POPIA Compliance
Last reviewed: 30 March 2026
1. Compliance Statement
Billdog is committed to full compliance with the Protection of Personal Information Act (No. 4 of 2013) (“POPIA”). We process personal information lawfully, fairly, and transparently in accordance with all eight conditions for lawful processing as set out in POPIA.
2. Information Officer
Name: Jason Thwaits
Email: privacy@billdog.co.za
Organisation: Billdog (Pty Ltd registration pending)
Address: Cape Town, Western Cape, South Africa
Billdog is in the process of registering its Information Officer with the Information Regulator as required by POPIA Section 55.
3. Data Processing Register
The following summarises what personal information we process, why, and for how long:
| Category | Lawful Basis | Retention |
|---|---|---|
| Identity (name, email) | Contract performance | Until account deletion |
| Municipal account details | Contract performance | Until account deletion |
| Bill documents | Contract performance | Deleted after case closure |
| Dispute case data | Contract performance | 5 years after resolution |
| Payment token | Contract performance | Until account deletion |
| Transaction records | Legal obligation (SARS) | 7 years |
| Security logs (IP) | Legitimate interest | 12 months |
| Marketing preferences | Consent | Until withdrawal |
4. Data Processors
We share personal information with the following processors who act on our instructions:
| Processor | Data Category | Purpose | Location |
|---|---|---|---|
| Anthropic | Bill text, account details | AI analysis | US |
| Supabase | All data | Database & storage | EU-West-1 |
| Resend | Email, name | Email delivery | US |
| PayFast | Payment token | Payments | South Africa |
| Voyage AI | Anonymised text | Legislation search | US |
| Railway | Hosting | Infrastructure | US-East |
| Cloudflare | DNS, IP | DNS & security | Global |
5. Security Measures
- Encryption in transit (HTTPS/TLS) for all data
- Row Level Security on all database tables
- Private file storage with time-limited signed URLs
- Payment card tokenisation via PayFast — no card numbers stored
- Secure, HttpOnly authentication cookies
- Server-side API key management — secrets never exposed to browsers
- Regular dependency auditing
6. How to Request Your Data
You can request a copy of all data Billdog holds about you:
- Log in to your Billdog account
- Go to Settings
- Click Download My Data
- Your data will be exported as a JSON file
Alternatively, email privacy@billdog.co.za and we will respond within 30 days as required by POPIA.
7. How to Delete Your Data
You can request permanent deletion of all your personal data:
- Log in to your Billdog account
- Go to Settings
- Click Delete My Account
- Confirm deletion in the confirmation dialog
- You will receive an email confirming that deletion is scheduled
- After 30 days, all personal data is permanently deleted
- To cancel, simply log back in before the 30-day period ends
Note: SARS requires us to retain anonymised transaction records (fee amounts and dates only, with all personal information removed) for 7 years.
8. PAIA Manual Reference
The Promotion of Access to Information Act (No. 2 of 2000) (“PAIA”) requires that we make available a manual detailing the types of records held and how to request access. Billdog's PAIA manual is available upon request from privacy@billdog.co.za.
9. Information Regulator
Information Regulator (South Africa)
Website: inforegulator.org.za
Email: inforeg@justice.gov.za
Telephone: 010 023 5200
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg