GLOWGO POPIA COMPLIANCE AND PRIVACY POLICY

Company: BIDCRAFT SOLUTIONS (PTY) LTD T/A GlowGo Reg. No.: 2024/076695/07

Effective Date: 2025/11/17

Governing Law: Protection of Personal Information Act (Act 4 of 2013) (POPIA)

 

1. POLICY STATEMENT AND APPOINTMENT

1.1       Commitment to Privacy

GlowGo is committed to protecting the privacy and confidentiality of all personal information (PI) collected from its customers (“Data Subjects”) and employees. We guarantee that all PI will be processed lawfully, securely, and transparently, adhering strictly to the eight (8) conditions for the lawful processing of Personal Information as stipulated in POPIA.

1.2       Information Officer Appointment

The Head of Operations is designated as the primary responsible party for internal POPIA compliance.

Role

Name

Contact Details

Responsibilities

Information Officer (IO)

Simone Prinsloo

 [Simone’s Email] / [Simone’s Phone]

Overseeing compliance, managing data subject requests, and handling data breach notifications.

2. PERSONAL INFORMATION COLLECTED AND PURPOSE

GlowGo only collects Personal Information (PI) that is necessary, relevant, and directly related to providing our mobile car wash services and managing our workforce.

2.1       Customer/End User Information

Type of PI

Source / Collection Method

Purpose of Collection

Full Name

WhatsApp Booking

Identification and personalization of service.

Contact Number

WhatsApp Booking

Essential for scheduling, service updates, and confirmation.

Vehicle Details

WhatsApp Booking / On-site

Necessary for identifying the service vehicle and recording the wash log.

 

Retention: Customer PI is retained only for the duration required for financial record-keeping (typically 5 years, as per tax law) or until the Data Subject formally requests its destruction.

 

2.2       Employee Information

Type of PI

Source / Collection Method

Purpose of Collection

ID Number, Address, Banking Details

Employment Contract, HR Forms

Required for legal employment, remuneration, tax, and UIF compliance.

Training Records

Training Matrix and Record

Mandatory for H&S compliance (OHSA) and proving competence.

Health and Safety Data

Incident Register

Mandatory for reporting accidents and injuries (COIDA compliance).

3. PRINCIPLES OF LAWFUL PROCESSING

3.1       Data Minimisation and Quality

GlowGo shall ensure that PI collected is accurate, complete, and not misleading. We commit to only collecting the minimum amount of PI necessary to fulfil the specified purpose (e.g., we do not collect full financial details from customers, only payment card details via the third-party POS system).

3.2       Security Safeguards

  1. Technical Security: All digital PI (customer schedules, financial reports) is stored on password- protected, encrypted devices or cloud services.
  2. Physical Security: Hard copy employee records and training documents are stored in a locked cabinet at the Company’s base office.
  3. Trolley Data: Customer information on the mobile scheduling device (WhatsApp) is protected by a strong device password, known only to the Operator and the Information Officer.

3.3       Sharing and Third Parties

GlowGo will not sell, rent, or trade any Personal Information. PI is only shared with third parties under the following strict conditions:

  • Legal Obligation: Sharing employee data with SARS (tax) or the Department of Labour (COIDA).
  • Third-Party POS System: Payment data is processed securely by the card reader provider, who acts as an Operator on behalf of GlowGo.

4. DATA SUBJECT RIGHTS

Under POPIA, customers and employees have the right to:

  1. Access: Request access to the PI GlowGo holds about them.
  2. Correction/Deletion: Request the correction or destruction of their PI if it is inaccurate, irrelevant, or excessive.
  3. Object: Object to the processing of their PI on reasonable grounds relating to their particular situation.
  4. Lodge a Complaint: Complain to the Information Regulator if they believe GlowGo has breached POPIA.

All requests regarding these rights must be submitted in writing to the Information Officer, Simone Prinsloo.

5. DATA BREACH MANAGEMENT (INCIDENT REPORTING)

  1. Discovery: Any suspected breach (e.g., loss of a work phone, unauthorized access to the HR folder) must be reported immediately to the Information Officer (Simone Prinsloo).
  2. Action: Simone Prinsloo will investigate the breach and assess the risk of harm to the Data Subjects.
  3. Notification: If the breach creates a real risk of harm, the Information Officer will notify the Information Regulator and the affected Data Subjects as soon as reasonably possible.