This Privacy Policy explains how GiveShield (Pty) Ltd ("GiveShield") collects, uses, stores, and protects personal information in accordance with the Protection of Personal Information Act, 2013 ("POPIA"). GiveShield is the responsible party for the personal information processed on the platform.
1. Information we collect
We collect only what we need to operate the platform and issue compliant Section 18A receipts:
- Account & contact: name, role, email, phone.
- Donor company: registered legal name, registration number, SARS income-tax reference number, contact details.
- PBO: registered name, PBO number, Section 18A reference, banking details, certificate signatory details.
- Verification (KYC):company/NPO registration documents, an authorised representative's identity document, and a letter of authority or board resolution.
- Transactional: donation amounts, references, proof-of-payment documents, invoices, and issued receipts.
- Technical: log data necessary for security and operation.
2. Why we process it (purpose & lawful basis)
We process personal information to: create and verify accounts; confirm that organisations are legitimate and representatives are authorised; generate invoices and Section 18A receipts in the PBO's name; validate proofs of payment; communicate status updates; and comply with legal obligations (including records supporting SARS IT3(d) reporting). Our lawful bases are the performance of a contract with you, compliance with a legal obligation, our legitimate interests in operating a secure platform, and your consent where required.
3. Data minimisation and consent
We collect only the fields required to issue a compliant certificate and to verify identity. At sign-up you consent to this processing. You may withdraw consent or object to processing, subject to our legal retention duties (withdrawing consent may mean we can no longer provide the service).
4. Who we share it with (operators)
We do not sell personal information. We share it only with operators who process it on our behalf under appropriate safeguards: our cloud database and file storage provider, our email delivery provider, and an automated document-analysis service used to assist verification of proof-of-payment and KYC documents. A donor's certificate details are shared with the relevant PBO as the party in whose name the receipt is issued. Documents may be processed outside South Africa by these operators under contractual safeguards consistent with POPIA's conditions for trans-border transfers.
5. Security
We apply technical and organisational measures to protect personal information, including row-level database access controls that isolate each donor and PBO's data, private document storage accessible only through short-lived authenticated links, encryption in transit, and least-privilege access. No system is perfectly secure, but we work to keep the platform air-tight and review our controls regularly.
6. Retention
We retain personal information only as long as necessary for the purposes above and to meet legal and tax record-keeping obligations (issued receipts and their supporting data are retained for the periods required by SARS and applicable law), after which it is deleted or de-identified.
7. Your rights
Under POPIA you may request access to the personal information we hold about you, request correction or deletion, object to processing, and lodge a complaint. To exercise these rights, contact our Information Officer below. You also have the right to complain to the Information Regulator (South Africa).
8. Information Officer & contact
Information Officer, GiveShield (Pty) Ltd — privacy@giveshield.org. Information Regulator (South Africa): inforegulator.org.za.
9. Changes
We may update this Policy; material changes will be notified and the "last updated" date revised.