Data Protection Policy

1. Introduction

Tapnet Solutions (Pty) Ltd (“Tapnet”, “we”, “our”, or “us”) is committed to the lawful, responsible, and transparent processing of personal information. This Data Protection Policy sets out how Tapnet complies with each of the eight conditions for lawful processing prescribed by the Protection of Personal Information Act 4 of 2013 (“POPIA”).

This policy applies to tapnet.co.za and all other websites, applications, and digital services operated by Tapnet Solutions (Pty) Ltd, including but not limited to our core logistics platform, the dedicated driver mobile proof-of-delivery (POD) application, and any related APIs or backend systems.

Scope

This policy governs the processing of personal information of all data subjects who interact with Tapnet’s digital properties, including website visitors, clients, prospective clients, drivers, and any other individuals whose personal information is processed.

Information Officer

Tapnet’s designated Information Officer, responsible for ensuring compliance with POPIA and for handling all data-subject requests, is:

Information Officer: Wynand de Beer

Company: Tapnet Solutions (Pty) Ltd
Registration No: 2023/135522/07
Email: wynand@tapnet.co.za
Phone: 079 174 8357
Address: 594 Bombani Street, Elarduspark, Gauteng, 0181, South Africa

2. Condition 1: Accountability (Section 8)

Tapnet Solutions (Pty) Ltd (Registration No. 2023/135522/07) is the responsible party as defined in Section 1 of POPIA. We accept full accountability for compliance with the conditions for lawful processing and have appointed an Information Officer to give effect to this obligation.

Information Officer Responsibilities

Ensure Tapnet’s compliance with POPIA and related regulations
Receive, process, and respond to data-subject requests (access, correction, deletion, objection)
Manage breach notification procedures in terms of Section 22
Develop and deliver staff training on data protection obligations
Maintain complete, up-to-date records of all processing activities
Liaise with the South African Information Regulator on behalf of Tapnet

Compliance Reviews

Tapnet conducts regular compliance reviews and internal audits to assess ongoing adherence to POPIA. Findings are documented, remediation actions tracked, and the Information Officer reports on compliance status at least annually.

Registration: The Information Officer, Wynand de Beer, is registered with the South African Information Regulator in accordance with Section 55 of POPIA.

3. Condition 2: Processing Limitation (Sections 9–12)

Personal information is processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject. Processing is limited to what is adequate, relevant, and not excessive given the purpose.

Legal Grounds for Processing

Tapnet relies on one or more of the following legal grounds each time personal information is processed:

Consent — The data subject has given voluntary, specific, and informed consent
Contractual necessity — Processing is necessary to perform or enter into a contract with the data subject
Legal obligation — Processing is required to comply with a legal obligation
Legitimate interest — Processing is necessary to pursue our legitimate interests, provided those interests do not override the rights of the data subject
Protection of legitimate interest of data subject — Processing is necessary to protect a legitimate interest of the data subject

Consent Requirements

Where consent is the legal basis, it must be voluntary, specific, and informed. For special personal information (as defined in Section 26 of POPIA), explicit consent is obtained. Consent may be withdrawn at any time by contacting the Information Officer; withdrawal does not affect the lawfulness of processing that occurred before withdrawal.

Processing Activities and Legal Basis

Processing Activity	Categories of Personal Information	Legal Basis
Contact form submissions	Name, email, phone, company, message	Consent / Contractual necessity
Booking requests	Name, email, phone, company, service details	Contractual necessity
Quote requests	Name, email, phone, company, shipment details	Contractual necessity
Admin account management	Name, email, hashed password	Contractual necessity / Legitimate interest
Website analytics	Anonymous usage data, device info, IP (anonymised)	Consent (cookie banner)
AI chatbot conversations	Messages, name/email if voluntarily provided	Consent / Legitimate interest
Service delivery (logistics platform)	Name, phone, address, delivery details	Contractual necessity
Legal and regulatory compliance	As required by applicable law	Legal obligation

4. Condition 3: Purpose Specification (Sections 13–14)

Personal information is collected for specific, explicitly defined, and lawful purposes. These purposes are communicated to the data subject at the time of collection via privacy notices displayed on all data-collection forms.

