1. Introduction
Webrack (Pty) Ltd ("VerityPay", "we", "us", "our") operates the VerityPay payroll platform at veritypay.co.za. We are committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and all applicable South African data protection legislation.
This Privacy Policy describes what personal information we collect, why we collect it, how we use and protect it, and your rights as a data subject.
2. Information We Collect
2.1 Organisation Account Information
- Organisation name, registration number, and PAYE reference number
- Administrator name, email address, and password (hashed with bcrypt)
- Billing information (processed by Stitch; we store only plan identifiers, not card numbers)
2.2 Employee Information
We process the following employee data on behalf of your organisation as a data processor under POPIA:
- Full name, SA ID number or passport number (AES-256 encrypted at rest)
- Date of birth and gender (required for SARS reporting)
- Contact details: email address, telephone number, physical address
- Employment details: start date, job title, department, remuneration
- Banking details: bank name, account number, account type (AES-256 encrypted at rest)
- Tax information: tax number, PAYE directive number if applicable
- Leave records and payslip history
2.3 Technical Information
- IP addresses and browser information (security logging only)
- Session tokens (stored in secure HttpOnly cookies — not localStorage)
- Anonymised usage logs (pages visited, features used) for product improvement
3. How We Use Your Information
We process personal information only for the following lawful purposes under POPIA:
- Service delivery: Processing payroll, calculating PAYE/UIF/SDL/ETI, generating EMP201 and IRP5 documents, and producing bank EFT files.
- Legal compliance: Meeting our obligations under the Income Tax Act, Basic Conditions of Employment Act, and Unemployment Insurance Act.
- Account management: Creating and managing your subscription, sending product updates, and providing customer support.
- Security: Detecting and preventing fraud, unauthorised access, and misuse of the platform.
- Product improvement: Analysing anonymised usage patterns to improve the product. This data cannot be used to identify individuals.
4. Data Sharing
We do not sell personal information. We share data only with the following parties, and only to the extent necessary:
- Infrastructure: Neon (PostgreSQL hosting, South Africa region), Vercel (application hosting), UploadThing (file storage).
- Communications: Resend (transactional email), Africa's Talking (SMS notifications).
- Payments: Stitch (subscription billing). We do not store card numbers or bank credentials.
- SARS: EMP201 and IRP5 files are generated for you to submit to SARS — we do not submit them on your behalf.
- Legal requirements: Where required by a court order or applicable South African law, we may disclose personal information to the relevant authority.
All sub-processors are contractually bound to protect personal information and may not use it for any purpose other than providing services to VerityPay.
5. Data Retention
- Payroll and tax records: 5 years from date of creation, as required by SARS and the Tax Administration Act.
- Account information: Duration of your subscription plus 90 days after cancellation (to allow re-activation).
- Security logs: 12 months.
After the applicable retention period, data is permanently deleted or irreversibly anonymised. You may request earlier deletion (subject to our legal retention obligations).
6. Your Rights Under POPIA
As a data subject under POPIA, you have the right to:
- Access (Section 23): Request a copy of all personal information we hold about you.
- Correction (Section 24): Request that inaccurate or incomplete information be corrected.
- Deletion (Section 24): Request deletion of your personal information, subject to our legal retention obligations.
- Objection (Section 11): Object to the processing of your personal information where processing is based on legitimate interest.
- Portability: Receive your personal data in a machine-readable format (CSV or JSON).
Employees can exercise these rights directly in the Employee Portal under Privacy & Data. For all other queries, email us at privacy@veritypay.co.za.
You also have the right to lodge a complaint with the Information Regulator of South Africa at www.justice.gov.za/inforeg.
7. Security
We implement industry-standard security measures including:
- AES-256 encryption for all PII fields at the application layer
- TLS 1.3 for all data in transit
- Secure, HttpOnly, SameSite cookies for session management
- Role-based access control — users can only access their own organisation's data
- Two-person approval rule for all payroll runs
- Idempotency keys on all financial operations to prevent duplicate processing
Despite these measures, no system is completely secure. In the event of a data breach that may cause harm to data subjects, we will notify affected users and the Information Regulator as required by POPIA (Section 22).
8. Cookies
VerityPay uses only essential cookies required for authentication and security (session tokens). We do not use advertising cookies, third-party tracking cookies, or any cookies that identify individuals for marketing purposes. Disabling cookies in your browser will prevent you from logging in to the platform.
9. Children
VerityPay is a business service intended for organisations and their employees. We do not knowingly collect personal information from individuals under the age of 18. If you believe a minor's information has been submitted to our platform, please contact us immediately.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email at least 14 days before taking effect. Continued use of VerityPay after the effective date constitutes acceptance of the updated policy. The "Last updated" date at the top of this page reflects the most recent revision.