POPIA Compliance Manual
| Responsible Party | Toothless Holdings (Pty) Ltd |
|---|---|
| Registration | 2026/191148/07 |
| Address | 48 Seekoei Street, Pyramid, Pretoria, 0120 |
| Email | markplain@toothlessholdings.co.za |
| Information Officer | Sanet Dreyer — info@markplain.co.za |
| Effective Date | 25 April 2026 |
| Version | 1.0 |
1. Introduction and Purpose
This manual has been compiled by Toothless Holdings (Pty) Ltd ("Toothless Holdings"), the registered owner and operator of the Markplain platform, in compliance with Section 51 of the Promotion of Access to Information Act 2 of 2000 (PAIA) and in alignment with the Protection of Personal Information Act 4 of 2013 (POPIA).
The purpose of this manual is to describe how Toothless Holdings, through the Markplain platform, collects, uses, stores, and protects personal information, and to outline the rights of data subjects and how those rights may be exercised.
2. Information Officer
In terms of Section 55 of POPIA, Markplain has designated an Information Officer responsible for ensuring compliance with POPIA.
| Information Officer | To be formally appointed and registered with the Information Regulator |
|---|---|
| Deputy IO | Christo Dreyer |
| Contact Email | markplain@toothlessholdings.co.za |
| Physical Address | 48 Seekoei Street, Pyramid, Pretoria, 0120 |
The Information Officer is registered with the Information Regulator of South Africa as required by POPIA and PAIA. The Information Officer's responsibilities include:
- Ensuring Markplain complies with POPIA
- Dealing with requests from data subjects and third parties
- Working with the Information Regulator on investigations
- Developing and maintaining this POPIA compliance framework
3. Personal Information Processed by Markplain
3.1 Categories of Data Subjects
| Platform Users | All registered individuals using Markplain to buy, sell, or browse |
|---|---|
| Merchants | Businesses and sole traders operating a Markplain Merchant storefront |
| Employees | Markplain staff and contractors |
| Suppliers | Third-party service providers and vendors |
| Advertisers | Businesses purchasing advertising on the Markplain platform |
3.2 Categories of Personal Information
| Identity Information | Name, surname, SA ID number (Gold tier, with consent) |
|---|---|
| Contact Details | Email address, mobile number, physical address |
| Account Information | Username, verification level, account history |
| Financial Information | Payment gateway references (not raw card data — never stored) |
| Communications | Encrypted in-platform messages, support correspondence |
| Technical Data | IP address, device type, browser, cookies, session data |
| Behavioural Data | Search history, listing views, click patterns |
| Business Information | Company name, VAT number, registration number (merchants) |
| Special Categories | We do not intentionally collect special personal information |
4. Lawful Processing Conditions (POPIA Sections 9–25)
Markplain processes personal information in compliance with all eight conditions for lawful processing under POPIA:
4.1 Accountability
Markplain, as the responsible party, takes full responsibility for all personal information in its custody and ensures that processing complies with POPIA at all times.
4.2 Processing Limitation
Personal information is collected only for specific, explicitly defined, and lawful purposes. Information is not processed in a manner incompatible with the purpose for which it was collected.
- Purpose: providing the Markplain marketplace and merchant platform service
- We do not collect information beyond what is necessary for these purposes
- We do not retain information for longer than necessary
4.3 Purpose Specification
The purposes for which Markplain processes personal information are set out in our Privacy Policy and this manual. Data subjects are informed of these purposes at the point of collection.
4.4 Further Processing Limitation
Personal information is not processed for a purpose other than that for which it was collected, unless: the data subject consents to further processing; or the further processing is compatible with the original purpose.
4.5 Information Quality
Markplain takes reasonable steps to ensure that personal information is complete, accurate, and not misleading. Users are encouraged to keep their account information up to date.
4.6 Openness
Markplain maintains transparency about its data processing activities through this manual and our Privacy Policy, both of which are publicly available at markplain.co.za.
4.7 Security Safeguards
Markplain implements appropriate technical and organisational measures to secure personal information:
- All data transmitted via HTTPS (TLS 1.2 or higher)
- Sensitive data encrypted at rest using AES-256
- In-platform messages encrypted in the database
- Access controls: staff access to personal data limited to what is necessary for their role
- Regular security assessments and vulnerability scanning
- Incident response plan: data breaches reported to the Information Regulator within 72 hours
- Employee training on POPIA compliance and data handling
- All data stored on South African servers
4.8 Data Subject Participation
Markplain respects the rights of data subjects and provides mechanisms for exercising those rights. See Section 6 of this manual.
