SmartNotice← Back to home
POPIA Compliant

Privacy Policy

SmartNotice is committed to protecting your personal information. This policy explains what we collect, why we collect it, and how we keep it safe — in plain language.

Effective date: 1 January 2026Last updated: 11 May 2026Version 1.1

1. Introduction

SmartNotice is a bylaw-driven revenue enforcement platform developed for South African municipalities. It enables the issuing, tracking, and legally serving of pre-termination of services notices to residents and businesses, supported by GPS verification, photographic evidence, and a complete digital audit trail.

This Privacy Policy explains how SmartNotice ("we", "us", "our") collects, uses, stores, shares, and protects your personal information when you use our platform, whether as a municipal administrator, a field agent, or an end-user whose information appears in a notice.

This policy is issued in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), the Municipal Finance Management Act 56 of 2003 (MFMA), and other applicable South African legislation. By using SmartNotice, you acknowledge that you have read and understood this policy.

2. Responsible Party & Information Officer

SmartNotice acts as both a Responsible Party (for platform-level data) and an Operator (processing personal information on behalf of subscribing municipalities).

Each municipality that subscribes to SmartNotice is independently responsible for the personal information of its residents that is processed through the platform. SmartNotice processes this data solely on the municipality's written instructions.

Information Officer Contact: For all data-related queries, complaints, or rights requests, please contact our designated Information Officer:

• Email: privacy@smartnotice.co.za

  • Postal Address: SmartNotice, South Africa
  • Response time: We aim to respond within 5 business days and resolve requests within 30 days as required by POPIA.

You also have the right to lodge a complaint with the Information Regulator of South Africa:

  • Website: www.inforegulator.org.za
  • Email: POPIAComplaints@inforegulator.org.za

3. Personal Information We Collect

We collect the following categories of personal information through the SmartNotice platform:

3.1 Municipal Administrator & Field Agent Data

  • Full name and surname
  • Work email address and mobile number
  • Employee or agent identification number
  • Role and permission level within the platform
  • Profile photograph (optional)
  • Device information (model, operating system, browser type)
  • IP address and session metadata
  • Login timestamps and activity logs

3.2 Resident / Consumer Data (on behalf of municipalities)

  • Full name and surname of the account holder
  • Physical property address and erf/stand number
  • Municipal account number
  • Outstanding account balance and tariff category
  • Service type subject to pre-termination (water, electricity, refuse, etc.)
  • Contact telephone number and email address (where available in municipal records)

3.3 Notice Execution Data

  • GPS coordinates and address at the time of notice service
  • Timestamp of physical notice delivery or attempted delivery
  • Photographs taken during the service of a notice (property exterior, notice affixed to door, meter reading evidence, etc.)
  • Field agent identifier associated with each notice
  • Witness details (where applicable)
  • Meter readings at the time of service

3.4 Technical & Device Data

  • Browser type and version
  • Device operating system
  • Pages visited and time spent on each page
  • Error logs and diagnostic information
  • Push notification tokens (for PWA functionality)
  • Cached offline data stored on the device via IndexedDB

3.5 Communication Data

  • System-generated email notifications (sent via Resend)
  • In-app notification records
  • Audit log entries associated with your account

4. How We Use Your Personal Information

SmartNotice processes personal information only for lawful, specific, and disclosed purposes. We rely on the following lawful bases under POPIA:

4.1 Contract Performance

  • Providing the SmartNotice platform services to subscribing municipalities
  • Creating and managing user accounts for administrators and field agents
  • Enabling offline-capable mobile workflows for field agents

4.2 Legal Obligation & Legitimate Municipal Function

  • Generating legally valid pre-termination of services notices as required under municipal bylaws and the MFMA
  • Maintaining a tamper-evident audit trail for each notice, as required for legal defensibility
  • Producing exportable compliance reports for internal audit and external oversight bodies (e.g., Auditor-General)

4.3 Legitimate Interest

  • Improving platform performance and reliability through anonymised usage analytics
  • Detecting and preventing fraudulent or unauthorised use of the platform
  • Sending transactional system notifications (notice status updates, sync confirmations, alerts)

4.4 Consent (where applicable)

  • Sending product updates, release notes, or feature announcements to registered administrators who have opted in

We do NOT use your personal information for:

  • Unsolicited marketing to residents
  • Selling or renting data to third parties
  • Automated decision-making that produces legal effects without human review

5. Sharing & Disclosure of Personal Information

SmartNotice does not sell, trade, or rent personal information to any third party. We may share information only in the following limited circumstances:

5.1 Within Your Municipality All notice data collected by field agents is accessible to authorised municipal administrators and supervisors within the same municipal tenant account. Access is role-based and logged.

5.2 Service Providers (Operators) We use a limited set of third-party service providers that process data on our behalf under strict data processing agreements:

• Supabase Inc. — Database hosting, authentication, and real-time data services. Data is stored in their managed PostgreSQL infrastructure.

  • Vercel Inc. — Application hosting and edge delivery (Next.js runtime).
  • Resend Inc. — Transactional email delivery (system notifications only).
  • Vercel Analytics — Anonymised, aggregate usage analytics. No personally identifiable information is shared.

All providers are contractually bound to process data only on our instruction, implement appropriate technical security measures, and not process data for their own purposes.

5.3 Legal Requirements We may disclose personal information if required to do so by law, court order, or a lawful request by a South African government authority, provided such a request is lawful and proportionate.

