POPIA Compliance Statement

1. Responsible Party

EchelonPulse, a sole proprietorship operated by Byron Stone Moss, is the Responsible Party as defined in Section 1 of POPIA. We determine the purpose and means of processing personal information collected via echelonpulse.co.za and in connection with our service delivery.

2. Information Officer

Our designated Information Officer is responsible for ensuring POPIA compliance across all processing activities:

Information Officer: EchelonPulse Compliance Team
Email: privacy@echelonpulse.co.za
Data Subject Access Requests: echelonpulse.co.za/dsar

3. Lawful Basis for Processing

We process personal information on the following lawful grounds under POPIA Section 11:

• Contractual necessity: Processing required to deliver services you have contracted for.
• Legitimate interest: Service improvement, fraud prevention, security monitoring — where we have assessed this does not override your rights.
• Consent: Marketing emails, analytics cookies, and any processing not covered by the above — you may withdraw consent at any time.
• Legal obligation: Retention of financial records for SARS compliance, breach notification obligations.

4. Personal Information We Process

We process the minimum personal information necessary for each stated purpose. Categories of personal information processed include: names, email addresses, phone numbers, company names, IP addresses, website URLs submitted for auditing, billing references, and service usage data.

We do not process special personal information (POPIA Section 26) including race, political views, health information, biometric data, or criminal records.

Retention: Personal information is retained for the duration of the service relationship plus 5 years for legal and tax compliance obligations, after which it is securely deleted.

5. Your Rights as a Data Subject

Under POPIA, you have the following rights regarding your personal information:

• Right of access: Request a copy of the personal information we hold about you.
• Right to correction: Request correction of inaccurate or incomplete personal information.
• Right to deletion: Request deletion of your personal information (subject to our legal retention obligations).
• Right to object: Object to the processing of your personal information for specific purposes.
• Right to withdraw consent: Withdraw consent for consent-based processing at any time.
• Right to complain: Lodge a complaint with the Information Regulator of South Africa.

Submit requests via echelonpulse.co.za/dsar or email privacy@echelonpulse.co.za. We respond within 30 days as required by POPIA.

6. Cross-Border Transfers

EchelonPulse stores all client data on South African servers (JNB-01, Johannesburg). We do not transfer personal information outside South Africa except where:

• The recipient country has adequate POPIA-equivalent data protection laws, or
• The transfer is covered by binding data processing agreements that meet POPIA Section 72 requirements, or
• You have explicitly consented to the transfer.

Google Analytics data is transferred to Google LLC under standard contractual clauses. All IP addresses are anonymised before transmission.

7. Data Breach Protocol

In the event of a data breach involving personal information, EchelonPulse will:

• Notify the Information Regulator of South Africa within 72 hours of becoming aware of the breach.
• Notify affected data subjects as soon as reasonably possible if the breach creates a real risk of harm.
• Document the breach, its scope, and remediation actions taken.
• Implement immediate containment measures to prevent further exposure.

To report a potential security incident: security@echelonpulse.co.za

8. Complaints

If you believe EchelonPulse has infringed your POPIA rights, you may:

• Contact our Information Officer at privacy@echelonpulse.co.za — we will respond within 30 days.
• Lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za or via email at inforeg@justice.gov.za.