
POPIA — how we handle your data

Quick answer #

POPIA (the Protection of Personal Information Act) is South Africa’s data protection law. Pay@ Gateway is registered as a Responsible Party under POPIA, meaning we’re legally accountable for how we collect, use, store, and share personal information. We collect only what’s needed to process payments, never sell data to third parties, and let you and your customers exercise the rights POPIA gives them — including data access, correction, and deletion requests.


What POPIA covers #

POPIA came fully into force in July 2021 and applies to every business in South Africa that processes personal information — which is virtually every business. The law gives South Africans rights over their personal data and creates obligations on the businesses that hold it.

Personal information under POPIA includes obvious things like names, addresses, and ID numbers, but also less obvious things: IP addresses, transaction history, behaviour patterns, and any data that could identify a person directly or in combination with other data.

For Pay@ Gateway, the personal information we process falls into three categories:

  • Merchant data — your business details, your team members’ names and contact details, your banking information
  • Customer data — your customers’ names, emails, billing addresses, card tokens, transaction history
  • System data — IP addresses, device fingerprints, behaviour patterns used for fraud detection

Our roles under POPIA #

POPIA defines two key roles:

  • Responsible Party — the entity that decides what personal information to collect and why
  • Operator — an entity that processes personal information on behalf of a Responsible Party

For your business’s relationship with your customers, you are the Responsible Party and Pay@ Gateway is your Operator. We process customer payment data on your behalf, under your instructions, for the purposes you’ve established.

For your business’s data (your team’s logins, your banking details, etc.), Pay@ Gateway is the Responsible Party.

This dual relationship means we both have obligations under POPIA. Our [PH-036] sets out the specific terms of our operator agreement with you — worth reading once, especially the data retention sections.

What data we collect and why #

We collect the minimum data needed to provide our service. Specifically:

From merchants #

  • Business name, registration number, and trading address (FICA requirement)
  • Director names and ID numbers (FICA requirement)
  • Business bank account details (for settlement)
  • Email and contact details (for communication)
  • Logged actions in your dashboard (for audit and security)

From customers (on your behalf) #

  • Name as entered at checkout
  • Email address (for the receipt)
  • Billing address (if collected at checkout)
  • A tokenised reference to the card used (never the full card number)
  • The transaction amount and time
  • IP address and device fingerprint (for fraud detection only)

We do not collect more than this. We do not track customers across other websites, build advertising profiles, or share data with third parties for marketing.

How long we keep data #

Different types of data have different retention periods, set either by law or by operational need:

  • Transaction records — 5 years (required by SARB and FICA)
  • FICA documents — 5 years from when our merchant relationship ends
  • Audit logs — 7 years (required for financial services)
  • Customer payment tokens — until the merchant deletes them or the customer requests deletion
  • System logs — 90 days for operational logs, longer if part of a security investigation

After retention periods expire, data is permanently deleted from our systems.

Your rights under POPIA — and your customers’ rights #

POPIA gives every data subject (you, your team members, your customers) the following rights:

  • Access — request a copy of the personal information we hold about you
  • Correction — ask us to correct information that’s wrong or outdated
  • Deletion — request deletion of personal information we no longer need
  • Objection — object to specific processing of your data
  • Withdrawal of consent — for processing that’s based on consent rather than legal obligation

To exercise any of these rights, [PH-028]. We’ll respond within the 30-day window POPIA specifies, or sooner where practical.

What happens if there’s a data breach #

POPIA requires us to notify the Information Regulator and any affected individuals “as soon as reasonably possible” after a security compromise that exposes personal information. We take this obligation seriously.

If a breach occurs that affects your data or your customers’ data, you’ll receive an email from our Information Officer with:

  • A description of what happened
  • What data was affected
  • The steps we’re taking in response
  • What you should do (if anything)

We’ve never had a breach incident affecting customer payment data. Our PCI DSS Level 1 certification, segmented network architecture, and 24/7 monitoring are designed to prevent one.

Contacting our Information Officer #

POPIA requires every Responsible Party to appoint an Information Officer. Our Information Officer is contactable via [PH-028] for any privacy concern, complaint, or data-subject request.

You can also lodge a complaint with the Information Regulator directly: inforeg@justice.gov.za or 012 406 4818. We’d encourage you to come to us first — most concerns resolve faster that way.


Updated on May 12, 2026