Data Protection Policy

This policy applies to tradejournal.co.za and all other websites, applications, and digital services operated by Tapnet Solutions (Pty) Ltd.

This Data Protection Policy sets out how Tapnet Solutions (Pty) Ltd, trading as TradeJournal, complies with the Protection of Personal Information Act 4 of 2013 (POPIA) and its eight conditions for lawful processing of personal information.

Tapnet Solutions (Pty) Ltd is the responsible party as defined in POPIA. We are accountable for ensuring that all processing of personal information complies with the conditions set out in this policy and in POPIA.

The designated Information Officer responsible for ensuring compliance is:

The Information Officer is responsible for encouraging compliance, handling data subject requests, working with the Information Regulator, and ensuring that a compliance framework is in place.

We only collect personal information that is necessary for the purposes directly related to our services. All processing must have a lawful basis, which includes one or more of the following:

• The data subject has consented to the processing
• Processing is necessary to carry out actions for the conclusion or performance of a contract
• Processing complies with an obligation imposed by law
• Processing protects a legitimate interest of the data subject
• Processing is necessary for pursuing the legitimate interests of the responsible party or a third party

We do not collect personal information by unlawful means, and we do not process personal information of children (persons under the age of 18) unless consent has been given by a competent person.

Personal information is collected for specific, explicitly defined, and legitimate purposes, including:

• Service delivery: Creating and managing user accounts, providing access to the trading journal platform, and delivering subscribed features
• Legal compliance: Meeting our obligations under POPIA, the Companies Act, the Income Tax Act, and other applicable legislation
• Communication: Sending account-related notifications, service updates, security alerts, and responding to enquiries
• Platform improvement: Analysing usage patterns to improve features and user experience
• Security: Detecting and preventing fraud, unauthorised access, and other security threats

Personal information will not be retained for longer than is necessary to achieve the purpose for which it was collected, unless retention is required by law or for a legitimate purpose. Our Data Retention Policy sets out specific retention periods for each category of data.

We do not process personal information for purposes that are incompatible with the purpose for which it was originally collected, unless:

• The data subject has consented to the further processing
• The information is available in a public record or has been made public by the data subject
• Further processing is necessary for the prevention, detection, investigation, prosecution, or punishment of an offence
• Further processing is necessary to comply with a legal obligation

We do not sell, rent, or trade personal information to third parties for marketing purposes.

We take reasonable steps to ensure that personal information is complete, accurate, not misleading, and updated where necessary, having regard to the purpose for which it was collected or further processed.

Data subjects may update their personal information at any time through their account settings or by contacting the Information Officer. We encourage users to keep their information accurate and up to date.

In accordance with the openness condition, we have taken the following steps to ensure transparency:

• This Data Protection Policy is publicly available on our website
• Our Privacy Policy provides detailed information about what data we collect, how we use it, and with whom we share it
• Our PAIA Manual is available as required by the Promotion of Access to Information Act
• Data subjects are notified at the point of collection about the purpose of processing
• Cookie consent mechanisms are in place to inform users about tracking technologies

We implement appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised destruction, and unlawful access. These measures include:

• Encryption: TLS 1.2+ for all data in transit; SSL/TLS for database connections with channel binding enabled; HTTPS enforced via HSTS
• Access controls: Role-based access control, principle of least privilege, strong password requirements, and multi-factor authentication for administrative access
• Monitoring: Server-side logging, access monitoring, and anomaly detection
• Infrastructure: Managed hosting with DDoS protection, security headers (CSP, X-Frame-Options, X-Content-Type-Options, HSTS), and automated backups
• Application security: Input validation using Zod schema validation, parameterised database queries via Prisma ORM, and Content Security Policy headers

Full details of our security measures are set out in our Information Security Policy.

In the event of a data breach, our Data Breach Response Plan will be activated immediately.

Data subjects have the right to:

• Access: Request confirmation of whether we hold personal information about them and request access to that information
• Correction: Request the correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully
• Deletion: Request the destruction or deletion of personal information that is no longer needed for the purpose for which it was collected
• Objection: Object to the processing of personal information on reasonable grounds

To exercise any of these rights, data subjects may contact the Information Officer at wynand@tapnet.co.za. We will respond to requests within a reasonable period, and in any event within 30 days, as required by POPIA.

The following roles and responsibilities apply to data protection within Tapnet Solutions (Pty) Ltd:

• Information Officer (Wynand de Beer): Overall responsibility for data protection compliance, handling data subject requests, and liaising with the Information Regulator
• Development team: Implementing technical security measures, privacy by design, and data protection features in the platform
• All personnel: Adhering to this policy, reporting potential breaches, and handling personal information responsibly

All individuals with access to personal information processed by Tapnet Solutions (Pty) Ltd are made aware of their obligations under POPIA and this policy. Training and awareness measures include:

• Onboarding briefing on data protection responsibilities
• Periodic review of this policy and related policies
• Communication of policy updates and new requirements

Compliance with this policy is monitored through:

• Regular review of data processing activities
• Monitoring of data subject requests and response times
• Annual review and update of this policy and related policies
• Incident tracking and post-incident reviews

For any questions about this policy or to exercise your data protection rights, please contact: