POPIA Compliance Statement
HomeOps by AMAI Automation
Protection of Personal Information Act 4 of 2013
Effective Date: 1 June 2025
Last Updated: 1 June 2025
1. Our Commitment
AMAI Automation, as the operator of HomeOps, is committed to full compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) of the Republic of South Africa.
We recognise that the right to privacy is a fundamental right protected by Section 14 of the Constitution of the Republic of South Africa, 1996. POPIA gives effect to this right by regulating how personal information is processed.
This statement explains how HomeOps processes personal information in accordance with POPIA's eight conditions for lawful processing.
2. Who We Are
Responsible Party (as defined by POPIA): AMAI Automation
Website: homeops.co.za
Email: support@homeops.co.za
Country: Republic of South Africa

Information Officer: AMAI Automation
Email: support@homeops.co.za
The Information Officer is responsible for ensuring compliance with POPIA within AMAI Automation and for handling all data subject requests.
3. What Personal Information We Process
HomeOps processes the following categories of personal information:
3.1 General Personal Information
- Full names of household members (parents, children, staff)
- Email addresses
- Password hashes (not stored in plain text)
- 4-digit kiosk PIN hashes (not stored in plain text)
- Household name and timezone
- User avatars (illustrated images only — no photographs)
- Device and browser information
- IP addresses
3.2 Special Personal Information
HomeOps may process the following special personal information as defined by POPIA Section 26:
- Financial information — salary details and tax deductions in payslips
- Health-related information — sick leave records may indirectly reference health conditions
During the current onboarding flow, the household administrator accepts the Terms and Conditions and Privacy Policy in onboarding step 1 before account creation. Where payroll or health-related information is later entered for household staff, it is processed only to the extent necessary to provide the household management service, with access limited to the household administrator and authorised users.
3.3 Children's Personal Information
HomeOps allows creation of child profiles for household members under 18. Child profiles are created and managed by the responsible parent or guardian. We do not knowingly collect personal information from children without appropriate parental consent.
4. The Eight Conditions for Lawful Processing
Condition 1 — Accountability
AMAI Automation is the Responsible Party for all personal information processed through HomeOps. We take full responsibility for ensuring processing complies with POPIA and have appointed a designated Information Officer.
Condition 2 — Processing Limitation
We process personal information only:
- For the specific, explicitly defined purposes described in our Privacy Policy
- To the minimum extent necessary (data minimisation)
- With the knowledge and consent of the data subject, or where another lawful basis applies
We do not process personal information for undisclosed purposes or share it with unauthorised third parties.
Condition 3 — Purpose Specification
Personal information collected by HomeOps is collected for the following clearly specified purposes:
| Information | Purpose |
|-------------|---------|
| Name and email | Account creation, authentication, communications |
| Password/PIN hash | Secure authentication |
| Household and family data | Delivery of household management services |
| Staff data and HR records | Employment administration within the household |
| Payslip and salary data | Generating payslip records for household staff |
| Calendar and task data | Household scheduling and task management |
| Academic assessment data | Tracking children's school results |
| Usage and error data | Platform improvement and error resolution |
We will not process your information for any purpose incompatible with these stated purposes without your consent.
Condition 4 — Further Processing Limitation
Personal information collected for one purpose will not be processed further in a manner incompatible with that purpose. We do not:
- Sell your personal information to third parties
- Use your data for advertising or marketing of third-party products
- Share your data beyond what is necessary to provide the service
Condition 5 — Information Quality
We take reasonable steps to ensure that personal information we process is:
- Accurate and up to date (you can update your profile information at any time)
- Complete for the purpose for which it is processed
- Not misleading
You are responsible for ensuring the accuracy of information you enter into HomeOps. You may update your personal information at any time via the My Profile page or Settings.
Condition 6 — Openness and Transparency
We are transparent about our data processing practices through:
- This POPIA Compliance Statement
- Our Privacy Policy
- Our Terms and Conditions
- Our cookie consent banner
- This document being publicly accessible on our Platform
We will notify you of any material changes to how we process your personal information.
