POPIA Compliance

Protection of Personal Information Act, 2013

Last Modified: January 22, 2026

Synthro (Pty) Ltd. ("Synthro," "we," "our," or "us") is committed to full compliance with South Africa's Protection of Personal Information Act, 2013 (POPIA), which regulates how organizations process personal information. This compliance statement details how we meet all 8 Conditions for Lawful Processing of Personal Information as required by POPIA.

Responsible Party: Synthro (Pty) Ltd.
Registration Number: 2025/975079/07
Address: Johannesburg, South Africa
Contact: dpo@synthro.io | privacy@synthro.io
Effective Date: January 22, 2026

POPIA's 8 Conditions for Lawful Processing

Condition 1: Accountability

Synthro appoints an Information Officer, maintains a POPIA Manual, and ensures compliance infrastructure.

Condition 2: Processing Limitation

We process personal information lawfully, minimally, and only with a valid legal basis (consent, contract, legal obligation).

Condition 3: Purpose Specification

Personal information is collected for specific, explicit, and legitimate HR operations purposes only.

Condition 4: Further Processing Limitation

We do not use personal information for purposes incompatible with the original collection purpose.

Condition 5: Information Quality

We ensure personal information is complete, accurate, not misleading, and updated where necessary.

Condition 6: Openness

We maintain transparent privacy practices with an accessible Privacy Policy and POPIA Manual.

Condition 7: Security Safeguards

TLS 1.3 encryption, AES-256, MFA, RBAC, firewalls, IDS, and SOC 2 Type II certified vendors protect data.

Condition 8: Data Subject Participation

You have the right to access, correct, delete, object to the processing of, and request your personal information (30-day response).

Condition 1: Accountability

POPIA Requirement: The Responsible Party must ensure that the conditions for lawful processing are complied with.

How We Comply:

Information Officer Appointed and Registered

We have designated a registered Information Officer responsible for ensuring POPIA compliance:

  • Contact: dpo@synthro.io
  • Registration Number: 2026-000907 (Information Regulator)
  • Registration Status: Registered with the Information Regulator (Section 55 POPIA)
  • Responsibilities: Oversee data protection policies, handle data subject requests, investigate privacy complaints, liaise with the Information Regulator

Verification: You can verify our Information Officer registration at justice.gov.za/inforeg

Data Protection Policies Maintained

We have documented and implemented comprehensive data protection policies, including:

  • Data Protection Policy (master policy covering all POPIA conditions)
  • Data Retention and Deletion Policy
  • Security Incident Response Plan
  • Data Breach Notification Procedure
  • Employee Data Handling Training Manual

Regular Compliance Audits

We conduct regular audits to ensure ongoing POPIA compliance:

  • Quarterly Internal Reviews: Compliance team reviews data processing activities, policy updates, and incident reports
  • Annual Third-Party Audits: Independent external auditors assess POPIA compliance and security posture
  • Continuous Monitoring: Automated systems monitor data access, processing activities, and security events

Documentation of Processing Activities (POPIA Section 51)

We maintain records of all processing activities, including:

  • Categories of Personal Information processed
  • Purposes of processing
  • Recipients or categories of recipients with whom Personal Information is shared
  • Planned international transfers of Personal Information
  • Retention periods for each category of information
  • Security measures implemented to protect Personal Information

Employee Training

All Synthro employees receive mandatory POPIA training:

  • New Hire Training: POPIA fundamentals, data handling best practices, confidentiality obligations
  • Annual Refresher Training: Policy updates, incident case studies, emerging privacy risks
  • Role-Specific Training:
    • Developers: Secure coding, privacy by design, data minimization
    • Support Team: Handling sensitive customer data, identity verification
    • Sales/Marketing: Lawful marketing, consent management, opt-out procedures

Condition 2: Processing Limitation

POPIA Requirement: Personal Information must be processed lawfully, fairly, and in a manner that does not infringe on the privacy of the data subject.

How We Comply:

Lawful Basis for All Processing

We only process Personal Information when we have a valid lawful basis under POPIA Section 11:

Processing Activity | Lawful Basis | POPIA Section
Creating your account | Consent (you provide your information voluntarily) | Section 11(1)(a)
Providing our Services (HRMS, payroll, NALA AI) | Contract performance (necessary to deliver Services you subscribed to) | Section 11(1)(b)
Processing payments via Paystack | Contract performance (necessary to process subscription payments) | Section 11(1)(b)
Tax invoices, financial records, B-BBEE compliance | Legal obligation (required by SA tax law, Companies Act, B-BBEE regulations) | Section 11(1)(c)
Fraud detection, security monitoring, abuse prevention | Legitimate interest (protect our systems, prevent fraud, ensure service integrity) | Section 11(1)(f)
Marketing emails, product updates, newsletters | Consent (explicit opt-in required; you can opt-out anytime) | Section 11(1)(a)

Purpose Specification at Collection

We inform you of the purpose for which we are collecting your Personal Information at the time of collection (see Condition 6: Openness below).