Purposes of Processing

Respond to contact inquiries and provide requested information
Process bookings and manage service delivery
Generate quotes for logistics and automation services
Provide and improve our core platform and driver application
Improve website functionality and user experience
Analyse website usage through anonymised analytics
Comply with applicable laws, regulations, and legal processes

Data Retention

Records are not retained longer than is necessary for the purpose for which they were collected, unless retention is required by law or reasonably necessary for a lawful purpose. Specific retention periods are documented in our Data Retention Policy.

5. Condition 4: Further Processing Limitation (Section 15)

Tapnet does not process personal information for purposes incompatible with the purpose for which it was originally collected. When assessing compatibility, we consider:

The relationship between the original purpose and the proposed further purpose
The nature and sensitivity of the information
The consequences of the intended further processing for the data subject
The manner in which the information was collected
Any contractual rights and obligations between the parties
Whether adequate safeguards (contractual or otherwise) exist

No selling or sharing: Tapnet does not sell, trade, or share personal information with third parties for purposes unrelated to the original collection purpose.

6. Condition 5: Information Quality (Section 16)

Tapnet takes reasonable, practicable steps to ensure that personal information is complete, accurate, not misleading, and updated where necessary, having regard to the purpose for which it was collected or further processed.

Data subjects may request the correction or updating of their personal information at any time by contacting the Information Officer
Regular data quality reviews are performed on stored records
Inaccurate or outdated information is corrected or deleted in a reasonable timeframe

7. Condition 6: Openness (Sections 17–18)

Tapnet maintains transparency about its processing of personal information through multiple channels:

Published Policies

This Data Protection Policy is published and freely accessible on our website
Our Privacy Policy provides detailed information to data subjects about how their information is handled
Our PAIA Manual is available in terms of Section 51 of the Promotion of Access to Information Act

Section 18 Notification

At the point of collection, privacy notices on all data-collection forms include the following information as required by Section 18 of POPIA:

The identity and contact details of the Information Officer
The purpose of the collection
Whether the provision of information is voluntary or mandatory
The consequences of failing to provide the information
Any third-party recipients or categories of recipients of the information
Whether the information will be transferred to a country outside the Republic
The data subject’s rights regarding the information

8. Condition 7: Security Safeguards (Sections 19–22)

Tapnet implements appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction, or unlawful access to personal information.

Technical Measures

Measure	Description
HTTPS / TLS Encryption	All data in transit is encrypted using TLS
bcrypt Password Hashing	Passwords are hashed using bcrypt with a cost factor; plaintext passwords are never stored
JWT Authentication	Secure, stateless authentication tokens for API and admin access
Rate Limiting	API and form endpoints are rate-limited to prevent abuse
Input Validation	All user inputs are validated and sanitised server-side
SQL Injection Prevention	Prisma ORM with parameterised queries prevents SQL injection
XSS Prevention	DOMPurify sanitisation of user-generated content prevents cross-site scripting
CSRF Protection	Cross-site request forgery tokens applied to state-changing requests
Security Headers	Helmet middleware enforces strict security headers (CSP, HSTS, X-Frame-Options, etc.)

Organisational Measures

Role-based access controls restricting access to personal information on a need-to-know basis
Information Officer oversight of all data processing activities
Documented incident response plan for handling security breaches
Staff and contractor training on data protection obligations

Operator Requirements (Section 21)

All third-party processors (operators) with whom Tapnet shares personal information are bound by written agreements that require them to:

Process personal information only on Tapnet’s documented instructions
Implement and maintain adequate security measures
Not engage sub-processors without Tapnet’s written authorisation
Notify Tapnet of any security compromises without unreasonable delay

Breach Notification (Section 22)

In the event of a security compromise involving personal information, Tapnet will notify the Information Regulator and affected data subjects as soon as reasonably possible, in accordance with Section 22 of POPIA. Our full breach notification procedures are documented in our Breach Response Plan.

For full details on our security posture, see our Security Policy.

9. Condition 8: Data Subject Participation (Sections 23–25)

Data subjects have the following rights in relation to their personal information held by Tapnet:

Your Rights

Right of access — Request confirmation of whether Tapnet holds your personal information and obtain a copy
Right to correction — Request correction or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, or misleading information
Right to deletion — Request the destruction or deletion of personal information that is no longer needed for the purpose it was collected
Right to object — Object to the processing of your personal information on reasonable grounds
Right to data portability — Request your personal information in a structured, commonly used, and machine-readable format
Right to withdraw consent — Withdraw previously given consent at any time
Right to restrict processing — Request that processing be restricted in certain circumstances

How to Exercise Your Rights

To exercise any of the above rights, please email the Information Officer at wynand@tapnet.co.za. We will respond to your request within 30 days of receipt. Requests are processed free of charge, unless a request is manifestly unfounded or excessive, in which case a reasonable fee may be charged.

Right to Complain

If you are not satisfied with how your request has been handled, you have the right to lodge a complaint with the South African Information Regulator:

South African Information Regulator:

Email: enquiries@inforegulator.org.za
Website: https://inforegulator.org.za
Complaints: complaints.IR@justice.gov.za

10. Consent Management

Tapnet manages consent carefully and maintains records of all consents obtained.

How Consent Is Obtained

Context	Consent Mechanism
Website analytics (Google Analytics)	Cookie consent banner — analytics cookies are only set after the user accepts
Contact / booking / quote forms	Implied consent for processing the specific inquiry; privacy notice displayed on form
Marketing communications	Explicit, opt-in consent obtained before any marketing is sent
AI chatbot interactions	Notice displayed before use; continued use constitutes consent

Withdrawal of Consent

Contact the Information Officer at wynand@tapnet.co.za to withdraw consent for any processing activity
Use the cookie settings in the website footer to manage analytics cookie preferences
Withdrawal of consent does not affect the lawfulness of processing that occurred prior to withdrawal

11. Cross-Border Transfers

In the course of providing our services, certain personal information is transferred to and processed in countries outside the Republic of South Africa.

Transfer Destinations

Operator	Purpose	Location
Vercel	Hosts the website and serves pages	United States
Neon	PostgreSQL database — stores contact submissions, bookings, quotes, admin accounts	United States / European Union
Google Analytics	Processes anonymous analytics data	United States
OpenAI	Processes AI chatbot conversations	United States

Legal Basis for Transfers (Section 72)

Cross-border transfers are conducted in accordance with Section 72 of POPIA, relying on:

Consent — Data subjects are informed of and consent to cross-border transfers where applicable
Binding corporate rules — Recipients maintain binding corporate rules or comparable internal policies ensuring adequate data protection
Adequate protection — Recipients operate in countries or under frameworks offering adequate levels of data protection

Safeguards

Contractual obligations requiring operators to protect personal information to standards equivalent to POPIA
Industry-standard security certifications maintained by each operator (e.g., SOC 2, ISO 27001)
Regular review of operator security posture and compliance

12. Operator Management

Tapnet engages the following third-party operators (processors) to assist in providing our services:

Operator	Service	Data Processed	Location
Vercel	Website hosting	HTTP request data, IP addresses	US
Neon	PostgreSQL database	Contact submissions, bookings, quotes, admin accounts	US / EU
Google Analytics	Website analytics	Anonymous usage and analytics data	US
OpenAI	AI chatbot	Chatbot conversation content	US

Operator Obligations

All operators are subject to written agreements in terms of Section 21 of POPIA. These agreements require operators to:

Process personal information solely on Tapnet’s instructions and only for the agreed purpose
Maintain security measures that meet or exceed the requirements of Section 19
Notify Tapnet without delay of any actual or suspected security compromise
Delete or return personal information upon termination of the agreement

Ongoing Monitoring

Tapnet regularly reviews operator compliance, including security certifications, data processing activities, and adherence to contractual terms. Full operator details and agreements are documented at Operator Agreements.

13. Review and Updates

This Data Protection Policy is reviewed at least annually, or sooner when significant changes occur to our processing activities, applicable legislation, or organisational structure.

The “Last Updated” date at the top of this policy reflects the most recent revision
Material changes are communicated to staff and contractors
Continued use of Tapnet’s services after an update constitutes acceptance of the revised policy

Contact Us

For any questions, concerns, or requests relating to this Data Protection Policy or Tapnet’s processing of personal information, please contact:

Information Officer: Wynand de Beer

Company: Tapnet Solutions (Pty) Ltd
Registration No: 2023/135522/07
Email: wynand@tapnet.co.za
Phone: 079 174 8357
Address: 594 Bombani Street, Elarduspark, Gauteng, 0181, South Africa

You may also lodge a complaint with the Information Regulator:

South African Information Regulator:

Email: enquiries@inforegulator.org.za
Website: https://inforegulator.org.za
Complaints: complaints.IR@justice.gov.za