B
BMS
Legal

POPIA compliance

Last updated: 20 April 2026

BMS operates under the Protection of Personal Information Act, 2013 (POPIA). This page summarises how we comply and what that means for you.

1. Our role under POPIA

When you use BMS to run your business, you are the responsible party for the personal information of your own clients and employees. BMS acts as your operator under POPIA - we process that information only on your lawful instructions, to deliver the service.

Where we collect information about you directly to operate your BMS account, we are the responsible party.

2. Information Officer

Our POPIA Information Officer can be contacted at admin@safetrak.co.za. Queries, complaints, access requests and deletion requests should go to that address.

3. The eight conditions of lawful processing

BMS processes personal information in line with POPIA's eight conditions:

  • Accountability - we take responsibility for lawful processing.
  • Processing limitation - we only collect what we need, for a lawful purpose, with your consent or another lawful basis.
  • Purpose specification - collected for explicit, legitimate purposes disclosed in our Privacy Policy.
  • Further processing limitation - we don't reuse your information for unrelated purposes.
  • Information quality - we keep it accurate; you can correct it at any time.
  • Openness - see our Privacy Policy for what, why and how.
  • Security safeguards - encryption, access control, audit logging and SA-based hosting.
  • Data subject participation - you can access, correct or delete your information.

4. Your rights as a data subject

  • Be told what personal information we hold about you.
  • Ask for incorrect information to be corrected or deleted.
  • Object to the processing of your information for direct marketing.
  • Not be subject to automated decisions that significantly affect you, without human review.
  • Lodge a complaint with the Information Regulator of South Africa.

5. Cross-border transfers

Personal information is stored on cloud infrastructure physically hosted in South Africa. Where a specific third-party service (for example email delivery or payment processing) may process information outside South Africa, we use providers that offer POPIA-equivalent protection or contractual safeguards.

6. Sub-operators we use

We use the following categories of sub-operators under written agreements that commit them to POPIA-equivalent protection:

  • Cloud hosting - SA-based infrastructure.
  • Payment processing - Paystack, PayFast, Ozow.
  • Email and SMS delivery - Resend, BulkSMS.
  • Error monitoring - aggregated, no personal business content.

7. Security

We use encryption in transit (HTTPS), encryption at rest for backups, role-based access control, audit logging and regular security reviews. Access to personal information is strictly need-to-know for BMS staff.

8. Breach notification

If we become aware of a compromise that affects your personal information we will notify you and the Information Regulator as soon as reasonably possible, in line with section 22 of POPIA.

9. Information Regulator

South African Information Regulator:

  • Email - inforeg@justice.gov.za
  • Website - inforegulator.org.za

10. Contact us

For any POPIA-related query or complaint: admin@safetrak.co.za.

See also: Privacy Policy · Terms of Service