Processing Register
Register of personal information processing activities under the Protection of Personal Information Act (POPIA)
Responsible Party: NHM Global Advisory (Pty) Ltd, trading as ClearComply
Information Officer: Nathan Mukoma — privacy@clearcomply.co.za
Last Updated: 20 March 2026
1. Compliance Check (Free)
| Purpose | Allow visitors to check their company's CIPC compliance status against published non-compliance lists |
| Data Subjects | Website visitors (company directors/owners) |
| Personal Data Processed | Company registration number (input), compliance findings (output). No personal data collected. |
| Lawful Basis | Legitimate interest (Section 11(1)(f)) — providing a public-interest compliance lookup |
| Source of Data | User-provided registration number; CIPC published compliance lists (public records) |
| Recipients / Third Parties | None — results shown only to the user |
| Retention Period | Search queries not stored. CIPC data refreshed periodically when CIPC publishes updates. |
| Cross-Border Transfers | Data processed on Vercel (US-hosted) and Neon (US-hosted) servers. CIPC data is publicly available and not personal information. |
| Security Safeguards | TLS encryption in transit, encrypted at rest |
2. User Account & Platform
| Purpose | Provide compliance dashboard, deadline tracking, document vault, and AI compliance guidance to registered users |
| Data Subjects | Registered users (company directors/owners/compliance officers) |
| Personal Data Processed | Name, email address, company name, company registration number, subscription tier, compliance documents uploaded to vault |
| Lawful Basis | Contract (Section 11(1)(b)) — necessary to deliver the subscribed service |
| Source of Data | Directly from the user during registration and account setup |
| Recipients / Third Parties | Resend (transactional email), Stripe (payment processing), OpenAI (AI compliance assistant, no PII sent) |
| Retention Period | Active accounts: retained while subscription is active. Cancelled accounts: data retained for 12 months, then purged. Users may request deletion at any time. |
| Cross-Border Transfers | US (Vercel hosting, Neon database, Resend email, Stripe payments, OpenAI). Appropriate safeguards in place via processor agreements. |
| Security Safeguards | Bank-level encryption (TLS 1.3 in transit, AES-256 at rest), PCI-DSS Level 1 payment processing (Stripe), role-based access controls, no card data stored |
3. Outreach Communications
| Purpose | Inform non-compliant companies about their CIPC compliance issues and offer compliance management tools |
| Data Subjects | Directors/owners of companies appearing on CIPC non-compliance lists |
| Personal Data Processed | Company name, registration number, publicly available contact email, phone number, website URL, compliance status |
| Lawful Basis | Legitimate interest (Section 11(1)(f)) — notifying companies of regulatory non-compliance that may result in penalties or deregistration |
| Source of Data | CIPC published non-compliance lists (public records); company contact details from Google Places API and company websites (publicly available) |
| Recipients / Third Parties | Resend (email delivery). Email addresses are not shared with any other third party. |
| Retention Period | 6 months from last email sent. If no engagement (no opens, clicks, or replies) after 6 months, all outreach records including contact details are purged and the email is permanently suppressed. |
| Cross-Border Transfers | US (Resend email delivery). Company contact information sourced from publicly available South African business directories. |
| Security Safeguards | Email-to-company domain validation (similarity scoring), TLD blocking, aggregator filtering, instant unsubscribe mechanism, global suppression list, bounce-rate circuit breaker |
4. Email Engagement Tracking
| Purpose | Monitor email deliverability and engagement to maintain sender reputation and comply with anti-spam obligations |
| Data Subjects | Recipients of outreach and transactional emails |
| Personal Data Processed | Email open events, click events, bounce events, unsubscribe events (metadata only — no email content tracked) |
| Lawful Basis | Legitimate interest (Section 11(1)(f)) — maintaining email deliverability and preventing unwanted communications |
| Source of Data | Resend webhook events (automated delivery notifications) |
| Recipients / Third Parties | None — used internally for campaign management only |
| Retention Period | Engagement metadata retained for 12 months for deliverability analysis, then aggregated into anonymised statistics. |
| Cross-Border Transfers | US (Resend webhook processing) |
| Security Safeguards | Svix webhook signature verification, HTTPS-only endpoints |
5. Email Suppression List
| Purpose | Permanently prevent sending emails to addresses that have unsubscribed, bounced, or been identified as mismatched |
| Data Subjects | Email addresses that must never receive future communications |
| Personal Data Processed | Email address, suppression reason, date added |
| Lawful Basis | Legal obligation (Section 11(1)(c)) — POPIA requires honouring opt-out requests; CAN-SPAM compliance |
| Source of Data | Unsubscribe requests, bounce events, data quality audits, data retention purges |
| Recipients / Third Parties | None — internal use only |
| Retention Period | Permanent — suppression records are never deleted to prevent accidental re-contact |
| Cross-Border Transfers | US (Neon database) |
| Security Safeguards | Checked before every email send, cannot be overridden by campaign settings |
6. Document Vault
| Purpose | Secure storage of compliance-related documents (CIPC certificates, tax clearances, B-BBEE affidavits, etc.) |
| Data Subjects | Registered users (Pro plan and above) |
| Personal Data Processed | PDF, Word, and Excel files uploaded by the user. Maximum 3GB per account, 15MB per file. |
| Lawful Basis | Contract (Section 11(1)(b)) — document storage is a subscribed feature |
| Source of Data | Directly uploaded by the user |
| Recipients / Third Parties | None — documents accessible only to the uploading user |
| Retention Period | Retained while account is active. Deleted within 30 days of account cancellation or upon user request. |
| Cross-Border Transfers | US (cloud storage) |
| Security Safeguards | Encrypted at rest (AES-256), access-controlled per user, file type validation (PDF/Word/Excel only) |
7. Website Analytics
| Purpose | Understand website usage patterns to improve the product |
| Data Subjects | Website visitors |
| Personal Data Processed | Page views, session duration, referral source, device type (via Google Analytics). No PII collected. |
| Lawful Basis | Legitimate interest (Section 11(1)(f)) — improving the service |
| Source of Data | Automated collection via Google Analytics tracking code |
| Recipients / Third Parties | Google (Analytics data processor) |
| Retention Period | Google Analytics default retention (14 months), then auto-deleted by Google. |
| Cross-Border Transfers | US (Google servers) |
| Security Safeguards | IP anonymisation enabled, no personally identifiable information collected, cookie consent respected |
Your Rights Under POPIA
As a data subject, you have the right to:
- Access — Request a copy of the personal information we hold about you
- Correction — Request that inaccurate information be corrected
- Deletion — Request that your personal information be deleted (subject to legal retention requirements)
- Object — Object to the processing of your personal information for direct marketing
- Complaint — Lodge a complaint with the Information Regulator of South Africa
To exercise any of these rights, email privacy@clearcomply.co.za with your company name and registration number. We will respond within 30 days.
Information Regulator (South Africa) — inforegulator.org.za — complaints.IR@justice.gov.za