1. POPIA Compliance Statement
RideBox (Pty) Ltd ("the Responsible Party") processes your personal information in full compliance with the Protection of Personal Information Act, 2013 (POPIA), as administered by the South African Information Regulator.
2. Collection and Processing
We collect personal information only with your consent or where lawful basis exists. Information is collected for specified, explicit, and legitimate purposes only:
- Service provision (bookings, payments, trip management)
- Safety and security (identity verification, fraud prevention)
- Regulatory compliance (taxation, licensing, accident reporting)
- Operational support (customer service, dispute resolution)
3. Lawful Basis for Processing
We process your information based on:
- Your explicit consent (for account creation and service use)
- Contractual obligation (to fulfill booking and payment agreements)
- Legal requirement (tax, transport, and safety regulations)
- Legitimate interest (fraud prevention, safety improvement, platform optimization)
4. Data Minimization
We collect only the personal information necessary to fulfill our specified purposes. We do not retain information longer than required. Contact form data is deleted after 12 months. Facial biometric data is encrypted and never shared.
5. Your Rights as a Data Subject
Under POPIA, you have the right to:
- Access: Request confirmation of your personal information and obtain copies
- Correction: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your data where lawfully permissible
- Objection: Opt out of direct marketing and processing for certain purposes
- Complaint: Lodge a formal complaint with the Information Regulator
6. Data Security Measures
RideBox implements appropriate technical and organizational security measures including:
- End-to-end encryption for sensitive data
- Secure server protocols and firewalls
- Regular security audits and vulnerability assessments
- Access controls and staff training
- Incident response procedures
7. Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected. Generally:
- Rider/Driver accounts: Retained during active use and for 3 years after deletion
- Trip records: Retained for 7 years for audit and safety purposes
- Contact forms: Retained for 12 months then securely deleted
- Legal records: Retained as required by South African law
8. International Data Transfers
RideBox primarily stores data in South Africa. Any international data transfers comply with POPIA requirements and occur only where equivalent data protection measures exist.
9. Data Processing Agreement
All third-party service providers processing personal information on our behalf operate under strict Data Processing Agreements that ensure POPIA compliance and confidentiality.
10. Breach Notification
In the event of a data breach that poses a risk to your personal information, we will notify you and the South African Information Regulator in accordance with POPIA within the required timeframe.
11. Information Regulator Contact
You may lodge a complaint with the South African Information Regulator:
Email: complaints.IR@justice.gov.za
Website: www.justice.gov.za/inforeg/
12. Data Protection Officer
For POPIA-related inquiries or to exercise your data subject rights, contact our Data Protection Officer:
Email: dpo@rideboxapp.com
Response time: 30 days from receipt of request