POPIA Compliance
How BantuziLegal aligns with the Protection of Personal Information Act
Effective date: 1 March 2026
Our Data Protection Principles
Aligned with POPIA conditions for lawful processing
Accountability
BantuziLegal takes responsibility for the personal information we process. We have appointed an Information Officer to oversee compliance with POPIA and related data-protection obligations.
Purpose Limitation
We collect personal information only for specific, explicitly defined, and lawful purposes. Data is never processed in a manner incompatible with the purpose for which it was originally collected.
Minimality
We collect only the personal information that is adequate, relevant, and not excessive for the purposes for which it is processed.
Security Safeguards
We implement appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised access, or unlawful processing.
Openness
We are transparent about the types of personal information we collect, the purposes for processing, and the categories of third parties with whom data may be shared.
Data Subject Rights
We respect the rights of data subjects to access, correct, and delete their personal information, and to object to processing where appropriate.
1. About POPIA
The Protection of Personal Information Act, 2013 (POPIA) is South Africa's comprehensive data-protection legislation, broadly comparable in structure and scope to the EU GDPR: it sets out conditions for lawful processing, rights for data subjects, and obligations for responsible parties and operators. While BantuziLegal is headquartered in Zambia, we voluntarily align with POPIA standards because many of our users and prospective clients operate across Southern African jurisdictions, and because POPIA represents a robust framework for responsible data handling.
We also comply with the Zambian Data Protection Act, 2021, and other applicable data-protection laws in the jurisdictions where our users operate.
2. Lawful Basis for Processing
We process personal information under one or more of the following lawful grounds:
Contractual Necessity
Processing is necessary to perform our obligations under your subscription agreement — e.g., maintaining your account, providing platform access, processing payments, and delivering support.
Legitimate Interest
Processing is necessary for our legitimate business interests — e.g., improving platform security, analysing anonymised usage data, and preventing fraud — provided those interests are not overridden by your rights and interests.
Consent
Where you have given explicit consent — e.g., opting in to publish a testimonial or to receive marketing communications. You may withdraw consent at any time.
Legal Obligation
Processing is required to comply with applicable laws — e.g., retaining billing records for tax purposes or responding to valid legal process.
3. Categories of Personal Information
Identity Data
Full name, job title, professional role.
Contact Data
Email address, phone number, firm address.
Financial Data
Billing address, payment method details (processed by our payment gateway — we do not store full card numbers).
Technical Data
IP address, browser type, operating system, session identifiers.
Usage Data
Features accessed, pages visited, timestamps, referral source.
Practice Data
Client records, matter details, documents, time entries, and invoices entered by your Firm. This data may contain personal information of third parties (e.g., your clients). Your Firm is the responsible party for such data; BantuziLegal acts as an operator (processor).
4. Technical & Organisational Safeguards
We implement the following measures to protect personal information:
Tenant Isolation
Every Firm's data is held in a logically isolated database workspace, and every query is scoped by the Firm's tenant identifier at the application layer, so that a request from one Firm cannot read or modify another Firm's records.
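The following is an added illustration of application-layer tenant scoping, not BantuziLegal's own code. It seeds an in-memory SQLite table with constructed records for two hypothetical firms, shows the defect that scoping prevents (a lookup by primary key alone returning another firm's client data), and then a repository that binds the tenant identifier from the authenticated context into every statement. The AuthContext and repository names, the table layout and the sample rows are assumptions made for the example.

```python
"""Tenant-scoped data access: every query carries the caller's tenant id.

Added illustration (not BantuziLegal's code): an in-memory SQLite table of
'matters' shared by two hypothetical firms, and a repository that takes the
tenant predicate from the authenticated context rather than from request
input, so a row id guessed from another firm never resolves.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthContext:
    """Who is making the request. tenant_id comes from the verified session,
    never from a query string or request body (hypothetical structure)."""
    user_id: str
    tenant_id: str


def seed_database() -> sqlite3.Connection:
    """Constructed sample data: two firms, one matter each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE matters (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
        "title TEXT NOT NULL, client_name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO matters (id, tenant_id, title, client_name) VALUES (?, ?, ?, ?)",
        [
            (1, "firm-a", "Lease dispute", "A. Mwila"),
            (2, "firm-b", "Estate planning", "B. Phiri"),
        ],
    )
    conn.commit()
    return conn


def get_matter_unscoped(conn: sqlite3.Connection, matter_id: int):
    """The defect: looks up by primary key alone. Any authenticated user of
    any firm who guesses an id reads another firm's client data."""
    return conn.execute(
        "SELECT id, tenant_id, title, client_name FROM matters WHERE id = ?",
        (matter_id,),
    ).fetchone()


class TenantScopedRepository:
    """Every statement includes `tenant_id = ?` bound from the AuthContext.
    The predicate is added by the repository, so a caller cannot omit it."""

    def __init__(self, conn: sqlite3.Connection, ctx: AuthContext):
        self._conn = conn
        self._ctx = ctx

    def get_matter(self, matter_id: int):
        return self._conn.execute(
            "SELECT id, tenant_id, title, client_name FROM matters "
            "WHERE id = ? AND tenant_id = ?",
            (matter_id, self._ctx.tenant_id),
        ).fetchone()

    def rename_matter(self, matter_id: int, new_title: str) -> int:
        cur = self._conn.execute(
            "UPDATE matters SET title = ? WHERE id = ? AND tenant_id = ?",
            (new_title, matter_id, self._ctx.tenant_id),
        )
        self._conn.commit()
        # 0 rows means "not yours": report it as not found, never as success.
        return cur.rowcount

    def list_matters(self):
        return self._conn.execute(
            "SELECT id, title FROM matters WHERE tenant_id = ? ORDER BY id",
            (self._ctx.tenant_id,),
        ).fetchall()


def demo() -> dict:
    """A firm-a user tries to reach firm-b's matter (id 2) both ways."""
    conn = seed_database()
    firm_a_user = AuthContext(user_id="u-17", tenant_id="firm-a")
    leak = get_matter_unscoped(conn, 2)            # firm-b's record, exposed
    repo = TenantScopedRepository(conn, firm_a_user)
    blocked = repo.get_matter(2)                   # None: not visible to firm-a
    own = repo.get_matter(1)                       # firm-a's own matter
    changed = repo.rename_matter(2, "Hijacked")    # 0 rows: firm-b untouched
    return {
        "leak": leak,
        "blocked": blocked,
        "own": own,
        "changed": changed,
        "firm_b_title": get_matter_unscoped(conn, 2)[2],
    }


if __name__ == "__main__":
    print(demo())
```

The point worth checking in any review of such code is that the tenant predicate is applied by the data-access layer for every statement, including updates and deletes, and that a zero-row result is surfaced as "not found" rather than silently treated as success.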
Encryption
All data in transit is encrypted using TLS 1.2 or higher. Sensitive fields at rest are encrypted where technically feasible.
Authentication & Access Control
Passwords are hashed using bcrypt. Authentication uses stateless JWTs with short expiry. Role-based access control (RBAC) limits each user to the data and actions that their assigned role permits.
Audit Logging
All administrative and security-sensitive actions are recorded in an immutable audit log, including the user, action, timestamp, and affected resource.
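As an added illustration of what makes an audit log tamper-evident, the block below chains each record to the hash of the one before it, so that editing or deleting an earlier entry invalidates every entry that follows. It is not BantuziLegal's implementation: the page names the recorded fields (user, action, timestamp, affected resource), while the hash chain, the helper names and the sample entries are assumptions made for this example.

```python
"""Tamper-evident audit log as a SHA-256 hash chain.

Added illustration, not BantuziLegal's implementation: each record carries
the hash of the previous record, so an edit or deletion anywhere in the
history breaks verification from that point on. Fields mirror the ones
named on the page (user, action, timestamp, affected resource); the chain
layout, function names and sample entries are assumptions for this example.
"""
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" of the very first entry


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always
    # hashes identically regardless of dict ordering.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(log: list, user: str, action: str, timestamp: str, resource: str) -> dict:
    """Append one record, linking it to the current tail of the chain."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), "user": user, "action": action,
              "timestamp": timestamp, "resource": resource}
    entry = dict(record, prev_hash=prev_hash, hash=_digest(prev_hash, record))
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return (True, None) if the chain is intact, else (False, index) of the
    first entry whose sequence number, link or hash does not check out."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if (entry["seq"] != i
                or entry["prev_hash"] != prev_hash
                or _digest(prev_hash, record) != entry["hash"]):
            return False, i
        prev_hash = entry["hash"]
    return True, None


def build_sample_log() -> list:
    """Constructed sample entries with hypothetical users and resources."""
    log = []
    append_entry(log, "admin@firm-a", "role.grant", "2026-03-01T09:00:00Z", "user:u-17")
    append_entry(log, "u-17", "matter.export", "2026-03-01T09:05:00Z", "matter:1")
    append_entry(log, "admin@firm-a", "user.disable", "2026-03-02T10:00:00Z", "user:u-17")
    return log


def demo():
    """Intact chain, then an edited entry, then a deleted entry."""
    log = build_sample_log()
    intact = verify_chain(log)

    tampered = [dict(e) for e in log]
    tampered[1]["action"] = "matter.view"   # an insider rewrites what they did
    edited = verify_chain(tampered)          # hash of entry 1 no longer matches

    del tampered[1]                          # removing it breaks seq/prev_hash of the next
    deleted = verify_chain(tampered)
    return intact, edited, deleted


if __name__ == "__main__":
    print(demo())
```

A chain like this only proves integrity relative to a trusted tail: the most recent hash still has to be anchored somewhere the log writer cannot alter (for example, periodically published or stored under a separate write-once credential), otherwise an attacker with write access can simply rebuild the chain after editing it.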
Secure Development
Our development process includes code review, dependency scanning, and adherence to OWASP security guidelines.
5. Cross-Border Data Transfers
Your data may be processed in jurisdictions outside Zambia where our cloud-infrastructure providers maintain data centres. In all cases, we ensure that adequate protections are in place through contractual data-processing agreements that meet or exceed POPIA's requirements for cross-border transfers under Section 72.
6. Data Subject Rights
Under POPIA and the Zambian Data Protection Act, you have the right to:
Access
Request confirmation of whether we hold your personal information and obtain a copy of it.
Correction
Request that inaccurate, incomplete, or outdated personal information be corrected or updated.
Deletion
Request deletion of your personal information where it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
Objection
Object to the processing of your personal information on reasonable grounds.
Data Portability
Request an export of your data in a structured, commonly used format.
Complaint
Lodge a complaint with the relevant data-protection authority if you believe your rights have been violated.
To exercise any of these rights, contact our Information Officer at privacy@bantuzilegal.com. We will respond within 30 days.
7. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will: (a) notify the relevant data-protection authority within 72 hours of becoming aware of the breach; (b) notify affected data subjects without unreasonable delay; and (c) document the breach, its effects, and the remedial actions taken.
8. Retention Periods
We retain personal information only for as long as necessary to fulfil the purpose for which it was collected. Specific retention periods include: active account data (duration of subscription + 90 days); billing records (7 years, as required by tax law); audit logs (3 years); and anonymised analytics data (indefinitely, as it contains no personal information).
9. Information Officer
BantuziLegal has appointed an Information Officer responsible for ensuring compliance with POPIA, the Zambian Data Protection Act, and these commitments. The Information Officer can be reached at privacy@bantuzilegal.com.
10. Updates to This Statement
We may update this POPIA Compliance statement to reflect changes in our practices or legal requirements. Material changes will be communicated via email or in-app notification at least 14 days before they take effect.