Data Minimization

We collect only the Personal Information that is adequate, relevant, and not excessive for the purposes for which it is processed. For example:

  • We do NOT require your ID number, race, or religion to create an account
  • We collect payment details only when you subscribe to a paid plan
  • We do NOT access the content of employee data stored in your HRMS (NALA AI processes only metadata unless you explicitly share content for assistance)

Collection Directly from Data Subject

We collect Personal Information directly from you whenever possible (e.g., when you register, update your profile, or contact us). We may collect from third parties only with your authorization (e.g., Single Sign-On providers like Google or Microsoft).

Condition 3: Purpose Specification

POPIA Requirement: Personal Information must be collected for a specific, explicitly defined, and lawful purpose.

How We Comply:

Clear Purpose Statements

Our Privacy Policy explicitly states the purpose for each category of Personal Information:

  • Registration Information: Account creation, authentication, service provision
  • Payment Information: Payment processing, invoicing, fraud prevention
  • Usage Data: Service improvement, analytics, troubleshooting
  • NALA Interactions: AI-powered assistance, model training (with consent)
  • Marketing Data: Sending promotional emails (with consent)

No Further Processing Incompatible with Original Purpose

We do not use your Personal Information for purposes incompatible with the original purpose, unless:

  • We obtain your consent for the new purpose; OR
  • The new purpose is required by law.

Example:

  • Allowed: Using your email (collected for account creation) to send service notifications
  • Not Allowed: Using your email (collected for account creation) to send marketing emails without your separate consent

Purpose Change Notifications

If we need to process your Personal Information for a new purpose incompatible with the original purpose, we will:

  1. Notify you of the new purpose
  2. Provide an explanation for why the change is necessary
  3. Obtain your consent (if required by law)
  4. Give you the option to object or withdraw consent

Condition 4: Further Processing Limitation

POPIA Requirement: Personal Information must not be processed for a secondary purpose unless that processing is compatible with the original purpose.

How We Comply:

Compatibility Assessment

Before processing Personal Information for any secondary purpose, we assess compatibility based on:

  • Relationship: Is the new purpose related to the original purpose?
  • Context: Would you reasonably expect this use based on our relationship?
  • Nature: Is the Personal Information sensitive (e.g., health data, biometrics)?
  • Consequences: What is the potential impact on you?
  • Safeguards: Are additional security measures needed?

Examples of Compatible Further Processing

Original Purpose | Compatible Secondary Purpose | Why Compatible
Process subscription payment | Send payment receipt via email | Directly related to payment transaction
Provide HRMS Services | Send service updates about new features | Related to service provision
Customer support | Analyze support tickets to improve service quality | Improves support experience

Examples Requiring Separate Consent

Original Purpose | Incompatible Secondary Purpose | Why Consent Needed
Account creation | Marketing emails | Not reasonably expected without consent
Usage analytics | Sharing data with third-party advertisers | Changes nature and recipient of data
Employee data management | Using employee data for AI training | Different purpose, requires explicit consent

Archival and Research

We may process Personal Information for historical, statistical, or research purposes if:

  • The data is de-identified or anonymized where possible
  • Adequate safeguards are implemented
  • The processing does not cause harm or adversely affect you

Condition 5: Information Quality

POPIA Requirement: Personal Information must be complete, accurate, not misleading, and updated where necessary.

How We Comply:

Accuracy at Collection

We take reasonable steps to ensure Personal Information is accurate when collected:

  • Email Verification: We send confirmation emails to verify email addresses
  • Data Validation: Forms include validation rules (e.g., correct email format, valid phone numbers)
  • Error Checking: Payment information is validated with payment processors in real-time

Ongoing Accuracy

We enable you to maintain accurate Personal Information:

  • Self-Service Updates: You can update your profile, business information, and preferences at any time through Account Settings
  • Periodic Reviews: For customers on Enterprise plans, we conduct annual data accuracy reviews
  • Correction Requests: You can request corrections by emailing privacy@synthro.io

Minimizing Inaccuracy

We do not use inaccurate or outdated Personal Information to:

  • Make decisions that materially affect you
  • Communicate with you (we remove bounced emails from our systems)
  • Generate reports or analytics (we clean and validate data before processing)

Deletion of Inaccurate Data

If Personal Information cannot be corrected or is no longer needed, we will:

  • Delete the information promptly
  • Notify you of the deletion
  • Cease all processing of that information

Your Responsibility: You are responsible for providing accurate information when registering, updating your information when it changes, and notifying us if you become aware of inaccuracies.

