PayMax (Pty) Ltd ("we," "our," or "us") provides software tools for payroll and HRIS management to South African businesses. As a data processor, we process personal information on behalf of our business clients who remain the data controllers responsible for POPIA compliance. This Privacy Policy explains our data processing practices and the respective responsibilities under the Protection of Personal Information Act (POPIA).
1. Information We Collect
Important: Data Controller vs Data Processor
Your Company (the PayMax client) is the data controller - responsible for ensuring POPIA compliance and determining data processing purposes. PayMax is the data processor - we only process data according to your instructions through our software platform.
🔒 Mandatory POPIA Consent System
Consent Requirement: You must provide explicit consent before accessing any part of the PayMax platform. Platform access is completely blocked until consent is given.
Informed Consent Process: Our consent system requires you to:
- Read the complete data processing information
- Scroll through all consent details (progress tracked)
- Actively click "I Consent" to confirm your agreement
- Consent is permanently recorded with timestamp
Technical Implementation: Consent status is stored in your user profile with a timestamp. Once given, consent persists for your account unless administratively revoked.
Data We Process (Stored in 3 Core Tables)
- User Authentication: Email addresses, encrypted passwords, 2FA codes
- User Profiles: Names, contact details, role assignments, company associations
- Employee Records: Personal information, banking details, salary data, tax information (as entered by your company)
Technical Data
- System logs for security and performance monitoring
- Session data for platform functionality
- No cookies for tracking - only essential functional cookies
2. How We Use Information
Software Platform Services
- Provide payroll calculation tools
- Generate payslip PDFs (downloadable by individual employees only)
- Facilitate comprehensive employee data management
- Enable leave management workflows and tracking
- Provide workforce analytics and insights
- Support role-based access control (RBAC)
Data Export & Integration Tools
- Third-party integrations for payroll and HR data export (e.g., Xero)
- Generate SARS, UIF, SDL filing documents
- Create manual journal entries and HR reports
- Prepare statutory reporting files (companies submit directly)
- Export employee analytics and workforce insights
Your Company's Responsibilities
PayMax provides software tools only. Your company remains responsible for all statutory submissions, legal compliance, employee consent, data accuracy, and regulatory requirements.
3. Information Sharing and Disclosure
PayMax does not sell, trade, or rent personal information. As a data processor, we do not share data except as follows:
- No Direct Government Sharing: PayMax does not submit data directly to SARS, UIF, or other agencies - companies download files and submit themselves
- Third-Party Integrations: When authorized by companies, payroll and HR data may be exported to integrated accounting systems (e.g., Xero)
- Database Infrastructure: Data stored on our database infrastructure under our data processing agreement
- Legal Compliance: Only when required by valid legal process (court orders, etc.)
- Security: To investigate security incidents or protect platform integrity
Important: We Do Not Handle Statutory Submissions
PayMax generates filing documents only. Your company is responsible for submitting all SARS, UIF, SDL, and other statutory filings directly to the relevant authorities.
4. Data Security
Platform Security
- Database infrastructure with TLS encryption
- Row Level Security (RLS) on all database tables
- Required 2FA via email verification (6-digit codes)
- Next.js 15 framework with security best practices
Access Controls
- Custom RBAC system with company-level isolation
- Subscription tier-based feature restrictions
- User profile access limited by role and company
- Individual payslip access (employees see only their own)
Infrastructure Security
PayMax relies on the security controls of its database infrastructure provider, and plans to migrate to a South Africa-hosted database for local data residency. All security measures are subject to that provider's enterprise-grade protections.
5. Data Subject Rights & Responsibilities
Important: Consent Management & Data Controller Responsibilities
Your Consent Status: By using PayMax, you have provided explicit consent through our mandatory consent system. This consent is tracked with a timestamp and enables all HRIS data processing.
Consent Withdrawal: Only company administrators with proper RBAC permissions can revoke user consent by deactivating or deleting employee accounts. Individual users cannot self-withdraw from employer HRIS systems.
POPIA Requests: Contact your company's HR department first. Your employer is the data controller and must handle most POPIA rights directly.
What You Can Do Directly in PayMax
- Access: View your personal profile and payslips
- Rectification: Request profile changes via the platform (manager approval required)
- Export: Download your individual payslips as PDFs
- Deletion: Account deletion removes user profile, auth data, and employee record
What Your Company Must Handle
- Employee Onboarding: Ensuring employees understand the mandatory consent requirement during platform signup
- Consent Oversight: Managing employee consent status through RBAC permissions (company admins only)
- Purpose Limitation: Ensuring data is used only for HRIS purposes (payroll, leave management, analytics, insights)
- Data Accuracy: Keeping employee information current and correct
- Legal Basis: Having a lawful basis for processing personal information under POPIA
- Account Management: Handling employee account deactivation/deletion when consent is withdrawn
6. Consent Tracking & Technology Implementation
🔧 Technical Consent Implementation
Database Storage: Consent status is stored in the user_profiles table with two fields:
- consent_given (boolean): Tracks whether explicit consent has been provided
- consent_given_at (timestamp): Records exactly when consent was granted
Platform Enforcement: Our system enforces consent through:
- Complete platform access blocking until consent is given
- Mandatory scroll-through of all consent information
- Progress tracking to ensure full document review
- Explicit "I Consent" button activation only after complete review
Audit Trail: Every consent action is logged with:
- User ID and email address
- Precise timestamp of consent
- IP address and session information
- Platform version and consent document version
🛡️ Consent Security & Integrity
Data Integrity: Consent records are protected by database constraints and cannot be accidentally modified.
Access Control: Only authorized company administrators with proper RBAC permissions can view consent status.
Immutable Records: Consent timestamps are permanent and provide a complete audit trail for compliance.
POPIA Compliance: Our consent system meets all POPIA requirements for explicit, informed, and specific consent.
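As an added illustration (not PayMax's own schema or code), the following PostgreSQL snippet shows how the two consent fields described above can be backed by a consistency constraint, a trigger that makes a recorded consent timestamp immutable, and Row Level Security that scopes profile reads by user and company. The company_id and role columns and the current_user_id(), current_company_id() and current_user_role() session helpers are assumptions for the example.

```sql
-- Added illustration, not PayMax's schema: user_profiles with the two consent
-- fields, plus constraints enforcing the rules the policy describes.
CREATE TABLE user_profiles (
    id               uuid PRIMARY KEY,          -- assumed to match auth.users.id
    company_id       uuid NOT NULL,             -- assumed column for company isolation
    role             text NOT NULL,             -- assumed: 'admin' or 'employee'
    consent_given    boolean NOT NULL DEFAULT false,
    consent_given_at timestamptz,
    -- a consent flag must always carry its timestamp, and vice versa
    CONSTRAINT consent_timestamp_consistent CHECK (
        (consent_given AND consent_given_at IS NOT NULL)
        OR (NOT consent_given AND consent_given_at IS NULL)
    )
);

-- Immutable records: once consent is recorded, an UPDATE may neither clear the
-- flag nor alter the timestamp. Administrative revocation is done by removing
-- the account (DELETE), which this trigger does not block.
CREATE OR REPLACE FUNCTION freeze_consent() RETURNS trigger AS $$
BEGIN
    IF OLD.consent_given AND
       (NEW.consent_given IS DISTINCT FROM true OR
        NEW.consent_given_at IS DISTINCT FROM OLD.consent_given_at) THEN
        RAISE EXCEPTION 'consent record for user % is immutable', OLD.id;
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER user_profiles_freeze_consent
    BEFORE UPDATE ON user_profiles
    FOR EACH ROW EXECUTE FUNCTION freeze_consent();

-- Row Level Security: a user can read only their own row; company admins can
-- read (and therefore see consent status for) rows in their own company only.
-- The current_*() helpers are assumed to read the caller's identity from the
-- session; with RLS enabled and no matching policy, a query returns no rows.
ALTER TABLE user_profiles ENABLE ROW LEVEL SECURITY;

CREATE POLICY own_profile ON user_profiles
    FOR SELECT USING (id = current_user_id());

CREATE POLICY company_admin_read ON user_profiles
    FOR SELECT USING (
        current_user_role() = 'admin' AND company_id = current_company_id()
    );
```

Column-level GRANTs on consent_given and consent_given_at can further restrict non-admin roles if consent status should be visible to administrators only.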
7. Data Retention & Deletion
Minimal Data Retention Policy
PayMax operates a minimal data retention policy. When data is deleted, it is permanently removed from our systems. We do not maintain historical records or backups of deleted information.
Immediate Deletion Policy
- User Deletion: Removes all data from auth.users, user_profiles, and employees tables
- Payslips: Generated PDFs are the user's responsibility to download and retain
- No Historical Backups: We do not maintain deleted data for any period
- Employee Records: Deleted when user is removed (no post-termination retention)
Your Responsibility for Record Keeping
- Download Payslips: Employees must download their payslips each month
- Use Integrations: Export to accounting systems (Xero, etc.) for long-term record keeping
- SARS Compliance: Companies must maintain their own 5-year records
- Employee Records: HR departments must back up employee data externally
Important Legal Disclaimer
PayMax (Pty) Ltd operates as a software tool provider only. By creating an account and using our platform, you automatically consent to data processing and accept full responsibility for:
- Informed Consent: You understand this Privacy Policy and consent to all data processing described herein
- POPIA Compliance: Your company is the data controller and must ensure all POPIA requirements are met
- Employee Onboarding: Your company ensures employees understand platform consent during signup
- Data Accuracy: Ensuring all information entered into the system is accurate and current
- Record Keeping: Maintaining statutory records as required by South African law
- Statutory Submissions: Filing all SARS, UIF, SDL, and other government returns directly
- Legal Compliance: Meeting all employment law, tax law, and regulatory requirements
PayMax provides software tools only and accepts no liability for compliance failures, data breaches at client level, or legal non-compliance by platform users. Your use of the platform constitutes informed consent to all data processing activities.
9. Contact Information
If you have questions about this Privacy Policy or wish to exercise your rights under POPIA, please contact us:
PayMax Support
For platform-related privacy questions or technical support regarding data access/deletion.
Information Regulator (POPIA Complaints)
For POPIA compliance issues with your employer (the data controller), you can lodge a complaint with the Information Regulator of South Africa.