Legal
POPIA & GDPR Compliance
How Magnifyr handles personal information under POPIA (South Africa) and GDPR (EU/UK). Encryption, consent tracking, retention, and your right to be forgotten — all in one place.
Last updated 2026-05-14
1. What POPIA is, and why it applies here
The Protection of Personal Information Act, 4 of 2013 (POPIA) is the South African law that governs how personal information is processed. Magnifyr is operated by Agilus (Pty) Ltd, a South African company, and our data is hosted in the Azure South Africa North region. POPIA applies to every account, every lead, every audit log entry.
Where your end users are in the European Union or the United Kingdom, the General Data Protection Regulation (GDPR) also applies. POPIA was modelled on GDPR; the practical obligations are very similar and we have built Magnifyr to satisfy the stricter of the two for each rule.
2. Who is the responsible party (controller)?
POPIA distinguishes between the responsible party (GDPR calls this the controller) and the operator (GDPR: processor).
- Account holder data — your name, email, password hash, OAuth tokens, billing records. Magnifyr is the responsible party.
- Lead records inside your tenant — captured via your landing pages, forms, and tracking pixel. You are the responsible party; we are your operator.
You agree to have a lawful basis under POPIA for every lead you capture through Magnifyr. The platform helps you record that basis (the ConsentSource field on every Lead) and prove it on demand.
3. Lawful bases we rely on
Magnifyr processes personal information on the following lawful bases under section 11 of POPIA and Article 6 of GDPR:
- Performance of a contract — most account-holder processing happens because we must deliver the service you signed up for: scheduling posts, storing leads, sending transactional email.
- Legitimate interest — security logging, anti-abuse measures, internal aggregate usage analytics.
- Consent — for marketing and product-update emails. You can opt out from any of those emails.
- Legal obligation — for tax, accounting, and audit obligations under South African company law.
4. The eight POPIA conditions — how we comply
4.1 Accountability
Agilus (Pty) Ltd is accountable as the responsible party for account-holder data. We maintain an internal record of processing activities and audit log entries for every material data mutation.
4.2 Processing limitation
We collect the minimum personal information needed to deliver the service. We do not collect government identification numbers, biometric data, or financial account details (until Stripe billing launches — Stripe handles card data; we do not see or store it).
4.3 Purpose specification
We process data only for the purposes stated in our Privacy Policy. Marketing emails are separately opted-in.
4.4 Further processing limitation
We do not repurpose your data for new uses without notifying you and, where required, getting fresh consent.
4.5 Information quality
You can update your account information from inside the application at any time. For lead records, you control the data model and can correct entries via the lead detail sheet.
4.6 Openness
This page, the Privacy Policy, and the Terms of Service together describe our practices. Material changes are emailed to active account holders at least 14 days before they take effect.
4.7 Security safeguards
Magnifyr applies multiple layers of security:
- Lead email addresses and phone numbers are encrypted at the application level using
AES-256-GCMwith per-tenant encryption keys managed in Azure Key Vault. Encryption is applied before the data hits the database, so it is not readable in database backups, query logs, or replication streams. - Social OAuth tokens are encrypted at rest in Azure Key Vault. Refresh tokens are rotated proactively before expiry.
- Webhook signing secrets are encrypted with the same AES-256-GCM scheme; only a salted HMAC-SHA256 hash is used for fast lookup.
- Public API keys are HMAC-SHA256-hashed with a Key Vault-managed salt; the full key is shown to the user exactly once at creation.
- Tenant isolation is enforced at the ORM level by global query filters on every tenant-scoped table. Cross-tenant data access is impossible by construction.
- Database-level — Azure SQL Database with Transparent Data Encryption (TDE) is enabled, and the network layer enforces TLS 1.2+.
- Audit logging — every database mutation writes an immutable, append-only AuditLog entry recording entity, action, user, tenant, timestamp, and before/after values.
4.8 Data subject participation
You and your contacts have the right to access, correct, and delete the personal information we hold. See §6 below.
5. Cross-border data transfers
Magnifyr data is stored in the Azure South Africa North region. Cross-border transfers happen only when:
- We invoke a third-party AI provider (Anthropic Claude in the United States; OpenAI in the United States) for content drafting that you initiated. The prompt you submit is the only data forwarded.
- We invoke a social platform's publishing API to send a post you scheduled.
- We invoke Stripe for billing (once paid tiers launch).
Each of these third parties has its own data-processing terms and its own GDPR/POPIA posture. We rely on their published commitments (standard contractual clauses where applicable).
6. Your rights
Under POPIA section 23 and GDPR Articles 15–22 you can:
- Access — request a copy of all personal data we hold about you.
- Rectify — correct any inaccurate or out-of-date data.
- Erase (be forgotten) — request hard-deletion of your account and all lead records you control. We satisfy this via an in-app erasure endpoint that hard-deletes the lead, its activity timeline, and writes a single audit log entry confirming the deletion. The audit log entry retains no personally identifying data — only the tenant ID and timestamp.
- Restrict — limit how we process your data while an objection is being assessed.
- Port — receive a machine-readable export of your tenant data. CSV export is in-app today; a full JSON export is on the roadmap.
- Object — to processing based on legitimate interest.
- Complain — to the South African Information Regulator if you believe we have breached POPIA. Their contact details are at inforegulator.org.za.
To exercise any of these rights, email sivi@magnifyr.co.za. We aim to respond within 7 business days; the regulatory deadline is 30 days for most requests.
7. Data retention
- Active accounts — data is retained while the account is active.
- Lead records — leads with no activity for 24 months are flagged for review. You decide whether to archive or hard-delete. We do not silently expire data.
- Closed accounts — tenant data is hard-deleted within 30 days of account closure.
- Audit logs — retained for 12 months as a compliance record. They contain no personally identifying data after erasure has been exercised.
- Backups — encrypted, retained for 30 days.
8. Breach notification
If we become aware of a personal information breach that is likely to result in a risk to the rights or freedoms of natural persons, we will:
- Notify the South African Information Regulator within 72 hours of becoming aware of the breach.
- Notify affected account holders by email without undue delay.
- Publish a brief post-mortem on a public status page once the breach is contained.
9. Information Officer
The Information Officer (POPIA) for Magnifyr is the responsible party at Agilus (Pty) Ltd. Until a formal designation is registered with the Information Regulator, contact:
Agilus (Pty) Ltd
Cape Town, South Africa
Email: sivi@magnifyr.co.za
For GDPR-specific requests where you are based in the EU or UK, please use the same email and mention “GDPR” in the subject so we route it correctly.
10. Updates
This page tracks our current practices, not our aspirations. When we add new sub-processors, change retention periods, or update our encryption stack, this page is updated and active account holders are emailed.