Condition 6: Openness

POPIA Requirement: Data subjects must be notified when their Personal Information is collected, including purpose, recipients, and their rights.

How We Comply:

Privacy Policy

Our comprehensive Privacy Policy is:

  • Publicly available: www.synthro.io/privacy
  • Easy to find: Linked in our footer, registration forms, and app navigation
  • Written in plain language: Avoids legal jargon where possible
  • Detailed: Explains what we collect, why, how we use it, who we share it with, and your rights

Just-in-Time Notices

We provide specific notices at the point of data collection:

  • Registration: "We collect your email to create your account and send service notifications"
  • Payment: "Your payment is processed by Paystack. See their privacy policy at [link]"
  • NALA AI: "Your queries are processed by OpenAI. You can opt out of AI training in Settings"
  • Cookies: Cookie banner explains cookie types, purposes, and how to manage preferences

Information Officer Contact

We clearly display contact information for our Information Officer:

  • Email: dpo@synthro.io
  • Purpose: Handle data subject requests, privacy inquiries, and complaints

Notification of Changes

We notify you of material changes to how we process your Personal Information:

  • Email: Sent to your registered email address at least 30 days before changes take effect
  • In-App Notice: Prominent banner in the Services
  • Updated Date: Privacy Policy shows "Last Modified" date

POPIA Manual (Section 18)

We maintain a POPIA Manual (available upon request) that describes:

  • Categories of Personal Information we hold
  • Purpose of processing
  • Categories of data subjects
  • Recipients or categories of recipients
  • Planned international transfers
  • Security measures
  • Objection and complaint procedures

Request our POPIA Manual: Email privacy@synthro.io

Condition 7: Security Safeguards

POPIA Requirement: Appropriate, reasonable technical and organizational measures must secure Personal Information.

How We Comply:

Technical Security Measures

(i) Encryption:

  • Data in Transit: TLS 1.3 encryption for all data transmitted between your browser and our servers
  • Data at Rest: AES-256 encryption for all databases, file storage, and backups
  • End-to-End Encryption: Available for sensitive documents and communications (optional feature)

(ii) Access Controls:

  • Authentication: Password-based authentication with option for Multi-Factor Authentication (MFA)
  • Authorization: Role-Based Access Control (RBAC) ensures users can only access authorized data
  • Session Management: Automatic session timeout after 30 minutes of inactivity
  • Least Privilege: Employees have access only to data necessary for their job functions

(iii) Network Security:

  • Firewalls: Network-level firewalls block unauthorized access
  • Intrusion Detection: Real-time monitoring detects suspicious activity and triggers alerts
  • DDoS Protection: Cloudflare protects against distributed denial-of-service attacks
  • Web Application Firewall (WAF): Blocks common web attacks (SQL injection, XSS, CSRF)

(iv) Application Security:

  • Secure Development: OWASP Top 10 best practices followed throughout development lifecycle
  • Code Reviews: All code changes peer-reviewed for security vulnerabilities
  • Dependency Scanning: Automated tools scan for vulnerable third-party libraries
  • Penetration Testing: Annual third-party security audits and penetration tests

(v) Data Loss Prevention:

  • Automated Backups: Daily encrypted backups stored in multiple geographic locations
  • Disaster Recovery: Recovery Point Objective (RPO) of 24 hours, Recovery Time Objective (RTO) of 4 hours
  • Backup Testing: Quarterly restore drills ensure backups are functional

Organizational Security Measures

(i) Employee Training:

  • Annual POPIA Training: All employees complete data protection training
  • Secure Coding Training: Developers receive specialized security training
  • Phishing Simulations: Quarterly simulated phishing attacks to test awareness

(ii) Confidentiality Agreements:

  • All employees, contractors, and service providers sign confidentiality agreements
  • Agreements include obligations to protect Personal Information and report security incidents

(iii) Background Checks:

  • Criminal background checks conducted for employees with access to Personal Information (where permitted by law)

