POPIA Notice (Protection of Personal Information Act)
Last updated: TODO (e.g., 2026-02-19)
This notice explains how AMAI Automation (“AMAI”) approaches lawful processing of personal information in line with the Protection of Personal Information Act 4 of 2013 (“POPIA”). This document is provided for transparency and operational clarity.
1. Responsible Party / Operator Roles
Depending on the context, AMAI may act as:
1.1 Responsible Party
Where AMAI collects and processes personal information for its own business operations (e.g., handling website enquiries), AMAI is the Responsible Party.
1.2 Operator
Where AMAI processes personal information on behalf of a Client (e.g., implementing workflows, dashboards, messaging automation), AMAI may act as an Operator, and the Client is typically the Responsible Party.
Where needed, the parties may enter into a Data Processing Agreement (DPA) to define responsibilities, security measures, and processing instructions.
2. What Personal Information We May Process
Depending on the project and engagement, information may include:
- contact details (names, email addresses, phone numbers),
- operational records (bookings, approvals, workflow history),
- communication logs (message templates, timestamps, delivery status),
- system identifiers (user IDs, account references),
- analytics data related to performance or usage.
We aim to minimise data collection to what is necessary for the intended purpose.
3. Lawful Processing Conditions
AMAI supports processing aligned with POPIA’s core conditions:
- Accountability: clear responsibility and governance,
- Processing limitation: minimal, relevant processing,
- Purpose specification: defined reason for collection,
- Further processing limitation: compatible use only,
- Information quality: reasonable steps to keep data accurate,
- Openness: transparency in how data is handled,
- Security safeguards: appropriate technical and organisational controls,
- Data subject participation: support for lawful requests.
4. Purpose of Processing
Personal information may be processed to:
- deliver contracted automation/internal systems,
- configure integrations and access control,
- maintain audit trails and operational visibility,
- support incident resolution and troubleshooting,
- measure outcomes (e.g., time saved, response speed, reliability).
5. Security Safeguards
Security measures vary by project but may include:
- role-based access control and least privilege,
- secure credential handling and secret rotation where feasible,
- encryption in transit (HTTPS/TLS),
- logging and auditability for workflow execution,
- environment separation (dev/staging/prod) where appropriate.
Client responsibility: Clients are responsible for user access policies, device security, and ensuring authorised use of systems.
6. Retention & Deletion
- AMAI retains personal information only as long as necessary for the stated purpose and legal obligations.
- For Client projects where AMAI is the Operator, retention and deletion instructions should be provided by the Client (Responsible Party).
7. Cross-Border Processing
Some tools or hosting services may involve processing outside South Africa. Where this applies, AMAI will take reasonable steps to ensure appropriate safeguards are in place.
8. Data Subject Rights
Data subjects may have the right to:
- request access to personal information,
- request correction or deletion,
- object to certain processing,
- lodge a complaint with the Information Regulator (South Africa).
Where AMAI is acting as an Operator, requests may need to be routed via the Responsible Party (Client).
9. Contact Details
Information Officer / Contact: TODO
Email: TODO
Phone: TODO
Address: TODO
10. Information Regulator (South Africa)
For POPIA guidance and complaints, data subjects may contact the Information Regulator (South Africa).
(We recommend verifying the latest contact details on the regulator’s official website.)