Privacy Policy

Effective date: 27 February 2026 · Last updated: 5 April 2026

This Privacy Policy explains how NHM Global Advisory (Pty) Ltd (Registration No. 2026/175933/07), trading as ClearComply ("we", "us", "our"), collects, uses, stores, and protects your personal information when you use our website at www.clearcomply.co.za and related services (collectively, the "Platform").

We are committed to complying with the Protection of Personal Information Act 4 of 2013 ("POPIA"), the Electronic Communications and Transactions Act 25 of 2002 ("ECTA"), and all other applicable South African data protection legislation.

1. Information We Collect

1.1 Information you provide directly

• Account information: name, surname, email address, phone number, and password when you register.
• Company information: company name, CIPC registration number, entity type, province, sector, number of employees, annual turnover range, and financial year end.
• Compliance data: VAT registration status, B-BBEE status, operational flags (e.g. whether you process personal data, import/export goods, employ foreign nationals), and any documents you upload.
• Payment information: billing details processed by our third-party payment provider. We do not store your credit card or bank account numbers on our servers.
• Communications: feedback, support requests, and any other information you send us.

1.2 Information collected automatically

• Usage data: pages visited, features used, time spent on the Platform, and actions taken.
• Device and browser data: IP address, browser type and version, operating system, device type, and screen resolution.
• Cookies and similar technologies: we use essential cookies to keep you logged in and remember your preferences. We also use Google Analytics 4 to collect anonymised usage data (see Section 8 below).

1.3 Information from third parties

• CIPC public records: we access publicly available data from the Companies and Intellectual Property Commission, including Beneficial Ownership non-compliance lists and Gazette publications, to provide compliance checking services.
• Government Gazette: we access publicly available deregistration and business rescue notices published in the Government Gazette.
• Enrichment providers: for our Lead Intelligence add-on, we source business contact details (email addresses, phone numbers, websites, and registered addresses) from commercial data enrichment providers using publicly available business directory information.
• Google Sign-In: if you sign in with Google, we receive your name, email address, and profile picture from Google. We do not access your Google contacts, calendar, or other data.

2. Purpose of Processing

We process your personal information for the following purposes, as permitted under Section 11 of POPIA:

• Service delivery: to provide compliance monitoring, deadline tracking, diagnostic reports, and fix guides.
• Account management: to create and manage your account, authenticate your identity, and process payments.
• Communications: to send you compliance deadline reminders, platform notifications, service updates, and transactional emails (e.g. account confirmation, password reset).
• Improvement: to analyse usage patterns and improve the Platform's features, performance, and user experience.
• Legal compliance: to comply with applicable laws, regulations, and lawful requests from authorities.
• AI-assisted analysis: to generate compliance summaries and recommendations using artificial intelligence. Your data is sent to our AI provider solely for this purpose and is not used to train AI models.
• Lead Intelligence: to provide Enterprise subscribers with enriched contact details and compliance classifications for CIPC-flagged companies, for the purpose of legitimate business development. Lead data is sourced from publicly available records and commercial enrichment providers.

3. Legal Basis for Processing

We process your personal information on the following legal grounds under POPIA:

• Consent (Section 11(1)(a)): you consent to processing when you create an account and accept this Privacy Policy.
• Contract (Section 11(1)(b)): processing is necessary to perform our obligations under our Terms of Service.
• Legitimate interest (Section 11(1)(f)): processing is necessary for our legitimate interests in improving the Platform and preventing fraud, provided these interests do not override your rights.
• Legal obligation (Section 11(1)(c)): processing is required to comply with applicable laws.

4. Sharing of Personal Information

We do not sell, rent, or trade your personal information. We share your data only with:

• Supabase Inc. — database hosting and user authentication (servers in the EU).
• Vercel Inc. — website hosting and delivery.
• Payment provider — payment processing (PCI-DSS Level 1 compliant).
• Resend Inc. — transactional email delivery.
• Anthropic PBC — AI-powered compliance analysis.
• Google LLC — Google Sign-In for authentication and Google Analytics 4 for anonymised website usage analytics.

Each provider processes data only on our instructions and is bound by data processing agreements. We require all providers to implement appropriate security measures.