(iv) Access Logging:

  • All access to Personal Information is logged with timestamps, user IDs, and actions performed
  • Logs are monitored for suspicious activity and retained for 12 months

(v) Incident Response Plan:

We maintain a documented Security Incident Response Plan that includes:

  • Detection: Automated monitoring and employee reporting mechanisms
  • Assessment: Incident severity classification (Critical, High, Medium, Low)
  • Containment: Immediate actions to prevent further unauthorized access
  • Investigation: Root cause analysis and impact assessment
  • Notification: Data subject notification (within 72 hours where feasible) and Information Regulator notification (if required)
  • Remediation: Patches, security enhancements, and lessons learned
  • Documentation: Comprehensive incident reports maintained for regulatory review

Third-Party Security

  • Vendor Assessments: All service providers undergo security assessments before engagement
  • Contractual Obligations: Data Processing Agreements require service providers to implement appropriate security measures
  • Ongoing Monitoring: Annual security reviews of service providers
  • SOC 2 Type II Compliance: Cloud infrastructure providers (AWS, Google Cloud) are SOC 2 Type II certified

Physical Security

  • Data Centers: Tier III+ certified data centers with 24/7 security guards, biometric access controls, surveillance cameras
  • Environmental Controls: Fire suppression, temperature monitoring, redundant power supplies

Data Breach Response

In the event of a data breach affecting your Personal Information, we will:

  1. Investigate: Immediately investigate the breach to determine scope and impact
  2. Contain: Take immediate action to contain the breach and prevent further unauthorized access
  3. Notify You: Send email notification within 72 hours (where feasible) including:
    • Nature of the breach (what happened, when, how)
    • Categories of Personal Information affected
    • Likely consequences of the breach
    • Measures taken to address the breach
    • Recommendations for protecting yourself (e.g., change passwords, monitor accounts)
  4. Notify Information Regulator: Report to the Information Regulator of South Africa (if required under POPIA Section 22)
  5. Remediate: Implement additional security measures to prevent future breaches
  6. Document: Maintain records of the breach and response for regulatory review

Report Security Concerns: security@synthro.io

Condition 8: Data Subject Participation

POPIA Requirement: Data subjects must be able to request confirmation of whether we hold their Personal Information, request access, and request correction or deletion.

Your Rights Under POPIA:

(i) Right to Be Notified (Section 18)

You have the right to be notified when we collect your Personal Information, including purpose, recipients, and your rights.

How to Exercise: We provide notifications automatically (see Condition 6: Openness above).

(ii) Right of Access (Section 23)

You have the right to request:

  • Confirmation of whether we hold your Personal Information
  • A description of the Personal Information held
  • The identity of third parties who have or have had access to the information
  • Information about the source of the information (if not collected directly from you)

How to Exercise:

  • Email privacy@synthro.io with subject line "POPIA Access Request"
  • Provide proof of identity (copy of ID or passport)
  • Specify what information you want to access
  • Response Time: Within 30 days
  • Fee: Free for first request; reasonable fee may apply for subsequent requests (not exceeding prescribed amount)

(iii) Right to Correction (Section 24)

You have the right to request correction, destruction, or deletion of your Personal Information if it is:

  • Inaccurate, irrelevant, excessive, out of date, incomplete, misleading; OR
  • Obtained or processed unlawfully

How to Exercise:

  • Self-Service: Update your profile information through Account Settings
  • Email Request: privacy@synthro.io with details of corrections needed
  • Response Time: We will correct, delete, or destroy the information within a reasonable time or notify you if we refuse (with reasons)

(iv) Right to Object (Section 11(3))

You have the right to object to the processing of your Personal Information on reasonable grounds relating to your particular situation, unless:

  • Processing is required by law; OR
  • Processing is necessary to pursue our or a third party's legitimate interests that override your interests

How to Exercise:

  • Email privacy@synthro.io with subject line "POPIA Objection"
  • Explain the grounds for your objection
  • Response Time: Within 30 days
  • Outcome: We will either cease processing or provide reasons why processing must continue

(v) Right to Object to Direct Marketing (Section 69)

You have the right to object to the processing of your Personal Information for direct marketing purposes (including marketing emails, SMS, calls).

How to Exercise:

  • Click "Unsubscribe" in any marketing email
  • Adjust preferences in Account Settings → Communications
  • Email marketing@synthro.io
  • Response Time: Immediate (within 48 hours)

(vi) Right to Complain (Section 74)

You have the right to lodge a complaint with the Information Regulator if you believe we have violated POPIA.

