Privacy Policy

Last updated: 1 June 2025  |  Effective date: 1 June 2025

1. Introduction

HRShield (“we”, “our”, “us”), a product of Kgusiame Group (Pty) Ltd, is committed to protecting the privacy of our users in accordance with the Protection of Personal Information Act 4 of 2013 (“POPIA”). This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use the HRShield platform (“the Service”).

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, please discontinue use of the Service.

2. Information We Collect

2.1 Account Information

When you register, we collect your name, email address, and company details necessary to create and manage your account.

2.2 Employee Data

You may upload or enter personal information about your employees, including names, ID numbers, employment details, salary information, and disciplinary records. You are the Responsible Party for this data under POPIA; HRShield acts as an Operator processing it on your behalf.

2.3 Usage Data

We automatically collect log data such as IP addresses, browser type, pages visited, and timestamps to operate and improve the Service.

2.4 Payment Data

Subscription payments are processed by Paystack. We do not store card numbers or banking details; we receive only payment confirmation tokens and subscription status.

2.5 AI Assistant Interactions

Questions submitted to the AI Legal Assistant are transmitted to Anthropic's API for processing. We log only the character count of questions, not their content, for rate-limiting purposes. Conversation history is not stored in our database.

3. How We Use Your Information

  • To provide, operate, and maintain the Service
  • To process transactions and send related billing information
  • To generate employment documents and compliance reports on your instruction
  • To send account-related notifications and product updates
  • To detect, prevent, and address technical issues and fraud
  • To comply with our legal obligations under South African law

We do not sell your personal information to third parties. We do not use employee data you upload for any purpose other than providing the Service to you.

4. Legal Basis for Processing

We process personal information on the following grounds under POPIA:

  • Contract: processing necessary to deliver the Service you subscribed to
  • Legitimate interest: improving our platform, security monitoring, fraud prevention
  • Legal obligation: complying with South African legislation including the Companies Act and tax laws
  • Consent: where explicitly given for optional communications

5. Data Sharing and Third Parties

We share personal information only with:

  • Supabase: our database and authentication provider, hosted in compliance with applicable data protection laws
  • Paystack: payment processing — governed by Paystack's own privacy policy
  • Anthropic: AI processing for the Legal Assistant feature (Business & Enterprise plans) — governed by Anthropic's privacy policy
  • Vercel: hosting infrastructure provider

We require all third-party processors to maintain appropriate security measures and process data only on our instructions.

6. Data Retention

We retain account and company data for as long as your subscription is active plus 5 years thereafter, to comply with South African record-keeping obligations under the Basic Conditions of Employment Act.

Employee records are retained until deleted by you or for 3 years after your account closure, whichever is earlier. Audit logs are retained for 12 months.

You may request deletion of your data at any time (see Section 8).

7. Security

We implement industry-standard security measures including:

  • TLS encryption in transit for all data
  • Row-level security (RLS) in our database ensuring strict company data isolation
  • Role-based access controls within your company account
  • Regular security audits and dependency updates

No method of electronic storage or transmission is 100% secure. We will notify affected users and the Information Regulator of any data breach within 72 hours of becoming aware of it, as required by POPIA.

8. Your Rights Under POPIA

As a data subject or Responsible Party, you have the right to:

  • Access: request a copy of personal information we hold about you
  • Correction: request correction of inaccurate information
  • Deletion: request deletion of your personal information (subject to our legal retention obligations)
  • Objection: object to processing on grounds of legitimate interest
  • Complaint: lodge a complaint with the Information Regulator of South Africa

To exercise these rights, contact us at: privacy@hrshield.co.za. We will respond within 30 days.

9. Contact Us

For any privacy-related queries, please contact our Information Officer:

Kgusiame Group (Pty) Ltd

Trading as HRShield

Email: privacy@hrshield.co.za

Website: hrshield.co.za