POPIA notice

Greg Phillips is the designated Information Officer for TouchBasePro (Pty) Ltd trading as Inboxd.agency, as required under section 55 of POPIA. Contact: legal@inboxd.agency.

When Inboxd collects personal information directly from website visitors and enquirers, Inboxd is the Responsible Party and is accountable for how that information is processed.

When Inboxd processes subscriber and contact data on behalf of a client under a signed services agreement, Inboxd acts as the Operator. The client remains the Responsible Party for the personal information of its own subscribers and contacts. Inboxd processes that data only on the client's lawful instructions and will not execute any instruction it reasonably believes to be non-compliant with POPIA.

We process personal information lawfully under one or more of the bases recognised by POPIA: consent, contractual necessity, legal obligation, legitimate interest, and protection of the data subject's legitimate interests. The applicable basis depends on the nature and context of the processing activity.

Our processing complies with the eight conditions in POPIA: accountability; processing limitation; purpose specification; further processing limitation; information quality; openness; security safeguards; and data subject participation.

Inboxd implements appropriate technical and organisational security measures to protect personal information against unauthorised access, disclosure, loss, or destruction. All personnel with access to personal information are bound by appropriate confidentiality obligations. In the event of an actual or suspected personal information breach, affected parties and the Information Regulator will be notified as required by POPIA.

Inboxd designs and executes outreach in accordance with the acceptable use policies, terms of service, and regulatory requirements applicable to each channel and medium used. The consent standard applied to any campaign is determined by the platform's own acceptable use policy, applicable law in the recipient's jurisdiction (including POPIA, the Electronic Communications and Transactions Act, UK GDPR, CAN-SPAM, and CASL as applicable), and the Client's written instructions. Where platform policy and applicable law permit outbound prospecting or go-to-market outreach without prior opt-in consent, Inboxd may execute such campaigns. Inboxd will not execute communications that violate a platform's terms of service, applicable anti-spam law, or a documented Client instruction. All subscriber and contact data managed by Inboxd must meet the consent standards required by the relevant channel, jurisdiction, and applicable legislation.

Where personal information is transferred outside the Republic of South Africa, we rely on the safeguards permitted by section 72 of POPIA, typically a Data Processing Agreement incorporating equivalent protections. Client consent to cross-border transfer is obtained as part of the services engagement where required.

To request access, correction or deletion of personal information we hold about you, email legal@inboxd.agency. We respond within 30 calendar days in accordance with section 57 of POPIA.

You may lodge a complaint with the Information Regulator of South Africa at any time. Contact details and online complaint forms are available at inforegulator.org.za. We would however appreciate the opportunity to address your concern directly first.