POPIA & Data Protection
Last updated: July 12, 2026
POPIA & Data Protection
CleverCam (Pty) Ltd ("CleverCam", "we", "us", "our") builds software that South African security businesses rely on every day — AI camera monitoring, alarm and panic-event handling, armed-response dispatch, and the operations, staff and billing tools behind them. That work involves personal information, and protecting it is a core part of our job, not an afterthought.
This page explains, in plain language, how we comply with South Africa's Protection of Personal Information Act, 2013 ("POPIA"), where your data lives, who we share it with, and the rights you have. It sits alongside — and should be read with — our Privacy Policy and Terms of Service.
Note on honesty. We have deliberately written this page to describe what our platform actually does today, not an idealised version of it. Where we say data is protected, hosted or handled a certain way, we mean it. If you find anything here that does not match your experience, please tell our Information Officer.
1. Our role under POPIA: who is responsible for what
POPIA distinguishes between a Responsible Party (the organisation that decides why and how personal information is processed) and an Operator (an organisation that processes personal information on behalf of a Responsible Party). Getting this right matters, because most of the data on our platform is not ours — it belongs to our customers and their communities.
CleverCam as an Operator. For the data your security business puts into the platform — your end-customers and keyholders, camera images and event footage, alarm and panic events, vehicle and responder tracking, your officers' records, and your billing — your business is the Responsible Party and CleverCam is the Operator. We process that information on your instruction and to provide and improve the service. We do not sell it, and we do not use it for our own marketing. We do use camera images to train and improve our own detection AI — for that purpose only — which you can opt out of at any time (see section 8a).
CleverCam as a Responsible Party. For our own relationships — the account holders and administrators at your business who sign up and log in, visitors to this website, and our own sales and billing contacts — CleverCam is the Responsible Party.
The chain of trust. For camera and alarm data there is often a further data subject at the end of the chain — a homeowner, tenant or estate resident. In that chain, the resident is the data subject, your security business is the Responsible Party, and CleverCam is the Operator. We honour that layering in how we handle requests and access.
As an Operator, POPIA (sections 20–21) requires a written agreement between us and each customer covering confidentiality, security and breach notification. Business customers can read and request our Operator Agreement / Data Processing Addendum.
2. Who we are and how to reach us
Responsible Party / Operator: CleverCam (Pty) Ltd Registered address: Den Haag Street, Die Heuwel, eMalahleni (Witbank), Mpumalanga, 1035, South Africa Company registration number: 2024/280446/07 General contact: hello@clevercam.co.za
Information Officer POPIA requires every organisation to appoint an Information Officer, registered with the Information Regulator, who is accountable for our compliance.
- Information Officer: Louw Jacobus Pretorius (Chief Executive & Managing Director)
- Contact for privacy matters: legal@clevercam.co.za
- Response time: we aim to acknowledge privacy and data-subject requests within 7 business days and to resolve them within a reasonable period as required by POPIA.
3. The eight conditions we work to
POPIA sets out eight conditions for the lawful processing of personal information. In practice this means we commit to:
- Accountability — taking responsibility for meeting these conditions across our platform and our suppliers.
- Processing limitation — collecting only what we need, lawfully, and with a valid basis (your consent, a contract, a legal obligation, or a legitimate interest).
- Purpose specification — collecting information for the specific purpose of running your security operations, and telling you what that purpose is.
- Further processing limitation — not repurposing your data for something incompatible with why it was collected.
- Information quality — giving you the tools to keep records accurate and up to date.
- Openness — documenting our processing and being transparent about it (this page is part of that).
- Security safeguards — protecting personal information with appropriate technical and organisational measures (see section 7).
- Data-subject participation — letting people access, correct and delete their information (see section 10).
4. What personal information we process
Depending on how your business uses the platform, we may process:
- Account and identity data — names, email addresses, phone numbers, usernames and securely hashed passwords for the people who log in.
- Customer, contact and keyholder data — the contact details and site information your business captures for the properties it protects.
- Camera images and event footage — snapshots and clips generated when a camera or detector triggers an event.
- Alarm, panic and duress events — signals, timestamps and event metadata from panels, hubs and apps.
- Location and fleet data — vehicle tracking, responder location and unit assignments used for dispatch.
- Officer and staff records — profiles and, where your business records them, PSIRA registration, competency and firearm-competency details, and firearms-register entries.
- Billing and payment data — invoices, and the details needed to process card payments and debit orders (handled by our regulated payment partners — see section 6).
- Communications — the SMS, WhatsApp, email and call records generated when the platform notifies customers or responders.
- Website and device data — information collected when you visit this site or use our apps, such as IP address, device type and analytics.
5. Special personal information and children
Some of the information the platform can hold is treated by POPIA as special personal information (sections 26–27) or relates to children (sections 34–35), and carries stricter rules:
- Camera and surveillance footage of identifiable people, and any biometric processing.