How to Exercise:

  • Contact Us: We encourage you to contact us first at privacy@synthro.io to resolve concerns
  • Response Time: We will respond within 30 days

No Charge for Exercising Rights

We do not charge a fee for exercising your rights under POPIA, except:

  • Access Requests: Reasonable fee for subsequent requests within a 12-month period (not exceeding prescribed amount under POPIA regulations)
  • Manifestly Unfounded or Excessive Requests: We may charge a reasonable fee or refuse the request (with justification)

Identity Verification

To protect your Personal Information from unauthorized access, we may require you to verify your identity before processing your request. Acceptable forms of identification include:

  • Copy of South African ID card or passport
  • Driver's license
  • Proof of address (if necessary to verify identity)

Response Timeframes

  • Access Requests: 30 days
  • Correction Requests: Reasonable time (typically 30 days)
  • Objection Requests: 30 days
  • Marketing Opt-Out: Immediate (within 48 hours)
  • Complaint Response: 14 days (acknowledgment) + 30 days (resolution)

We will notify you if we need more time (up to 60 days for complex requests) and explain the reason for the delay.

Special Categories of Personal Information

POPIA imposes stricter requirements for processing special Personal Information (Section 26), which includes:

  • Religious or philosophical beliefs
  • Race or ethnic origin
  • Trade union membership
  • Political persuasion
  • Health or sex life
  • Biometric information
  • Criminal behavior or alleged commission of an offense

Synthro's Policy

We Do NOT Collect Special Personal Information unless:

  1. You provide explicit consent for a specific purpose (e.g., health information for leave management related to medical conditions); AND
  2. Processing is necessary for a lawful purpose; AND
  3. Additional safeguards are implemented (enhanced encryption, restricted access, audit logging)

Employment Equity Act (EEA) Compliance

If you enable our B-BBEE or Employment Equity reporting features, we may collect race, gender, and disability information from employees only with their explicit, informed consent and solely for the purpose of:

  • Preparing Employment Equity reports required by the EEA
  • B-BBEE verification and scorecard calculations
  • Compliance with Department of Labour regulations

Safeguards:

  • Employees can refuse to provide this information
  • Information is stored separately with enhanced security
  • Access restricted to authorized users only
  • Information is not used for any other purpose (e.g., hiring, promotion, disciplinary decisions)

Health Information

We do NOT process health information unless:

  • You enable optional features that require health data (e.g., sick leave management, medical aid integration)
  • You obtain explicit consent from employees
  • Processing is necessary for employment law compliance or benefits administration

If we process health information on your behalf (as Operator):

  • You (the customer) are the Responsible Party
  • You must have a lawful basis and employee consent
  • We implement additional security measures (encryption, access logs, data minimization)

International Data Transfers (POPIA Section 72)

Your Personal Information may be transferred to and processed in countries outside South Africa, including:

  • United States: Cloud infrastructure (AWS, Google Cloud), AI providers (OpenAI, Anthropic)
  • European Union: Cloud infrastructure (regional availability zones)
  • Other Countries: Service providers for specific features (see www.synthro.io/subprocessors)

POPIA Requirements for International Transfers

Personal Information may only be transferred outside South Africa if:

  1. The recipient country has adequate data protection laws (as determined by the Information Regulator); OR
  2. The recipient is subject to a binding corporate rule or legally enforceable agreement providing adequate protection; OR
  3. You consent to the transfer after being informed of the risks; OR
  4. The transfer is necessary for the performance of a contract; OR
  5. The transfer is for your benefit and it is not practicable to obtain your consent

How We Comply

Adequacy Assessments:

We assess whether recipient countries provide adequate protection based on:

  • Existence of data protection laws
  • Independent regulatory oversight
  • International commitments (e.g., GDPR adequacy decisions)
  • Legal remedies available to data subjects

Data Processing Agreements:

All international service providers sign Data Processing Agreements that include:

  • Standard Contractual Clauses (SCCs) approved by EU authorities or equivalent protections
  • Obligations to implement appropriate security measures
  • Restrictions on onward transfers
  • Rights to audit and inspect
  • Data subject rights and remedies

Supplementary Measures:

For transfers to countries without adequate protection, we implement supplementary technical and organizational measures:

  • Encryption: Data encrypted in transit and at rest
  • Access Controls: Strict access restrictions limit who can access data
  • Transparency: We disclose all international transfers in our Privacy Policy
  • Government Access: We resist unlawful government data requests and notify you where permitted by law

Your Control:

  • We disclose all international transfers in our Privacy Policy
  • You can object to specific transfers by contacting privacy@synthro.io
  • You can request that your data be stored only in South Africa (Enterprise plans only, additional fees may apply)

List of International Transfers: See our Privacy Policy at www.synthro.io/privacy or request details at privacy@synthro.io

Children's Privacy (POPIA Section 35)

Our Services are NOT intended for children under 18.

