1. Information Officer

In accordance with POPIA, our designated Information Officer is:

Sonda (Pty) Ltd
Email: privacy@sonda.co.za
Website: sonda.co.za

2. What Personal Information We Collect

We collect the following categories of personal information:

Identity Information: Full name, ID number (for will drafting), date of birth, gender.

Contact Information: Email address, phone number, physical address.

Financial Information: Asset details (for will drafting), payment card details (processed by Paystack — we do not store card numbers), transaction history.

Documents: Files uploaded to your vault (wills, IDs, certificates, policies).

Health Information: Only if voluntarily provided in health records or will provisions relating to medical directives.

Biometric Information: Facial verification data for provider KYC (processed by SmileID — stored only for verification purposes).

Usage Data: Check-in history, Legacy Score, platform interactions, device type, IP address.

Nominee Information: Names, phone numbers, and email addresses of people you designate as nominees or heirs.

3. Purpose of Processing (POPIA Section 13)

We process your personal information for the following specific purposes:

a) To provide our services: Will drafting, document storage, heir management, marketplace bookings.

b) To communicate with you: WhatsApp notifications, check-in reminders, booking confirmations, service updates.

c) To process payments: Subscription billing, service provider payments, escrow management.

d) To verify identity: KYC for service providers, nominee verification.

e) To improve our platform: Analytics, error monitoring, feature usage tracking.

f) To fulfil legal obligations: FICA compliance, fraud prevention, dispute resolution.

4. Legal Basis for Processing (POPIA Section 11)

We process your information based on:

Consent: You consent to processing when you create an account and accept these terms. You may withdraw consent at any time by contacting us or deleting your account.

Contract: Processing necessary to fulfil our service agreement with you.

Legitimate Interest: Platform security, fraud prevention, and service improvement.

Legal Obligation: Where required by South African law (FICA, tax reporting).

5. Data Storage and Security

Your data is stored on servers operated by Supabase (cloud infrastructure). Documents in your vault are encrypted at rest using AES-256 encryption. Payment information is processed and stored by Paystack, a PCI DSS Level 1 certified payment processor — we never store your full card number. All data transmission uses TLS 1.3 encryption.

6. Third-Party Data Sharing

We share personal information with the following third parties, only as necessary to provide our services:

Supabase: Database and authentication hosting.

Paystack: Payment processing.

OpenAI: AI will drafting and document analysis (anonymised where possible).

Meta (WhatsApp): Message delivery for notifications.

SmileID: Biometric KYC verification for providers.

Service Providers: When you book a service, your name and contact details are shared with the provider to fulfil the booking.

We do not sell your personal information to any third party.

7. Cross-Border Data Transfers

Some of our service providers (Supabase, Paystack, OpenAI) store data outside South Africa. In accordance with POPIA Section 72, we ensure these providers maintain adequate data protection measures equivalent to or exceeding POPIA requirements.

8. Your Rights Under POPIA

You have the right to:

a) Access: Request a copy of your personal information we hold.

b) Correction: Request correction of inaccurate information.

c) Deletion: Request deletion of your personal information (subject to legal retention requirements).

d) Object: Object to the processing of your information for direct marketing.

e) Data Portability: Request your data in a machine-readable format via Settings → Data Export.

f) Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, email privacy@sonda.co.za. We will respond within 30 days as required by POPIA.

9. Data Retention

We retain your personal information for as long as your account is active. Upon account deletion, we permanently delete your data within 30 days, except where retention is required by law (e.g., financial records for 5 years per the Tax Administration Act). Vault documents are deleted immediately upon your request.

10. Digital Heir and Nominee Data

When you designate nominees or digital heirs, we collect their contact information to notify them if triggered by your check-in system. Nominees are informed of their designation and can opt out. Upon heir release, nominees gain access only to documents and information you have explicitly shared.

11. Cookies and Tracking

We use essential cookies for authentication and session management. We use analytics tools to understand platform usage. You can disable non-essential cookies in your browser settings.

12. Children's Privacy

Sonda is not intended for children under 18. We do not knowingly collect personal information from minors. If we learn we have collected information from a child, we will delete it promptly.

13. Complaints

If you believe your privacy rights have been violated, you may lodge a complaint with the Information Regulator of South Africa:

Email: complaints.IR@justice.gov.za
Tel: 012 406 4818
Website: inforegulator.org.za

14. Contact

For privacy-related enquiries: privacy@sonda.co.za

For general support: support@sonda.co.za