POPIA Compliance

1. What Is POPIA?

The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's primary data protection legislation. It came into full effect on 1 July 2021. POPIA regulates how organisations collect, use, store, share, and dispose of personal information about individuals and juristic persons.

POPIA establishes eight conditions for lawful processing of personal information:

2. Responsible Party (Information Officer)

Under POPIA, X3WEB (Pty) Ltd is the Responsible Party for the personal information we collect and process. We have appointed an Information Officer as required by POPIA.

3. Personal Information We Process

We process personal information only to the extent necessary for our legitimate business purposes. The types of personal information we process include:

• Contact information: Name, email address, phone number, business name, province/city
• Business information: Business type, monthly turnover range, marketing budget, services required
• Communication records: Messages, enquiries, support requests, and related correspondence
• Technical information: IP address, device type, browser type, pages visited (collected automatically via cookies and analytics)
• Financial information: Invoice and payment records (for clients)
• Account information: Login credentials and account details (for admin users)

We do not process special personal information (as defined in Section 26 of POPIA) unless strictly necessary and with appropriate safeguards.

4. Lawful Grounds for Processing

Under POPIA, we process personal information on one or more of the following lawful grounds:

• Consent: Where you have given us specific consent to process your personal information (e.g., subscribing to marketing communications)
• Contract: Where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract
• Legal obligation: Where processing is necessary to comply with a legal obligation (e.g., tax and accounting records)
• Legitimate interests: Where processing is necessary for our legitimate business interests, provided these are not overridden by your rights (e.g., responding to enquiries, improving our services, website security)
• Vital interests: Where processing is necessary to protect your vital interests or those of another person

5. How We Use Personal Information

We use personal information for the following purposes:

• Responding to enquiries, booking requests, and contact form submissions
• Providing, managing, and improving our services
• Sending invoices, statements, and service-related communications
• Sending marketing communications (only where you have consented or where permitted by law)
• Maintaining business records as required by law
• Improving our website and services through analytics
• Protecting the security of our website and systems
• Complying with legal obligations

We will not use your personal information for any purpose that is incompatible with the purpose for which it was originally collected without your consent.

6. Sharing of Personal Information

We do not sell your personal information.

We may share personal information with:

• Service providers (operators): Third-party providers who assist us in delivering our services, such as hosting providers, email platforms, analytics providers, and payment processors. These providers are bound by confidentiality obligations and may only process personal information on our instructions.
• Advertising platforms: Where you have consented, we may share certain data with Meta and Google for advertising and remarketing purposes.
• Legal and regulatory authorities: Where required by law, court order, or lawful request from a government authority.
• Professional advisors: Lawyers, accountants, and auditors, subject to confidentiality obligations.

Where we share personal information with third parties outside South Africa, we take reasonable steps to ensure that the recipient provides an adequate level of protection for the personal information.

7. Retention of Personal Information

We retain personal information only for as long as necessary for the purpose for which it was collected, or as required by law. Our typical retention periods are:

• Enquiry and contact form submissions: Up to 24 months after last interaction
• Client records (contracts, invoices, billing): 5–7 years as required for accounting, tax, and legal compliance
• Support communications: Up to 24 months after issue resolution
• Marketing consent records: While you remain subscribed, plus a reasonable period to maintain suppression lists
• Website analytics data: As configured in Google Analytics (typically 14 months)

When personal information is no longer required, we will securely delete or anonymise it.

8. Security Safeguards

We implement appropriate technical and organisational security measures to protect personal information against loss, damage, unauthorised access, disclosure, or destruction. Our security measures include:

• HTTPS encryption for all data transmitted through our website
• CSRF (Cross-Site Request Forgery) protection on all forms
• Brute-force protection and rate limiting on login and form submission endpoints
• Secure session management
• Input validation and sanitisation to prevent injection attacks
• Access controls limiting who can access personal information within our organisation
• Regular security reviews and updates

In the event of a security breach that poses a risk to your personal information, we will notify the Information Regulator and affected data subjects as required by POPIA.

9. Your Rights as a Data Subject

Under POPIA, you have the following rights regarding your personal information:

To exercise any of these rights, please contact our Information Officer at Support@x3web.co.za. We will respond to your request within a reasonable time and in accordance with POPIA. We may need to verify your identity before processing your request.

10. Direct Marketing

We may send you direct marketing communications (such as newsletters, promotions, or service updates) only where:

• You have given us your consent to receive such communications; or
• You are an existing client and the communication relates to similar services (in accordance with Section 69 of POPIA)

You can opt out of direct marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Emailing Support@x3web.co.za with your opt-out request

11. PAIA Manual (Promotion of Access to Information Act)

As required by the Promotion of Access to Information Act 2 of 2000 (PAIA), X3WEB has a PAIA Manual (Section 51 Manual) that describes the records we hold and how to request access to them.

To request a copy of our PAIA Manual or to submit a formal request for access to records, please contact our Information Officer:

Email: Support@x3web.co.za
Phone: +27 64 725 0842
Address: 4 Edmonton Alley, Northcliff, Johannesburg, South Africa

12. Complaints and the Information Regulator

If you believe that we have not handled your personal information in accordance with POPIA, you have the right to lodge a complaint with us first. Please contact our Information Officer at Support@x3web.co.za. We will investigate your complaint and respond within a reasonable time.

If you are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa:

13. Updates to This Page

We will update this POPIA Compliance page as our practices evolve or as required by changes in legislation. We encourage you to review this page periodically. For full details of how we process personal information, please refer to our Privacy Policy.

14. Contact Our Information Officer

For any POPIA-related queries, requests, or concerns, please contact our Information Officer:

X3WEB (Pty) Ltd
4 Edmonton Alley, Northcliff, Johannesburg, South Africa
Email: Support@x3web.co.za
Phone: +27 64 725 0842