Privacy Policy
Effective from April 2026 · POPIA-compliant · Responsible Party: Notice Me
⚠ Operator action required before publishing
Replace all [PLACEHOLDER] values with your actual details. You must register your Information Officer with the Information Regulator at inforegulator.org.za before processing personal information commercially. Have a qualified South African attorney verify POPIA compliance before going live.
Notice Me (Registration No. [REGISTRATION NUMBER]), the operator of Notice Me, is the Responsible Party in respect of your personal information as defined in the Protection of Personal Information Act 4 of 2013 ("POPIA"). This Privacy Policy explains how we collect, use, store and protect your personal information, and describes the rights you have as a data subject.
This Policy applies to all personal information we process in connection with the Notice Me platform, including information provided by Vendors, Centre users, and visitors to our website.
Who We Are (Responsible Party)
| Company name | Notice Me |
| Registration number | [REGISTRATION NUMBER] |
| Registered address | [REGISTERED ADDRESS] |
| Information Officer | [INFORMATION OFFICER NAME] |
| Information Officer email | [INFORMATION OFFICER EMAIL] |
| Information Regulator registration | [REGISTRATION REFERENCE — obtained from inforegulator.org.za] |
Under POPIA, every organisation that processes personal information must designate an Information Officer and register that officer with the Information Regulator of South Africa.
Personal Information We Collect
We collect the following categories of personal information:
2.1 Account and Identity Information (Vendors and Centre Users)
·Full name or business name
·Email address
·Password (stored as a one-way cryptographic hash — we cannot recover your plain-text password)
·Account role (vendor or centre user)
·Account creation date and time
2.2 Advertising Content
·Ad title and descriptive text
·Uploaded media files (images, videos, PDF documents)
·Selected Screens, dates and time slots for each Booking
·Ad approval status and any rejection reasons
2.3 Booking and Payment Records
·Booking reference numbers
·Pricing per Booking
·Payment status and payment gateway reference numbers (PayFast)
·Booking creation and expiry dates
2.4 Usage and Performance Data
Ad play counts: we log each time a registered Screen plays an approved Ad, recording the Ad identifier, Screen identifier, and date/time of play. This data is linked to your account for reporting purposes.
2.5 Complaint Records (Centre Users)
·Complaint text submitted by Centre users regarding Ads displayed on their Screens
·Complaint status and resolution outcome
2.6 Technical Data
Session data: We use a digitally signed session token (JWT) stored in a browser cookie to maintain your login session. It contains your account identifier, role and session expiry. It does not contain your password.
IP addresses: Temporarily held in server memory for rate-limiting only. Never written to any database or log file. Discarded automatically within 60 minutes.
Purposes and Legal Basis for Processing
We process your personal information only for the specific, explicitly defined and legitimate purposes below, in accordance with Chapter 3 of POPIA.
| Purpose | Information Used | Legal Basis (POPIA) |
|---|---|---|
| Account creation and authentication | Name, email, password hash | Consent; contract performance |
| Processing and managing Ad Bookings | Ad content, Booking details, Screen selections | Contract performance |
| Payment processing | Booking amount, payment gateway reference | Contract performance; legal obligation |
| Delivering Ads to Screens | Ad media files, Booking schedule | Contract performance |
| Performance reporting (play counts) | Ad play logs | Contract performance; legitimate interest |
| Handling Centre complaints | Complaint text, Ad and Centre identifiers | Legitimate interest; contract performance |
| Security and fraud prevention | IP addresses (in memory), session tokens | Legitimate interest; legal obligation |
| Legal and compliance obligations | Account and transaction records | Legal obligation |
| Service communications (transactional) | Email address | Contract performance |
| Direct marketing (only with consent) | Email address, name | Consent — withdrawable at any time |
How We Use Your Information
We use your personal information only for the purposes listed in clause 3. We do not sell, rent or trade your personal information to any third party. We do not use your personal information for automated decision-making that produces legal or similarly significant effects without your involvement.
