POPIA Compliance
Statement

EchelonPulse ("EchelonPulse", "we", "us", "our") is the Responsible Party in terms of POPIA. We are a sole proprietorship operated by Byron Stone Moss, based in the Republic of South Africa, operating the website echelonpulse.co.za and providing web hosting, performance optimisation, and digital services.

We collect personal information only where necessary to provide our services or comply with legal obligations. The categories of information we may collect include:

• Identity information: Full name, company name, job title
• Contact information: Email address, telephone number, physical or postal address
• Technical information: IP address, browser type, operating system, website URL submitted for audit
• Financial information: Billing address, payment reference numbers (we do not store card numbers — payments are processed by PayFast)
• Usage information: Pages visited, time on site, interaction data collected via analytics
• Communications: Content of emails, support tickets, or enquiry forms submitted to us

We do not collect special personal information (as defined in POPIA Section 26) and do not process information about children under 18 years of age without appropriate parental consent.

We process your personal information on the following lawful bases under POPIA:

• Contract performance: Providing hosting services, running site audits, billing and account management
• Legitimate interest: Improving our services, fraud prevention, security monitoring
• Consent: Marketing communications, newsletter subscriptions (you may withdraw consent at any time)
• Legal obligation: Compliance with South African law, including POPIA, the Electronic Communications Act, and tax legislation

We will never sell, rent, or trade your personal information to third parties for their marketing purposes.

We share personal information only with trusted operators acting under our instruction and subject to written data processing agreements:

• PayFast (Pty) Ltd: For payment processing — subject to their own POPIA-compliant privacy policy
• Google LLC: Analytics (GA4) — configured to anonymise IP addresses; governed by standard contractual clauses
• Email service providers: For transactional and marketing emails, under data processing agreements
• Legal authorities: Where required by South African law, court order, or to protect the rights of EchelonPulse or others

We retain personal information only for as long as necessary for the purposes for which it was collected, or as required by law:

• Active client data: Duration of the service agreement + 5 years (for tax and legal compliance)
• Audit enquiries (no contract): 12 months from the date of submission
• Marketing consent records: Until consent is withdrawn + 3 years
• Server access logs: 90 days for security monitoring purposes
• Financial records: 5 years from date of transaction (SARS requirement)

Upon expiry of the retention period, personal information is securely deleted or anonymised.

We implement appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised access, disclosure, or destruction. These include:

• SSL/TLS encryption on all data transmission
• Encrypted storage of sensitive data at rest
• Access controls and role-based permissions for all staff
• Regular security audits and vulnerability scanning
• Automated malware scanning on all managed infrastructure
• Physical security controls at JNB-01 data centre
• Staff training on data protection obligations

As a data subject under POPIA, you have the following rights, which you may exercise at any time by contacting our Information Officer:

• Right to access: Request confirmation of whether we hold your personal information and receive a copy
• Right to correction: Request correction of inaccurate, incomplete, or outdated personal information
• Right to deletion: Request deletion of personal information where no longer necessary or where consent has been withdrawn
• Right to object: Object to the processing of your personal information for direct marketing purposes
• Right to withdraw consent: Withdraw marketing consent at any time without affecting the lawfulness of prior processing
• Right to complain: Lodge a complaint with the Information Regulator of South Africa

We use cookies and similar tracking technologies on our website. You will be presented with a POPIA-compliant cookie consent banner upon your first visit. You may accept, decline, or customise cookie categories:

• Strictly necessary cookies: Required for the website to function. Cannot be disabled.
• Analytics cookies: Google Analytics 4 (IP anonymised). Require consent.
• Marketing cookies: Used for retargeting campaigns. Require consent.
• Preference cookies: Remember your settings and preferences. Require consent.

You may withdraw or modify your cookie consent at any time by clicking the "Cookie Settings" link in the footer.

EchelonPulse's primary infrastructure is located in Johannesburg, South Africa. All client website data is hosted on South African servers and does not leave South African jurisdiction unless explicitly requested by the client.

Where third-party services process data outside South Africa, we ensure compliance with POPIA Section 72 through standard contractual clauses or confirmation that the recipient country provides adequate protection equivalent to POPIA.

In the event of a security breach that involves personal information and poses a risk of harm to data subjects, EchelonPulse will:

• Notify the Information Regulator of South Africa within 72 hours of becoming aware of the breach
• Notify affected data subjects as soon as reasonably possible
• Provide details of the nature of the breach, the information affected, and remedial steps taken
• Maintain a breach register as required by POPIA

To report a suspected security breach or incident, contact: security@echelonpulse.co.za

EchelonPulse has designated an Information Officer as required by POPIA Section 55. The Information Officer is responsible for overseeing compliance with POPIA and handling data subject requests.

We review and update this POPIA Statement at least annually, or whenever there are material changes to how we process personal information, changes in South African law, or significant changes to our business operations.

The "Last Updated" date at the top of this document reflects the date of the most recent revision. Where changes are material, we will notify registered clients via email and display a notice on our website for 30 days following the update.

Continued use of EchelonPulse's services following notification of changes constitutes acceptance of the updated Policy.