POPIA compliance software for South Africa — without the consulting bill.
Consent ledger, registered Information Officer, retention sweep, subject access exports, deletion execution, breach templates, published PAIA manual. POPIA is not a one-off project — it is an operating posture, and Regalis is built around it.
- POPIA aligned
- PAIA manual published
- Info Officer registered
- Subject access + deletion working

Mechanisms + retention + legal docs + gap-plug — all live and audited internally.
Marketing, TPN, WhatsApp/SMS, DebiCheck, e-signature, cookies, maintenance photos, more.
Every subject access / correction / deletion request is auto-stamped with the POPIA SLA.
POPIA touches every workflow that touches a tenant — which is most of them.
POPIA is not a side-project that lives in a privacy policy PDF. It cuts across the operational workflows of a rental business: capturing an applicant, running a TPN credit check, sending a WhatsApp reminder, storing a maintenance photo, holding a tenant deposit, processing a refund, retaining a lease document, sharing data with a managing agent, contacting an emergency dispatcher. Each of those is processing of personal information, and each has to be defensible.
In practice that means three things. First, you need a clear lawful basis for each processing activity (consent, contract, legal obligation, legitimate interest, vital interest, public interest). Second, you need to be able to prove what was processed, when, on what basis, and on whose authority. Third, you need to honour the rights of the data subject — access, correction, deletion, objection, restriction, opt-out — within 30 days.
Regalis is the operating layer that makes all three deterministic. The consent ledger records every consent and withdrawal. The audit log captures actor + action + diff for sensitive operations. The retention sweep enforces deletion windows. The DSR surface gives subjects a real way to exercise their rights. PAIA is published. The Information Officer is registered.
How POPIA usually goes wrong
- Privacy policy PDF lives on the website but nothing in the platform enforces what it claims.
- Tenant consent is captured on paper at lease signing and never tracked again — the team cannot prove what was agreed when.
- TPN reports sit on hard drives for years past their retention window because nobody implemented an automated sweep.
- A subject access request arrives and the team has 30 days to manually compile data from spreadsheets, emails and screenshots.
- Marketing emails go out to tenants who opted out months ago because the opt-out flag is in the CRM but not in the rent-reminder code.
- A breach happens and the team has to manually draft regulator + data subject notices in the middle of an incident.
How Regalis runs it
- Every consent grant and withdrawal is recorded in the consent ledger, versioned to the disclosure text the subject saw.
- TPN reports expire automatically after 180 days; a legal-hold setting can extend retention for active disputes.
- Subject access requests compile a complete data bundle automatically; deletion anonymises personal information while preserving records you are required to keep.
- Marketing outreach is filtered automatically against the consent ledger — a tenant who withdrew consent is left out without manual effort.
- Breach incidents automatically generate regulator, agency and data-subject notice previews ready to send.
- The PAIA manual is published and the Information Officer is registered (2026-013761); the registration number is shown on the public privacy and PAIA pages.
From collection notice to deletion execution.
Collection notice + consent
Every collection point — apply form, contact form, tenant invite, profile, repair request, signup — mounts the same collection-notice block. When the subject agrees, a consent record is written with timestamp, IP, user agent and the version of the disclosure text.
- Versioned disclosure text
- 12 consent kinds tracked
- Lawful basis stored per record
Retention is enforced automatically
Every sensitive record carries a retention expiry stamped at insert. A daily sweep deletes anything past expiry, blobs first to avoid orphans. A legal-hold flag pauses deletion for records under active dispute.
- Daily retention sweep
- Kind-driven document retention
- Legal-hold opt-out for disputes
Data subject requests
Subjects file requests through the public privacy form, rate-limited against abuse. Each request enters the queue with the statutory 30-day SLA. Access and deletion actions have working execution flows that produce a downloadable bundle or run anonymisation.
- Seven request types
- Identity verification before sensitive actions
- Audit-log entry for every action
Breach response with templates
When an incident is logged with high or critical severity, the platform renders previews of three notices — to the regulator, the agency/insurer, and the data subject — with the Information Officer and incident specifics auto-filled. One click to copy for the regulator email.
- 72h regulator notification SLA
- Three audience templates
- Info Officer auto-interpolated
Every POPIA mechanism the regulation expects.
Consent ledger
Versioned grant and withdrawal records for 12 consent kinds. Stores lawful basis, timestamp, IP and the disclosure-text version the subject saw.
Information Officer surface
Per-organisation Information Officer details, editable from settings. Surfaced on the public privacy centre and the PAIA manual.
PAIA manual
Published PAIA section 51 manual: responsible party, records categories, request procedure, fees, refusal grounds, remedies, oversight by the Information Regulator.
Subject access export
A complete subject-access bundle compiled on demand, identity-verified before execution, uploaded to secure storage and stamped against the request.
Deletion execution
Anonymises personal information on the person/applicant/user records, deletes their documents, blobs, notifications and consents, while retaining lease/payment/ledger rows that have their own legal retention basis.
