1. Introduction
SitePass (PTY) Ltd ("SitePass", "we", "us" or "our") operates the SitePass contractor compliance platform accessible at sitepass.co.za (the "Platform"). We are the Responsible Party as defined in the Protection of Personal Information Act, 4 of 2013 ("POPIA") for the personal information described in this policy.
Our registered address is 103 Dunkley House, 32 Barnet Street, Gardens, Cape Town, 8001, South Africa.
This policy explains what personal information we collect, why we collect it, how we use and share it, how long we keep it, and the rights you have under POPIA. By using the Platform, signing a contract with us, or otherwise providing personal information to us, you confirm that you have read and understood this policy.
2. Information Officer
Our Information Officer, appointed in terms of section 55 of POPIA, is Jeremy Mitchell. You can contact the Information Officer about anything in this policy or about any personal information we hold about you at:
- Email: privacy@sitepass.co.za
- Post: The Information Officer, SitePass (PTY) Ltd, 103 Dunkley House, 32 Barnet Street, Gardens, Cape Town, 8001
- Through our contact form at sitepass.co.za/contact
3. Information We Collect
The personal information we process depends on how you interact with the Platform. Categories include:
Account & identity information
- Name, email address, mobile or landline number
- Password (stored as a one-way cryptographic hash)
- Organisation or trading name, role, and the account you belong to
- Profile photograph, where you upload one
Contractor compliance data (uploaded to the Vault)
- Employee records: full names, South African ID or passport numbers, job titles, photographs
- Medical certificates of fitness and related occupational health records
- Training records and competency certificates (e.g. working at heights, first aid)
- Letters of Good Standing from the Compensation Fund or a licensed COID administrator
- Public liability and other insurance documents
- Equipment registers, service certificates and inspection records
- Company registration, BBBEE, tax clearance and supporting compliance documents
Project & site information
- Project names, site addresses and descriptions
- Risk assessments, method statements, toolbox talks, fall protection plans, safety files
- Names and contact details of principal contractors, clients and consultants you interact with
Service requests & messages
- Messages submitted through service requests, the AI Copilot and contact forms
- Files and attachments you send to consultants or principal contractors via share links
- Notifications and audit-trail entries we generate on your behalf
Usage, device & technical information
- IP address, browser type, device type, operating system and approximate location
- Pages visited, links clicked, actions taken in the Platform, and timestamps
- Diagnostic data and error reports
- Cookies and similar technologies — see section 13 below
4. How We Collect Personal Information
- Directly from you when you create an account, fill in a form, upload a document, or contact us
- From your employer or the account holder who has listed you as an employee, contractor employee or site worker
- Automatically through your use of the Platform (cookies, log files and analytics tools)
- From third-party services you connect to your account or that share information with us in the ordinary course of providing the Platform (e.g. email, payment and AI providers)
5. Purpose & Lawful Basis for Processing
We process personal information in accordance with section 11 of POPIA on one or more of the following grounds:
- To conclude and perform our contract with you or your organisation
- To comply with our legal obligations, and to help you meet yours under the Occupational Health & Safety Act, 85 of 1993, the Construction Regulations, 2014, the Mine Health & Safety Act, 29 of 1996, and related legislation
- To pursue our legitimate interests in operating, securing, supporting and improving the Platform, provided those interests are not overridden by your rights
- With your consent, for example for direct marketing to new prospects or for optional features you opt in to
- To protect a legitimate interest of you or another person, such as preventing harm on a construction site
6. Special Personal Information & Children
Some of the documents you upload — particularly medical certificates of fitness and certain training records — constitute "special personal information" under section 26 of POPIA. We process this information under section 27(1)(b) because it is necessary for the establishment, exercise or defence of a right or obligation in law, including occupational health and safety obligations placed on employers and contractors.
The Platform is not intended for children under the age of 18 and we do not knowingly collect personal information of children. If you believe we have inadvertently done so, contact the Information Officer and we will delete the information.
7. Sharing & Operators
We share personal information only where necessary and in accordance with POPIA. Recipients may include:
- Other Platform users you authorise — for example consultants, principal contractors or clients you grant access to via a share link, safety file export or service request.
- Operators (section 21) who process personal information on our behalf under written contracts and confidentiality obligations. These include our cloud hosting and database provider, email delivery provider, analytics providers, error monitoring provider, and AI language-model providers used to power features such as the AI Copilot, document intake, risk assessment, method statement and toolbox talk generation.
