SECTION 01
Our Commitment to POPIA
Leaditio, operated by Kgusiame Group, is committed to the responsible, lawful, and transparent processing of personal information in full compliance with the Protection of Personal Information Act, Act 4 of 2013 (POPIA) and its associated Regulations.
As a lead generation marketplace, we handle personal information of both Consumers (who submit service enquiries) and Buyers (registered businesses who purchase leads). We recognise that trust is the foundation of our business and that the proper handling of personal data is a legal obligation, a commercial necessity, and a moral responsibility.
This POPIA Compliance Statement sets out in detail how Leaditio fulfils its obligations under each of the eight conditions for lawful processing under POPIA:
- Accountability — We have appointed a dedicated Information Officer and maintain documented processing records
- Processing limitation — We collect only the minimum data necessary for the stated purpose
- Purpose specification — We clearly define why we collect each data element
- Further processing limitation — Data is not used for purposes incompatible with the original purpose
- Information quality — We validate data quality through our AI scoring engine
- Openness — Our Privacy Policy and this statement are publicly available
- Security safeguards — We implement technical and organisational security measures
- Data subject participation — We respect and facilitate all POPIA rights requests within prescribed timeframes
SECTION 02
Information Officer
In accordance with Section 55 of POPIA, Leaditio has designated an Information Officer responsible for ensuring compliance with POPIA within the organisation and for handling all data subject requests and enquiries.
ROLE
Leaditio Information Officer
Kgusiame Group
ADDRESS
Johannesburg, Gauteng
South Africa
RESPONSE TIME
Within 10 business days of receiving a valid request
The Information Officer is responsible for: developing and implementing a POPIA compliance framework; receiving and responding to data subject requests; ensuring all staff with access to personal data are adequately trained; managing data processor agreements; and coordinating data breach notifications to the Information Regulator and affected data subjects.
SECTION 03
What Personal Information We Process and Why
The table below describes each category of personal information we process, the purpose, the lawful basis under POPIA Section 11, and the applicable retention period:
| Data Type | Purpose | Lawful Basis (POPIA s.11) | Retention |
|---|---|---|---|
| Consumer name & phone | Lead delivery to matched Buyers; Consumer contact by Buyers | Consent (s.11(1)(a)) — explicit at form submission | 12 months, then anonymised |
| Consumer email address | Consent confirmation; follow-up communication if opted in | Consent (s.11(1)(a)) | 12 months, then anonymised |
| Consumer suburb & city | Geographic matching with relevant Buyers; quality scoring | Consent (s.11(1)(a)) | 12 months, then anonymised |
| Service type & budget | Vertical matching; lead quality assessment | Consent (s.11(1)(a)) | 12 months, then anonymised |
| IP address at submission | Fraud detection; duplicate submission screening; geolocation verification | Legitimate interest (s.11(1)(f)) — fraud prevention | 24 months, then anonymised |
| Consent timestamp & form version | Audit trail; POPIA compliance demonstration | Legal obligation (s.11(1)(c)) | Indefinite — required for compliance |
| Buyer company details | Account creation; business verification; lead routing | Contractual necessity (s.11(1)(b)) | Relationship duration + 5 years |
| Buyer billing information | Subscription billing; invoice generation; payment reconciliation | Contractual necessity (s.11(1)(b)) | 7 years (SARS requirement) |
| Platform interaction logs | System performance monitoring; fraud detection; security audit | Legitimate interest (s.11(1)(f)) | 90 days, then purged |
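The retention column above implies a scheduled destruction job that distinguishes anonymisation (the row survives, identifiers are stripped) from purging (the row is deleted). The SQL below is an added illustration of such a job for a Postgres database, not Leaditio's own code; the table names `leads` and `interaction_logs` and every column name are assumptions chosen to mirror the data types in the table, and the consent timestamp and form version are deliberately left untouched because the page retains them indefinitely.

```sql
-- Added example, not Leaditio's own job. Table and column names are assumptions
-- chosen to match the retention table above. Intended to run on a schedule
-- (for example nightly) inside one transaction so a partial sweep is never committed.

begin;

-- 12 months: strip consumer identifiers but keep the row, so the consent
-- timestamp and form version (retained indefinitely for the audit trail) survive.
update leads
   set consumer_name  = null,
       consumer_phone = null,
       consumer_email = null,
       suburb         = null,
       city           = null,
       service_type   = null,
       budget         = null,
       anonymised_at  = now()
 where created_at < now() - interval '12 months'
   and anonymised_at is null;

-- 24 months: the submission IP address is kept longer for fraud screening,
-- so it is cleared in a separate pass with its own window.
update leads
   set submission_ip = null
 where created_at < now() - interval '24 months'
   and submission_ip is not null;

-- 90 days: platform interaction logs are purged outright, not anonymised.
delete from interaction_logs
 where logged_at < now() - interval '90 days';

commit;

-- Verification query for the destruction procedure: once the sweep has run,
-- no lead past the 12-month window should still carry direct identifiers,
-- so this count should be 0.
select count(*) as overdue_identifiable_leads
  from leads
 where created_at < now() - interval '12 months'
   and (consumer_name  is not null
     or consumer_phone is not null
     or consumer_email is not null);
```

Running the verification query after each sweep, and alerting when it is non-zero, turns the retention table into something that can be evidenced rather than merely stated.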
SECTION 04
How We Protect Your Data
Leaditio implements a layered security architecture to protect personal information against loss, damage, or unlawful access, as required by Section 19 of POPIA:
Technical Security Measures
- Transport layer security: All data transmitted between clients and our servers is encrypted using TLS 1.3 with HSTS enforcement
- Encryption at rest: All database records containing personal information are encrypted using AES-256
- Row-level security: Supabase row-level security (RLS) policies enforce that each Buyer can only access their own lead records — no cross-buyer data exposure is possible at the database layer
- API authentication: All API access requires short-lived JWT tokens; refresh tokens are rotated on each use
- Infrastructure isolation: Lead delivery pipeline is isolated from public-facing infrastructure
- Input validation: All form submissions are validated and sanitised before entering our data pipeline to prevent injection attacks
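The row-level security claim above rests on Postgres policies evaluated inside the database, so it holds even if an application-layer filter is forgotten. The policies below are an added example of that pattern for Supabase, not Leaditio's own schema; the `leads` table, its columns and the policy names are assumptions, while `auth.uid()` and the `authenticated` role are standard Supabase constructs.

```sql
-- Added example, not Leaditio's schema. Table, column and policy names are assumptions.
-- Postgres / Supabase: confine each Buyer to its own lead records at the database layer.

create table if not exists leads (
  id             uuid primary key default gen_random_uuid(),
  buyer_id       uuid not null references auth.users (id),  -- Buyer account the lead was routed to
  consumer_name  text,
  consumer_phone text,
  service_type   text,
  status         text not null default 'new',
  created_at     timestamptz not null default now()
);

-- With RLS enabled and no matching policy, a query returns zero rows:
-- the table fails closed rather than open.
alter table leads enable row level security;

-- Buyers may read only rows routed to their own account. auth.uid() is the
-- Supabase helper that returns the subject of the caller's JWT.
create policy "buyer_reads_own_leads"
  on leads for select
  to authenticated
  using (buyer_id = auth.uid());

-- Buyers may update their own rows (for example the lead status) but cannot
-- reassign a lead to another Buyer: WITH CHECK rejects any row whose buyer_id
-- no longer matches the caller after the update.
create policy "buyer_updates_own_leads"
  on leads for update
  to authenticated
  using (buyer_id = auth.uid())
  with check (buyer_id = auth.uid());

-- No insert or delete policies are granted to the authenticated role: lead
-- creation and retention purges belong to the isolated delivery pipeline,
-- which connects with the service role and therefore bypasses RLS.
```

A practical check is to query the table under two different Buyer identities and confirm each sees only its own rows and that an update attempting to change `buyer_id` is rejected; the service-role key must never be exposed to Buyer-facing clients, since it bypasses these policies entirely.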
Organisational Security Measures
- Role-based access controls (RBAC) ensuring staff access only the data necessary for their job function
- All staff with access to personal information are required to sign a confidentiality agreement
- Internal POPIA awareness training conducted annually and for all new staff
- Vendor due diligence process for all new third-party processors before engagement
- Formal data breach response plan with defined roles, escalation paths, and notification timelines
- Annual security audits including penetration testing of public-facing systems
- Documented data destruction procedure for data reaching the end of its retention period
SECTION 05
Third-Party Processors
Leaditio uses the following third-party service providers who process personal data as Operators on our behalf, as defined in POPIA. Each is bound by a Data Processing Agreement (DPA) restricting their use of data to the services provided to Leaditio.
Processor Audits: Leaditio reviews all processor agreements and compliance certifications at least annually. New processors are assessed for POPIA / GDPR compliance before engagement, and existing processors are monitored for material changes to their data processing practices.
SECTION 06
Your Rights Under POPIA
POPIA grants data subjects the following rights. Leaditio is committed to honouring each of these rights within the prescribed timeframe of 10 business days:
You have the right to request confirmation of whether Leaditio holds personal information about you, and to receive a copy of that information in a readable format. We will respond within 10 business days and may require identity verification before disclosing information to prevent unauthorised access.
You may request that we correct inaccurate or incomplete personal information, or delete your personal information entirely. Deletion requests will be honoured subject to any legal obligations that require us to retain certain records (for example, consent records and financial transaction data). We will notify you of the outcome within 10 business days.
Where Leaditio processes your personal information on the basis of legitimate interest (rather than consent), you have the right to object to that processing. We will cease processing unless we can demonstrate compelling grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of a legal claim.
If you believe that Leaditio has not complied with POPIA in relation to your personal information, you have the right to lodge a complaint with the Information Regulator of South Africa. Contact details for the Information Regulator are provided in Section 10 of this statement. We encourage you to first contact our Information Officer to attempt resolution before escalating to the Regulator.
SECTION 07
How to Exercise Your Rights
To exercise any of your POPIA rights, please send an email to our Information Officer at info@leaditio.com using the template below. You may also call +27 78 894 9331 during business hours (Monday–Friday, 08:00–17:00 SAST).
SUGGESTED EMAIL TEMPLATE
To: info@leaditio.com
Subject: POPIA Rights Request — [Type of Request]
Dear Leaditio Information Officer,
I am writing to exercise my right to [access / correction / deletion / objection] under the Protection of Personal Information Act (POPIA).
My details are as follows:
- Full name: [Your full name]
- Contact number: [Your phone number]
- Email address on record: [Email you used on the platform]
Description of request: [Describe what you would like Leaditio to do with your personal information]
Regards,
[Your name]
Response timeframe: We will acknowledge your request within 2 business days and provide a full response within 10 business days. If we require additional time or information from you to process the request, we will communicate this promptly. There is no charge for exercising your POPIA rights.
To protect your information, we may need to verify your identity before processing your request. We will ask for information that allows us to confirm you are the person whose data you are requesting access to or deletion of. This information will be used solely for identity verification and will not be retained.
SECTION 08
Data Breach Notification
Section 22 of POPIA requires that Leaditio notify the Information Regulator and affected data subjects as soon as reasonably possible when it reasonably believes that the personal information of a data subject has been accessed or acquired by an unauthorised person.
72-Hour Commitment: Leaditio is committed to notifying the Information Regulator within 72 hours of becoming aware of a personal data breach, where it is feasible to do so. Affected data subjects will be notified as promptly as possible, considering the need to implement containment measures first.
Our data breach response process includes:
- Detection: Automated monitoring and alerting systems for anomalous access patterns on all systems containing personal data
- Containment: Immediate isolation of affected systems or data sources to prevent further unauthorised access
- Assessment: Rapid assessment of the scope of the breach, data types affected, number of data subjects, and likely consequences
- Notification: Notification to the Information Regulator within 72 hours where feasible; notification to affected data subjects as soon as reasonably possible
- Remediation: Technical and organisational measures to prevent recurrence; post-incident review and updated risk assessment
Notification to the Information Regulator will include: the nature of the breach; the categories and approximate number of data subjects affected; the categories and approximate number of personal information records affected; the name and contact details of the Information Officer; the likely consequences of the breach; and the measures taken or proposed to address the breach.
SECTION 09
Cross-Border Data Transfers
Section 72 of POPIA restricts the transfer of personal information to third countries that do not provide an adequate level of protection. Leaditio transfers personal data outside South Africa only where the requirements of Section 72 are met.
| Processor | Transfer Country | Mechanism (s.72 Compliance) |
|---|---|---|
| Supabase | EU (Germany) / US | EU data centre selected where possible. Standard Contractual Clauses (SCCs) for US transfers. Supabase is GDPR compliant and operates under the EU–US Data Privacy Framework. |
| Resend | United States | Standard Contractual Clauses (SCCs) in place. Limited to transactional email delivery; email content is not retained after delivery. |
| Twilio | United States | Standard Contractual Clauses (SCCs) in place. ISO 27001 certified. Messages are end-to-end encrypted via WhatsApp Business API and not retained by Twilio after delivery. |
| Paystack | South Africa / Nigeria | South African regulated entity. No cross-border transfer of SA customer data outside the African continent without adequate protections. |
Data minimisation in transfers: Where data is transferred internationally, Leaditio ensures that only the minimum personal data necessary for the specific service is transferred. Lead records transferred to Supabase are limited to the fields required for lead delivery and scoring — no unnecessary data is shared with international processors.
SECTION 10
Complaints Process
If you are not satisfied with how Leaditio has handled your personal information or responded to a POPIA rights request, you have the right to escalate your complaint through the following process:
STEP 1 — FIRST CONTACT
Leaditio Information Officer
STEP 2 — ESCALATION
Information Regulator SA
Leaditio will fully cooperate with any investigation by the Information Regulator and will provide all requested documentation in a timely manner. We view engagement with the Regulator as an important part of the POPIA compliance ecosystem and will not take retaliatory action against any data subject who exercises their rights or lodges a complaint.