- Firearms-register entries and officer competency / criminal-vetting-adjacent records, which can touch on criminal-behaviour information.
We handle this information only as an Operator, on the instruction of the security business that captures it, and only for the security and response purposes it was collected for. Because your business is the Responsible Party for this data, you are responsible for having a lawful basis to collect and process it (for example, appropriate notices and, where required, consent), and for meeting any prior-authorisation obligations under POPIA. We support you with the access controls and audit trails described below. We do not knowingly collect information from children directly through this website.
6. Where your data is hosted
We believe in being precise about this, because most providers are vague and it matters for cross-border rules.
| Data | Where it is stored |
|---|---|
| Camera images and event footage | South Africa — Amazon Web Services, Cape Town (af-south-1) region |
| Real-time alarm and panic-signal processing | South Africa — Amazon Web Services, Cape Town (af-south-1) region |
| Core application database (accounts, contacts, events metadata, staff and billing records) | European Union — Supabase on Amazon Web Services, Ireland (eu-west-1) region |
| Device updates, message queues and offline sync | European Union — Amazon Web Services, Ireland (eu-west-1) region |
| This marketing website | Served via Vercel's global content-delivery network; server-side rendering runs in Vercel's default region, the United States (Washington, D.C. — iad1) |
Your camera footage and live alarm traffic stay in South Africa. Our core operational database is currently hosted in the European Union (Ireland), which means some personal information is processed outside South Africa.
Cross-border transfers (POPIA section 72). POPIA permits this where the receiving environment offers protection substantially similar to POPIA. The EU's data-protection regime (the GDPR) is widely recognised as meeting that standard, our hosting providers are contractually bound to protect the data, and the transfer is necessary to provide the service you have contracted us for. Where we use suppliers outside South Africa (see below), the same principles apply.
6a. Sub-processors: who else touches the data
We use carefully selected service providers ("Operators" in POPIA terms, or "sub-processors") to deliver parts of the service. Each is bound by contract to protect personal information and to use it only to provide their service to us.
| Provider | What they help us do | Location |
|---|---|---|
| Supabase (on AWS) | Core database, authentication and file storage | EU (Ireland) |
| Amazon Web Services | Camera-image storage; alarm-signal processing; device updates | South Africa (Cape Town) & EU (Ireland) |
| SMSPortal | Sending SMS notifications | South Africa |
| PayFast | Card-payment processing | South Africa |
| Yoco | Card-payment processing | South Africa |
| Netcash | Debit-order collection | South Africa |
| Meta Platforms (WhatsApp Business) | WhatsApp notifications and replies | Outside South Africa |
| Resend | Transactional and account emails | Outside South Africa |
| Anthropic (Claude) | AI assistance — summarising events and understanding customer replies | Outside South Africa |
| Twilio / Vapi | Automated and AI voice calls for dispatch escalation | Outside South Africa |
| Google Maps Platform | Maps, geocoding and directions | Outside South Africa |
| Xero | Optional accounting sync, only if your business connects it | Outside South Africa |
We do not sell personal information to anyone. We do not use your operational or accounting records to train AI models. We do use camera images to train and improve our own detection AI — for that purpose only — as described in section 8a, which you can opt out of at any time.
7. How we secure your data
We apply appropriate, reasonable technical and organisational measures (POPIA section 19), including:
- Encryption in transit — all connections use TLS 1.2 or higher; our services are HTTPS-only.
- Encryption at rest — data stored in our database and object storage is encrypted at rest using AES-256, provided by our hosting infrastructure.
- Tenant isolation and access control — data is separated per control room, and access is enforced in both the application and the database, including row-level security policies on customer-facing data. Sensitive records (such as staff and firearms information) are restricted to authorised managers.
- Authentication — every user authenticates against a dedicated identity service using industry-standard, token-based sessions, scoped to their control room and role.
- Protected storage of sensitive documents — operational documents such as job cards and signed evidence are held in private storage and served through short-lived, signed links.
- Secrets kept server-side — credentials for sensitive integrations (such as debit-order and accounting connections) are never exposed to the browser or mobile app.
- Audit trails — key activity is recorded in append-only logs so actions can be reviewed.
- Backups — databases are backed up automatically on a regular schedule, and backups are encrypted.
No system can be guaranteed 100% secure, and we don't claim otherwise. We work continuously to identify risks and improve our safeguards.
8. Camera footage and event data
Because we are a camera and alarm platform, we treat this data with particular care:
- It belongs to your business (and its customers), not to us. We hold it as an Operator.
- Access requires an authenticated, authorised session in the platform — footage is not openly browsable.
- You can remove an image. On any event snapshot in the app you can remove the image, so that it is no longer visible to other app users or to our control room. Because a security image can itself be evidence, a removed image is not permanently erased — it is taken out of active use and kept in a restricted, access-controlled archive that only an authorised administrator can recover, on a lawful request (for example from the police or a court). A removed image is also excluded from model training, and every removal and recovery is audit-logged.