- Professional advisors such as our auditors, lawyers and insurers, where reasonably required.
- Regulators, courts and law enforcement where we are legally required to do so.
- A successor in the event of a merger, acquisition or sale of business assets, subject to equivalent privacy protections.
We do not sell your personal information.
8. Cross-Border Transfers
Some of our operators process personal information outside the Republic of South Africa. In accordance with section 72 of POPIA, we only transfer personal information to a foreign country where:
- The recipient is bound by laws, binding corporate rules or a binding agreement that provide a level of protection substantially similar to POPIA;
- You have consented to the transfer; or
- The transfer is necessary to perform our contract with you or for your benefit.
9. Retention
We retain personal information only for as long as is necessary to fulfil the purpose for which it was collected, or for as long as the law requires us to keep it. Specific retention periods are informed by, among others:
- The Occupational Health & Safety Act and Construction Regulations (typically up to 3 years for site records)
- The Basic Conditions of Employment Act, 75 of 1997 (employment records — at least 3 years)
- The Tax Administration Act, 28 of 2011 (records for tax purposes — generally 5 years)
- The Companies Act, 71 of 2008 (statutory records — 7 years)
When you close your account, we delete or de-identify your personal information within a reasonable period, except where we are required or permitted by law to retain it for longer.
10. Security Safeguards
In accordance with section 19 of POPIA we take appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of personal information, including:
- Transport-layer encryption (HTTPS/TLS) for data in transit
- Encryption at rest for files stored in the Vault
- Role-based access controls and row-level security at the database layer
- Password hashing and protected session management
- Audit logging of sensitive actions and document access
- Regular review of our security posture and that of our operators
No system is perfectly secure. You play an important role too — keep your password confidential, use multi-factor authentication where available, and notify us immediately if you suspect unauthorised access to your account.
11. Your Rights
As a data subject under POPIA you have the right to:
- Be notified that we are collecting, or have accessed or acquired, your personal information
- Request access to the personal information we hold about you (sections 23–24)
- Request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained (section 24)
- Object, on reasonable grounds, to the processing of your personal information (section 11(3))
- Withdraw consent previously given, without affecting the lawfulness of processing before withdrawal
- Submit a complaint to the Information Regulator
- Institute civil proceedings regarding alleged interference with the protection of your personal information
To exercise any of these rights, email privacy@sitepass.co.za. Access requests may be made using Form 2 prescribed under the Promotion of Access to Information Act, 2 of 2000 (PAIA).
12. Direct Marketing
We may use your contact details to send you information about SitePass products, services and offers. In accordance with section 69 of POPIA, marketing to prospective customers by electronic means is sent only with consent. You can opt out of direct marketing at any time by clicking the unsubscribe link in any marketing email or by emailing the Information Officer.
13. Cookies & Similar Technologies
We and our service providers use cookies, pixels and similar technologies to make the Platform work, to remember your session, to understand how the Platform is used, and to measure the performance of our marketing. Categories include:
- Strictly necessary — authentication, security and load-balancing cookies the Platform needs to operate.
- Analytics — Google Analytics, which helps us understand which pages and features are used.
- Marketing — the Meta (Facebook) Pixel, which helps us measure the effectiveness of our advertising.
You can control cookies through your browser settings. Blocking strictly necessary cookies may prevent parts of the Platform from working.
14. Breach Notification
If there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and the affected data subjects as soon as reasonably possible, in accordance with section 22 of POPIA.
15. Changes to this Policy
We may update this policy from time to time. The "Last updated" date at the top of the page reflects the most recent revision. Material changes will be communicated by email or via an in-app notice before they take effect. Continued use of the Platform after a change constitutes acceptance of the updated policy.
16. Contact Us
For any questions, requests or complaints relating to this policy or your personal information, contact our Information Officer:
- Jeremy Mitchell — Information Officer, SitePass (PTY) Ltd
- Email: privacy@sitepass.co.za
- Post: 103 Dunkley House, 32 Barnet Street, Gardens, Cape Town, 8001
If you are not satisfied with how we have handled your personal information, you may lodge a complaint with the Information Regulator (South Africa):
- JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- General enquiries: enquiries@inforegulator.org.za
- POPIA complaints: POPIAComplaints@inforegulator.org.za
- Website: inforegulator.org.za
This policy is provided in good faith to describe our current practices and to align with POPIA. It is not legal advice. If you require advice about your own legal position, please consult a qualified South African attorney.