Protection of Personal Information
How Burmain Holdings processes, protects, and respects your personal information under the Protection of Personal Information Act 4 of 2013 (POPIA).
POPIA grants every person the right to privacy and the protection of their personal information. As a responsible party operating in South Africa, Burmain Holdings is committed to full compliance with all eight conditions for lawful processing.
1. About POPIA
What POPIA Is
The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa’s primary data protection legislation. POPIA came into full effect on 1 July 2021 and regulates how personal information of natural and juristic persons may be processed by public and private bodies operating within the Republic of South Africa.
Who It Applies To
POPIA applies to any person or entity — referred to as a “responsible party” — that processes personal information of data subjects in South Africa. Processing includes collecting, storing, using, sharing, or deleting personal information, regardless of whether this takes place through automated or manual means.
Our Role
Burmain Holdings (Pty) Ltd is the Responsible Party as defined under POPIA. We determine the purpose and means of processing personal information collected through our platforms and business operations. Our Information Officer has been formally appointed and registered with the Information Regulator of South Africa, and is responsible for ensuring ongoing compliance across all divisions and platforms.
2. The Eight Conditions for Lawful Processing
POPIA establishes eight conditions that must be met for personal information to be processed lawfully. We apply all eight conditions across all our platforms and operations.
Accountability
The responsible party is accountable for ensuring POPIA is complied with. We have appointed a dedicated Information Officer registered with the Information Regulator of South Africa, who oversees compliance across all business units and ensures this statement remains current and accurate.
Processing Limitation
Personal information may only be processed if the data subject consents, or if processing is necessary for a lawful purpose related to a function or activity of the responsible party. We collect only what is needed — nothing more — and we do not retain information beyond its useful purpose.
Purpose Specification
Personal information must be collected for a specific, explicitly defined, and lawful purpose. We state our purposes clearly before or at the time of collection, and we only retain personal information for as long as is necessary to fulfil that stated purpose.
Further Processing Limitation
Personal information may not be processed in a way that is incompatible with the purpose for which it was originally collected. We do not sell your personal information to third parties, and we do not use your data for secondary purposes without obtaining fresh consent where required.
Information Quality
We take reasonable steps to ensure that the personal information we hold is complete, accurate, not misleading, and updated where necessary. We provide data subjects with mechanisms to review and correct their information at any time.
Openness
We maintain a POPIA manual and notify data subjects about what information we collect and how we use it. This document forms part of that commitment to transparency. Our POPIA manual is available on request from our Information Officer.
Security Safeguards
We implement appropriate technical and organisational measures to secure personal information against loss, damage, unauthorised destruction, and unlawful access or processing. These safeguards are regularly reviewed and updated in line with evolving best practices and threats.
Data Subject Participation
Data subjects have the right to access their personal information held by us and to request corrections where that information is inaccurate or outdated. We provide simple, accessible mechanisms for exercising these rights and respond to all valid requests within the timeframes prescribed by POPIA.
3. What Personal Information We Collect
We collect personal information only when necessary and with a clear lawful basis. The categories of personal information we may process include:
- Identity information: name, surname, ID number where required by law or contract
- Contact details: email address, phone number, physical or postal address
- Professional information: job title, company name, industry sector
- Platform usage data: login times, feature usage patterns, session duration, and in-app activity
- Technical data: IP address, device type, browser type, operating system, and referring URLs
- Payment information: transaction amounts and billing references — card details are processed securely via certified third-party payment processors and are never stored on our systems
- Special personal information: only collected with your explicit consent and where strictly necessary for a clearly defined purpose
4. Lawful Basis for Processing
We process your personal information on one or more of the following lawful grounds as defined under POPIA:
- Consent — You have given clear, informed, and voluntary consent for us to process your personal information for a specific and stated purpose. You may withdraw consent at any time.
- Contractual necessity — Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.
- Legal obligation — Processing is necessary to comply with a legal or regulatory obligation to which Burmain Holdings is subject, including obligations under South African law.
- Legitimate interest — Processing is necessary for the legitimate interests of Burmain Holdings or a third party, provided those interests are not overridden by your fundamental rights and freedoms as a data subject.
- Vital interests — In rare and exceptional circumstances, processing may be necessary to protect your vital interests or those of another person where consent cannot reasonably be obtained.
5. Your Rights as a Data Subject
POPIA grants you the following rights in relation to your personal information:
Right to Access
You may request a record of the personal information we hold about you. We will respond within 30 days.
Right to Correction
You may request that we correct or update inaccurate personal information.
Right to Deletion
You may request that we delete your personal information where there is no longer a lawful basis for processing.
Right to Object
You may object to the processing of your personal information in certain circumstances, including for direct marketing.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect processing prior to withdrawal.
Right to Complain
You have the right to lodge a complaint with the Information Regulator if you believe we have violated your rights under POPIA.
Right to Data Portability
You may request your personal information in a structured, commonly used format where technically feasible.
Right Not to Be Subject to Automated Decisions
You have the right not to be subject to decisions based solely on automated processing that significantly affect you.
6. Cross-Border Transfers
We may transfer personal information to recipients in other countries, including the United Kingdom and the European Union, where our platforms operate.
Transfer Safeguards
- We only transfer to countries that have adequate data protection laws, or
- We implement standard contractual clauses or binding corporate rules, or
- The data subject has consented to the transfer after being informed of the risks, or
- The transfer is necessary for the performance of a contract with the data subject
7. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
- Account data — retained for the duration of the account plus 5 years after closure
- Transaction records — 7 years (as required by South African tax legislation)
- Marketing data — until you withdraw consent or unsubscribe
- Support records — 3 years from resolution
- System logs — 90 days
After the applicable retention period, personal information is securely deleted or anonymised so it can no longer be attributed to any individual.
8. Security Safeguards
We implement appropriate technical and organisational measures to protect personal information against loss, damage, destruction, or unlawful access.
Our Security Measures Include:
- Encryption at rest and in transit (TLS 1.3+, AES-256)
- Role-based access control — only authorised personnel access personal data
- Regular penetration testing and vulnerability assessments
- Secure development practices and code reviews
- Incident response procedures with defined notification timelines
- Employee training on data protection and security awareness
Data Breach Notification
In the event of a data breach that poses a risk to data subjects, we will notify the Information Regulator and affected individuals within 72 hours of becoming aware of the breach, in accordance with Section 22 of POPIA.
9. Information Officer
Burmain Holdings (Pty) Ltd has appointed a dedicated Information Officer as required by Section 55 of POPIA. The Information Officer is registered with the Information Regulator of South Africa and is responsible for overseeing our compliance with POPIA.
Information Officer
Contact via: privacy@burmain.com
For PAIA requests (access to records), POPIA complaints, and data subject rights requests.
Information Regulator
The Information Regulator of South Africa
Website: www.justice.gov.za/inforeg/
Email: inforeg@justice.gov.za
Phone: 012 406 4818
10. Contact & Updates
How to Exercise Your Rights
Send a written request to privacy@burmain.com with: your full name, a description of the right you wish to exercise, and any supporting information. We will respond within 30 days.
Changes to This Notice
We may update this POPIA compliance statement from time to time. Changes will be posted on this page with an updated effective date. Continued use of our platforms after changes constitutes acceptance.