Privacy Policy

All capitalised terms herein or in any Schedule or attachment will have the meanings ascribed to such terms in this clause 1 or as otherwise defined in this Agreement.
1.1 Affiliate” means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with a Party.
1.2 Agreement” means this Data Processing and Privacy Policy Agreement.
1.3 Data Subject” means an individual or juristic entity which is the subject of Personal Data that may be Processed under this Agreement.
1.4 Intellectual Property Rights” means:
1.4.1 all intellectual property rights wherever in the world, whether registrable or unregistrable, registered or unregistered, including any application or right of application for such rights and these “intellectual property rights” include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trademarks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models and rights in designs;
1.4.2 applications for registration, and the right to apply for registration, for any of these rights. and;
1.4.3 all other intellectual property rights and equivalent or similar forms of protection existing anywhere in the world.
1.5 PaySpace Application” means the computer software and related documentation comprising the private labelled payroll processing service marketed by Operator as PaySpace, including but not limited to any modifications or additions provided by Operator during the term of this Agreement and made available by Operator at
1.6 Personnel” means any person employed or contracted by the Parties or their approved sub-contractors relating to the provision of the Services.
1.7 Operator” means a person who processes personal information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that Responsible Party.  With regards to this agreement, Operator will be:

Where the Local Country of Residence  is South Africa:



Insight IT Solutions Pty Ltd

1st Floor, Block 1

299 Pendoring Street




South Africa


Where the Local Country of Residence is anywhere outside South Africa:



PaySpace Global Ltd


Unity Building

The Precinct

M2 Junction

B11 Fond du Sac Road

Grand Baie, Mauritius

1.8 Personal Information” means all information relating to an identifiable, living natural person, including that which Operator (or any of its Affiliates or Personnel) processes in connection with its relationship with Responsible Party (including employees of Responsible Party Affiliates and of its sub-contractors) but excluding information that Operator processes as the Responsible Party.
1.9 Process or Processing” means the collection, use, disclosure, transfer, storage, deletion, combination, regulatory submission to Government Authorities or other use of Personal Information.
1.10 Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
1.11 Previous Agreement/s” means any agreement/s previously concluded between the Parties or Responsible Party’s acceptance of Operator’s Terms and Conditions of Use at
1.12 POPI” means the minimum standard as gazetted by the Republic of South Africa and set out in the Protection of Personal Information Act 4 of 2013 of (as amended).
1.13 Services” mean Operator’s services and Deliverables, as described in Previous Agreements or Operator’s Terms and Conditions of Use.
1.14 Sub-Processor” means a third-party contractor to whom the Processing of Personal Data is subcontracted or outsourced by the Operator in accordance with the any agreements between the Parties.
1.15 Supervisory Authority” means the Information Regulator as established in RSA, pursuant to the POPI Act.
1.16 Territory” means any country where the Operator processes information on behalf of the Responsible Party.
1.17 User or Users” means any Responsible Person and / or its Personnel and / or organisation and / or individual that utilises Operator’s Services.
2.1 Registration. To create an account on the PaySpace Application, User’s must provide Operator with at least its email address and a password and agree to Operator’s Terms and Conditions of Use and this Agreement, which governs how Operator treats User’s information. User will provide additional information during the registration flow (for example, User’s company addresses and contacts, pay structures, journal codes, employee biographical information and salary information) to help User build User’s company and employee profiles and to provide User with Services. User understands that, by creating an account, Operator a will be able to identify User by User’s profile on the PaySpace Application. Operator may also ask for User’s credit card or bank details to retrieve applicable service fees.
2.2 Customer Service. When a User contacts Operator’s customer support services telephonically or through Operator’s online Help Center, Operator will have to access Users’ profile, company information, employee information and other contributions to Operator’s Services and collect the information Operator needs to categorize a User’s question, respond to it, and, if applicable, investigate any breach of Operator’s Terms and Conditions of Use and or this agreement. Operator also use this information to track potential problems and trends and customize Operator’s support responses to better serve Users. Operator does not use this information for advertising.
2.3 Cookies. Operator uses cookies to store a session identifier in order to correctly serve a User its data as well as improve a User’s experience, increase security, measure use and effectiveness of Operator’s Services. A User can control cookies through browser settings and other tools. By visiting Operator’s Services, a User consents to the placement of cookies in User’s browser in accordance with this agreement.
2.4 Information About Users Computer and Mobile Device. When Users visit or leave Operator’s Services (whether as a Member or Visitor) by clicking a hyperlink Operator automatically receives the URL of the site from which a User came or the one to which a User is directed. Also, advertisers receive the URL of the page that a User is on when a User clicks an ad on or through Operator’s Services. Operator also receives the internet protocol (“IP”) address of a User’s computer or the proxy server that a User uses to access the web, a User’s computer operating system details, a User’s type of web browser, a User’s mobile device (including a User’s mobile device identifier provided by User’s mobile device operating system), User’s mobile operating system (if a User is accessing the PaySpace Application using a mobile device), and the name of User’s ISP or User’s mobile carrier. Operator may also receive location data passed to Operator from third-party services or GPS-enabled devices that User have set up, which Operator use to show User’s relevant information.
2.5 PaySpace Communications. Operator communicates with Users through email, notices posted on Operator’s websites or apps and other means available through the Services, including mobile text messages and push notifications. Examples of these communications include:
2.5.1 welcome and engagement communications – informing Users about how to best use Operator’s Services, new features and updates about legislation;
2.5.2 service communications – these will cover service availability, security, and other issues about the functioning of Operator’s Services. and;
2.5.3 promotional communications – these include email and may contain promotional information directly or on behalf of Operator’s partners. These messages will be sent to Users based on User’s profile information and messaging preferences. User’s may change User’s email and contact preferences at any time by signing into User’s account and opting out of receiving emails.
2.5.4 Users cannot opt out of receiving service messages from Operator. User agrees that Operator may provide notices to Users in the following ways: a banner notice on the Service. or;  an email sent to an address User provided. or; through other means including mobile number, telephone, or mail. User agrees to keep User’s contact information up to date.
2.6 Testimonials and Advertisements. If User provides any testimonials about Operator’s goods or services or place advertisements, Operator may post those testimonials and examples of advertisements User placed in connection with Operator’s promotion of these services to third parties. Testimonials and advertisements may include User’s name and other personal information that User has provided.
2.7 External Links. The PaySpace Application is an information portal, it contains links to other Web sites. These sites however do not fall under any control of Operator and therefore Operator cannot be held responsible for the privacy practices or the contents of such other web sites.
2.8 Rights to Access, Correct, or Delete User Information, and Closing User Account. User can change User’s information on the PaySpace Application at any time by editing User’s profile, deleting information that User has posted, or by giving Operator notice of termination. User has a right to:
2.8.1 access, modify, correct, or delete User’s personal information controlled by Operator regarding User’s profile;
2.8.2 change User’s information. and;
2.8.3 close User’s account.
3.1 Responsible Party hereby grants to Operator a non-exclusive licence to copy, reproduce, store, distribute, publish, export, adapt, edit and translate the Personal Information to the extent reasonably required for the performance of Operator’s obligations and the exercise of Operator’s rights under this Agreement.
3.2 Responsible Party also grants to Operator the right to:
3.2.1 sub-license these rights to its hosting, connectivity and telecommunications organisations, subject to any express restrictions elsewhere in this Agreement;
3.2.2 Electronically submit to revenue authorities the necessary monthly, quarterly and annual returns as my be required under the applicable law.
3.3 Responsible Party warrants to Operator that the Personal Information when used by Operator in accordance with this Agreement will not infringe the Intellectual Property Rights or other legal rights of any person.
3.4 Responsible Party hereby confirms that as the Responsible Party they have an appropriate lawful basis to process personal information including transferring same to Operator for purposes of Processing the payroll and other legislative related services on behalf of Responsible Party.
3.5 Operator will comply with POPI and the Data Protection Standards of ISO 27001 in countries without data privacy legislation. If the law related to data protection in the territory conflicts and/or is more onerous than these provisions, Responsible Party shall in writing advise of such conflict and the Service Provider shall revert on the feasibility, if any, to comply with the Data Protection Legislation.
3.6 Without prejudice to the obligations set out in this clause 3, the Parties acknowledge and agree that each Party will remain solely responsible for complying with their respective obligations under POPI with regards to privacy and protection of personal information laws governing Responsible Party’s data in the Territory.
4.1 It is recorded that Service Provider has an ISO/IEC 27001:2013 certification and as such Operator has implemented appropriate safeguards against the unauthorized access to, and destruction, loss, or alteration of, Responsible Party’s Confidential Information and Personal Information which at any time is in Operator’s possession or to which Operator may have access.
4.2 Operator warrants to Responsible Party that it shall maintain such safeguards for so long as it has any of Responsible Party’s Confidential Information in its possession or has access to such information.
5.1 Operator shall procure that each of its Sub-processors and/or Affiliates contractually agree in writing that they will:
5.1.1 comply with this clause 5 and POPI;
5.1.2 not access, use or process Responsible Party’s data and/or personal information except to the extent reasonably necessary in performance of its obligations under this Agreement;
5.1.3 not perform any act that puts Responsible Party at risk of Responsible Party’s data and/or personal information being disclosed;
5.1.4 implement appropriate technical and organisational security measures to preserve the integrity of Responsible Party’s data and/or Personal Information. and;
5.1.5 prevent any unauthorised or unlawful access, accidental or unauthorised destruction, corruption, loss, alteration or disclosure or other prohibited processing of Responsible Party’s data and/or Personal Information.
6.1 Operator shall only allow Responsible Party and its auditors, regulators and other advisers to audit the relevant records of Operator pertaining to this Agreement, and for that reason to have reasonable access to any of Operator’s premises, personnel and relevant records as may be.
6.2 Responsible Party shall provide at least 30 (thirty) Business Days’ notice of its intention to conduct an audit.
6.3 Responsible Party shall use its reasonable endeavours to procure that an audit is completed within 5 (five) Business Days from the date that such audit starts.
6.4 Responsible Party shall bear all Responsible Party and Operator’s costs and expenses incurred in respect of compliance with any audits under this Agreement.
6.5 In the event that the audit identifies substantive findings relating to misrepresentation or a material default (the default must go to the root of this Agreement) by Operator then Operator shall reimburse Responsible Party for all its reasonable costs incurred in the course of, and for, that audit.
6.6 If an audit identifies that Operator has failed to comply with any of its obligations under this Agreement, then, without prejudice to the other rights and remedies of Responsible Party, Operator shall take the necessary steps to comply with its obligations at no additional cost to Responsible Party and Operator will reimburse Responsible Party for its reasonable costs incurred in the audit.
7.1 Operator will notify the Responsible Party, within a reasonable timeframe, after becoming aware of any Personal Information Breach and provide reasonable information in its possession to assist the Responsible Party to meet the Responsible Party‘s obligations to report a Personal Information Breach as required under POPI.
7.2 Operator may provide such information in phases as it becomes available. Such notification shall not be interpreted or construed as an admission of fault or liability by Operator.
8.1 Subject to clause 8.2 below, legal jurisdictions will dictate how long Responsible Party’s data is retained within the Territory (each respective country), if there is no standard, a default period of 5 (five) years will be used to determine whether data should be destroyed.
8.2 On notice of termination of Responsible Party account, Responsible Party will have 30 days to download or export the data using one of many mechanisms such as reports, web services and business intelligence tools. After that 30-day period, Operator will have no obligation to maintain or provide Responsible Party the data and will thereafter delete or destroy all copies of Responsible Party’s data in Operator’s systems or otherwiseinOperator’spossessionorcontrol,unlesslegallyprohibited.

