Legal

POPIA Compliance

Effective date: 1 March 2026 · Operated by Be Relevant (Pty) Ltd

Be Relevant (Pty) Ltd is committed to processing personal information responsibly and in full compliance with the Protection of Personal Information Act 4 of 2013 ("POPIA").

Our Role as Responsible Party

Be Relevant (Pty) Ltd acts as the Responsible Party for all personal information processed through CalmCash. We determine the purpose and means of processing your personal information in accordance with POPIA's eight conditions for lawful processing.

Lawful Basis for Processing

We process your personal information on the following lawful bases as defined in POPIA Section 11:

  • Contractual necessity: to provide the services you have subscribed to and generate your financial reports.
  • Legitimate interest: to improve the Platform, prevent fraud, and ensure security.
  • Legal obligation: to comply with South African law including tax legislation.
  • Consent: for marketing communications (you may withdraw consent at any time).

Information Officer

Our Information Officer is responsible for ensuring POPIA compliance and handling data subject requests. Contact our Information Officer at [email protected]. We will respond to all requests within 30 days as required by POPIA.

Your Rights Under POPIA

| Right | Description | How to Exercise |
|---|---|---|
| Right of Access (Section 23) | Request a copy of all personal information we hold about you | Email [email protected] |
| Right to Correction (Section 24) | Request correction of inaccurate or incomplete information | Email [email protected] |
| Right to Deletion (Section 24) | Request deletion of your personal information (subject to legal retention requirements) | Email [email protected] |
| Right to Object (Section 11(3)) | Object to the processing of your personal information for direct marketing | Email [email protected] |
| Right to Complain (Section 74) | Lodge a complaint with the Information Regulator of South Africa | www.inforeg.org.za |

Data Retention Schedule

| Data Category | Retention Period | Basis |
|---|---|---|
| Account information | Subscription duration + 12 months | Contractual necessity |
| Financial intake data | Subscription duration + 12 months | Contractual necessity |
| Uploaded documents | Until deleted by user or account closure | User consent |
| Usage analytics | 24 months (anonymised) | Legitimate interest |
| Payment records | 5 years | Tax Administration Act requirement |

Cross-Border Data Transfers

Where personal information is transferred outside South Africa (e.g., to AI processing services and cloud storage), we ensure adequate protection is in place through contractual safeguards consistent with POPIA Section 72. Specifically:

  • Google (AI processing): governed by Google's Data Processing Addendum, which provides GDPR-equivalent protections.
  • Amazon Web Services (document storage): governed by AWS's Data Processing Addendum with encryption at rest and in transit.

Security Measures

We implement the following technical and organisational measures to protect your personal information in accordance with POPIA Section 19:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for documents stored in S3
  • Role-based access controls limiting data access to authorised personnel
  • Regular security reviews and access audits
  • Incident response procedures for data breaches

Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Regulator within 72 hours of becoming aware of the breach, as required by POPIA Section 22. Notification will include the nature of the breach, the categories of data affected, and the measures taken to address it.

Contact the Information Regulator

If you believe your rights under POPIA have been violated and we have not adequately addressed your complaint, you may contact the Information Regulator of South Africa: