Privacy Policy
Effective date: 8 April 2026 · Last updated: 8 April 2026
Legal entity: These terms apply to Discipline ComplyApp, a product owned and operated by Gingerforge (Pty) Ltd, registration number 2026/155774/07, a private company registered in South Africa.
Gingerforge (Pty) Ltd ("we", "us", "our") operates Discipline ComplyApp, the workplace discipline management platform available at discipline.complyapp.net (the "Service"). This Privacy Policy explains how we collect, use, store, share and protect personal information in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) of South Africa.
1. Information we collect
1.1 Account information
When you register or are registered as a user, we collect:
- Full name
- Email address
- Username
- Password (stored in hashed form only)
1.2 Client (employer) information
- Company name
- Contact name, email address, phone and mobile numbers
- Payment and subscription status
1.3 Employee discipline data
When a disciplinary case is created, we process:
- Employee full name, employee code and staff number
- Employer name
- Transgression details, dates and descriptions
- Financial loss amounts (where applicable)
- Prior warning history
- Hearing details (date, time, location, chairperson)
1.4 Document and signature data
- Generated discipline documents (PDFs)
- Signer names, email addresses and roles
- Signature status and timestamps
1.5 WhatsApp interaction data
When you interact with our WhatsApp chatbot to report workplace incidents, we collect:
- Your WhatsApp phone number
- Your name and employee code (as provided by you)
- Incident details you submit through the conversation
- Message content exchanged during the reporting flow
1.6 Technical data
- IP address and browser type (server logs)
- Access timestamps
2. How we use your information
| Purpose | Legal basis (POPIA) |
|---|---|
| Providing the discipline management service | Contractual obligation (Section 11(1)(b)) |
| AI-powered analysis of discipline cases to recommend appropriate actions under the Labour Relations Act | Legitimate interest (Section 11(1)(f)) |
| Generating and delivering discipline documents via WhatsApp | Contractual obligation (Section 11(1)(b)) |
| Processing incident reports submitted via WhatsApp | Consent / Contractual obligation |
| Electronic document signing workflows | Contractual obligation (Section 11(1)(b)) |
| User authentication and account security | Legitimate interest (Section 11(1)(f)) |
3. Third-party service providers
We share personal information with the following third-party processors solely to operate the Service:
| Provider | Purpose | Data shared |
|---|---|---|
| Meta (WhatsApp Cloud API) | Chatbot messaging, incident reporting, document delivery | Phone numbers, message content, PDF documents |
| Google (Gemini AI) | AI analysis of discipline cases | Employee name, employer, transgression details, warning history (anonymised where possible) |
| OpenAI | AI analysis of discipline cases (alternative provider) | Same as above |
| xAI (Grok) | AI analysis of discipline cases (alternative provider) | Same as above |
| Yoco | Payment processing for subscription billing | Client ID, mobile number, subscription amount (no card data touches our servers) |
These providers process data under their own privacy policies. We only use one AI provider at a time based on system configuration. Data sent to AI providers is used solely for generating disciplinary recommendations and is not used to train AI models where such opt-out mechanisms are available.
4. Data storage and security
- Data is stored on servers located in South Africa.
- Passwords are stored using industry-standard one-way hashing.
- Access to the platform is protected by JWT-based authentication with token expiry.
- Document access tokens are generated using cryptographic UUIDs.
- We implement appropriate technical and organisational measures to protect personal information against unauthorised access, loss or damage.
5. Cross-border data transfers
When AI analysis is performed, discipline case details are transmitted to servers operated by Google, OpenAI or xAI, which may be located outside South Africa. These transfers are conducted in accordance with Section 72 of POPIA, as these providers maintain adequate data protection standards or contractual safeguards.
6. Data retention
- Discipline records and documents: Retained for the duration of the client's subscription and thereafter as required by the Basic Conditions of Employment Act (3 years after termination of employment) or as otherwise required by law.
- Account data: Retained while your account is active. Deleted upon request, subject to legal retention obligations.
- WhatsApp interaction data: Retained for as long as the related incident report exists.
7. Your rights under POPIA
As a data subject, you have the right to:
- Access — Request confirmation of and access to your personal information.
- Correction — Request correction of inaccurate or incomplete information.
- Deletion — Request deletion of your personal information, subject to legal retention requirements.
- Object — Object to the processing of your personal information on reasonable grounds.
- Complain — Lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.
8. Contact us
For any privacy-related enquiries, data-subject access requests, or to exercise any of the rights above, contact us at BUSINESS_EMAIL.