Privacy Policy

Last updated: 12 June 2025

1.1 DEFINITIONS

Personal Information: relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, including, but not limited to:

• race, gender, sex, pregnancy, marital status, national or ethnic origin, color, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language, and birth of a person.

Special Personal Information: includes any information relating to an individual’s:

• ethnicity, gender, religious or other beliefs, political opinions, membership of a trade union, sexual orientation, medical history, offences committed or alleged to have been committed by that individual, biometric details, and children’s details.

Processing: is any operation or activity, whether or not by automatic means, including:

• collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use;
• dissemination by means of transmission, distribution or making available in any form;
• merging, linking, as well as restriction, degradation, erasure or destruction.

Data Subject: the person who will provide Warp or its Operator(s) with Personal Information.

Responsible Party (Controller under GDPR): means Warp, including its directors, management, employees and Operators who need to process a Data Subject’s Personal Information for Warp’s business purposes.

Operator (Processor under GDPR): a natural person or juristic person who processes a Data Subject’s Personal Information on behalf of Warp in terms of a contract or mandate, without coming under the direct authority of Warp.

 

1.2 INTRODUCTION

Warp does on an ongoing basis collect and process Personal Information belonging to Data Subjects in order to carry out and pursue its business and related operational interests. This may include:

• recruitment and employment purposes;
• conducting criminal reference checks;
• conducting credit reference checks;
• confirming, verifying and updating personal details;
• risk assessments, insurance and underwriting purposes;
• financial, audit and record keeping purposes;
• contracts and business transactions;
• providing services to clients to carry out the services requested and to maintain and constantly improve the relationship;
• assessing and processing queries, enquiries and complaints;
• conducting customer satisfaction research;
• promotional, marketing and direct marketing purposes;
• communicating with employees, third parties, customers, suppliers and governmental officials and regulatory agencies.

This policy is intended to provide guidance to comply with the Protection of Personal Information Act of 2013 (POPIA); to protect the privacy rights of Warp employees, clients, suppliers and other individuals; to protect Warp from adverse consequences of a breach of its responsibilities under the Act.

 

1.3 SCOPE

All employees, contractors, vendors and any other 3rd parties entrusted with processing of personal information on behalf of Warp.

 

1.4 DATA PROTECTION PRINCIPLES AND CONDITIONS

Any Employee or Operator who processes Personal Information belonging to a Data Subject on behalf of Warp, shall comply with all the provisions of POPIA, including the 8 data protection conditions set out under section 4 of POPIA, which are as follows:

• Personal Information shall be obtained and processed fairly and lawfully;
• Personal Information shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes, unless specific consent to do so has been obtained;
• Personal Information shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
• Personal Information shall be accurate and, where necessary, kept up to date;
• Personal Information processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes;
• Personal Information shall be processed in accordance with the rights of data subjects under POPIA;
• Appropriate technical and organizational safeguards and measures must be put in place to protect and guard against unauthorized or unlawful processing of Personal Information and against accidental loss or destruction of, or damage to, Personal Information.
• Personal Information shall not be transferred outside South Africa to another country unless:
  • the recipient jurisdiction is deemed to have adequate data protection laws by the Information Regulator;
  • binding corporate rules or standard contractual clauses are in place; or
  • the data subject has provided informed and explicit consent for the transfer.

 

1.5 PERSONAL INFORMATION PROCESSING

Before any Personal Information is processed, the person processing such information on behalf of Warp must bring to the Data Subject’s attention the provisions of the Privacy Notice, contained in the agreement or contract with the Data Subject, which includes:

• the lawful basis for processing under POPIA (e.g., consent, legal obligation, contractual necessity, legitimate interests);
• what Personal Information is required and the purpose for the requirement;
• what will be done with the Personal Information;
• who the Personal Information will be shared with;
• whether the Personal Information will be sent outside the borders of South Africa and what data security measures are in place;
• what will be done with the Personal Information once the purpose for its collection and use has expired.

Consent is only requested where no other lawful basis for processing applies. If consent is withdrawn and no other legal basis exists, Warp will cease processing.

When processing a Data Subject’s Personal Information, the person processing such information must ensure that:

• They only process Personal Information, which is relevant and accurate and only for the purpose for which it is required.
• Special Personal Information will only be processed in line with the provisions set out under POPIA and in accordance with instructions set out by the Information Officer from time to time.

 

1.6 SAFEGUARDING PERSONAL INFORMATION

All Warp employees and where applicable, Operators and persons acting on behalf of Warp must, before processing Personal Information, ensure that the record housing the Personal Information will be kept secure and that appropriate measures and safeguards are in place to prevent any unauthorized access, disclosure and/or loss of such Personal Information.

Removing and downloading Personal Information on to portable devices from workplace equipment, or taking soft copies, paper or hard copies of Personal Information off-site:

• must be authorized in writing by the manager of the relevant department from where the information emanates;
• a copy of such authorisation sent to the Information Officer.