POPIA prohibits processing Personal Information of children (under 18) without consent of a parent or guardian, except where:

  • The child is above 13 and has the competence to understand the risks and benefits; AND
  • Processing is for educational, artistic, cultural, or recreational purposes

Synthro's Policy

No Collection from Children:

  • We do not knowingly collect Personal Information from children under 18
  • Our Terms of Service require users to be 18 or older
  • We do not target marketing to children

Discovery of Child Data:

If we learn that we have collected Personal Information from a child under 18 without parental consent, we will:

  1. Delete the information within 7 days
  2. Notify the parent or guardian (if contact information is available)
  3. Close the account
  4. Investigate how the collection occurred and implement preventive measures

Parent/Guardian Rights:

If you are a parent or guardian and believe your child has provided Personal Information to us:

  • Contact us immediately at privacy@synthro.io
  • Provide proof of parental relationship
  • We will delete the information and close the account

Automated Decision-Making (POPIA Section 71)

POPIA requires that automated decisions significantly affecting you must:

  • Not be based solely on automated processing of Personal Information to assess behavior, creditworthiness, reliability, location, health, or personal preferences
  • Provide you with the right to request human intervention and review

Synthro's Policy

Limited Automated Decision-Making:

We use automated systems for:

  • Fraud Detection: Automated analysis of payment patterns to detect fraudulent transactions
  • Spam Filtering: Automated detection of spam or abusive content
  • System Security: Automated blocking of suspicious login attempts

These automated decisions are made for security and fraud prevention purposes and do not significantly affect you in a way that requires human intervention.

NALA AI Assistance:

  • NALA provides AI-generated suggestions for HR management
  • IMPORTANT: NALA's suggestions are informational only and do not constitute automated decisions
  • Human Review Required: You must review, verify, and approve all NALA suggestions before implementing them
  • No Binding Decisions: NALA cannot make binding employment decisions (hiring, firing, discipline, promotions) on your behalf

Your Rights:

If you believe an automated decision has significantly affected you:

  • You can request human review of the decision
  • You can challenge the decision and provide additional information
  • You can request an explanation of how the decision was made

Request Human Review: privacy@synthro.io with subject line "Automated Decision Review Request"

POPIA Compliance Summary

POPIA Condition | Synthro's Compliance | Evidence
1. Accountability | Information Officer appointed, policies documented, regular audits | www.synthro.io/privacy, DPO contact: dpo@synthro.io
2. Processing Limitation | Lawful bases identified, purpose specified at collection, data minimization | Privacy Policy Section 1
3. Purpose Specification | Clear purpose statements, no incompatible further processing | Privacy Policy Section 1, Terms of Service
4. Further Processing Limitation | Compatibility assessments, consent obtained for incompatible uses | Privacy Policy Section 1
5. Information Quality | Accuracy at collection, self-service updates, correction procedures | Account Settings, Privacy Policy Section 3
6. Openness | Privacy Policy, just-in-time notices, POPIA Manual available | www.synthro.io/privacy, privacy@synthro.io
7. Security Safeguards | Encryption, access controls, incident response, annual audits | Privacy Policy Section 5, Security Documentation
8. Data Subject Participation | Access, correction, objection, deletion procedures documented | Privacy Policy Section 3, privacy@synthro.io

Contact Our Information Officer

For questions, concerns, or requests related to POPIA compliance or your Personal Information:

Information Officer (Registered)

  • Email: dpo@synthro.io
  • Registration Number: 2026-000907 (Information Regulator)
  • Subject Line: [Your specific request, e.g., "POPIA Access Request", "Correction Request", "Objection"]

Other Privacy Contacts

  • General Privacy Inquiries: privacy@synthro.io
  • Security Issues: security@synthro.io
  • Data Breach Reports: security@synthro.io

Physical Address

Synthro (Pty) Ltd.
Johannesburg, South Africa

By using our Services, you acknowledge that you have read, understood, and agree to our POPIA-compliant processing of your Personal Information as described in this disclosure and our Privacy Policy.

Last Updated: January 22, 2026