Our Commitment to POPIA
AdmicoHub is operated by WebconstructGlobal (Pty) Ltd, a company incorporated and registered in South Africa. We are fully committed to complying with the Protection of Personal Information Act, 2013 (Act 4 of 2013) — commonly referred to as POPIA — which came into full effect on 1 July 2021.
POPIA establishes eight conditions for lawful processing of personal information. We have structured our data practices, internal policies, and third-party agreements around these conditions to ensure that your personal information is collected, held, used, and disposed of responsibly.
We continuously review and update our privacy practices as the regulatory landscape evolves. If you believe our practices do not align with POPIA or this notice, we encourage you to contact us directly before lodging a complaint with the Information Regulator.
Who Is Responsible for Your Information
The responsible party (as defined in POPIA) for the personal information collected through the AdmicoHub platform is:
| Detail | Information |
|---|---|
| Legal Entity | WebconstructGlobal (Pty) Ltd |
| Registration | Registered in South Africa |
| Trading As | AdmicoHub |
| Information Officer | Designated under Section 55 of POPIA |
| Contact Email | hello@admicohub.com |
| Platform URL | admicohub.com |
Where we engage third-party service providers (operators) who process personal information on our behalf, we enter into written operator agreements that bind those parties to POPIA-equivalent obligations, as required under Section 22 of POPIA.
Personal Information We Hold
We collect and process the minimum personal information necessary to deliver the AdmicoHub service. The categories of personal information we hold include:
| Category | Examples | Source | Legal Basis (POPIA Condition) |
|---|---|---|---|
| Identity Information | Full name, email address, phone number | Provided by you at registration | Condition 3 — Purpose Specification; Condition 4 — Further Processing Limitation |
| Business Information | Company name, VAT number, industry type, billing address | Provided by you during onboarding | Condition 3 — Purpose Specification |
| Financial Information | Invoice totals, payment status, bank statement references (not full account numbers) | Generated within platform or imported by you | Condition 2 — Processing Limitation; Condition 8 — Data Subject Participation |
| Usage Data | IP address, browser type, session timestamps, feature interactions | Automatically collected via server logs | Condition 1 — Accountability; Condition 3 — Purpose Specification |
| Third-Party Records | Client names, supplier names, subcontractor details you add to the platform | Entered by your users on behalf of your business | Condition 2 — Processing Limitation; your business is the responsible party for this data |
We do not collect special personal information (as defined in Section 26 of POPIA) such as race, religion, health records, or biometric data, and we have no intention of doing so.
How We Use Your Personal Information
We use personal information only for the specific purposes for which it was collected. These purposes include:
- Service delivery: Creating and maintaining your account, providing access to platform features, storing your business data, and generating documents such as invoices, quotes, and payment certificates.
- Billing and subscription management: Processing subscription payments via Payfast, issuing receipts, managing plan upgrades and cancellations, and sending billing notifications.
- Communications: Sending transactional emails (invoice delivery, payment confirmations, receipt PDFs), system alerts, and — only where you have opted in — product updates or announcements.
- Security and fraud prevention: Monitoring authentication attempts, detecting anomalous usage patterns, and protecting your data and ours from unauthorised access.
- Legal and regulatory obligations: Retaining records as required by South African law, including the Companies Act, Income Tax Act, and VAT Act, and cooperating with lawful requests from SARS or other authorities.
- Platform improvement: Analysing aggregated, anonymised usage patterns to improve features, fix bugs, and plan product development. We do not sell individual usage data to third parties.
We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects without your knowledge.
Sharing & Cross-Border Transfers
We share personal information only where necessary and with parties bound by equivalent data protection obligations. Our current third-party processors and sub-processors are:
| Processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Payfast (DPO PayGate) | Subscription payments, invoice pay links, ITN callbacks | South Africa | SA-based — no cross-border transfer; POPIA directly applies |
| SMTP / Email Provider | Transactional email delivery (invoices, receipts, notifications) | Varies by provider | Data Processing Agreement (DPA) in place; encryption in transit (TLS) |
| MongoDB Atlas | Primary database hosting for all platform data | United States (AWS) | MongoDB's Standard Contractual Clauses (SCCs) + POPIA Section 72 adequacy assessment; Atlas encrypts data at rest and in transit |
Cross-border transfers (Section 72 of POPIA): Where personal information is transferred to a country outside South Africa, we satisfy ourselves that the recipient country, or the specific recipient, provides an adequate level of protection equivalent to POPIA. For MongoDB Atlas (US), we rely on MongoDB's Standard Contractual Clauses and their certification under applicable data protection frameworks.
Your Rights as a Data Subject
Under POPIA (Part 3, Sections 23–25 and Chapter 3 generally), you have the following rights as a data subject:
- Right to access (Section 23): You may request confirmation of whether we hold your personal information, and obtain a description of the information and the categories of third parties who have had access to it.
- Right to correction or deletion (Section 24): You may request that we correct, destroy, or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
- Right to object (Section 11(3)): Where we rely on legitimate interests as our processing ground, you may object to that processing. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to opt out of direct marketing (Section 69): You may at any time opt out of receiving electronic direct marketing communications from us. Every marketing email we send includes an unsubscribe link.
- Right to lodge a complaint (Section 74): If you believe we have violated your rights under POPIA, you may lodge a complaint with the Information Regulator of South Africa (see below).
We take all rights requests seriously and will not discriminate against you for exercising any of these rights.
How to Exercise Your Rights
To exercise any of your POPIA rights, please submit a written request to our Information Officer:
Subject line: POPIA Data Subject Request — [Your Name]
Response SLA: We will acknowledge your request within 3 business days and provide a substantive response within 30 days of receipt, as required under POPIA.
To protect you from fraudulent requests, we will ask you to verify your identity before actioning any request. Acceptable verification includes:
- A copy of your South African ID document or passport (first and photo pages only — we do not require the full document).
- Confirmation of the email address registered to your AdmicoHub account.
- For requests on behalf of a third party, a signed letter of authority and the representative's ID.
Where a request is complex or involves a large volume of information, we may extend the response period by a further 30 days. We will notify you within the initial 30 days if an extension is required, explaining the reason.
There is no fee for submitting a POPIA request. However, where requests are manifestly unfounded or excessive (including repetitive requests), we may charge a reasonable administrative fee or refuse to act — we will inform you of either decision in writing.
Data Breach Notification
In the event of a security compromise — unauthorised access, loss, disclosure, or destruction of personal information — we take immediate action in line with Section 22 of POPIA:
- Internal containment: We contain the breach as rapidly as possible, revoke compromised credentials, isolate affected systems, and initiate a forensic assessment.
- Notification to the Information Regulator: We notify the Information Regulator as soon as reasonably possible after becoming aware of a breach, providing the nature of the compromise, the categories and approximate number of data subjects affected, and our remediation steps.
- Notification to affected data subjects: Where the breach is likely to result in serious adverse consequences for data subjects, we notify those individuals directly — via email to the address on record — as soon as reasonably possible. Notifications include a description of what occurred, what information was involved, and the steps we are taking to protect you.
- Post-breach review: Following any notifiable breach, we conduct a root-cause analysis and implement additional safeguards to prevent recurrence. A summary of the outcome is provided to the Information Regulator.
We maintain an internal breach register as required by our POPIA compliance framework, regardless of whether a breach meets the threshold for external notification.
To report a suspected security vulnerability or breach involving your AdmicoHub data, please contact us immediately at hello@admicohub.com with the subject line "Security Incident Report".