Legal & Compliance

POPIA Compliance
Protection of Personal Information

Social Wiiv (Pty) Ltd is committed to full compliance with the Protection of Personal Information Act 4 of 2013 (POPIA). This document sets out how we collect, process, store, and protect personal information, and how data subjects may exercise their rights.

Doc Ref: SW-POPIA-IO
Effective: 3 October 2025
Last Updated: 3 October 2025
Commitment Statement

Our Commitment to Your Privacy

Social Wiiv (Pty) Ltd processes personal information only for lawful, specific, and transparent purposes. We apply the eight POPIA conditions for lawful processing across every platform, product, and internal operation — including SOCIAL-EXP, SOCIAL-CXP, SOCIAL-PROMOTER, SOCIAL-TICKETS, SOCIAL-AFFILIATE, SOCIAL-ACTIVATIONS, SOCIAL-SNAPPER, and SOCIAL-SCREEN.

We do not sell personal information. We do not share personal information with third parties except where required by law, permitted by this notice, or necessary to deliver services you have requested.

This Compliance Notice applies to all personal information processed by Social Wiiv (Pty) Ltd in its capacity as a Responsible Party and, where applicable, as an Operator on behalf of our clients.

Accountability
We take responsibility for compliance and have appointed Information Officers in terms of Section 55 of POPIA.
Minimality
We collect only the minimum personal information adequate and not excessive for the intended purpose.
Data Subject Rights
Data subjects may access, correct, object, or request deletion of their personal information at any time.
Responsible Party

Company Details

Social Wiiv (Pty) Ltd is the Responsible Party as defined in Section 1 of POPIA. As the Responsible Party, we determine the purpose of and means for processing personal information.

Legal Entity
Social Wiiv (Pty) Ltd
Registered Address
292 Surrey Avenue, 1st Floor
Ferndale, Randburg, 2194
South Africa
Website
www.socialwiiv.com
Section 55 — POPIA

Information Officers

In terms of Section 55 of POPIA, Social Wiiv has appointed a designated Information Officer and Deputy Information Officer. These officers are responsible for ensuring compliance with POPIA, handling data subject requests, and liaising with the Information Regulator.

Information Officer
Baron Marshall
Director
Social Wiiv (Pty) Ltd

The Information Officer is responsible for the overall POPIA compliance programme, policy approval, registration with the Information Regulator, and final accountability for data protection decisions.

Deputy Information Officer
Andre du Preez
Chief Technical Officer
Social Wiiv (Pty) Ltd

The Deputy Information Officer assists in implementing POPIA requirements, oversees technical safeguards, manages data processing agreements with operators, and handles day-to-day data subject request processing.

Section 18 Notice

Personal Information We Collect

We collect personal information directly from data subjects, from our clients (as an Operator), and in limited cases from third-party sources where lawfully permitted. We only collect information that is adequate, relevant, and not excessive for the stated purpose.

Identity & Contact
Full name, email address, phone number, physical and postal address, job title, and company name.
Usage & Technical
IP address, browser type, device identifiers, pages visited, session duration, and interaction logs where analytics consent is given.
Event & RSVP Data
Guest lists, RSVP status, attendance records, dietary requirements, and event preferences collected on behalf of our clients.
Transactional
Purchase history, ticket transactions, and payment confirmation details. We do not store full card numbers — payments are processed by PCI-DSS-compliant third parties.
Engagement & Loyalty
Points balances, reward redemptions, gamification scores, challenge completions, and recognition history within Experience platforms.
Security & Access
Authentication credentials (stored as one-way hashes), access logs, QR and NFC scan events, and session tokens.
Conditions for Lawful Processing

Purpose & Lawful Basis

All processing of personal information is grounded in one or more of the conditions for lawful processing set out in Chapter 3 of POPIA. We identify and document the applicable condition for each processing activity.

01
Consent

Where we rely on consent, it is freely given, specific, informed, and unambiguous. You may withdraw consent at any time without detriment, except where processing is necessary for a contractual obligation already undertaken.

02
Contractual Necessity

Processing necessary to perform a contract to which the data subject is a party, or to take pre-contractual steps at the data subject's request — including service delivery, billing, and account management.

03
Legitimate Interest

Processing necessary for our legitimate business interests, including fraud prevention, platform security, service improvement, and communications with existing clients — provided such interests are not overridden by the data subject's rights.

04
Legal Obligation

Processing necessary to comply with a legal obligation imposed by South African law, including tax legislation, financial reporting requirements, and court orders.

05
Operator Processing

Where Social Wiiv acts as an Operator processing personal information on behalf of a client (Responsible Party), processing is governed by a written Operator Agreement and conducted only on documented instructions.

Chapter 2 — POPIA

Your Rights as a Data Subject

POPIA grants data subjects a set of enforceable rights in relation to their personal information. Social Wiiv is committed to honouring all of these rights within the statutory timeframes.

Right of Access

Request confirmation of whether we hold your personal information and obtain a copy of the information we hold about you.

Right to Correction

Request correction or deletion of inaccurate, irrelevant, excessive, outdated, or misleading personal information we hold.

Right to Deletion

Request destruction or deletion of personal information where we are no longer authorised to retain it or where retention is unlawful.

