POPIA Compliant

POPIA Compliance

Last updated: March 2026

What is POPIA?

The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's data privacy law, which came into full effect on 1 July 2021. POPIA requires organisations that collect, store, or process personal information of South African individuals to do so lawfully, transparently, and with appropriate security measures. As an invoicing platform that handles your clients' personal information, Rebill is committed to full POPIA compliance.

Our Role Under POPIA

Tora Technologies (Pty) Ltd acts as both a responsible party (when processing data about our own users) and as an operator (when processing your clients' data on your behalf). In both roles, we apply the eight conditions for lawful processing of personal information as set out in POPIA.

The Eight POPIA Conditions and How We Apply Them

1. Accountability

Tora Technologies (Pty) Ltd is the responsible party for personal information processed through Rebill. We have designated a person responsible for data privacy compliance.

2. Processing Limitation

We collect only the personal information necessary to provide the invoicing service. We do not process data for purposes beyond those disclosed in our Privacy Policy.

3. Purpose Specification

Personal information is collected for specific, explicitly defined purposes: providing the invoicing service, processing payments, and complying with legal obligations.

4. Further Processing Limitation

Personal information is not used for purposes incompatible with the original collection purpose. We do not sell your data or your clients' data to third parties.

5. Information Quality

We provide tools for you to keep your account and client information accurate and up to date. We rely on you to ensure the accuracy of information you enter.

6. Openness

We are transparent about our data processing practices through this policy and our Privacy Policy. We notify you of any material changes to how we process your data.

7. Security Safeguards

Data is encrypted in transit (TLS) and at rest. Access controls restrict who can access production data. We conduct regular security reviews and have an incident response plan.

8. Data Subject Participation

Users and their clients can request access to, correction of, or deletion of their personal information by contacting us at [email protected].

Data We Process

As an invoicing platform, Rebill processes the following categories of personal information:

  • Your personal and business information (name, email, business address, VAT number)
  • Your clients' contact details (name, email, phone, address) that you enter into the system
  • Invoice and financial transaction data
  • Payment information (processed by PCI-DSS compliant gateways)

Data Retention

Invoice and financial data is retained for 5 years as required by SARS for tax record-keeping purposes. This aligns with POPIA's requirement that data not be retained longer than necessary, balanced against statutory record-keeping obligations.

Your Rights as a Data Subject

Under POPIA, you have the right to:

  • Be notified that your personal information is being collected
  • Access the personal information we hold about you
  • Request correction or deletion of your information
  • Object to the processing of your information
  • Submit a complaint to the Information Regulator of South Africa

To exercise any of these rights, email [email protected]. We will respond within 30 days.

Information Regulator Contact

If you are not satisfied with how we handle your personal information, you may contact the Information Regulator of South Africa:

Information Regulator (South Africa)
Website: inforegulator.org.za
Email: [email protected]

Contact Us

For POPIA-related queries: [email protected]
Tora Technologies (Pty) Ltd, Cape Town, South Africa.