POPIA Compliance Statement

Effective date: 1 March 2026 Last updated: 1 March 2026 Version: 1.0

LegalDominio is committed to protecting personal information in accordance with the Protection of Personal Information Act (POPIA), Act 4 of 2013. This document outlines how our platform is built and operated with POPIA compliance in mind.

1. Our Role Under POPIA

LegalDominio operates in two capacities depending on context:

Data Processor — when we process personal information on behalf of our subscriber organisations (law firms and legal teams who use the platform)
Responsible Party — when we directly collect information through our public website, bot, and lead forms (e.g. prospective clients enquiring about the product)

Our full obligations as a data processor are set out in our Data Processing Agreement, which is entered into with every subscriber.

2. Lawfulness of Processing

We process personal information under the following lawful bases:

Consent — users provide explicit consent when submitting information via our website or bot widget
Contractual necessity — processing required to provide the Service to subscribers
Legal obligation — compliance with applicable laws and regulations
Legitimate interest — service improvement, security, and fraud prevention

3. Purpose Specification

Personal information is collected only for specific, explicitly defined purposes. Data collected through the website and bot is used to:

Respond to and follow up on enquiries
Schedule demos and onboarding consultations
Provide the requested AI assistant service
Measure and improve platform performance (aggregate, anonymised)

Data collected through the platform (subscriber use) is used solely to provide the case management, lead capture, document management, and AI features that subscribers have contracted for.

We do not use data for purposes beyond those specified at collection without obtaining fresh consent.

4. Data Minimisation

We collect only what is necessary for the stated purpose:

Only email is required in lead capture forms — name and phone are optional
No sensitive personal information is collected (race, health, religion, etc.) unless voluntarily provided
No government-issued ID numbers are collected

5. Security Safeguards (POPIA Section 19)

Technical Safeguards

Encryption in transit: TLS 1.2+ for all communications
Encryption at rest: AES-256 via Azure default database encryption (enabled by default, cannot be disabled)
Access controls: Role-based access control (RBAC) — users access only data relevant to their role
Audit logs: All data access and changes are logged and retained
Multi-tenant isolation: Each subscriber organisation operates in an isolated database environment

Organisational Safeguards

Confidentiality obligations for all team members with system access
Vendor management — Data Processing Agreements with all sub-processors
Incident response procedures for breach detection and notification

6. Data Breach Notification

In the event of a personal information breach:

Internal assessment within 24 hours of detection
Notification to the Information Regulator within 72 hours (where required)
Immediate notification to affected individuals if there is a high risk to their rights
Immediate containment and corrective action

7. Data Retention

Data Category	Retention Period	Basis
Lead contact information	3 years from last interaction	Legitimate interest
Subscriber account data	Duration of contract + 5 years	Tax and legal requirements
Conversation logs	2 years from conversation date	Service improvement, compliance
Audit logs	7 years	Legal and regulatory requirements

Data is securely deleted after its retention period using cryptographic erasure. Backup copies are purged within 90 days of deletion.

8. Cross-Border Data Transfers (POPIA Section 72)

Primary data storage uses Microsoft Azure cloud infrastructure. Some processing involves transfers outside South Africa:

Provider	Purpose	Location	Safeguards
Microsoft Azure	Cloud hosting & database	South Africa	DPA, ISO 27001, SOC 2
OpenAI	AI language model processing	United States	DPA, Standard Contractual Clauses
Twilio	WhatsApp & SMS notifications	United States	DPA, GDPR-compliant

All international transfers are conducted under appropriate safeguards including Data Processing Agreements and Standard Contractual Clauses.

9. Automated Decision-Making

The platform uses AI-assisted processing in the following areas:

Lead auto-assignment — workload-balanced routing assigns new leads to the handler with the fewest active leads
Intent classification — AI categorises the nature of a lead's enquiry
AI summaries — conversations are automatically summarised to assist follow-up

No solely automated decisions with legal or significant effects are made. Human review is available for all AI-assisted outputs.

10. Data Subject Rights

Individuals whose personal information we process have the following rights under POPIA:

Access (Section 23) — request a copy of your information (response within 30 days)
Correction (Section 24) — request correction of inaccurate information (response within 14 days)
Deletion (Section 25) — request deletion subject to legal retention obligations (response within 30 days)
Objection — object to processing for direct marketing or legitimate interest purposes
Portability — request your data in a machine-readable format

To exercise any right: privacy@legaldominio.com

11. Information Officer

Email: privacy@legaldominio.com
Organisation: LegalDominio

12. Complaints

If you are dissatisfied with how we handle your personal information, you may contact the Information Regulator:

Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: inforeg@justice.gov.za
Phone: +27 (0)10 023 5200
inforegulator.org.za