GamHR Privacy Policy

Version 1.0.0 - Effective April 2026

Responsible party: the subscribing employer that controls your tenant data

This Privacy Policy describes how GamHR collects, uses, stores, and protects personal information in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA).

1. Information We Collect

GamHR processes the following categories of personal information:

• Identity: Full name, SA ID number/passport, date of birth, gender, nationality
• Contact: Email address, phone number, physical address
• Employment: Job title, department, employment dates, contracts
• Financial: Bank account details, tax reference number, salary information
• Leave & Attendance: Leave balances, clock-in/out records, timesheets
• System Usage: Login timestamps, IP addresses, user agent strings

2. Purpose of Processing

Personal information is processed for the following lawful purposes (POPIA Section 11):

• Contract performance: Administering employment contracts, calculating and paying salaries
• Legal obligation: SARS tax filings (EMP201, EMP501, IRP5), BCEA compliance
• Legitimate interest: Workforce analytics, risk management, audit compliance

3. Data Storage and Security

• Data is stored in Google Cloud Firestore (africa-south1 region) within South Africa
• Application hosted on Azure Container Apps (South Africa North)
• Sensitive fields (SA ID, tax reference, bank account) are encrypted with AES-256-GCM
• Access controlled via Firebase Authentication with MFA on privileged operations
• Hash-chained audit trail ensures tamper-evident record keeping

4. Data Sharing

• SARS: Tax filing data as required by the Income Tax Act
• Service providers: Google Cloud (hosting), Microsoft Azure (hosting) - bound by Data Processing Agreements
• No third-party sale: Personal information is never sold to third parties

5. Your Rights Under POPIA

As a data subject, you have the right to:

• Access your personal information (Section 23)
• Correct inaccurate information (Section 24)
• Object to processing in certain circumstances (Section 11(3))
• Lodge a complaint with the Information Regulator

To exercise these rights, submit a request through the System or contact your employer's HR administrator.

6. Data Retention

• Payroll records: 3 years (BCEA Section 31)
• General employee records: 5 years (POPIA Section 14)
• Audit trail: 7 years
• Data beyond retention periods is anonymised or deleted

7. Breach Notification

In the event of a data breach, we will notify the Information Regulator and affected data subjects within 72 hours as required by POPIA Section 22.

8. Contact

Information Officer: your employer's designated privacy or HR contact
Information Regulator: POPIAComplaints@inforegulator.org.za