POPIA Privacy Notice
Last updated: April 2026
Who we are
FICAFlow is a South African SaaS provider of a KYC / FICA collection tool. For the information you submit about yourself we act as an Operator (POPIA's equivalent of a data processor) on behalf of the business you forward your pack to, which is the Responsible Party. For our own account data (your email, billing, etc.) we are the Responsible Party.
What we collect
- Your email and name so you can sign in and we can contact you.
- Personal information you enter into your FICA pack (identity, address, tax, source of funds, bank details) and the documents you upload.
- Technical data (IP address, user agent, timestamps) for security and audit logging under POPIA s.17.
Why we process it
- Contract performance (POPIA s.11(1)(b)): to provide the service you signed up for.
- Legal obligation (s.11(1)(c)): accountable institutions you forward to are required to keep KYC records under the FIC Act.
- Legitimate interest (s.11(1)(f)): fraud prevention, audit trails, and keeping our service running safely.
Who sees your data
- You — at any time, by signing in.
- Businesses you explicitly forward packs to. They only see the pack content, not your wider account.
- Our sub-processors: Supabase (database and storage, EU region), Vercel (application hosting), Resend (transactional email) and Paystack (payments). All are bound by data-processing contracts that require POPIA-equivalent protection (POPIA s.72(1)(a)(i)).
- South African law enforcement where we are legally compelled to disclose.
Cross-border transfers
Your data is stored in a South African or EU region by default. Where processing occurs outside SA (e.g. a Vercel edge function), we rely on POPIA s.72(1)(a)(i) — contractual clauses that bind the recipient to a substantially similar level of protection.
How long we keep it
FICA requires accountable institutions to retain KYC records for 5 years after the business relationship ends. That retention duty sits with the receiving Accountable Institution under FIC Act s.22 — it does not sit with FICAFlow.
FICAFlow retains only what you instruct it to, based on the privacy mode you pick when you create a pack:
- Standard mode — we hold your pack encrypted at rest for as long as your FICAFlow account is active, so you can re-forward it, get expiry reminders, and update once a year.
- Courier mode — we hold your pack only long enough for the broker to receive it. 48 hours after a successful forward, we irreversibly redact the profile, delete every document blob and replace the submission snapshot with its SHA-256 hash. After that window FICAFlow is technically incapable of reading the document contents — any future request for the data must be directed at the receiving Accountable Institution.
In both modes, if you delete your account or ask us to delete your data, we will do so within 30 days, except where we are legally required to keep it (POPIA s.14(2)).
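As an added illustration of the courier-mode rule described above (example code, not FICAFlow's own implementation), the following shows what the 48-hour redaction leaves behind and why the retained SHA-256 still lets the receiving institution confirm its copy is the one that was forwarded. The pack layout, field names and canonical-JSON encoding of the snapshot are assumptions; the notice does not specify them.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

COURIER_WINDOW = timedelta(hours=48)  # redaction delay stated in the notice

def canonical_bytes(snapshot: dict) -> bytes:
    # Deterministic serialisation so the same snapshot always hashes the same way.
    # Assumption: canonical JSON; the notice does not say how the snapshot is encoded.
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode("utf-8")

def snapshot_digest(snapshot: dict) -> str:
    return hashlib.sha256(canonical_bytes(snapshot)).hexdigest()

def redact_courier_pack(pack: dict, now: datetime) -> dict:
    """Courier-mode rule: once 48h have passed since a successful forward, drop the
    profile, delete every document blob and keep only the snapshot's SHA-256."""
    forwarded_at = pack.get("forwarded_at")
    if forwarded_at is None or now - forwarded_at < COURIER_WINDOW:
        return pack  # not forwarded, or still inside the window: leave untouched
    return {
        "pack_id": pack["pack_id"],
        "mode": "courier",
        "forwarded_at": forwarded_at,
        "profile": None,          # irreversibly redacted
        "documents": [],          # blobs deleted from storage
        "snapshot": None,         # contents gone ...
        "snapshot_sha256": snapshot_digest(pack["snapshot"]),  # ... only the digest remains
        "redacted_at": now,
    }

def receiver_copy_matches(redacted_pack: dict, receivers_snapshot: dict) -> bool:
    """The receiving institution keeps the full snapshot; FICAFlow keeps only the
    digest. The digest lets either side confirm a copy is the one that was forwarded
    without FICAFlow being able to read its contents."""
    return hmac.compare_digest(redacted_pack["snapshot_sha256"], snapshot_digest(receivers_snapshot))

# Constructed sample pack (not real personal information).
FORWARDED = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_PACK = {
    "pack_id": "pack-demo-001",
    "mode": "courier",
    "forwarded_at": FORWARDED,
    "profile": {"name": "Jane Example", "id_number": "0000000000000"},
    "documents": [{"name": "id.pdf", "blob": b"%PDF-1.7 constructed placeholder"}],
    "snapshot": {"name": "Jane Example", "address": "1 Example Street", "source_of_funds": "salary"},
}
```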
Your rights
You may at any time:
- Access the information we hold about you.
- Correct or update inaccurate information.
- Delete your account and associated data.
- Object to specific kinds of processing.
- Withdraw consent for optional processing (e.g. marketing).
- Lodge a complaint with the Information Regulator.
Email privacy@ficaflow.co.za to exercise any of these.
Security
- TLS 1.3 in transit.
- AES-256 at rest (Supabase-managed keys).
- Row-level security so each user only sees their own data.
- Private storage bucket; document access requires a signed URL.
- Append-only audit log of every access.
- MFA on all administrative accounts.
Breach notification
In the event of a security compromise that affects your personal information, we will notify the Information Regulator via the eServices Portal (SCN1) as soon as reasonably possible, and notify you unless doing so would prejudice an investigation (POPIA s.22).
Information Officer
Our Information Officer is registered with the Information Regulator. Contact them at io@ficaflow.co.za.