Data protection guidelines
VerityPay is a product operated by Webrack (Pty) Ltd. We specialise in payroll management solutions for South African businesses. We are committed to protecting your privacy and handling your information transparently in accordance with POPIA (Protection of Personal Information Act 4 of 2013).
Last updated: 1 April 2025
1. Introduction
This Privacy Policy describes what personal information we collect, why we collect it, how we use and protect it, and your rights as a data subject under POPIA.
2. Personal information we collect
When you use VerityPay, we collect the following categories of information:
- Organisation account information — Organisation name, registration number, PAYE reference, administrator name, email, and hashed password.
- Employee information — Full name, SA ID or passport number (AES-256 encrypted), date of birth, contact details, employment details, banking details (AES-256 encrypted), tax number, leave records, and payslip history.
- Technical information — IP addresses (security logging only), session tokens in HttpOnly cookies, and anonymised usage logs for product improvement.
3. How we use your personal information
We process personal information only for the following lawful purposes under POPIA:
- Service delivery: Processing payroll, calculating PAYE/UIF/SDL/ETI, generating EMP201 and IRP5 documents, and producing bank EFT files.
- Legal compliance: Meeting obligations under the Income Tax Act, Basic Conditions of Employment Act, and Unemployment Insurance Act.
- Account management: Creating and managing your subscription, sending product updates, and providing customer support.
- Security: Detecting and preventing fraud, unauthorised access, and misuse of the platform.
- Product improvement: Analysing anonymised usage patterns. This data cannot be used to identify individuals.
4. Data sharing
We do not sell personal information. We share data only with:
- Infrastructure: Neon (PostgreSQL hosting, South Africa region), Vercel (application hosting), UploadThing (file storage).
- Communications: Resend (transactional email), Africa's Talking (SMS notifications).
- Payments: Stitch (subscription billing). We do not store card numbers or bank credentials.
- SARS: EMP201 and IRP5 files are generated for you to submit — we do not submit on your behalf.
- Legal requirements: Where required by a South African court order or applicable law.
5. Data retention
- Payroll and tax records: 5 years (required by SARS and the Tax Administration Act).
- Account information: Duration of subscription plus 90 days after cancellation.
- Security logs: 12 months.
6. Your rights under POPIA
As a data subject under POPIA, you have the right to:
- Access (Section 23): Request a copy of all personal information we hold about you.
- Correction (Section 24): Request that inaccurate or incomplete information be corrected.
- Deletion (Section 24): Request deletion of your personal information, subject to our legal retention obligations.
- Objection (Section 11): Object to the processing of your personal information.
- Portability: Receive your personal data in CSV or JSON format.
Employees can exercise these rights directly in the Employee Portal under Privacy & Data. For all other queries, email us at privacy@veritypay.co.za.
7. Security
- AES-256 encryption for all PII fields at the application layer
- TLS 1.3 for all data in transit
- Secure, HttpOnly, SameSite cookies for session management
- Role-based access control — users can only access their own organisation's data
- Two-person approval rule for all payroll runs
- Idempotency keys on all financial operations
8. Cookies
VerityPay uses only essential cookies required for authentication and security. We do not use advertising cookies, third-party tracking cookies, or any cookies that identify individuals for marketing purposes.