Legal
Privacy policy
Effective 2026-05-26 · Last updated 5 June 2026
Who we are
Komply is a product of Auto Alpha Advisory, registered in South Africa. The responsible party for personal information collected via getkomply.co.za is Auto Alpha Advisory, contactable at hello@getkomply.co.za.
What we collect
- Account data: work email, company name, your role within the workspace.
- Workspace data: the public domain you ask us to scan, and the scan results that the audit engine produces against it. For the FSCA module, the fit-and-proper data for your key individuals and representatives (full name, last four digits of ID number, qualification + CPD records). For the B-BBEE module, the workforce composition required to score the scorecard (race and gender breakdowns), processed under the lawful basis provided by the B-BBEE Act and Codes of Good Practice (POPIA s27(1)(b)). For the SARS module, your VAT and payroll figures plus, optionally, Xero OAuth credentials encrypted at the application layer.
- Billing data: handled by PayFast — we receive payment confirmations, never card numbers.
- Operational logs: request identifier, tenant identifier, IP address, browser user-agent, and (for billing events) payment status and amount. We retain these for 12 months for abuse investigation and audit-trail continuity. No tracking cookies; no third-party analytics.
- Waitlist and share-link access logs: When you join our waitlist or someone views a share link you issued, we record the IP address, user-agent, and timestamp to investigate abuse and to give you a view-audit trail. Retention 12 months.
How we use it
To operate your workspace, run scans against the domain you nominate, send transactional email (sign-in links, monthly digest), bill you for the subscription, and meet our legal obligations. We don't sell personal information or share it with advertising networks.
Our lawful basis. We process your account, workspace, billing, and operational data because it is necessary to perform the subscription contract with you (POPIA s11(1)(b)) and to meet legal obligations such as tax-record retention (s11(1)(c)). B-BBEE workforce-composition data is processed under the basis provided by the B-BBEE Act and Codes of Good Practice (s27(1)(b)). LLM-assisted drafting and certificate extraction run only where you opt in (s11(1)(a) consent). Providing this information is voluntary, but it is required to operate your workspace — without it we cannot run the scans. Company-registry details (registration status, director roster) are sourced from CIPC at onboarding using the registration number you provide.
Where you opt in to LLM-assisted drafting (currently used inside the FSCA module for ICMP report and Ombud-response narrative generation), we send a redacted version of the structured data to Anthropic in the United States. Names of individuals are replaced with initials and personal identifiers (ID numbers, contact details) are stripped before transmission. The drafted text is returned for your review and sign-off before any submission.
Where you upload a B-BBEE certificate for automated field extraction, the uploaded document is sent to Anthropic in the United States for processing. The document is your own data and is transmitted unredacted because the document content is required for extraction. No fields are applied to your scorecard without your per-field confirmation.
Direct marketing
The monthly compliance digest we send to subscribers is transactional — it reports on your own workspace and the scans you asked us to run, as part of the service you signed up for, not direct marketing. We don't sell or rent your contact details. If we ever send genuine marketing email (product news or offers), it will be on an opt-in basis and every such message will carry a one-click unsubscribe, in line with POPIA s69. You can opt out of non-essential email at any time via the unsubscribe link or by emailing io@getkomply.co.za.
Where it lives
Application data is stored in Supabase Postgres (eu-west-1, Ireland) with tenant-scoped access controls enforced at the application layer plus Row-Level Security policies as defense in depth. Scan results are mirrored in Komply's database so the dashboard doesn't depend on the audit engine for read traffic. Transactional email is sent via Resend. Billing is handled by PayFast (Pty) Ltd in South Africa. LLM processing is handled by Anthropic in the United States under contractual safeguards and the zero-data-retention tier — redacted prompts for FSCA narrative drafting and uploaded B-BBEE certificate content for field extraction. See the Data Processing Agreement for the full sub-processor list and our cross-border-transfer basis.
Information Officer
POPIA s55 requires every responsible party to designate an Information Officer. Komply's Information Officer is Matt Owen, contactable at io@getkomply.co.za. Registration with the Information Regulator is pending; the registration number will appear here once issued.
How long we keep it
Account data: for the lifetime of the subscription plus 12 months after cancellation, then deleted on request or as part of our monthly retention sweep. Scan data: for the lifetime of the subscription. Billing records: 5 years per SA tax retention rules.
Your rights
Under POPIA you can request access to, correction of, or deletion of your personal information at any time. Email our Information Officer at io@getkomply.co.za; we acknowledge requests within 3 business days and respond in full within 30 days. Complaints can be lodged with the Information Regulator of South Africa at inforegulator.org.za.
Updates
We'll surface material changes in-app and via email at least 14 days before they take effect. The version date at the top of this page reflects the most recent change.