POPIA Compliance Notice

This POPIA Compliance Notice ("Notice") describes how GOODSOURCE BOS (PTY) LTD, as a responsible party under POPIA, processes personal information. It is intended to inform data subjects of their rights and our obligations under POPIA.

This Notice must be read together with our Privacy Policy and our PAIA Manual.

Responsible party: GOODSOURCE BOS (PTY) LTD
Registration number: 2026/160970/07
Address: 11 Shaw Road, Blairgowrie, Randburg, Gauteng, 2194
Information Officer: Roberto Madonsela
Email: langamadonsela89@gmail.com
Phone: 0713002691

POPIA requires that personal information be processed on a lawful basis. GOODSOURCE BOS processes personal information on the following bases:

• Section 11(1)(a) — Consent: Where the data subject has given consent to the processing of their personal information, such as for marketing communications.
• Section 11(1)(b) — Contractual necessity: Where processing is necessary for the performance of a contract to which the data subject is a party, being the provision of the GoodSource BOS compliance platform.
• Section 11(1)(c) — Legal obligation: Where processing is required to comply with an obligation imposed by law, including tax legislation and record-keeping requirements.
• Section 11(1)(f) — Legitimate interest: Where processing is necessary for pursuing the legitimate interests of GOODSOURCE BOS or a third party to whom the information is supplied, including platform security and fraud prevention.

GOODSOURCE BOS processes personal information relating to the following categories of data subjects:

• Registered users of the GoodSource BOS platform (natural persons)
• Directors and beneficial owners of registered business entities using the platform
• Employees of business entities whose information may be captured in compliance profiles
• Prospective users who have subscribed to marketing communications

We process the following categories of personal information, all of which are collected for lawful compliance-related purposes:

• Identifiers: Full name, email address, phone number
• Business information: Company name, registration number, entity type, CIPC status, VAT and PAYE registration details
• Financial information: Subscription tier and billing information (payment card details are processed by third-party payment processors; we do not store raw card data)
• Compliance data: Annual return status, beneficial ownership filing status, CIPC gazette appearances, compliance flags
• Technical data: IP address, device type, session logs, usage patterns

We do not intentionally process special personal information as defined in Section 26 of POPIA (such as religious beliefs, health information, sexual orientation, or criminal records) through our platform.

In terms of POPIA, data subjects have the following rights, which they may exercise by contacting our Information Officer:

• Right of access (Section 23): You may request confirmation of whether we hold personal information about you and request access to that information.
• Right to correction (Section 24): You may request that we correct or delete inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully obtained personal information.
• Right to object (Section 11(3)): You may object, on reasonable grounds, to the processing of your personal information. We will then no longer process it unless there are compelling legitimate grounds for the processing which override your rights.
• Right to object to direct marketing (Section 69): You may object at any time to the use of your personal information for direct marketing. We will comply with such objection immediately.
• Right to deletion: Subject to our legal retention obligations, you may request the deletion of your personal information.
• Right to lodge a complaint: You have the right to submit a complaint to the Information Regulator if you believe your rights under POPIA have been infringed.

To exercise any of these rights, submit a written request to: langamadonsela89@gmail.com. We will respond within 30 days.

In terms of Section 72 of POPIA, personal information may only be transferred to a third party in a foreign country if the recipient is subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection substantially similar to POPIA's conditions for the lawful processing of personal information.

GOODSOURCE BOS transfers personal information to the following foreign processors:

• Supabase Inc. (United States) — database, authentication, and storage
• Vercel Inc. (United States) — application hosting
• Resend Inc. (United States) — transactional email
• Google LLC (United States) — authentication services

Each of these processors maintains appropriate technical and organisational security measures and is contractually bound to process personal information only as instructed.

In terms of Section 19 of POPIA, GOODSOURCE BOS implements the following technical and organisational security measures:

• All data is encrypted at rest and in transit using industry-standard TLS/SSL encryption
• Authentication is handled by Supabase with secure session token management
• Access to production systems is restricted to authorised personnel only
• Regular security assessments of our platform and third-party processors
• Employees and contractors with access to personal information are bound by confidentiality obligations
• Incident response procedures are documented and maintained

In the event of a data breach that may pose a risk to the rights of data subjects, GOODSOURCE BOS will notify the Information Regulator as soon as reasonably possible and, where applicable, notify affected data subjects of the breach.

Breach notifications will be made in accordance with Section 22 of POPIA and our internal data breach response procedure.

If you believe that GOODSOURCE BOS has violated your rights under POPIA, you may:

• First contact our Information Officer at langamadonsela89@gmail.com to resolve the matter directly
• If unsatisfied, submit a complaint to the Information Regulator of South Africa

Information Regulator of South Africa

Website: www.inforegulator.org.za
Email: inforeg@justice.gov.za
POPIAAct Complaints: PAIAComplaints@inforegulator.org.za
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

We may update this POPIA Compliance Notice from time to time to reflect changes in our practices or applicable law. We will notify registered users of material changes by email and update the effective date at the top of this page.