If the Operator or Sub-Processor receives any demand for disclosure of Personal Data by law, the Operator or Sub-Processor will promptly notify the Responsible Party, in writing, of the Legal Request (unless legally prohibited from doing so).



10.1 It is specifically recorded that:
10.1.1  the Operator will perform replication of personal information to a data center in Europe for the purposes of implementing adequate disaster recovery processes and other legitimate processing activities;
10.1.2 Section 72 of POPI allows the transfer of personal information to a Sub-processor in a foreign country in circumstances where amongst others: the Sub-processor is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of protection that are substantially similar to POPI and effectively uphold the principles as set out in POPI. or; data subject consents to the transfer. or; the transfer is necessary for the performance of a contract between the data subject and the Responsible Party or for the performance of a contract concluded in the interest of the data subject between the Responsible Party and a third party. or; the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject to the transfer.
10.2 The data center to be used by the Operator in the United Kingdom will be subject to adequate laws that are substantially similar to POPI and effectively uphold the principles of lawful processing as set out in POPI. Accordingly, the Operator would comply with section 72 of POPI on the basis that the third-party recipient of the information (namely the data centre in the United Kingdom is subject to a law which provides an adequate protection level of protection. It will thus not be necessary for the Operator and/or the Responsible Party to obtain the consent of the data subject to transfer the personal information to the data center.
10.3 Having regard to the above, the parties agree that Operator has taken steps to ensure compliance with its obligations as set out in POPI.
11.1 In the event that there is conflict between any Previous Agreement/s and this Agreement, the conditions of this agreement will apply.
12.1 This Agreement will commence on the effective date and will continue until the termination in accordance with any Previous Agreement/s or specifications as per Operator’s Terms and Conditions of Use.
13.1 The Operator and the Responsible Party as applicable, shall cooperate, on request, with the Supervisory Authority in the performance of its tasks.
14.1 Service Provider contact for any issues in relation to this Agreement:
14.1.1 Risk Officer – Alwyn Stoman.
14.2 Any questions or comments about this Agreement can be directed to Operator by contacting Operator on +27 87 210 3000, through Operator’s online support center or by email.