Vela The Next Chapter Join waitlist

POPIA

How we handle your rights.

Last updated: May 2026

1. Our Status Under POPIA

Vela Technologies PTY LTD is the Responsible Party under the Protection of Personal Information Act 4 of 2013 (POPIA). As the Responsible Party, we determine the purpose of and means for processing personal information and are accountable for compliance with all eight conditions for lawful processing set out in POPIA Chapter 3.

Our Information Officer has been designated in terms of POPIA Section 55 and registered with the Information Regulator. Contact: privacy@velaguide.co.za.

2. The Eight Conditions for Lawful Processing

Condition 1 — Accountability (Section 8)

We take responsibility for ensuring that POPIA is complied with across all personal information processing activities, including by third-party operators. We maintain internal policies, training, and oversight mechanisms to uphold this accountability.

Condition 2 — Processing Limitation (Section 9)

We collect only the personal information that is adequate, relevant, and not excessive for the purpose of preparing a learner's guidance plan. We do not collect names, ID numbers, or raw WhatsApp messages. Phone numbers are stored only as one-way cryptographic hashes. Raw financial proxy answers are used only for classification and are not retained in readable form in any learner-facing output.

Condition 3 — Purpose Specification (Section 10)

Personal information is collected for a specific, explicitly defined purpose — preparing a personalised guidance plan and delivering associated deadline reminders. The purpose is disclosed in full in the WhatsApp consent message before any data is collected. We do not collect information for vague or undefined future purposes.

Condition 4 — Further Processing Limitation (Section 15)

We do not process personal information for any purpose incompatible with the original purpose of collection. Anonymised, non-identifiable data may be used for aggregate product improvement, which is compatible with the original purpose. We do not sell, license, or commercially exploit personal information.

Condition 5 — Information Quality (Section 16)

We take reasonable steps to ensure that learner-provided information is accurate and complete. The WhatsApp flow includes a full confirmation step for subjects and marks before processing begins. Learners can correct entries using the EDIT command. We do not process records with missing required fields.

Condition 6 — Openness (Section 18)

We notify data subjects of all relevant information before collection begins, including the identity of the Responsible Party, the purpose of collection, whether supply is voluntary or mandatory, the consequences of non-provision, any intended recipients, and data subject rights. This notification is delivered in the WhatsApp consent message. This Privacy Policy and POPIA Compliance Statement are publicly available at velaguide.co.za.

Condition 7 — Security Safeguards (Section 19)

We implement appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised destruction, unlawful access, and unlawful processing. These measures include encryption at rest, TLS in transit, HMAC-SHA256 hashing for phone numbers, least-privilege access, exclusion of PII from error logs, daily backups to a separate location, and formal incident response procedures. We contractually require operators (service providers) to maintain equivalent security standards.

Condition 8 — Data Subject Participation (Sections 23–24)

Data subjects may request access to their personal information, request correction of inaccurate information, and request deletion of information that is no longer required. Requests must be submitted to our Information Officer. We respond within 30 days. Where a request is refused, we will provide written reasons and notify the data subject of their right to complain to the Information Regulator.

3. Special Categories of Personal Information

POPIA Section 35 places enhanced obligations on the processing of special personal information. Where Vela's database includes race-based bursary eligibility criteria (lawful under South African B-BBEE and employment equity legislation), this data is stored securely, used only to evaluate eligibility for named funding opportunities, and never disclosed in any context other than a specific funding match. We do not request or store health, biometric, criminal, religious, or political information.

4. Minors

POPIA Section 34 requires consent from a competent person before processing a child's personal information. Our WhatsApp flow obtains this consent explicitly, requires confirmation of parental or guardian permission for under-18 users, and records the consent timestamp and version before any data collection begins.

5. Data Breach Notification

In accordance with POPIA Section 22, we will notify the Information Regulator and affected data subjects of any security breach as soon as reasonably possible after discovery, where the breach is likely to result in prejudice to the data subject.

6. Information Regulator

The Information Regulator of South Africa is the supervisory authority for POPIA. Data subjects may lodge a complaint with the Information Regulator if they believe their rights under POPIA have been infringed:

7. Annual Compliance Review

We conduct an annual internal review of our POPIA compliance posture before each new season opens. This review covers data retention schedules, consent records, operator agreements, security controls, and data subject request logs. Where gaps are identified, they are remediated before the season opens.

8. Contact

POPIA enquiries and data subject requests: privacy@velaguide.co.za