khaya
Get started
Legal

Privacy Policy

Last updated: 7 June 2026

This Privacy Policy explains how Dignita processes personal information in line with the Protection of Personal Information Act, 2013 (POPIA).

Template — not legal advice

Dignita provides this as general information, not legal advice. This document is a template that must be reviewed by a qualified South African legal professional, and finalised with our registered entity details, before it is relied upon.

1. Who is responsible (Responsible Party & Information Officer)

Dignita is operated by [LEGAL ENTITY] (registration number [REG NO]), of [REGISTERED ADDRESS] (“we”, “us”, “our”). For the purposes of POPIA we are the Responsible Party for the personal information described in this policy.

Our Information Officer is [INFORMATION OFFICER]. You can reach the Information Officer about anything in this policy — including data-subject requests and complaints — at [INFORMATION OFFICER EMAIL] or our general support address [SUPPORT EMAIL].

2. Personal information we process

Dignita is a two-sided service: households (employers) manage compliant domestic employment, and domestic workers can sign in to view their own pay and documents. We therefore process information about two groups of people.

Employer / household account holders:

  • Identity & contact details — name, email address, and account credentials.
  • Household details — household name, address, and your UIF and COIDA reference numbers (where you provide them).
  • Billing details — subscription status and payment metadata. Card details are handled by our payment processor, PayFast; we do not store full card numbers.
  • Usage & technical data — device/browser information, log data, and (only with your consent) analytics about how you use the site.

Domestic workers (added by an employer, and/or with their own worker login):

  • Identity details — name and South African ID number.
  • Employment & pay details — job title, pay rate, hours, attendance, payslips, leave, loans and advances for each employer.
  • Contact & account details — email address and credentials, where the worker creates a login.

Special / sensitive personal information — SA ID numbers

A South African ID number is sensitive: it reveals date of birth, and (by its structure) gender and citizenship status, and is a strong unique identifier. We collect ID numbers only because they are required for compliant employment, UIF and statutory documents (for example the UI-19 and Certificate of Service). We protect them with extra care and process them only for those statutory and identity-matching purposes.

3. Why we process it (purposes) and our lawful basis

POPIA requires that we process personal information for a specific, defined and lawful purpose, and that we have a lawful ground for doing so. We process personal information to:

  • Provide the service — create and manage accounts, generate contracts, payslips, UIF and COIDA documents, track attendance, leave and loans, and let workers view their own data (performance of a contract, and our legitimate interest in running the service).
  • Match a worker to their employments — using the normalised SA ID number so one worker can see pay from multiple employers (necessary to provide the worker-side service; worker access to a specific employer is gated on that employer enabling it).
  • Bill and take payment — manage subscriptions, trials and refunds (performance of a contract, and compliance with law).
  • Meet legal obligations — retain employment records and support statutory reporting (compliance with a legal obligation).
  • Communicate with you — send transactional and service emails such as a welcome email or a requested document (performance of a contract / your request).
  • Improve and secure the service — understand usage via analytics and protect against fraud and abuse (your consent for non-essential analytics; our legitimate interest for security).
We do not sell personal information. We do not use your information for automated decision-making that has legal or similarly significant effects on you.

4. Who we share it with (operators & recipients)

We use a small number of trusted service providers (“operators” under POPIA) who process personal information on our behalf, under contract and only on our instructions:

Supabase
Database, authentication and file storage. Stores account, employment, payslip and document data.
Resend
Transactional email delivery (e.g. welcome emails, requested documents).
PayFast
South African payment processing for subscriptions. Handles card data directly; we receive only payment status metadata.
PostHog
Product analytics, loaded only after you give consent to non-essential cookies. Helps us understand and improve how the service is used.

Within the service, an employer can see the data of the workers in their own household, and a worker who signs in can see their own pay and documents for each employer that has enabled their access. We may also disclose personal information where required by law, regulation or a lawful request from a public authority.

5. Cross-border processing

Our primary database and storage (Supabase) are hosted in the European Union (the eu-west-1 region, in Ireland). Some operators (for example email and analytics providers) may also process limited personal information outside South Africa.

POPIA permits cross-border transfers where the recipient is subject to a law, binding rules or contract that upholds principles for lawful processing that are substantially similar to POPIA, or where the transfer is necessary to perform our contract with you. The EU is subject to the GDPR, which provides a comparable level of protection. Where transfers occur, we rely on these grounds and on our contracts with each operator.

6. How long we keep it (retention)

We keep personal information only for as long as necessary for the purposes set out above, or for as long as the law requires. In particular:

  • Employment records (including payslips) are retained in line with South African labour-law record-keeping requirements — generally at least three years.
  • Account information is kept while your account is active, and for a reasonable period afterwards to meet legal, accounting and dispute-resolution needs.
  • Free-tool lead/contact information is kept until you ask us to delete it or it is no longer needed.

When personal information is no longer needed and we are not required to keep it, we delete or de-identify it.

7. Your rights as a data subject

Under POPIA you have the right to:

  • Be told that we hold your personal information, and to request access to it.
  • Request that we correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained.
  • Object, on reasonable grounds, to the processing of your personal information.
  • Object to processing for direct marketing by unsolicited electronic communications.
  • Not have your information processed for direct marketing by means of unsolicited electronic communications except as permitted by law.
  • Withdraw consent where we rely on it (this does not affect processing already carried out).
  • Lodge a complaint with the Information Regulator (see below).

To exercise any of these rights, contact our Information Officer at [INFORMATION OFFICER EMAIL]. We may need to verify your identity before acting on a request. Where the law prescribes a form (such as the Regulator’s prescribed request forms), we will tell you how to use it.

8. How we protect your information (security)

We take appropriate, reasonable technical and organisational measures to safeguard personal information, including:

  • Encryption of data in transit (HTTPS) and access controls on our databases.
  • Row-level security so each employer sees only their household’s data and each worker sees only their own approved employment data.
  • Least-privilege access and secrets kept out of source control.
  • Use of reputable operators who are contractually bound to protect personal information.

If a security compromise affects your personal information, we will notify you and the Information Regulator as required by POPIA.

9. Cookies & analytics

We use a small number of essential cookies that are necessary for the site to work (for example to keep you signed in and to remember your cookie choice). These do not require consent.

We use non-essential analytics cookies (PostHog) only after you give consent through our cookie banner. You can decline, and you can change your choice at any time. Until you consent, no analytics are loaded.

10. Complaints to the Information Regulator

If you are unhappy with how we handle your personal information, please contact our Information Officer first so we can try to resolve it. You also have the right to complain to the Information Regulator:

Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 (P.O. Box 31533, Braamfontein, 2017).
General enquiries
enquiries@inforegulator.org.za
POPIA complaints
POPIAComplaints@inforegulator.org.za
Website
https://inforegulator.org.za

11. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of the page shows when it last changed. Material changes will be communicated through the service where appropriate.

Dignita is a compliance tool, not legal advice. Figures are based on current South African legislation; confirm with a labour-law professional for your situation.