Sino Pass SA — Privacy Policy
Effective Date: 27 April 2026 | Version 1.0 | POPIA Compliant
Sino Pass SA is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform.
1. Who We Are
Sino Pass SA is a brand operated by The San Scribe Pty Ltd, providing a sovereign compliance intelligence platform for agricultural exporters trading with China. We are based in Cape Town, South Africa, and operate in full compliance with the Protection of Personal Information Act 4 of 2013 (POPIA).
For the purposes of POPIA, Sino Pass SA is the Responsible Party for the personal information collected through the Platform.
2. What Personal Information We Collect
2.1 Information You Provide Directly
When you create an account, subscribe to a service, or contact us, we may collect:
- Full name and job title
- Business name, registration number, and business address
- Email address and telephone number
- Billing information (processed securely by PayFast — we do not store full payment card details)
- Export-related documentation you upload to the Platform
- Communications preferences
2.2 Information Generated by Your Use of the Platform
We automatically collect certain information when you use the Platform, including:
- Login timestamps and session duration
- Pages and features accessed
- Evidence registration activity and document metadata
- Compliance audit results and readiness scores
- Subscription status and payment history
2.3 Information From Automated Sources
We may collect technical information automatically, including your IP address, browser type and version, device type, operating system, and usage patterns. This information helps us improve the Platform and diagnose technical issues.
3. How We Use Your Personal Information
3.1 Service Delivery
To create and maintain your account, process subscriptions, provide the Intelligence Dashboard, register evidence, conduct GACC Concierge Audits, and deliver all Platform features.
3.2 Communication
To send service-related communications (account verification, payment receipts, subscription updates, security alerts) and, with your consent, marketing communications about Platform features and industry intelligence.
3.3 Platform Improvement
To analyse usage patterns, identify technical issues, and improve the Platform's functionality, user experience, and intelligence accuracy.
3.4 Legal Compliance
To comply with applicable legal obligations, including POPIA requirements, tax regulations, and lawful requests from regulatory authorities.
4. Legal Basis for Processing (POPIA)
Under POPIA, we process your personal information on the following lawful bases:
- Consent: Where you have given us explicit consent to process your information for a specific purpose.
- Contractual necessity: Where processing is necessary to perform our obligations under the Terms of Service.
- Legal obligation: Where processing is required to comply with applicable laws and regulations.
- Legitimate interest: Where processing is necessary for our legitimate business interests, provided such interests do not override your rights and freedoms.
5. Who We Share Your Information With
5.1 Service Providers
We engage trusted third-party service providers to help us operate the Platform. These include:
- PayFast (South Africa) — Payment processing. PayFast is PCI DSS compliant.
- Zoho CRM (India/USA) — Customer relationship management.
- AWS Africa (Cape Town) — Cloud infrastructure and data hosting.
- Supabase — Database and authentication services.
- Vercel — Application hosting and deployment.
All service providers are contractually bound to process your information only on our instructions and to maintain appropriate security measures.
5.2 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal requests by public authorities (e.g., a court order or regulatory demand).
5.3 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.
6. Data Storage and Security
6.1 Where Your Data Is Stored
Your personal information is primarily stored in South Africa (AWS Africa — Cape Town region). Certain data may be processed or stored in the United States and India through our service providers (Zoho, Vercel). Where data is transferred across borders, we ensure appropriate safeguards are in place in compliance with POPIA Section 72.
6.2 How We Protect Your Data
We implement appropriate technical and organisational security measures to protect your personal information, including:
- SHA-256 hashing for document integrity verification
- HMAC-SHA256 authentication for API access
- TLS 1.3 encryption for all data in transit
- Encryption at rest for stored data
- Access controls and authentication protocols
- Regular security audits and penetration testing
- Staff training on data protection and POPIA compliance
6.3 Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. After account closure, we retain your information for a period of 12 months to comply with legal obligations, resolve disputes, and enforce our agreements. After this period, your information will be securely deleted or anonymised.
Evidence registration records and cryptographic hashes may be retained indefinitely for integrity verification purposes, as these constitute immutable audit trails.
7. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights:
- Right to Access: You may request a copy of the personal information we hold about you.
- Right to Correction: You may request that we correct any inaccurate or incomplete personal information.
- Right to Deletion: You may request that we delete your personal information, subject to legal retention requirements.
- Right to Object: You may object to the processing of your personal information for direct marketing purposes.
- Right to Restrict Processing: You may request that we restrict the processing of your personal information in certain circumstances.
- Right to Data Portability: You may request your personal information in a structured, commonly used, machine-readable format.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time.
- Right to Complain: You have the right to lodge a complaint with the Information Regulator (South Africa) if you believe we have violated your data protection rights.
To exercise any of these rights, please contact us at privacy@sinopass.co.za. We will respond to your request within 30 days as required by POPIA.
8. Cookies and Tracking
The Platform uses essential cookies required for authentication, session management, and security. We may also use analytics cookies to understand how the Platform is used and to improve our service.
You can control cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Platform.
9. International Data Transfers
Where your personal information is transferred outside South Africa, we ensure that:
- The recipient is subject to a law, binding corporate rules, or agreement which provides an adequate level of protection comparable to POPIA; or
- Your consent has been obtained for the specific transfer; or
- The transfer is necessary for the performance of a contract with you.
10. Children's Privacy
The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email and/or a notice on the Platform at least 14 days before the changes take effect. We encourage you to review this Policy periodically.
12. Contact and Complaints
If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:
Sino Pass SA
Cape Town, South Africa
Email: privacy@sinopass.co.za
Information Regulator (South Africa)
You have the right to lodge a complaint with the Information Regulator:
Website: www.justice.gov.za/inforeg/
For sales and general inquiries, please visit our Support Centre.