1. Our Commitment to POPIA
Prism AI Agency is committed to full compliance with the Protection of Personal Information Act, 4 of 2013 (POPIA), as administered by the Information Regulator of South Africa. This document outlines how we meet our obligations under POPIA and the rights you have as a data subject.
All AI automation systems we build for clients are designed with POPIA compliance as a foundational requirement, not an afterthought.
2. Conditions for Lawful Processing
We process personal information only in accordance with POPIA's eight conditions for lawful processing:
- Accountability: We accept responsibility for ensuring that personal information is processed in accordance with POPIA.
- Processing limitation: We collect personal information only for a specific, explicitly defined and lawful purpose related to our business activities.
- Purpose specification: We inform data subjects of the purpose for which their information is collected before or at the time of collection.
- Further processing limitation: Personal information is not processed in a manner incompatible with the purpose for which it was collected.
- Information quality: We take reasonable steps to ensure information is complete, accurate and not misleading.
- Openness: We maintain this documentation and notify data subjects of our processing activities.
- Security safeguards: We implement appropriate technical and organisational security measures to protect personal information.
- Data subject participation: We respect and facilitate the rights of data subjects to access, correct and delete their information.
3. Types of Personal Information Processed
In the course of operating our business, Prism AI Agency may process the following categories of personal information:
- Contact details (name, email address, phone number)
- Business information (company name, role, industry)
- Communication records (emails, enquiry messages)
- Financial information (invoicing and payment records)
- Technical data (website usage, browser information)
When building AI systems for clients, we may process client data solely on behalf of our clients as an operator under POPIA. In such cases, a data processing agreement is in place.
4. Purpose of Processing
Personal information is processed for the following purposes:
- Responding to business enquiries and providing our services
- Managing client relationships and project delivery
- Invoicing and financial record-keeping
- Marketing communications (with consent)
- Legal and regulatory compliance
5. Security Safeguards
We implement the following security measures to protect personal information:
- Encrypted Communications: All client communications and data transfers use industry-standard encryption protocols.
- Access Controls: Access to personal information is restricted to authorised personnel on a need-to-know basis.
- No Permanent AI Storage: Client data processed through AI tools is not permanently stored in third-party AI platforms.
- Regular Reviews: We conduct regular reviews of our data handling practices and update them as required.
6. Data Subject Rights
As a data subject under POPIA, you have the following rights:
- Right to access: You may request confirmation of whether we hold personal information about you and access to that information.
- Right to correction: You may request correction or deletion of inaccurate, irrelevant or excessive information.
- Right to object: You may object to the processing of personal information where the processing is based on legitimate interests.
- Right to complain: You have the right to lodge a complaint with the Information Regulator of South Africa.
To exercise any of these rights, submit a written request to info@prismaiagency.com. We will respond within 30 days as required by POPIA.
7. Data Retention
We retain personal information only for as long as necessary for the purpose it was collected or as required by law:
- Client project records: 5 years from project completion
- Financial and invoicing records: 7 years (as required by tax law)
- Marketing contact records: 3 years or until opt-out, whichever is earlier
- Website enquiry records: 2 years
8. Third-Party Operators
Where we engage third-party service providers who process personal information on our behalf (operators), we ensure they are contractually bound to process information only as instructed, implement appropriate security measures and comply with POPIA requirements.
9. Cross-Border Transfers
As we serve clients internationally and may use cloud-based services, personal information may be transferred outside South Africa. We ensure that any cross-border transfer complies with Section 72 of POPIA and that recipients provide an adequate level of protection.
10. Complaints
If you believe we have processed your personal information in violation of POPIA, you may:
- Contact us directly at info@prismaiagency.com
- Lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za
11. Updates to This Document
This POPIA Compliance document is reviewed and updated at least annually or whenever material changes occur to our processing activities. The current version supersedes all previous versions.