Retention sweep
Daily sweep deletes expired records — 180-day TPN reports, 365-day applicant records, kind-driven document retention. Legal-hold flag pauses for disputes.
Breach templates
Three audience-specific notices — regulator, agency/insurer, data subject — rendered with the Information Officer and incident specifics auto-filled. One-click copy on the incident page.
Cookie banner
Cookie consent prompt across every public page. Records a cookie consent for signed-in users and remembers the choice — structured to align with POPIA direct-marketing requirements.
Marketing guard
Marketing-style outreach is filtered automatically against the consent ledger, so service messages and marketing stay separated — designed to support POPIA direct-marketing rules by default.
Audit log
Every sensitive view (credit-report view, document download, statement download) and change captures who did it, what they did and what changed.
Subprocessor register
A live register of vendor data processors, published for any subject to inspect.
DPA template
Customer-facing data-processing agreement: operator obligations, sub-operators, security measures, breach SLA, 30-day deletion on termination.
Since 2021, PAIA oversight sits with the Information Regulator, not SAHRC.
A common compliance misconception: rental teams still assume PAIA requests get lodged with the South African Human Rights Commission. That changed on 2021-06-30. PAIA oversight transferred to the Information Regulator alongside POPIA. The practical change is small ("publish + keep on file" rather than "lodge with the regulator") but the symbolic shift matters: privacy and access-to-information now have one supervisory authority.
Regalis reflects that in two places. First, the published PAIA manual references the Information Regulator as the oversight body (not SAHRC). Second, the Information Officer registration number — shown on the public privacy centre and PAIA manual — is the regulator-issued registration. For Regalis Property Group the number is 2026-013761, registered on 2026-05-09.
When you set up your own organisation, you can set your own responsible-party name, Information Officer contact details and registration number from your settings. The public privacy and PAIA pages update automatically to reflect the right entity. That keeps the platform usable for both managing agents and landlords managing directly, without forcing every customer to publish a Regalis-branded compliance page.
Continue exploring how Regalis handles the rest of the rental operation.
Tenant screening with TPN
Consent capture, TPN report retention, subject access export — POPIA mechanics applied to applicant data.
Trust accounting
Financial-records retention complements POPIA — lease and payment data retained for the legal basis.
Rental arrears collection
Arrears outreach respects the consent ledger; service messages and marketing are separated.
Common questions about POPIA & PAIA compliance.
Is Regalis designed to support POPIA out of the box?
Yes. POPIA mechanisms are built into the platform: a versioned consent ledger, retention windows enforced automatically every day, a registered Information Officer profile, subject access export, deletion execution, breach notification templates and a public privacy centre with a working data subject request form. The PAIA manual is published and the Information Officer is registered with the Information Regulator. The platform is designed to support POPIA-aligned consent, retention and data-subject workflows.
What is the consent ledger?
A record of every grant and withdrawal of consent — for marketing, TPN screening, WhatsApp/SMS messaging, debit-order mandates, electronic signatures, cookies, maintenance photos, applications and more. Each entry stores the timestamp, IP, user agent and the version of the disclosure text — so you can prove what the subject agreed to and when.
How does automatic retention work?
Regalis checks retention windows every day and removes anything past its limit automatically. TPN credit reports expire after 180 days, applicant records after 365 days, notifications after 180 days, and maintenance records are anonymised. A legal-hold setting pauses deletion for any record under active dispute.
What does a subject access export include?
A subject access request produces a complete bundle covering the subject's applicant and application history, tenant and lease history, payments and ledger entries, maintenance requests, notifications, consents, documents, security incidents and their activity history. The bundle is saved to secure storage and the request marked complete.
And how does deletion work?
POPIA deletion is handled carefully. The platform anonymises personal information on the relevant person, applicant and account records (names, emails and phone numbers are replaced with placeholders) but keeps the underlying lease, payment, ledger and audit records that have their own legal retention basis. Documents, notifications and consents tied to the subject are deleted outright.
How are breaches notified?
When an incident is logged with high or critical severity, the platform renders previews of three notices — to the regulator, your insurer/agency, and the data subject — with the Information Officer details and incident specifics interpolated automatically. One click to copy.
Where is the Information Officer surface?
Each organisation captures its own Information Officer details — name, email, phone, postal address — editable from settings. The public privacy centre surfaces the registered Information Officer and registration number; the published PAIA manual is automatically updated to match.
Can tenants exercise their POPIA rights through the platform?
Yes. A public privacy-request form (rate-limited against abuse) lets data subjects file access, correction, deletion, objection, consent-withdrawal, marketing-opt-out and restriction requests. Each request gets the statutory 30-day SLA. Tenants can also withdraw marketing or service-messaging consent directly from their profile without filing a formal request.
POPIA is not a project.
It is an operating posture.
Walk through the compliance surface — consent ledger, retention sweep, DSR queue, breach templates, PAIA — with someone from the team.