Privacy Policy
Effective date: [DATE] — Last updated: [DATE]
1. Who We Are
LETHA Group Industries (Pty) Ltd (“LETHA”, “we”, “us”) is a South African company registered under number 2023/197493/07, with its principal place of business in Johannesburg, Gauteng.
We operate LETHA Intelligence, a B-BBEE scorecard tracking and ESD programme intelligence platform for South African corporations (“the Platform”).
For the purposes of the Protection of Personal Information Act 4 of 2013 (“POPIA”), LETHA Group Industries (Pty) Ltd is the Responsible Party for personal information collected directly from you. Where we process personal information on behalf of our clients, we act as an Operator under their instruction.
2. Information Officer
Our designated Information Officer is:
LETHA Group Industries (Pty) Ltd
Email: gabriel@lethagroup.co.za
WhatsApp: 081 300 6484
Direct any privacy queries, access requests, or complaints to the Information Officer.
3. What Personal Information We Collect
3.1 Account and User Information
When your organisation registers on the Platform:
- Full name and email address (via Clerk, our authentication provider)
- Job role and organisational affiliation
- Contact telephone number (optional)
- Authentication credentials (managed by Clerk — we do not store passwords)
3.2 Supplier and Certificate Data
In the course of providing the service, we process:
- Supplier company names and CIPC registration numbers
- B-BBEE contributor level and ownership percentages
- Director or proprietor full names
- Supplier physical addresses
- Certificate expiry and issue dates
- Verification body names
- Certificate documents (PDFs stored in Cloudflare R2)
Some of this information constitutes personal information under POPIA and is processed accordingly.
3.3 Usage and Technical Data
- Login timestamps and session activity
- Upload activity logs (anonymised)
- IP addresses and browser type (collected by Clerk and Vercel)
4. Why We Process Personal Information
| Purpose | Lawful basis (POPIA) |
|---|---|
| Providing the Platform | Performance of a contract (s.11(1)(b)) |
| Certificate expiry alerts | Performance of a contract; legitimate interest |
| AI-assisted certificate extraction | Performance of a contract; consent of the responsible party |
| Security and fraud prevention | Legitimate interest (s.11(1)(f)) |
| Legal compliance | Legal obligation (s.11(1)(c)) |
| Anonymised product analytics | Legitimate interest — data de-identified before use |
5. Sub-Operators and Third Parties
We share personal information with the following sub-operators, subject to contractual data protection obligations:
| Provider | Purpose | Location |
|---|---|---|
| Clerk | User authentication | United States |
| Convex | Database and backend | United States |
| Cloudflare R2 | Secure file storage | Global |
| Anthropic | AI certificate extraction | United States |
| Resend | Transactional email | United States |
| Vercel | Application hosting | Global |
We do not sell personal information. We do not share it with third parties for their own marketing.
6. Retention
| Category | Retention period |
|---|---|
| User account data | Subscription term plus 12 months after termination |
| Supplier and certificate records | Subscription term plus 12 months, or earlier on request |
| Certificate PDFs | Subscription term plus 12 months after termination |
| Usage logs | Rolling 90 days |
| Contact and enquiry data | 24 months from last contact |
7. Your Rights Under POPIA
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that inaccurate or incomplete information be corrected.
- Deletion: Request deletion, subject to legal or contractual retention obligations.
- Objection: Object to processing on grounds of legitimate interest.
- Restriction: Request restricted processing while a complaint or correction is pending.
- Complaint: Lodge a complaint with the Information Regulator.
Contact the Information Officer at gabriel@lethagroup.co.za. We respond within 30 days.
8. Data Breach Notification
In the event of a security compromise involving personal information, we will notify the South African Information Regulator within 72 hours and affected data subjects as soon as reasonably practicable, consistent with POPIA Section 22.
9. Security
Technical and organisational measures include:
- All data in transit encrypted via TLS/HTTPS
- Certificate files stored in private Cloudflare R2 (no public URLs)
- Authenticated sessions via Clerk; organisation-level data isolation enforced on every request
- HTTP security headers on all responses (CSP, HSTS, X-Frame-Options)
- Access to production infrastructure restricted to authorised personnel
To report a vulnerability, contact gabriel@lethagroup.co.za.
10. Contact and Complaints
If you are not satisfied with our response, you may contact the South African Information Regulator:
JD House, 27 Stiemens Street, Braamfontein, 2001
Email: inforeg@justice.gov.za — Tel: 010 023 5207