Regulatory Compliance

POPI Act Privacy Policy

How we collect, process, protect, and manage your personal information in accordance with the Protection of Personal Information Act, Act 4 of 2013 (POPIA) of South Africa.

Last Updated: June 15, 2026

1. Introduction and Scope

Omnisafe ("we", "us", "our") is committed to protecting the privacy and security of the Personal Information we process. This Privacy Policy outlines our practices regarding the processing of Personal Information on our marketing website, application portal (app.omnisafe-risk.co.za), and associated omnichannel interfaces (including our WhatsApp compliance hub).

This policy is aligned with South Africa's Protection of Personal Information Act, No. 4 of 2013 ("POPIA") and the regulations issued thereunder. By accessing our platform, website, or using our compliance consulting services, you acknowledge that your personal information will be processed as set out in this policy.

2. The Responsible Party & Information Officer

Omnisafe is the "Responsible Party" (as defined under POPIA) in respect of the personal information collected directly through our website. For personal information uploaded by our business clients (Tenants) onto the digital SHEQ platform, Omnisafe acts as the "Operator" processing data on the client’s behalf.

For inquiries regarding this policy or to exercise your statutory rights under POPIA, please contact our designated Information Officer:

Omnisafe Information Officer

Email: info@omnisafe-risk.co.za

Phone: +27 76 044 9833

Address: Omnisafe Compliance Office, South Africa

3. Definitions under POPIA

  • "Data Subject" means the person to whom personal information relates (e.g. website users, tenant administrators, employees of tenants, contractors).
  • "Personal Information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.
  • "Processing" means any operation or activity, whether or not by automatic means, concerning personal information.
  • "Operator" means a person who processes personal information for a responsible party in terms of a contract or mandate.

4. Types of Personal Information We Process

We process the following categories of Personal Information depending on your interaction with the platform:

Category Examples
Identity Details Full names, national ID/passport numbers, company registration numbers, tax clearance profiles.
Contact Details Email address, physical address, business location, WhatsApp number, telephone number.
OHS & Employment Data Job titles, qualifications, training certificates, employee rosters, equipment logbooks, health and safety audit results.
Sensitive Information Occupational Medical Certificates of Fitness (to verify work readiness) and Voice Biometric Records (captured via the WhatsApp Hub to verify identity and prevent compliance fraud during remote e-learning assessments).
Usage & Device Info IP addresses, browser details, geographical coordinates (when logging hazards in the field), active cookies, and tracking tags.

5. Purpose of Processing Personal Information

We process personal information only for specific, explicitly defined, and lawful purposes related to our business operations:

  • To provide and maintain the Omnisafe digital SHEQ application portal and fulfill our contractual commitments.
  • To enable employers (Tenants) to meet statutory obligations under South Africa's Occupational Health and Safety Act 85 of 1993 (OHSA) and the Compensation for Occupational Injuries and Diseases Act (COIDA).
  • To facilitate zero-data-barrier field compliance via the WhatsApp Hub, including transcription of hazard notes and identity verification through voice biometrics.
  • To deliver SETA-aligned adaptive training and generate fraud-proof training certificates.
  • To send platform notifications, expiry alerts (e.g. for driver PrDPs or medical cards), and security warnings.
  • To comply with directives, audits, and orders from regulatory bodies such as the Department of Employment and Labour (DEL).

6. Lawful Basis for Processing

Under POPIA, we rely on the following lawful grounds for processing personal information:

  • Consent: The Data Subject has provided clear and voluntary consent for processing (e.g., opting in to marketing communications or submitting biometrics for verification).
  • Contractual Obligation: Processing is necessary to execute or perform a contract with you or your organization.
  • Legal Obligation: Processing is required to satisfy OHS statutory and regulatory compliance mandates in South Africa.
  • Legitimate Interests: Processing is necessary to protect your safety, evaluate compliance levels, or maintain our application's security integrity.

7. Information Sharing and Disclosure

We do not sell, rent, or trade personal information. We disclose information only under strict confidentiality terms in the following circumstances:

  • Principal Contractors (Section 37.2): Where subcontractors utilize the platform, data might be compiled and made visible to the client principal contractor as authorized in agreements to check cascading compliance liabilities.
  • Service Providers (Operators): We share information with trusted hosting infrastructure, SMS gateways, and WhatsApp API providers who act strictly as operators under written privacy agreements.
  • Legal and Regulatory Bodies: We disclose information when required by law, court order, or when demanded by inspectors from the Department of Employment and Labour or the Compensation Commissioner.

8. Cross-Border Data Transfers

Some of our systems and cloud databases may be hosted outside South Africa. Whenever we transfer personal information across South African borders, we verify that the destination country offers a level of data protection equivalent to POPIA, or we enter into binding data transfer agreements containing terms that offer adequate protection as required by Section 72 of POPIA.

9. Security Safeguards

We implement appropriate, reasonable technical and organizational measures to secure the integrity and confidentiality of personal information, preventing loss, unauthorized access, destruction, or disclosure.

These safeguards include secure transport layer encryption (SSL/TLS), database-level encryption at rest, secure multi-tenant network partitioning, restricted Role-Based Access Control (RBAC), and continuous threat auditing. We perform security reviews to align our controls with ISO standards.

10. Information Retention (Section 14)

In accordance with Section 14 of POPIA, we retain personal information only for as long as necessary to achieve the original purpose of collection, unless further retention is required by law (e.g. the 40-year retention rule for certain hazardous chemical exposure records under OHSA, or general tax records), or is required under contract. Once retention is no longer justified, we securely destroy, de-identify, or archive the records.

11. Your Statutory Rights

As a Data Subject, POPIA grants you specific rights. You have the right to request:

  • Confirmation of whether we hold personal information about you.
  • Access to or a copy of the personal information we hold.
  • Correction, rectification, or deletion of personal information that is inaccurate, irrelevant, excessive, out-of-date, or obtained unlawfully.
  • Objection, on reasonable grounds, to the processing of your personal information.
  • Withdrawal of previously given consent (where processing relies on consent).

To submit a request regarding these rights, please email our Information Officer at the address provided in Section 2.

12. Lodging a Complaint with the Information Regulator

If you are unsatisfied with how we handle your personal information, or if you believe we have breached our POPIA obligations, you have the right to submit a complaint directly to the South African Information Regulator:

The Information Regulator (South Africa)

Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Postal Address: P.O Box 31533, Braamfontein, Johannesburg, 2017

Website: https://inforegulator.org.za/

Email: POPIAComplaints@inforegulator.org.za / enquiries@inforegulator.org.za

13. Cookies and Tracking Technologies

Our website uses cookies and similar tracking codes (such as Google tag tracking and Google Analytics) to improve user navigation experience, analyze traffic volumes, and track user engagement. You can choose to block or disable cookies within your web browser settings, although some features of our website may not function correctly as a result.

14. Changes to This Privacy Policy

We may update this policy periodically to reflect operational changes or evolving South African legal frameworks. We will notify users of any material changes by updating the policy on this page and updating the "Last Updated" date at the top of this document.