Condition 7 — Security Safeguards
We implement appropriate technical and organisational measures to protect personal information against:
- Unauthorised access, disclosure, or use
- Loss, damage, or destruction
- Unlawful processing
Technical safeguards in place:
| Safeguard | Implementation |
|-----------|---------------|
| Encryption in transit | HTTPS / TLS enforced across all Platform surfaces |
| Password security | bcrypt hashing via Supabase Auth |
| PIN security | 4-digit PINs must use a password/PIN KDF such as bcrypt, Argon2, scrypt, or PBKDF2-HMAC-SHA256 with a high iteration count and per-PIN salt; the implementation must be updated accordingly. |
| Database access control | Row Level Security (RLS) on all tables |
| Authentication | Supabase Auth with secure session cookies |
| Secret management | Service role keys server-side only, never exposed to clients |
| Backups | Regular automated database backups |
| Error monitoring | Sentry for detecting security-related errors |
Organisational safeguards:
- Access to production systems is restricted to authorised personnel only
- Third-party service providers are contractually bound to protect personal information
- We review security practices regularly
Data breach notification: In the event of a data breach that poses a risk to data subjects, we will:
- Notify the Information Regulator as soon as reasonably possible
- Notify affected data subjects if the breach is likely to cause harm
- Take immediate steps to contain and remediate the breach
Condition 8 — Data Subject Participation
You have the following rights under POPIA, which we are committed to honouring:
Right of access (Section 23)
You have the right to request confirmation of whether we hold your personal information and to request a copy of that information.
Right to correction (Section 24)
You have the right to request correction, deletion, or destruction of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
Right to object (Section 11(3))
You have the right to object to the processing of your personal information for legitimate interest purposes.
Right to complain (Section 74)
You have the right to lodge a complaint with the Information Regulator of South Africa.
5. Lawful Basis for Processing
We rely on the following lawful bases for processing personal information under POPIA Section 11:
| Processing Activity | Lawful Basis |
|--------------------|-------------|
| Account creation and management | Contractual necessity |
| Delivering household management features | Contractual necessity |
| Generating payslips and HR records | Contractual necessity |
| Sending transactional emails | Contractual necessity |
| Platform analytics and improvement | Legitimate interest / Consent |
| Error monitoring and security | Legitimate interest |
| Legal compliance | Legal obligation |
6. Third-Party Operators
HomeOps uses the following third-party operators who process personal information on our behalf. All are bound by data processing agreements:
| Operator | Role | Data Processed |
|----------|------|---------------|
| Supabase Inc. | Database, auth, storage | All user and household data |
| Stripe Inc. | Payment processing | Billing and payment data |
| Vercel Inc. | Hosting | Request logs, server data |
| Google LLC | Analytics (with consent) | Usage and behaviour data |
| Microsoft Corporation | Session recording (with consent) | Usage and behaviour data |
| Functional Software (Sentry) | Error monitoring | Error and crash data |
7. Trans-Border Information Flows
Some of our service providers are located outside South Africa. Under POPIA Section 72, we transfer personal information internationally only when:
- The recipient country has adequate data protection laws, OR
- The recipient has agreed to be bound by data protection provisions that provide adequate protection, OR
- The data subject has consented to the transfer
All international transfers are governed by contractual agreements that ensure appropriate protection.
8. Retention and Deletion
| Data Category | Retention Period |
|--------------|-----------------|
| Active account data | Retained while account is active |
| Data after cancellation | 12 months, then deleted |
| Payslips and HR records | 5 years (employment law compliance) |
| Server and error logs | 90 days |
| Archived household data | 12 months after archiving |
You may request deletion of your data at any time by emailing support@homeops.co.za. We will action deletion requests within 30 days, subject to any legal retention obligations.
9. Submitting a Data Subject Request
To exercise any of your POPIA rights, please contact our Information Officer:
Email: support@homeops.co.za
Subject line: POPIA Data Subject Request
Please include:
- Your full name and email address registered with HomeOps
- The nature of your request (access, correction, deletion, objection)
- Any relevant details to help us locate your information
We will acknowledge your request within 3 business days and respond within 30 days as required by POPIA.
10. Complaints
If you believe we have not complied with POPIA in our handling of your personal information, you may:
- Contact our Information Officer at support@homeops.co.za
- Lodge a complaint with the Information Regulator of South Africa
Information Regulator of South Africa
Website: www.inforegulator.org.za
Email: inforeg@justice.gov.za
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
11. Updates to This Statement
We review this POPIA Compliance Statement regularly and will update it to reflect changes in our practices or applicable law. Material changes will be communicated to you via email or a prominent notice on the Platform.
This POPIA Compliance Statement was last updated on 1 June 2025.