POPIA Compliance
Last updated: January 2026
POPIA Compliant: Rebill is fully compliant with South Africa's Protection of Personal Information Act (POPIA), which came into effect on 1 July 2021.
1. About POPIA
The Protection of Personal Information Act (POPIA) is South Africa's comprehensive data protection law that regulates how personal information is processed. Similar to the GDPR in Europe, POPIA gives individuals significant rights over their personal information and places strict obligations on organizations that collect, store, or process personal data.
POPIA applies to any organization operating in South Africa that processes personal information — including invoicing software like Rebill. As a business that handles your data and your clients' information, we take POPIA compliance seriously. It's not just a legal requirement; it's the right way to treat your information.
For you as a Rebill user, POPIA also matters because when you enter your clients' information into Rebill, you're acting as a "responsible party" under POPIA. Using a POPIA-compliant invoicing system helps you meet your own compliance obligations.
2. Our Commitment to POPIA
Rebill is committed to full compliance with POPIA — not just the letter of the law, but its spirit. We've built privacy and data protection into our product from the ground up, following the principle of "privacy by design."
What this means in practice:
- We've implemented comprehensive policies governing how we handle personal information
- We've built technical safeguards including encryption, access controls, and secure infrastructure
- We've appointed a Data Protection Officer responsible for POPIA compliance
- We conduct regular compliance audits to ensure we're meeting our obligations
- We train our team on data protection best practices
- We have procedures in place to respond quickly if issues arise
3. POPIA Principles We Follow
Accountability
- We take responsibility for personal information in our possession
- We have appointed a Data Protection Officer (DPO)
- We maintain records of all processing activities
- We conduct regular compliance audits
Processing Limitation
- We only process personal information for specific, legitimate purposes
- Processing is lawful, reasonable, and related to our business function
- We obtain consent where required
- We don't process more information than necessary
Purpose Specification
- We clearly specify why we collect personal information
- We inform you of the purpose at the time of collection
- We don't use information for purposes other than specified
- We obtain additional consent for new purposes
Further Processing Limitation
- We don't process information for secondary purposes without consent
- Any further processing is compatible with the original purpose
- We assess compatibility before any new processing
Information Quality
- We ensure personal information is complete and accurate
- We provide mechanisms for you to update your information
- We regularly review and update information where necessary
- We don't use inaccurate or incomplete information for decisions
Openness
- We are transparent about our information processing practices
- Our Privacy Policy is easily accessible
- We provide clear information about data collection
- We respond promptly to information requests
Security Safeguards
- We implement appropriate technical and organizational measures
- We protect against unauthorized access, modification, or disclosure
- We use encryption for data transmission and storage
- We conduct regular security assessments
Data Subject Participation
- We respect your rights as a data subject
- We provide mechanisms to exercise your rights
- We respond to requests within prescribed timeframes
- We don't charge unreasonable fees for access requests
4. Your Rights Under POPIA
POPIA gives you, as a data subject, significant control over your personal information. These aren't just theoretical rights — we've built features and processes into Rebill to help you exercise them easily. Here's what you can do:
Right to Access
You have the right to know what personal information we hold about you and how we're using it:
- Request confirmation of whether we process your personal information
- Access your personal information in our possession — much of this is visible directly in your Rebill dashboard
- Receive information about our processing activities (this page and our Privacy Policy provide this)
- Get details about third parties who have access to your information (see our Privacy Policy)
- Request a copy of your data in a portable format
Right to Correction
- Request correction of inaccurate personal information
- Request completion of incomplete personal information
- Request deletion of information that is no longer needed
Right to Object
- Object to processing for direct marketing purposes
- Object to processing that may cause harm or distress
- Object to automated decision-making
Right to Withdraw Consent
- Withdraw consent for processing at any time
- Withdrawal doesn't affect the lawfulness of prior processing
- We'll inform you of the consequences of withdrawal
5. Lawful Basis for Processing
We process your personal information based on the following lawful grounds:
- Consent: You have given clear consent for processing
- Contract: Processing is necessary for contract performance
- Legal Obligation: Required by South African law
- Legitimate Interest: For our legitimate business interests
- Vital Interest: To protect someone's life or health
6. Data Transfers
When transferring personal information outside South Africa:
- We ensure an adequate level of protection
- We use appropriate safeguards (contracts, certifications)
- We obtain Information Regulator approval where required
- We inform you of international transfers
7. Data Breach Response
In case of a data breach:
- We'll notify the Information Regulator within 72 hours
- We'll inform affected individuals without delay
- We'll provide details about the breach and mitigation steps
- We'll implement measures to prevent future breaches
8. Children's Information
For children's personal information:
- We don't knowingly process information of children under 18
- We require parental consent for children's information
- We take extra care with children's information
- Parents can request access to their child's information
9. Automated Decision-Making
Regarding automated processing:
- We inform you of any automated decision-making
- You have the right to request human intervention
- You can express your point of view
- You can contest automated decisions
10. Data Protection Officer
Our Data Protection Officer (DPO) is responsible for:
- Monitoring POPIA compliance
- Conducting privacy impact assessments
- Training staff on data protection
- Handling data subject requests
- Liaising with the Information Regulator
Contact our DPO: dpo@rebill.co.za
11. Exercising Your Rights
We've made it easy to exercise your POPIA rights. You don't need to be a legal expert or fill out complicated forms — just get in touch and tell us what you need.
To exercise your POPIA rights:
- Email us at privacy@rebill.co.za with your request
- Let us know which right you want to exercise (access, correction, deletion, etc.)
- Provide sufficient information for us to verify your identity (usually your account email is enough)
- We'll acknowledge your request within 7 days
- We'll respond fully within 30 days (or inform you if we need more time and why)
- We provide this service free of charge for reasonable requests
Many rights can also be exercised directly through your Rebill account settings — you can update your information, export your data, or close your account at any time without needing to contact us.
11a. Your POPIA Obligations as a Rebill User
When you use Rebill to store your clients' personal information (names, email addresses, contact details), you become a "responsible party" under POPIA for that information. This means you have your own compliance obligations. Here's what you should know:
- Lawful basis: Ensure you have a lawful reason to store your clients' information (usually contract or legitimate interest)
- Purpose limitation: Only use client information for legitimate business purposes (invoicing, quotes, payment collection)
- Data minimization: Only collect and store information you actually need
- Client requests: If your clients ask to see or delete their information, you must comply
- Security: By using Rebill, you're using a service with strong security — but also protect your login credentials
Using a POPIA-compliant invoicing system like Rebill helps you meet your obligations, but doesn't transfer them to us. If you have questions about your POPIA obligations as a business owner, consider consulting with a legal professional who specializes in data protection.
12. Complaints
If you're not satisfied with how we handle your personal information:
- Contact our DPO first: dpo@rebill.co.za
- We'll investigate and respond within a reasonable time
- If unresolved, you can lodge a complaint with the Information Regulator
- Information Regulator website: inforeg.org.za
13. Regular Reviews
We regularly review our POPIA compliance:
- Annual compliance audits
- Regular policy updates
- Staff training and awareness programs
- Monitoring of regulatory changes
14. Contact Information
For POPIA-related queries:
- Privacy Officer: privacy@rebill.co.za
- Data Protection Officer: dpo@rebill.co.za
- General Inquiries: hello@rebill.co.za
- Address: Cape Town, South Africa
Questions About POPIA?
We're committed to transparency about our POPIA compliance. If you have questions about how we protect your personal information, contact our Data Protection Officer.