics.
• To comply with applicable legal obligations.
• To protect the security and integrity of our systems.

We do not use personal information for automated decision-making or profiling that produces legal or similarly significant effects on data subjects.

In terms of section 11 of POPIA, we process personal information on the following lawful grounds:

• Consent of the data subject (e.g., newsletter sign-up, cookie consent).
• Necessity for the performance of a contract to which the data subject is a party (e.g., service delivery).
• Compliance with a legal obligation (e.g., tax records, anti-money laundering requirements).
• Legitimate interests of the responsible party or a third party (e.g., fraud prevention, website security), where such interests are not overridden by the interests of the data subject.

In terms of POPIA, data subjects have the following rights, which may be exercised by contacting our Information Officer:

To exercise any of the above rights, please submit a written request to our Information Officer at [email protected]. We will respond within 30 days of receiving your request.

LinkDaddy LLC is incorporated in the United States of America. As a result, personal information collected from South African data subjects may be transferred to and processed in the United States, which may not have equivalent data protection laws to South Africa.

In terms of section 72 of POPIA, we transfer personal information outside South Africa only where:

• The recipient is subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection substantially similar to POPIA.
• The data subject consents to the transfer.
• The transfer is necessary for the performance of a contract between the data subject and the responsible party.

Our primary third-party processors (including Stripe, AWS, and analytics providers) maintain their own GDPR/POPIA-equivalent compliance programmes and data processing agreements.

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our general retention periods are:

• Client project records: 5 years after project completion (for tax and legal compliance).
• Enquiry and contact records: 2 years from last interaction.
• Analytics data: 26 months (anonymised after 12 months).
• Payment records: 7 years (as required by financial regulations).
• Cookie consent records: 1 year from consent date.

Upon expiry of the applicable retention period, personal information is securely deleted or anonymised in accordance with section 14 of POPIA.

In terms of section 19 of POPIA, we have implemented appropriate technical and organisational measures to secure the integrity and confidentiality of personal information in our possession or under our control. These measures include:

• Encrypted data transmission using HTTPS/TLS 1.3.
• Role-based access controls limiting data access to authorised personnel only.
• Regular security assessments and vulnerability testing.
• Secure cloud infrastructure with SOC 2-compliant providers.
• No storage of payment card data (all payments processed by Stripe).
• Incident response procedures for data breach notification.

In the event of a security compromise that may affect your personal information, we will notify you and the Information Regulator as required by section 22 of POPIA.

If you believe we have infringed your rights under POPIA, you may:

1. Contact our Information Officer first at [email protected] to allow us to address your concern.
2. If unresolved, submit a complaint to the Information Regulator (South Africa) using Form 5 (Complaint Form) available at www.inforegulator.org.za.

In terms of section 51 of the Promotion of Access to Information Act 2 of 2000 (PAIA), private bodies are required to compile a PAIA Manual describing the categories of records held and the procedure for requesting access to those records.

Our PAIA Manual is available on request from our Information Officer at [email protected]. Requests for access to records must be submitted using Form C as prescribed under PAIA.

The South African Human Rights Commission (SAHRC) provides a guide on how to use PAIA, available at www.sahrc.org.za.

The Information Regulator is the independent supervisory authority established under POPIA to enforce data protection rights in South Africa.