Legal

Privacy Policy

POPIA-compliant policy · Last updated December 2025

Skembee (Pty) Ltd respects your privacy and complies with the Protection of Personal Information Act 4 of 2013 ("POPIA"). This policy explains what personal information we collect, why we collect it, how we keep it safe, and the rights of the people whose information we hold.

1.Who we are

Skembee (Pty) Ltd is the responsible party for personal information collected through this website, the Skembee platform, and our marketing channels. For personal information uploaded by a customer (such as employee records inside the Skembee modules), we act as an operator on behalf of the customer, who remains the responsible party for that data.

Information Officer: admin@skembee.co.za

2.What we collect

2.1 Information you give us at signup

Your name, work email, and contact number
The legal name, registration number, sector, province, and headcount band of your company
The modules you select

2.2 Customer-uploaded data (we are the operator)

Employee personal information (names, IDs, demographics, contact details, pay)
Compliance documents (EE plans, WSP/ATR submissions, certificates, audit evidence)
Training, recruitment, and other module-specific records the customer captures

2.3 Information we collect automatically

Browser and device metadata (IP address, user-agent string)
Audit-log entries of actions taken inside the platform (who did what, when)
Multi-factor authentication enrolment metadata

3.Why we collect it

Purpose	Lawful basis (POPIA s11)
Providing the platform and customer support	Performance of a contract
Account creation, billing, and account management	Performance of a contract
Audit logging and security monitoring	Legitimate interest (security)
Sending service announcements and statutory notices	Performance of a contract
Compliance with legal obligations (tax, POPIA, EE Act)	Legal obligation

4.Special personal information

Health information (employee disability status), race, and trade-union affiliation are special personal information under POPIA s26. Customers should only capture this information with the employee's voluntary written consent (typically via an EEA1 declaration) and may not compel disclosure. Skembee stores special personal information encrypted in transit and at rest, with role-based access restricted to the customer's authorised users.

5.How we keep it safe

Encryption in transit (TLS) and at rest (database and storage)
Multi-factor authentication required for all accounts
Role-based access controls and tenant isolation via row-level security
Daily off-site backups retained for thirty (30) days
Audit logging of administrative actions
POPIA breach notification to affected customers within seventy-two (72) hours of confirmation

6.Who we share it with (sub-processors)

To provide the platform we engage the following operators. Each is bound by a written agreement that imposes equivalent confidentiality and security obligations.

Provider	Service	Region
Supabase Inc.	Database, authentication, file storage, edge functions	EU (Frankfurt)
Cloudflare, Inc.	Off-site backup storage (R2)	Global
Resend Inc.	Transactional email delivery	USA
Microsoft Corporation	Skembee staff mailbox (Microsoft 365)	South Africa
Netlify, Inc.	Public website hosting	Global CDN

Cross-border transfer of personal information is subject to POPIA s72 — every sub-processor above operates in a jurisdiction with substantially similar data protection laws or under contractual safeguards.

7.How long we keep it

Customer account and billing data: for the duration of the contract plus seven (7) years to meet tax-record obligations.
Customer-uploaded data: retained while the account is active; deleted within sixty (60) days of contract termination unless the customer requests earlier deletion.
Audit logs: retained for two (2) years for security and incident-response purposes.
Backups: overwritten on a thirty (30)-day rolling cycle.

8.Your rights under POPIA

You have the right to:

Be told what personal information of yours we hold (access)
Have inaccurate information corrected
Have your personal information deleted, subject to our legal retention obligations
Object to processing on legitimate-interest grounds
Withdraw consent where consent is the lawful basis
Lodge a complaint with the Information Regulator (South Africa) at inforegulator.org.za

If you are an employee of a Skembee customer and want to exercise these rights over data your employer has uploaded, please contact your employer first — they are the responsible party. We will assist them in responding.

9.Cookies and tracking

This website uses only strictly necessary cookies for authentication session management. We do not use third-party advertising trackers, marketing pixels, or behavioural analytics.

10.Changes to this policy

We may update this policy from time to time. Material changes will be notified to active customers by email at least thirty (30) days before they take effect. The "Last updated" date at the top of this page reflects the most recent change.

11.Contact us

Information Officer · Skembee (Pty) Ltd · admin@skembee.co.za

Skembee (Pty) Ltd · Republic of South Africa