Last updated: 31 May 2026
Purpose of This Notice
This notice explains how Praxo complies with the Protection of Personal Information Act, 2013 (POPIA) in the processing of personal information through our environmental compliance management platform.
Information Officer
Name: Andile Khumalo
Email: [email protected]
Role: Information Officer (as defined in POPIA Section 1)
Categories of Data Subjects
- Environmental Assessment Practitioners (EAPs): Name, email, organisation, professional registration details
- Environmental Compliance Officers (ECOs): Name, email, organisation
- Specialists: Name, email, area of expertise, project assignments
- Clients: Name, email, organisation, project-related correspondence
- Authority contacts: Public officials' contact details (publicly available information)
Purpose of Processing
| Purpose | Lawful Basis (POPIA Section 11) |
|---|---|
| Account management and authentication | Contract |
| Environmental assessment workflow management | Contract |
| Document generation and storage | Contract |
| Regulatory deadline computation | Contract |
| AI-assisted compliance screening | Consent + Contract |
| Provincial benchmarking (anonymised) | Legitimate interest |
| Billing and payment processing | Contract |
| Security monitoring and fraud prevention | Legitimate interest |
Consent Management
Upon registration, users provide explicit consent to:
- The processing of their personal information as described in our Privacy Policy
- The Terms of Service governing platform use
Consent records are maintained with timestamps and can be withdrawn at any time by contacting [email protected]. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
Data Subject Rights (POPIA Sections 23-25)
Data subjects may exercise the following rights by emailing [email protected]:
- Right of access (Section 23): Request confirmation of whether we hold your personal information and obtain a copy
- Right to correction (Section 24): Request correction or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, or misleading information
- Right to deletion (Section 24): Request destruction of personal information that is no longer needed for its collected purpose
- Right to object (Section 11(3)(a)): Object to processing on grounds of legitimate interest
We will respond to all requests within 30 days as required by POPIA.
Data Retention Schedule
| Data Type | Retention Period |
|---|---|
| Account information | Active subscription + 12 months |
| Project data and documents | Active subscription + 90-day grace period |
| AI interaction logs | 24 months |
| Audit logs | 36 months |
| Payment records | As required by SA tax law (5 years) |
| Consent records | Duration of account + 5 years |
Security Measures (POPIA Section 19)
Praxo implements the following security safeguards:
- TLS 1.3 encryption for all network communications
- Server-side encryption for stored documents
- SHA-256 hashing of authentication tokens
- Role-based access control following the principle of least privilege
- Rate limiting on authentication endpoints
- Automated health monitoring with 15-minute check intervals
- Immutable audit logging
Breach Notification (POPIA Section 22)
In the event of a security compromise that may affect personal information:
- The Information Regulator will be notified within 72 hours
- Affected data subjects will be notified as soon as reasonably possible
- Notification will include: nature of the breach, categories of information affected, measures taken, and recommended protective actions
Data Processing Agreement
Organisations that process personal information of third parties through the Praxo platform (e.g., project stakeholder details in EIA documents) may require a Data Processing Agreement. Contact [email protected] to request one.
Information Regulator
Complaints may be directed to:
Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: [email protected]
Tel: 012 406 4818