Data Protection

Last updated: 1 June 2026

This document is a professional template aligned to South African law (POPIA). Please have it reviewed and finalised by qualified legal counsel before relying on it in production.

Athena Advisors SA 786 (Pty) Ltd is committed to protecting personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA). This statement summarises how we meet our obligations when operating the Tripi platform, and complements our Privacy Policy.

1. Our roles

In most cases the Client (your employer or the organisation arranging transport) is the Responsible Party, and we act as its Operator, processing personal information only on its documented instructions and for the purposes of providing the service. For platform accounts, billing, security and the operation of the service we may act as a Responsible Party.

2. The eight conditions for lawful processing

We process personal information in line with the eight conditions of POPIA:

Accountability — we take responsibility for compliance and can demonstrate it.
Processing limitation — processing is lawful, minimal, relevant and justified, with consent obtained where required.
Purpose specification — information is collected for defined, explicit, transport-related purposes.
Further processing limitation — we do not use information in ways incompatible with the original purpose.
Information quality — we take reasonable steps to keep information accurate, complete and up to date.
Openness — we are transparent about our processing through this statement and our Privacy Policy.
Security safeguards — we protect information with appropriate technical and organisational measures.
Data subject participation — individuals can access and correct their information and exercise their rights.

3. Special personal information and children

Where the platform processes special personal information, or information relating to children, we do so only where POPIA permits — for example with consent, for the establishment or defence of a right, or to protect a vital interest — and with additional care and safeguards.

4. Privacy by design

Data protection is built into the platform: data minimisation, immutable audit trails, versioning instead of silent overwriting, granular role-based permissions, controlled and audited access to recordings, and configurable retention. New features are assessed for privacy impact before release.

5. Security safeguards (section 19)

We maintain appropriate, risk-based technical and organisational measures, including:

encryption of data in transit and protected storage of sensitive data;
role-based access control and multi-factor authentication for administrators;
comprehensive, immutable audit logging of critical create, update, approve, dispatch, close, view and export actions;
tamper-evidence, checksums and chain-of-custody controls for in-vehicle recordings;
strict logical isolation of each Client's data;
session management, break-glass controls and least-privilege administration; and
regular, tested backups and documented recovery procedures.

6. Processing records

We maintain records of the categories of personal information we process and the purposes for which we process them, to support accountability and to assist Responsible Parties with their own obligations.

7. Operators and sub-processors

Where we engage Operators or sub-processors (such as hosting, mapping, messaging or payment providers) they are bound by written agreements requiring them to process information only on instruction, maintain confidentiality, and apply appropriate security measures, consistent with sections 20 and 21 of POPIA. A current list of material sub-processors is available to Clients on request.

8. Cross-border transfers (section 72)

Any transfer of personal information outside South Africa is carried out only where section 72 of POPIA is satisfied, for example through adequate protection at the recipient, contractual safeguards, necessity for performance, or consent.

9. Data subject requests

Individuals may request access to, or correction or deletion of, their personal information, and may object to certain processing. As Operator we promptly route such requests to the relevant Responsible Party and assist in responding within the timeframes POPIA requires. We may need to verify identity before acting and may apply lawful exceptions where they exist.

10. Breach notification (section 22)

Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we notify the relevant Responsible Party without undue delay and support notification of the Information Regulator (South Africa), via its official channels at inforegulator.org.za and of affected data subjects as required, along with the measures taken to address the incident.

11. Retention and destruction (section 14)

Consistent with section 14 of POPIA, personal information is retained only for as long as necessary for the purposes for which it was collected, or as required by law, contract, audit or dispute, and is then securely destroyed or de-identified, subject to any legal hold.

12. Training and governance

Our personnel are subject to confidentiality obligations and receive guidance on handling personal information. Data protection is overseen by our Information Officer.

13. Information Officer and complaints

Our Information Officer can be reached at privacy@tripi.co.za. You may also lodge a complaint with the Information Regulator (South Africa), via its official channels at inforegulator.org.za, which oversees compliance with POPIA.