The removal will be subject to the following provisions:

• the person removing the Personal Information must explain and justify the operational need for the removal in relation to the volume and sensitivity of the Personal Information and ensure that the details of the Personal Information being removed is documented and recorded under a “removal register”;
• the Personal Information to be removed must be strongly encrypted/protected from unauthorized access;
• the person removing and using said data should only store the data necessary for their immediate needs and should remove the data as soon as possible once dealt with and such removal should be confirmed by way of an update of the removal record in the removal register;
• to avoid loss of encrypted data, or in case of failure of the encryption software, an unencrypted copy of the data must be held in a secure environment.

Paper or hard copies of Personal Information and portable electronic devices housing Personal Information should be stored in locked units, which must not be left on desks overnight or in view of other employees or third parties.

Personal Information, which is no longer required, should be securely archived and retained, as per Warp’s Data Handling Policy.

Personal Information must not be disclosed unlawfully to any third party.

Where an Operator is to process Personal Information on behalf of Warp, such processing will be subject to a written Operator agreement concluded between Warp and the Operator.

All losses of Personal Information must be reported to the relevant manager, the departmental Data Protection Coordinator, and the Information Officer.

In the event of a data breach involving Personal Information, Warp will notify the Information Regulator and affected data subjects without undue delay, as required under Section 22 of POPIA.

Warp retains Personal Information only for as long as necessary to fulfil the purpose for which it was collected or as required by law. Once the purpose has been fulfilled, data will be securely deleted or anonymized in line with the Data Handling Policy.

Negligent loss or unauthorized disclosure of Personal Information, or failure to report such events, may be treated as a disciplinary matter.

Warp via its Information Security Officer and IT department will continuously review its security controls and processes to ensure that all Personal Information is secure.

 

1.7 ACCESS AND CORRECTION OF PERSONAL INFORMATION

In terms of POPIA, a Data Subject has the right to:

• request access to their Personal Information which Warp holds, provided they follow the “Access to Information Procedure” set out under Warp’s PAIA Manual;
• ask Warp to update, correct or delete any of its Personal Information;
• object to Warp processing their Personal Information by filing a notice of objection.

Requests will be responded to within a reasonable time period, not exceeding 30 days. Warp may charge a reasonable fee for processing access or correction requests, as permitted under PAIA.

 

1.8 INFORMATION OFFICER

Warp has appointed an Information Officer who has been tasked with the primary responsibility for compliance with POPIA. More information is available in the PAIA manual on the Warp website: https://www.warpdevelopment.com

All Warp employees are under a duty to:

• raise any concerns in respect of the processing of Personal Information with the Information Officer;
• promptly pass on to the Information Officer all data subject access requests and requests from third parties for Personal Information;
• report losses or unauthorized disclosures of Personal Information to the Information Officer as soon as such loss or disclosure has been noted; and
• address any queries or concerns about this Policy and/or compliance with POPIA with the Information Officer.

 

1.9 OPERATORS AND SERVICE PROVIDERS

Where any Warp employee requires a Warp service provider, contractor and/or agents (Operator) to process Personal Information for or on behalf of Warp, such employee shall ensure that prior to such processing a standard Warp Operator Agreement is concluded with the Operator in respect of such processing.

Warp recognizes that the use of third-party vendors creates various risks that must be properly managed. Before entering any third-party relationships, we take deliberate steps to assess risk related to the vendor relationship. We take care to understand the compliance, reputational, strategic, operational, and transactional risks relating to a particular vendor before entering into a contractual relationship.

Any vendor who has access to Warp data classified as Personal Data or higher are expected to demonstrate their security policies, processes, and procedures and prove that they are able to provide adequate protection of such data, including against misuse or compromise.

 

1.10 RESPONSIBILITIES

Responsibility for reviewing the specific sets of controls to support this policy lies with the Director – Warp IT as part of the Information Security Framework Annual Review, taking account of changes in the internal and external environments and Warp’s risk appetite.

Heads of Departments are responsible for ensuring that Department purchases meet the relevant specifications as set out in the policy. Where this is not acceptable for valid business reasons then Heads are responsible for signing off exceptions with the Director. Heads of Department are also responsible to ensure that staff are aware of the need to adhere to this policy and report non-compliance via the defined and approved channels.

Individual employees are responsible for adhering to the information security framework policies and following the Warp Data Handling Policy. Where the policy requirements are reliant on individual employees taking steps to secure the information they are handling, the individual will be personally accountable and liable for failing to follow the required policy, procedure or process. Individual employees are responsible for ensuring that any shortfalls in cryptographic controls are reported promptly to their line manager.

 

1.11 COMPLIANCE

Breaches of this policy may be treated as a disciplinary matter dealt with under Warp’s staff disciplinary policies as appropriate. Where third parties are involved, breach of this policy may also constitute breach of contract.

 

1.12 COOKIES AND TRACKING

Warp may use cookies and similar tracking technologies to enhance user experience and analyze website traffic. Information collected through these technologies may include IP address, device type, browser version, and usage patterns.

This data is collected to improve functionality and performance. Visitors can manage or disable cookies via their browser settings. Cookie usage complies with this Privacy Policy and the conditions set out in POPIA.