Right to Object

Object to the processing of your personal information on grounds relating to your particular situation, including direct marketing.

Right to Withdraw Consent

Where processing is based on consent, withdraw that consent at any time. Withdrawal does not affect the lawfulness of prior processing.

Right to Complain

Lodge a complaint with the Information Regulator if you believe we have violated your rights under POPIA.

Right to Opt Out

Opt out of direct marketing communications at any time via the unsubscribe link in any marketing email or by contacting our Information Officer.

Right to Notification

Be notified if your personal information has been compromised through a security incident, in accordance with Section 22 of POPIA.

PAIA Form 2 / POPIA Request

How to Submit a Request

All data subject requests must be submitted in writing to the Information Officer. We acknowledge receipt within 3 business days and respond substantively within 30 days of receiving a complete request, as required by POPIA.

Download PAIA Manual
30
Business days
statutory response period
1
Prepare Your Request

Include your full name, contact details, a clear description of the personal information concerned, and the specific right you wish to exercise (access, correction, deletion, objection, or other). Where possible, include the relevant date range and system or platform involved.

2
Submit to the Information Officer

Send your written request by email to our Information Officer, Baron Marshall, at

3
Identity Verification

To protect your information, we may request proof of identity before processing your request. Acceptable documentation includes a certified copy of your South African ID, passport, or other government-issued identification. Identity documents are used solely for verification and are not retained beyond this purpose.

4
Acknowledgement & Response

We will acknowledge receipt within 3 business days. A full substantive response will be provided within 30 business days. Where the request is complex or we require an extension, we will notify you within the initial 30-day period and provide a revised timeline, not exceeding an additional 30 days.

5
Outcome & Escalation

If we are unable to fulfill your request, we will provide written reasons. If you are dissatisfied with our response, you have the right to lodge a complaint directly with the Information Regulator. See the Complaints section below for regulator contact details.

Section 14 — POPIA

Retention & Disposal Policy

Personal information is retained only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law. On expiry of the retention period, personal information is securely deleted or anonymised.

Information Category
Retention Period
Basis
Financial & billing records
5 years after transaction
Legal obligation (SARS)
Employee / promoter data
Duration of engagement + 3 years
Legal obligation (BCEA)
Marketing contact data
Until opt-out or 3 years inactive
Consent
Section 21 — POPIA

Third-Party Processing

We share personal information with third parties only where necessary, lawful, and subject to appropriate safeguards. We do not sell personal information under any circumstances.

Written Operator Agreements

All third-party service providers who process personal information on our behalf are bound by written Operator Agreements that impose obligations no less onerous than those we accept under POPIA.

Cross-Border Transfers

Where personal information is transferred outside South Africa, we ensure the recipient country provides an adequate level of protection, or we implement binding contractual safeguards as contemplated in Section 72 of POPIA.

Cloud & Infrastructure Providers

We use reputable cloud infrastructure providers with documented security certifications. All data processing agreements include provisions for sub-processing, security standards, breach notification, and audit rights.

Payment Processors

Payment card data is processed directly by PCI-DSS Level 1 certified payment processors. Social Wiiv does not store, transmit, or process raw card numbers at any point in the transaction flow.

We Do Not Sell Your Data

Social Wiiv does not sell, rent, or trade personal information to any third party. Marketing communications are sent only by Social Wiiv or on behalf of clients as part of a contracted service, with appropriate consent.

Section 19 — POPIA

Security Safeguards

In terms of Section 19 of POPIA, Social Wiiv maintains appropriate, reasonable technical and organisational measures to prevent the loss, damage, unauthorised destruction, or unlawful access to personal information.

Our information security programme is documented in our Security & Trust Centre, which provides full detail on encryption standards, access controls, incident response, and our ongoing compliance journey.

View Security & Trust Centre
TLS 1.3 Encryption
AES-256 at Rest
Role-Based Access
24/7 Monitoring
Breach Notification
Staff Training

In the event of a security compromise, Social Wiiv will notify the Information Regulator and affected data subjects in accordance with Section 22 of POPIA and our documented Incident Response Procedure.

Section 74 — POPIA

Complaints to the Regulator

If you are not satisfied with how we have handled your personal information or responded to your request, you have the right to lodge a complaint with the Information Regulator of South Africa in terms of Section 74 of POPIA.

We encourage you to contact our Information Officer first so that we may attempt to resolve the matter directly before you escalate to the Regulator.

Information Regulator (South Africa)
The statutory body established under Section 39 of POPIA to enforce compliance with POPIA and PAIA.
Postal Address
P.O. Box 31533
Braamfontein, Johannesburg, 2017
General Enquiries
inforeg@justice.gov.za
Website
www.inforegulator.org.za
Further Reading

Related Documents

Privacy Policy

Full details of how we collect, use, and protect personal information across all services.

View Document
Security & Trust Centre

Our technical and organisational security measures, infrastructure standards, and compliance roadmap.

View Document
Cookie Preferences

Manage your cookie consent and choose which optional tracking technologies are active.

Manage Preferences
PAIA Manual

Social Wiiv's Promotion of Access to Information Act manual — how to request access to records held by us.

Download PDF