5.4 Business Transfers In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the successor entity, subject to equivalent privacy protections.

6. Security Measures

SmartNotice implements a layered security architecture to protect your personal information:

6.1 Encryption

  • All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
  • Sensitive data fields are encrypted at rest within the database.
  • The platform is badged End-to-End Encrypted, meaning notice payload data is protected throughout its lifecycle.

6.2 Authentication & Access Control

  • Multi-factor authentication is available and encouraged for all administrator accounts.
  • Role-based access control (RBAC) ensures users can only access information relevant to their function.
  • Sessions are managed with short-lived JWT tokens and secure, HTTP-only refresh token cookies.

6.3 Audit Trails

  • Every action on the platform — creating, viewing, updating, or exporting a notice — is logged with the user identity, timestamp, and IP address.
  • Audit logs are immutable and cannot be deleted by any user, including administrators.

6.4 Infrastructure Security

  • The platform is hosted on enterprise-grade cloud infrastructure with automatic failover and DDoS protection.
  • Vulnerability scanning and dependency audits are performed regularly.

6.5 Offline Data

  • Data cached on field agent devices for offline use is stored in the browser's IndexedDB and is isolated to the origin domain.
  • Offline cache is automatically cleared upon successful synchronisation.

6.6 Incident Response

  • We maintain an incident response plan. In the event of a breach that poses a risk to your rights, we will notify the Information Regulator and affected parties within the timeframes prescribed by POPIA.

7. Data Retention

We retain personal information only for as long as necessary for the purposes for which it was collected, or as required by law.

7.1 Notice & Audit Records Pre-termination notice records, including GPS data, photographs, and audit logs, are retained for a minimum of 5 years from the date of issue. This period aligns with the general prescription period under South African law and MFMA compliance requirements.

7.2 User Account Data Agent and administrator account data is retained for the duration of the employment or contract relationship, plus 2 years thereafter, to support any post-employment queries or audits.

7.3 System Logs Technical and security logs are retained for 12 months, after which they are purged or anonymised.

7.4 Offline Cache Device-side cached data (IndexedDB) is temporary and is designed to be cleared within 24 hours of synchronisation with the server, or upon the user logging out.

7.5 Deletion Requests Where a legitimate deletion request is received (see Section 8), we will action it within 30 days, subject to any overriding legal retention obligations. Where full deletion is not possible due to legal obligation, we will restrict processing and notify you of the reason.

8. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights in respect of your personal information:

8.1 Right to Access You have the right to request confirmation of whether we hold personal information about you, and to receive a copy of that information.

8.2 Right to Correction You have the right to request the correction or updating of inaccurate, incomplete, or outdated personal information.

8.3 Right to Deletion You have the right to request the deletion or destruction of personal information that we no longer have a lawful basis to process, subject to any legal retention obligations.

8.4 Right to Object You have the right to object to the processing of your personal information on grounds relating to your particular situation, where we rely on legitimate interest as our lawful basis.

8.5 Right to Withdraw Consent Where processing is based on your consent (e.g. marketing communications), you may withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

8.6 Right to Complain You have the right to lodge a complaint with the Information Regulator of South Africa if you believe your rights have been violated.

8.7 How to Exercise Your Rights Submit a written request to: privacy@smartnotice.co.za

Include your full name, the nature of your request, and (if applicable) your municipal account number or the notice reference number in question. We may request proof of identity before processing your request. We will respond within 30 days.

9. Cookies & Local Storage

SmartNotice uses a minimal set of cookies and browser storage technologies necessary for the platform to function:

9.1 Essential Cookies

  • Session cookies: Used to maintain your authenticated session. These are session-scoped and are deleted when you close your browser.
  • Security cookies: HTTP-only cookies used to store refresh tokens securely. These cannot be accessed by JavaScript.

9.2 Local Storage & IndexedDB

  • Offline data cache: When you use SmartNotice as a Progressive Web App (PWA), notice data and forms are cached locally to enable offline functionality.
  • Preference storage: Your display preferences (such as theme settings) may be stored in local storage.

9.3 Analytics

  • Vercel Analytics collects anonymous, aggregated data about page views and performance metrics. It does not track individual users, set third-party cookies, or use fingerprinting.

We do not use advertising cookies, social media tracking pixels, or any cross-site tracking technologies. You may clear your browser's cookies and local storage at any time through your browser settings; however, doing so may affect offline functionality.

10. Children's Privacy

SmartNotice is a professional B2G (business-to-government) platform intended exclusively for use by municipal employees, contractors, and administrators. It is not directed at, and should not be used by, persons under the age of 18.

We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take immediate steps to delete it.

The personal information of residents that appears in notices may in some cases relate to a household rather than an individual. In no case does the platform target or profile children specifically.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Post an in-app notification to all active administrators
  • Where required, seek fresh consent from affected data subjects

We encourage you to review this policy periodically. Your continued use of the platform after the effective date of any change constitutes your acceptance of the revised policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal information, please contact us:

SmartNotice — Information Officer Email: privacy@smartnotice.co.za

For urgent security or breach matters: Email: security@smartnotice.co.za

Information Regulator of South Africa (external complaints): Website: www.inforegulator.org.za Email: POPIAComplaints@inforegulator.org.za Phone: 010 023 5207

Have a privacy question?

Our Information Officer is here to help with any data-related queries or rights requests.

privacy@smartnotice.co.za