5. Data Sharing and Third Parties
Markplain shares personal information with the following categories of third parties, all of which are subject to confidentiality obligations and are required to process data in compliance with POPIA:
| PayFast (Pty) Ltd | Payment processing — buyer payment data transmitted directly to PayFast |
|---|---|
| Ozow (Pty) Ltd | Payment processing — buyer EFT data transmitted directly to Ozow |
| Firebase / Google LLC | Push notification delivery — FCM token and notification content only |
| Africa's Talking | SMS OTP and WhatsApp Business notifications |
| Meilisearch SAS | Search indexing — listing titles and descriptions only |
| Toothless Domains | Domain and email hosting — merchant domain data only |
| Let's Encrypt / ISRG | SSL certificate provisioning — domain name only |
6. Rights of Data Subjects
In terms of POPIA, data subjects have the following rights, which Markplain respects and facilitates:
6.1 Right of Access (Section 23)
Data subjects may request access to the personal information Markplain holds about them. Requests must be made in writing to the Information Officer. Markplain will respond within 30 days. A fee may be charged in accordance with the Promotion of Access to Information Act.
6.2 Right to Correction or Deletion (Section 24)
Data subjects may request the correction of inaccurate personal information or the deletion of personal information that is no longer necessary for the purpose for which it was collected. Deletion may be declined where retention is required by law.
6.3 Right to Object (Section 11(3))
Data subjects may object to the processing of their personal information for purposes of direct marketing. Upon receipt of such objection, Markplain will cease direct marketing communications immediately.
6.4 Right to Lodge a Complaint
Data subjects who believe their rights have been infringed may lodge a complaint with the Information Regulator:
| Information Regulator SA | www.inforeg.org.za |
|---|---|
| Email | inforeg@justice.gov.za |
| Phone | +27 (0)12 406 4818 |
| Address | JD House, 27 Stiemens Street, Braamfontein, 2001 |
7. How to Exercise Your Rights
To exercise any of the rights described above, submit a request to the Markplain Information Officer:
| Method 1 — Email | markplain@toothlessholdings.co.za |
|---|---|
| Method 2 — Platform | Account → Settings → Privacy → Data Request |
| Method 3 — Post | Toothless Holdings (Pty) Ltd, 48 Seekoei Street, Pyramid, Pretoria, 0120 |
Requests must include your full name, the email address registered with Markplain, a description of the information you are requesting, and a copy of your ID document for verification purposes. Markplain will acknowledge receipt within 3 business days and respond fully within 30 days.
8. Retention and Destruction of Personal Information
| Account Data | Retained while account is active + 5 years after closure |
|---|---|
| Transaction Records | 7 years from transaction date (SARS compliance) |
| Communication Logs | 3 years from date of communication |
| Technical/Log Data | 12 months from date of collection |
| Marketing Preferences | Until opt-out + 1 year |
| Verification Documents | Duration of account + 5 years |
| Dispute Records | 5 years from dispute resolution |
Upon expiry of the retention period, personal information is securely destroyed by deletion from all live systems and overwriting of backup media, or anonymisation to a degree that re-identification is impossible.
9. Cross-Border Transfers
Markplain stores all primary personal data on South African servers. Some third-party service providers (e.g. Firebase/Google for push notifications) may process data outside South Africa. In such cases, Markplain ensures:
- The recipient country provides adequate protection for personal information; or
- The recipient is bound by contractual obligations that provide equivalent protections to POPIA; and
- The transfer is subject to appropriate safeguards
10. Special Personal Information
POPIA affords heightened protection to special categories of personal information, including religious beliefs, political views, race, trade union membership, health, sexual orientation, biometric information, and criminal history.
Markplain does not intentionally collect or process special personal information. If any such information is incidentally disclosed by a user, it is not used for any processing purpose and is deleted upon discovery.
11. Children's Personal Information
Markplain does not knowingly collect personal information from persons under the age of 18. Persons under 18 are not permitted to register for a Markplain account. If Markplain becomes aware that it has collected personal information from a minor, it will delete that information promptly.
12. Cookies and Automated Decision-Making
Markplain uses cookies as described in the Privacy Policy. Markplain does not make automated decisions that produce legal effects for data subjects without human review. Our anti-scam engine may flag accounts for review, but all actions (suspension, banning) are reviewed by a human moderator before implementation.
13. Breach Notification Procedure
In the event of a security breach that involves personal information:
- The breach is identified and contained immediately
- The Information Officer is notified within 24 hours
- The breach is investigated and the scope is determined
- The Information Regulator is notified within 72 hours if the breach poses a real risk to data subjects
- Affected data subjects are notified as soon as reasonably practicable
- A post-incident review is conducted to prevent recurrence
14. Review of This Manual
This manual will be reviewed annually or whenever there is a material change in Markplain's data processing activities. The latest version will always be available at markplain.co.za/popia.
15. Contact
| Company | Toothless Holdings (Pty) Ltd |
|---|---|
| Information Officer | info@markplain.co.za |
| Address | 48 Seekoei Street, Pyramid, Pretoria, 0120 |
| Website | www.markplain.co.za |