POPIA Compliance

Buslyft Metaride (Pty) Ltd, a subsidiary of Kavod Technologies (Pty) Ltd, is fully committed to complying with the Protection of Personal Information Act 4 of 2013 ("POPIA"). This document outlines how we meet our obligations under POPIA and ensure the responsible processing of personal information.

1. Our Commitment

We recognise the right to privacy enshrined in Section 14 of the Constitution of the Republic of South Africa. We are committed to processing personal information in a manner that is lawful, reasonable, and does not infringe on the privacy rights of data subjects. We adhere to the eight conditions for lawful processing as set out in Chapter 3 of POPIA.

2. Conditions for Lawful Processing

2.1 Accountability

We take responsibility for complying with POPIA. Our designated Information Officer ensures that all processing activities comply with the law, and we have implemented internal policies, procedures, and training programmes to maintain compliance.

2.2 Processing Limitation

We process personal information only when there is a lawful basis to do so. We rely on the following grounds for processing:

• Consent: You provide consent when creating an account and opting into marketing communications
• Contractual necessity: Processing is necessary to perform our services (ride bookings, payments, delivery)
• Legal obligation: We are required by law to retain certain records (e.g., financial records under the Tax Administration Act)
• Legitimate interest: We process data for fraud prevention, platform security, and service improvement where this does not override your rights

2.3 Purpose Specification

We collect personal information for specific, explicitly defined, and lawful purposes as described in our Privacy Policy. We do not process personal information for purposes incompatible with those for which it was originally collected.

2.4 Further Processing Limitation

We do not process personal information for a secondary purpose unless that processing is compatible with the original purpose, you have provided consent, or processing is required or permitted by law.

2.5 Information Quality

We take reasonable steps to ensure that personal information is complete, accurate, not misleading, and updated where necessary. Users can review and update their information through their account settings at any time.

2.6 Openness

We are transparent about how we process personal information. This POPIA Compliance page, our Privacy Policy, and our Cookie Policy provide comprehensive details about our data processing practices. We have registered with the Information Regulator as required.

2.7 Security Safeguards

We implement appropriate technical and organisational measures to protect personal information, including:

• Encryption of data in transit and at rest
• Access controls based on the principle of least privilege
• Regular security assessments and penetration testing
• Employee training on data protection
• Incident response and breach notification procedures
• Physical security measures for data centre access

2.8 Data Subject Participation

We respect your rights as a data subject and have implemented processes to facilitate the exercise of these rights, including access, correction, and deletion requests.

3. Information Officer

In terms of Section 55 of POPIA, we have appointed an Information Officer who is responsible for:

• Encouraging compliance with POPIA within the organisation
• Dealing with requests made to the organisation in terms of POPIA
• Working with the Information Regulator in relation to investigations
• Ensuring compliance with the conditions for lawful processing
• Conducting personal information impact assessments

4. Data Subject Rights

Under POPIA, you have the right to:

• Be notified that your personal information is being collected, or where it has been accessed or acquired by an unauthorised person (Section 18)
• Request access to your personal information that we hold (Section 23)
• Request correction or deletion of your personal information (Section 24)
• Object to the processing of your personal information on reasonable grounds (Section 11(3))
• Object to direct marketing by means of unsolicited electronic communications (Section 69)
• Not be subject to a decision based solely on automated processing (Section 71)
• Submit a complaint to the Information Regulator (Section 74)

How to Exercise Your Rights

You may exercise your rights by:

• Using the privacy settings in your Buslyft account
• Emailing our Information Officer at privacy@buslyft.com
• Submitting a request through our support page

We will respond to valid requests within 30 days. We may need to verify your identity before processing your request. In certain circumstances, we may be unable to comply with your request where processing is required by law or for the establishment, exercise, or defence of a legal claim.

5. Special Personal Information

POPIA defines certain categories of personal information as "special personal information" (Section 26), including information about race, religion, health, biometric data, and criminal behaviour. We process special personal information only where:

• You have provided explicit consent
• Processing is necessary for establishing, exercising, or defending a right in law
• Processing is required by law (e.g., criminal background checks for drivers as required by transport regulations)
• Processing is for statistical or research purposes with appropriate safeguards

6. Cross-Border Transfers

Where personal information is transferred outside South Africa, we comply with Section 72 of POPIA by ensuring that the recipient country has adequate data protection laws, or that appropriate safeguards are in place (such as binding corporate rules or standard contractual clauses).

7. Data Breach Notification

In accordance with Sections 21 and 22 of POPIA, if we become aware of a security compromise that may affect your personal information, we will:

• Notify the Information Regulator as soon as reasonably possible
• Notify affected data subjects unless the identity of such data subjects cannot be established
• Provide sufficient information to allow data subjects to take protective measures
• Provide details of the nature of the compromise, the information potentially affected, and our recommended actions

8. Direct Marketing

In compliance with Section 69 of POPIA, we only send direct marketing communications where you have given consent or where you are an existing customer and the marketing relates to similar services. Every marketing communication includes an unsubscribe option. You can also manage your marketing preferences in your account settings.

9. Automated Decision-Making

In certain circumstances, we use automated systems for decisions such as fare calculation, fraud detection, and safety scoring. In accordance with Section 71 of POPIA, you have the right not to be subject to a decision based solely on automated processing that significantly affects you. You may request human review of any such decision by contacting our support team.

10. Complaints

If you believe we have processed your personal information unlawfully or have not adequately addressed your concerns, you have the right to lodge a complaint with the Information Regulator: