This notice sets out how [FICAVault legal entity name] ("FICAVault") complies with the Protection of Personal Information Act, 4 of 2013 ("POPIA"). It should be read together with our Privacy Policy.
1. Information Officer
[Information Officer name]
privacy@ficavault.app
Physical address: [Registered address]
The Information Officer is registered with the Information Regulator (South Africa) and is responsible for POPIA compliance, handling data-subject requests, and dealing with the Regulator.
2. The eight conditions for lawful processing
- Accountability: the Information Officer is responsible for compliance.
- Processing limitation: we process minimum data, lawfully and with your consent or another lawful basis.
- Purpose specification: we collect for the specific purposes explained in the Privacy Policy.
- Further processing limitation: further use must be compatible with the original purpose.
- Information quality: we take reasonable steps to keep data accurate and current.
- Openness: this notice and the Privacy Policy make our processing transparent.
- Security safeguards: encryption, access control, OTP-based sharing, monitoring and breach response.
- Data subject participation: you may access, correct, delete or object as described below.
3. Special personal information
The documents you upload may contain special personal information (e.g. identity numbers, biometric-like images on ID documents, financial information). We rely on your explicit consent to process this information for compliance-passport purposes, and on the exemption in section 27 of POPIA where processing is necessary for the establishment, exercise or defence of a right or obligation in law.
4. Consent and OTP-based sharing
FICAVault never shares your documents with a third party until you explicitly approve the request. Approval is captured through an OTP (one-time password) sent to your verified mobile number or email, or through a signed and time-limited share link that you generate. Every approval, denial and access event is written to an immutable audit log.
5. Data-subject rights
You have the right to:
- be told what personal information we hold about you;
- request access to and a copy of that information;
- request correction or deletion of inaccurate, outdated or unlawfully processed information;
- object to processing;
- withdraw consent for future consent-based processing;
- complain to the Information Regulator.
Requests should be sent to privacy@ficavault.app. We aim to respond within 30 days. We may charge a reasonable fee for repeated or excessive requests as permitted by POPIA.
6. PAIA manual
Our manual under the Promotion of Access to Information Act, 2 of 2000 ("PAIA") is available on request from privacy@ficavault.app.
7. Sub-processors and cross-border transfers
We use vetted operators (cloud hosting, email delivery, analytics, payment processing, support tooling). Where personal information is transferred outside South Africa, we rely on the safeguards described in the Privacy Policy.
8. Security incidents
If we become aware of a compromise that materially affects personal information, we will notify the affected data subjects and the Information Regulator as soon as reasonably possible, in line with section 22 of POPIA.
9. Information Regulator
The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg
inforegulator.org.za

