This notice is issued by Vault33 (Pty) Ltd ("Vault33", "we", "us") as a responsible party in terms of the Protection of Personal Information Act 4 of 2013 ("POPIA"). It explains what personal information we collect from visitors to vault33.co.za and early-access prospects, how we use it, and the rights you have under POPIA ss 23, 24 and 25.
1. Who we are
Vault33 builds a sovereign personal-data vault for South African organisations. All
production processing takes place in AWS af-south-1 (Cape Town).
- Responsible party: Vault33 (Pty) Ltd, Cape Town, South Africa
- Information Officer: designated under POPIA s 56 (registration with the Information Regulator is in progress); contact via mc@tremly.com
- Deputy Information Officer / DPO: mc@tremly.com
2. What we collect
| Category | Examples | Source |
|---|---|---|
| Contact | Name, work email, organisation | You, via the request-access form |
| Context | Free-text describing your use case | You, voluntarily |
| Technical | IP address, user agent, timestamp | Your browser, on submission |
We do not use third-party analytics, advertising pixels, or cross-site tracking on vault33.co.za. Fonts are self-hosted in af-south-1; no request leaves the page for Google, Meta or similar.
3. Why we process it (lawful basis under POPIA s 11)
- s 11(1)(b) — contract / pre-contract: to evaluate your early-access request and provide the service you asked for.
- s 11(1)(f) — legitimate interest: to understand which industries and use-cases are best served by Vault33, in a non-intrusive, non-marketing way.
4. Who we share it with
We do not sell or rent personal information. We share limited data only with operators acting on our instructions and bound by written data-processing agreements: our hosting provider (Amazon Web Services EMEA SARL, processing within af-south-1), and our transactional email provider (within the EU/UK, under SCCs). No onward cross-border transfer occurs without the s 72 safeguards POPIA requires.
5. How long we keep it
- Lead records: 24 months from last contact, then deleted.
- Customer contract data: for the life of the contract and 5 years thereafter (FIC Act s 23, where the contract triggers CDD obligations).
- Security and audit logs: 12 months, hashed where practical.
6. How we protect it
Vault33 applies to itself the same controls it sells: AWS-KMS envelope encryption at rest, TLS 1.2+ in transit, least-privilege IAM, append-only audit at the database role, and regular penetration testing. Security events are logged and reviewed.
7. Your rights under POPIA
You may, free of charge and at any time:
- s 23 — request confirmation of the personal information we hold about you, and a copy of the record;
- s 24 — request correction or deletion of inaccurate, excessive or unlawfully processed information;
- s 11(3) — object, on reasonable grounds, to processing based on legitimate interest;
- s 69 — where relevant, withdraw consent to direct marketing in writing.
Submit requests to mc@tremly.com. We will respond in writing within the timeframe set by the POPIA Regulations (generally 30 days). If we refuse, we will tell you why and how to complain.
8. Complaints
You may complain to the Information Regulator (South Africa): inforegulator.org.za · complaints.IR@justice.gov.za.
9. Changes
We revise this notice when the law or our processing changes. The date at the top of this page is authoritative. Material changes are announced to existing contacts in writing.