4.1 Cross-border transfers

Some of our service providers are located outside South Africa (primarily in the United States and the European Union). In accordance with Section 72 of POPIA, we ensure that these providers are subject to laws or binding agreements that provide an adequate level of protection for your personal information.

5. Data Retention

• Account data: retained for as long as your account is active, plus 12 months after account deletion to comply with legal and accounting requirements.
• Compliance records: retained for as long as your account is active. You may export your data at any time.
• Payment records: retained for 5 years as required by the Tax Administration Act and other financial legislation.
• Usage logs: retained for 12 months, then anonymised or deleted.

6. Your Rights Under POPIA

As a data subject, you have the right to:

• Access: request confirmation of whether we hold your personal information and request a copy of it.
• Correction: request that we correct or update inaccurate or incomplete personal information.
• Deletion: request that we delete your personal information, subject to legal retention requirements.
• Object: object to the processing of your personal information on reasonable grounds.
• Restriction: request that we restrict processing in certain circumstances.
• Data portability: request your data in a structured, machine-readable format.
• Withdraw consent: withdraw your consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.
• Complain: lodge a complaint with the Information Regulator of South Africa.

To exercise any of these rights, contact us at privacy@clearcomply.co.za. We will respond within 30 days as required by POPIA.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal information, including:

• Encryption of data in transit (TLS/SSL) and at rest (AES-256).
• Secure authentication with password hashing and optional multi-factor authentication.
• Role-based access controls limiting employee access to personal information on a need-to-know basis.
• Regular security assessments and monitoring.
• Secure hosting infrastructure with automated backups.

While we take all reasonable steps to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Cookies & Analytics

We use essential cookies required for the Platform to function (e.g. session management, authentication tokens). We also use Google Analytics 4 to understand how visitors use our website. Google Analytics collects anonymised data such as pages visited, time on site, approximate location (country/city level), device type, and referral source. This data is used solely to improve the Platform and is not linked to your personal account.

Google Analytics may set cookies (e.g. _ga, _ga_*) on your device. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. You can also configure your browser to reject non-essential cookies. We do not use advertising or retargeting cookies.

9. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will take steps to delete it promptly.

10. Lead Intelligence and Third-Party Business Data

Our Lead Intelligence add-on (available to Enterprise subscribers) provides contact details and compliance classifications for companies flagged by CIPC. This section explains how this data is collected, processed, and your obligations when using it.

10.1 Sources of Lead Intelligence data

Lead Intelligence data is compiled from:

• Publicly available CIPC company registration records, including Beneficial Ownership non-compliance lists.
• Government Gazette publications (deregistration notices, annual return defaults).
• Commercial business directory and enrichment services that source data from publicly available information.

10.2 Legal basis for processing

We process Lead Intelligence data under Section 11(1)(f) of POPIA (legitimate interest). The contact details relate to companies flagged for non-compliance with statutory obligations, and the purpose of processing is to enable accountants and compliance professionals to offer remediation services to those companies — a legitimate business interest that does not override the data subjects' rights.

10.3 Your obligations as a Lead Intelligence user

When you use Lead Intelligence data, you become a responsible party under POPIA for any outreach you conduct. You must:

• Use Lead Intelligence data only for legitimate business development purposes.
• Comply with Section 69 of POPIA (direct marketing) and the CPA when contacting leads.
• Honour any opt-out or objection requests from companies you contact.
• Not resell, redistribute, or share Lead Intelligence data with third parties.
• Not use Lead Intelligence data for unsolicited bulk communications or spam.

10.4 Opt-out and data subject rights

Companies listed in Lead Intelligence may request removal by contacting us at privacy@clearcomply.co.za. We honour all opt-out requests within 5 business days. If a company objects to their data being processed under Section 11(3) of POPIA, we will remove their data from the Lead Intelligence pool.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Platform at least 14 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.

12. Information Officer

Our designated Information Officer, as required by POPIA, can be contacted at:

• Email: privacy@clearcomply.co.za
• Post: NHM Global Advisory (Pty) Ltd, First Floor, 61 Katherine Street, Sandton, 2196

13. Information Regulator

If you are not satisfied with how we handle your personal information, you have the right to lodge a complaint with the Information Regulator of South Africa:

• Website: inforegulator.org.za
• Email: complaints.IR@justice.gov.za
• Tel: 012 406 4818