Sharing of Personal Information
We may share your personal information in the following limited circumstances:
Payment processor
We share Booking and payment information with our payment gateway provider (PayFast) to process transactions. That provider processes information under its own privacy policy and is subject to applicable data protection law.
PiSignage
Ad media files are transmitted to PiSignage digital signage software running on our local network infrastructure to schedule and display Ads on Screens. This transmission occurs within our own controlled infrastructure; PiSignage does not independently receive or store your personal account data.
Centre operators
Centre users can see the title and status of Ads scheduled on their Screens. They do not have access to your account email address, payment details or other personal information.
Legal requirements
We may disclose personal information where required by law, court order, or lawful request by a South African government authority.
Business transfers
In the event of a merger or acquisition, personal information may be transferred to the acquiring entity, subject to equivalent obligations.
International Transfers
We primarily store and process your personal information within the Republic of South Africa. Where personal information is transferred outside the Republic, we will ensure that the recipient is subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection, in compliance with section 72 of POPIA.
Retention of Personal Information
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Category | Retention period |
|---|---|
| Account information | Duration of account plus 3 years after closure (legal claims / audit) |
| Ad content and Booking records | Duration of Booking, then 3 years for records purposes |
| Payment records | 5 years (Tax Administration Act 28 of 2011) |
| Ad play logs | Duration of account or 3 years after last activity, whichever is later |
| Complaint records | 3 years after resolution |
| IP addresses (rate limiting) | Maximum 60 minutes — in server memory only; never persisted |
| Session tokens | 8 hours (standard) or 30 days ("Remember me"), then automatically expire |
After the applicable retention period, personal information is securely deleted or anonymised.
Security Safeguards
We implement appropriate technical and organisational measures to protect your personal information in accordance with section 19 of POPIA. These include:
Security Compromise Notification
Direct Marketing
We will only send you direct marketing communications where you have given us prior consent, in accordance with section 69 of POPIA and section 45 of ECTA.
You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting our Information Officer at [INFORMATION OFFICER EMAIL].
Cookies and Browser Storage
We use a minimal set of browser storage mechanisms:
next-auth.session-tokenStrictly necessaryA digitally signed, HttpOnly cookie containing your encrypted session token. Expires automatically based on session duration chosen at login (8 hours or 30 days). Does not contain personal information in readable form.
next-auth.csrf-tokenStrictly necessaryUsed to protect against cross-site request forgery attacks.
We do not use advertising cookies, analytics cookies, tracking pixels or any third-party cookies.
Your Rights as a Data Subject
Under Chapter 2 of POPIA you have the following rights:
Right to be informed
Know what personal information we hold and how we use it (addressed by this Policy).
Right of access
Request a copy of the personal information we hold about you.
Right to correction or deletion
Request that inaccurate, irrelevant, excessive or out-of-date information be corrected or deleted.
Right to object
Object to processing on reasonable grounds. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to object to direct marketing
Object at any time to processing for direct marketing purposes.
Right to complain
Lodge a complaint with the Information Regulator of South Africa.
Submit a written request to our Information Officer at [INFORMATION OFFICER EMAIL]. We will respond within 30 days and may verify your identity first.
Information Regulator
The Information Regulator is the independent statutory body established by POPIA to monitor and enforce data protection law in South Africa. If you are not satisfied with our response, you may contact:
Children's Privacy
The Platform is not directed at persons under the age of 18. We do not knowingly collect personal information from minors. If you are aware that a minor has provided us with personal information without parental consent, please contact our Information Officer immediately and we will take steps to delete that information.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. We will notify you of material changes by email or by prominent notice on the Platform. The updated Policy will take effect 20 business days after notification.
Contact Us
For all privacy-related queries, data subject requests or complaints, please contact our Information Officer:
Legislation referenced: Protection of Personal Information Act 4 of 2013 · Electronic Communications and Transactions Act 25 of 2002 · Tax Administration Act 28 of 2011.