- Purpose-limited — images and clips are used to detect, verify and respond to security events and to support your operations. We also use images to train and improve our own detection AI (see section 8a). We do not use them for any other purpose, and we never sell them.
- Retention — event media is kept for the period needed for verification, response and dispute resolution, after which it is deleted in the ordinary course. Your business can request specific retention arrangements.
8a. Improving our detection AI (and how to opt out)
CleverCam is an alarm-style detection system: cameras are typically armed to watch a property's perimeter and outdoor areas while it is unoccupied, in order to detect intrusion — not to monitor people going about their day.
To make that detection more reliable, we use images processed on the platform to train and improve our own detection models. The purpose is narrow: to teach the models to tell genuine threats apart from harmless triggers — moving trees, pets, shadows, insects and weather — so we can reduce false alarms. We train the models to recognise what is in a scene (a person, an animal, a vehicle, vegetation), not who anyone is: we do not perform facial recognition, we do not build identity profiles, and we do not sell or share the images.
Opting out. If you would prefer your images not to be used to improve our models, you can opt out at any time by emailing legal@clevercam.co.za, and we will stop using your account's images to train our models.
Opting a single image in. In the app, the Improve AI control on an event snapshot lets you tell us you are happy for that image to help train our detection models, and moves it to the front of the review queue. You can also remove any image — which takes it out of view for other app users and our control room, and out of model training — as described under Camera footage and event data above.
Because you control where your cameras point and when the system is armed, you are responsible for using it for perimeter and unoccupied-area monitoring, and for informing anyone who may be captured. Where camera footage could identify a person, your business is the Responsible Party; our Operator Agreement / Data Processing Addendum records these terms, including the opt-out.
9. How long we keep information
We keep personal information only for as long as necessary for the purpose it was collected for, unless the law requires us to keep it longer (POPIA section 14):
- Operational and event data — for as long as your business is an active customer and the data is needed to run its operations.
- Financial records — retained for the periods required by South African tax and company law (generally around five years), even after an account closes.
- Camera and event media — retained for the shorter verification-and-response period described above.
When information is no longer needed and no law requires us to keep it, we delete or de-identify it.
10. Your rights
Subject to POPIA, you have the right to:
- Access the personal information we hold about you and know how it is processed;
- Correct or update information that is inaccurate or out of date;
- Delete or destroy information we are no longer entitled to keep;
- Object to processing, and to opt out of direct marketing at any time;
- Complain to us and to the Information Regulator.
How to exercise your rights. Because we are usually the Operator, the fastest route for an end-customer or resident is to contact the security business you deal with directly. You can also contact our Information Officer at legal@clevercam.co.za or hello@clevercam.co.za, and we will act on, or route, your request. We may need to verify your identity first. Formal access requests follow the process in our PAIA Manual (see section 11).
11. Access to information (PAIA)
Our PAIA Manual — required under the Promotion of Access to Information Act — describes the records we hold and how to request access to them. You can read it online, or request a copy from our Information Officer.
12. Direct marketing
We only send electronic marketing (email or SMS) where POPIA allows it — with your consent, or to our own existing customers about similar services. Every marketing message includes a way to opt out, and we honour opt-outs promptly. We do not use our customers' end-customer contact lists for our own marketing.
13. Data breaches
If we become aware of a security compromise affecting personal information:
- As your Operator, we will notify your business (the Responsible Party) as soon as reasonably possible so you can meet your notification duties, and we will support your response.
- Where we are the Responsible Party, we will notify the Information Regulator and affected data subjects as soon as reasonably possible after establishing the scope of the incident, as required by POPIA section 22, and tell you what happened, the likely impact, and what to do.
14. How CleverCam helps you meet your POPIA obligations
If you run a security business, you are a Responsible Party — and the platform is built to help you meet that duty:
- Tenant-scoped access and role-based permissions so your team only sees what it should.
- Manager-only controls over sensitive staff and firearms records.
- Audit trails that record who did what.
- Retention controls over operational and event data.
- Signed, access-controlled storage for evidence and documents.
- An Operator Agreement / Data Processing Addendum, so your paperwork is in order.
15. Complaints to the Information Regulator
If you are not satisfied with how we have handled your personal information, you may lodge a complaint with the Information Regulator (South Africa):
The Information Regulator (South Africa) JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 General enquiries: enquiries@inforegulator.org.za POPIA complaints: POPIAComplaints@inforegulator.org.za PAIA complaints: PAIAComplaints@inforegulator.org.za Telephone: 010 023 5200 Website: https://inforegulator.org.za Online complaints portal: https://eservices.inforegulator.org.za
We would always prefer the chance to put things right first, so please do contact our Information Officer before or alongside any complaint.
16. Changes to this page
We may update this page as our platform, our suppliers or the law change. The "last updated" date at the top reflects the most recent revision. For material changes we will take reasonable steps to let customers know.
