Privacy Policy
Last Updated: July 16, 2025
1. Introduction and Scope
This Privacy Policy explains how DonorAssured ("we," "us," or "our") collects, uses, and protects your personal information when you use our SARS IT3(d) submission and Section 18A certificate generation services.
This policy applies to all users of DonorAssured services and covers:
- Personal information we collect
- How we use your information
- Legal basis for processing under POPIA
- Your rights and how to exercise them
- Security measures we implement
- Contact information for privacy inquiries
2. Personal Information We Collect
2.1 Information You Provide
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, phone number, tax practitioner registration details | Account creation and management |
| Donor Information | Donor names, addresses, ID numbers, contact details | SARS submission and certificate generation |
| Financial Data | Donation amounts, dates, tax reference numbers | Compliance calculations and reporting |
| Organizational Data | Client organization details, banking information | Service delivery and integration |
2.2 Information We Collect Automatically
- System logs and usage data
- IP addresses and device information
- Access times and feature usage
- Error logs and performance metrics
2.3 Information from Third Parties
We may receive information when you integrate with:
- Excel and Google Sheets (spreadsheet data)
- Xero (accounting and financial data)
- Other business systems you choose to connect
3. How We Use Personal Information
3.1 Service Delivery
- Format and validate SARS IT3(d) submissions
- Generate Section 18A certificates
- Provide data integration and export functionality
- Maintain audit trails and compliance records
3.2 Account Management
- Create and maintain user accounts
- Provide customer support
- Process payments and billing
- Communicate important service updates
3.3 System Operations
- Monitor system performance and security
- Troubleshoot technical issues
- Backup and disaster recovery
- Improve service functionality
4. Legal Basis for Processing (POPIA)
Under POPIA, we process personal information on the following legal grounds:
4.1 Consent
We obtain your explicit consent for:
- Processing personal information for service delivery
- Storing data on international cloud infrastructure
- Communication about service updates and features
4.2 Contractual Necessity
Processing is necessary to:
- Perform our service agreement with you
- Provide the technical services you requested
- Process payments and manage your account
4.3 Legal Compliance
We may process information to comply with:
- SARS reporting and audit requirements
- Tax practitioner regulatory obligations
- Court orders and legal processes
4.4 Legitimate Interests
Processing may be necessary for:
- System security and fraud prevention
- Service improvement and optimization
- Business operations and administration
5. Data Sharing and Disclosure
5.1 We Do Not Sell Personal Information
We do not sell, rent, or trade your personal information to third parties for commercial purposes.
5.2 Service Providers
We may share information with trusted service providers who assist us in:
- Cloud hosting and infrastructure (AWS)
- Payment processing
- Customer support services
- System monitoring and maintenance
5.3 Legal Requirements
We may disclose information when required by:
- SARS or other regulatory authorities
- Court orders or legal processes
- Law enforcement agencies
- Professional regulatory bodies
6. AWS Infrastructure and Security
Infrastructure Security
DonorAssured leverages Amazon Web Services (AWS) infrastructure, which maintains industry-standard security certifications including SOC 1/2/3, ISO 27001, and PCI DSS compliance.
6.1 Data Protection Measures
- Encryption: All data is encrypted in transit and at rest
- Access Controls: Multi-factor authentication and role-based access
- Monitoring: Comprehensive logging and real-time security monitoring
- Backup: Regular automated backups with disaster recovery procedures
6.2 Data Location
Your data is primarily stored in AWS data centers located in regions that provide appropriate data protection standards. We implement additional safeguards for any international data transfers.
7. International Data Transfers
7.1 Cross-Border Processing
Some processing may occur outside South Africa through our AWS infrastructure. We ensure appropriate safeguards including:
- AWS infrastructure compliance with international standards
- Contractual data protection clauses
- Regular security assessments and audits
- Encryption and access controls
7.2 POPIA Compliance
All international transfers comply with POPIA requirements for cross-border data flows and adequacy determinations.
8. Data Retention and Deletion
8.1 Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of service + 1 year | Account management and support |
| Donation Data | 5 years minimum | SARS audit and compliance requirements |
| System Logs | 2 years | Security monitoring and troubleshooting |
| Financial Records | 5 years | Tax and accounting compliance |
8.2 Data Deletion
We securely delete personal information when:
- The retention period expires
- You request deletion (subject to legal requirements)
- The information is no longer needed for business purposes
- Your account is terminated
9. Your Rights and Controls
Your POPIA Rights
Under POPIA, you have the right to:
- Access: Request copies of your personal information
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your personal information
- Objection: Object to processing in certain circumstances
- Portability: Export your data in a portable format
- Restriction: Restrict processing in certain situations
9.1 Exercising Your Rights
To exercise your rights, please contact us with:
- Clear identification of the right you wish to exercise
- Sufficient information to verify your identity
- Specific details about the information involved
- Your preferred method of response
9.2 Response Times
We will respond to your requests within 30 days as required by POPIA, or inform you if additional time is needed.
10. Cookies and Tracking
10.1 Essential Cookies
We use essential cookies for:
- User authentication and session management
- Security and fraud prevention
- Basic system functionality
10.2 Optional Cookies
With your consent, we may use cookies for:
- Analytics and performance monitoring
- Service improvement and optimization
- User experience enhancement
11. Security Incident Response
11.1 Incident Detection
We maintain 24/7 monitoring systems to detect potential security incidents and data breaches.
11.2 Breach Notification
In the event of a data breach, we will:
- Notify the Information Regulator within 72 hours if required
- Inform affected users without undue delay
- Provide clear information about the incident and response measures
- Offer guidance on protective steps you can take
12. Children's Privacy
DonorAssured is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from minors.
13. Privacy Policy Updates
We may update this Privacy Policy from time to time. Material changes will be communicated through:
- Email notification to registered users
- Prominent notice on our website
- In-app notifications
14. Contact Information and Complaints
Privacy Inquiries
For questions about this Privacy Policy or to exercise your rights:
Email: privacy@donorassured.co.za
Subject Line: Privacy Policy Inquiry
Complaints
If you have concerns about our privacy practices, you may lodge a complaint with:
Information Regulator of South Africa
Email: inforeg@justice.gov.za
Website: www.justice.gov.za/inforeg