POPIA compliance

How SkySignal complies with the Protection of Personal Information Act, No. 4 of 2013, and what that means for you and your audience.

Last updated: 21/05/2026 · Effective: 21/05/2026

1. Our role under POPIA

When you use SkySignal, two distinct relationships apply under POPIA:

• You as Responsible Party: for the personal information of your recipients (the audiences you import and send to). You determine the purpose and means of processing their data.
• SkySignal as Operator: we process that personal information on your behalf under your instructions, in accordance with section 21 of POPIA.

For your own account data (your name, email, billing information), SkySignal is the Responsible Party. See the Privacy Policy for details.

2. Operator obligations we honour

• Section 20: we process personal information only with your knowledge and authorisation.
• Section 21: we treat the personal information you import as confidential and do not disclose it except as required by law.
• Section 19: we maintain appropriate technical and organisational security measures.
• Section 22: we notify you without undue delay if we become aware of a security compromise affecting your data.

3. Consent & the eight conditions

POPIA's eight conditions for lawful processing are baked into SkySignal's default behaviour:

1. Accountability: we maintain audit logs of all imports, consent capture, and send activity.
2. Processing limitation: contacts must have a lawful basis (consent, contract, legitimate interest, etc.) before you can send to them.
3. Purpose specification: you declare the purpose of each campaign; recipients can see it on the unsubscribe page.
4. Further processing limitation: we don't reuse your contact data for any purpose other than sending your campaigns.
5. Information quality: our deduplication and validation tools help keep your data accurate.
6. Openness: every email includes an unsubscribe link and identifies the sender clearly.
7. Security safeguards: encryption in transit (TLS) and at rest, role-based access controls, audit trails.
8. Data subject participation: recipients can unsubscribe at any time; you can export, edit, or delete their record on request.

4. Data residency

SkySignal application servers and databases are hosted in South Africa. Cross-border transfers (e.g. for sub-processors) are disclosed in the Privacy Policy and comply with section 72 of POPIA.

5. Data subject rights

The recipients of your emails (data subjects) have the right to:

• Be informed that their personal information is being processed.
• Request access to the personal information held about them.
• Request correction or deletion.
• Object to processing, including direct marketing.
• Lodge a complaint with the Information Regulator.

If you receive such a request and need help fulfilling it, contact privacy@skysignal.co.za.

6. Your responsibilities

As Responsible Party for your audience data, you must:

• Ensure you have a lawful basis to contact every recipient on your list.
• Keep a record of how and when each contact gave consent (SkySignal stores this on import).
• Honour unsubscribe requests and access/deletion requests promptly.
• Register as a Responsible Party with the Information Regulator if required by your processing activities.

7. Information Officer

SkySignal's designated Information Officer is Michael Beuster. You can reach them at privacy@skysignal.co.za.

8. Filing a complaint

If you believe SkySignal has processed your personal information unlawfully, contact us first so we can put it right. You may also complain to the Information Regulator of South Africa:

The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg
inforegulator.org.za · enquiries@inforegulator.org.za