POPIA Compliance

FinVeil's platform and operating practices are designed around the eight conditions for lawful processing of personal information under POPIA:

1. Accountability — FinVeil (Pty) Ltd (2016/369600/07) is the responsible party
2. Processing limitation — data is collected only for the stated scoring purpose
3. Purpose specification — purposes are documented in the Privacy Policy
4. Further processing limitation — data is not reused for unrelated purposes
5. Information quality — employer customers are responsible for data accuracy; we provide correction tooling
6. Openness — the Privacy Policy and this page describe our processing
7. Security safeguards — AES-256-GCM encryption, audit logs, row-level isolation
8. Data subject participation — right of access, correction, deletion, and objection

Information Officer designated per POPIA Section 55. Registration with the Information Regulator in progress. Contact: privacy@finveil.money. Data subject requests are processed within 30 days.

Cryptographic proofs of events are anchored to the Stellar public ledger as 32-byte Merkle root hashes only. No personal information is published on-chain. The anchor material is verified daily by an automated POPIA canary process that confirms only opaque hash digests are present in on-chain records. Disbursement receipts are cryptographic attestations of events -- they contain no PII, no amounts, and no identifiers.