POPIA Compliance Policy

Molo Online (Pty) Ltd

Effective Date: 2025-02-10
Last Updated: 2026-02-29
Version: 3.0

1. Purpose

This policy demonstrates Molo Online's commitment to compliance with the Protection of Personal Information Act (POPIA), Act 4 of 2013, of South Africa.

2. The Four-Party Model and POPIA

POPIA compliance is distributed across four parties. Each party has specific obligations:

Molo (Platform Provider) - Operator

Under POPIA, Molo acts as an Operator processing personal information on behalf of Companies.

Molo's POPIA obligations:

• Process data only as instructed by the Company (Responsible Party)
• Implement appropriate security measures
• Notify Companies of any security compromises
• Assist Companies in responding to data subject requests
• Maintain processing records
• Ensure sub-processors (third parties) meet POPIA requirements

The Company (Molo's Client) - Responsible Party

Under POPIA, Companies using Molo are the Responsible Party for their customers' data.

Company's POPIA obligations:

• Determine purpose and means of processing
• Ensure lawful basis for processing
• Obtain consent where required
• Respond to data subject requests
• Ensure Staff consent for profile display
• Manage Staff data access appropriately
• Remove departed Staff data promptly

Staff (Company's Employees) - Data Subject with Special Provisions

Staff are data subjects with specific rights regarding their profile data.

Staff POPIA rights:

• Right to be informed before public display
• Right to explicit consent (not implied)
• Right to access data held about them
• Right to correction of inaccurate data
• Right to deletion/withdrawal of consent
• Right to timely removal (within 48 hours)

Staff POPIA responsibilities:

• Provide accurate information
• Keep information current
• Notify Company of changes

End User - Data Subject

End Users are data subjects whose data is processed through the platform.

End User POPIA rights:

• Right to know what data is collected
• Right to access their data
• Right to correction
• Right to deletion
• Right to object to processing
• Right to withdraw consent

3. POPIA Conditions for Lawful Processing

We adhere to the following conditions:

Accountability

• Molo takes responsibility for POPIA compliance within its role as Operator
• We have appointed an Information Officer (hello@molo.page)
• We maintain records of processing activities
• We ensure third-party processors meet POPIA requirements
• Companies remain accountable as Responsible Parties for their data

Processing Limitation

• We only collect personal information that is necessary
• We obtain consent where required
• We process information lawfully and in a reasonable manner
• Staff profile display requires explicit consent
• End User chat data is processed only for service delivery

Purpose Specification

• We collect information for specific, explicitly defined purposes
• We inform data subjects of the purpose at collection
• We do not retain information longer than necessary
• Purposes are defined per party:
  • End User data: Service delivery, support, improvement
  • Staff data: Profile display (with consent), platform access
  • Analytics data: Platform improvement (aggregated)

Further Processing Limitation

• Further processing is compatible with the original purpose
• We obtain additional consent when required
• Third-party processors are contractually bound to specified purposes
• Data is not used for purposes beyond what each party consented to

Information Quality

• We take reasonable steps to ensure information is complete and accurate
• Responsibility for accuracy is distributed:
  • Molo: Platform data integrity
  • Company: Knowledge base accuracy
  • Staff: Profile information accuracy
  • End User: Uploaded file accuracy

Openness

• We maintain documentation of all processing operations
• We notify the Information Regulator as required
• We are transparent about our practices
• The KFT transparency system shows End Users where information comes from
• This policy documents the four-party responsibility structure

Security Safeguards

• We implement appropriate technical and organizational measures
• We protect information against loss, damage, and unauthorized access
• We notify affected parties of security compromises within required timeframes
• We use encryption for data in transit and at rest
• Security responsibility per party:
  • Molo: Platform security, infrastructure, encryption
  • Company: Access management, Staff offboarding
  • Staff: Password security, consent decisions
  • End User: Uploaded file security

Data Subject Participation

All data subjects (Staff and End Users) may:

• Request access to their information
• Request correction or deletion
• Withdraw consent

Response timeframes:

• Access requests: Within statutory timeframe
• Correction requests: Promptly upon verification
• Deletion requests: Promptly (End Users) or within 48 hours (Staff profiles)

4. Third-Party Processing

We use third-party services that process personal information:

• Cloud infrastructure providers
• AI service providers
• Analytics services (Google Analytics)
• File processing services

Each third-party processor is selected for enterprise-grade security standards. Molo requires contractual POPIA compliance from all processors. Molo cannot control third-party internal processing but monitors for compliance.

5. Google Analytics

Google Analytics processes website usage data as a third-party service.

• Data collected: Traffic, acquisition, behaviour, technology data
• Data NOT collected: Chat conversations, uploaded files, Staff profiles
• Opt-out available: Browser add-on, cookie settings, privacy mode
• Data use: Aggregate analysis only, not personal identification

6. Staff Profile Data

Staff profile data requires special handling under POPIA:

• Consent: Must be explicit, informed, and recorded
• Display: Only with active consent
• Withdrawal: Must be honoured within 48 hours
• Accuracy: Staff responsible for their own data
• Offboarding: Company responsible for prompt removal

7. Information Officer

Our designated Information Officer:

• Email: hello@molo.page
• Website: molo.page

The Information Officer handles:

• Data subject requests
• POPIA compliance queries
• Breach notifications
• Regulatory communications

8. Complaints

If you believe your POPIA rights have been violated:

• Contact our Information Officer (hello@molo.page)
• If unresolved, lodge a complaint with the Information Regulator of South Africa

9. Data Breach Notification

In the event of a security breach affecting personal information:

• Molo will notify the Information Regulator as required by POPIA
• Molo will notify the affected Company (Responsible Party)
• The Company will notify affected data subjects
• Notification occurs as soon as reasonably possible
• Steps will be taken to mitigate harm

10. Contact Information

• General: hello@molo.page
• Information Officer: hello@molo.page
• Legal queries: pieter@molo.page
• Technical queries: garth@molo.page
• Website: molo.page