Privacy Policy — Worksy (Pty) Ltd.

Last Updated: 2025-10-27

Key Details

  • Effective date: 27 October 2025
  • Legal entity: Worksy (Pty) Ltd.
  • Website: www.worksynow.com
  • Postal address: 18 Klaasenbosch Drive, Constantia, Cape Town, South Africa, 7800
  • Primary contact: Gysbert Kappers — Gys@worksynow.com
  • Data Protection Officer (DPO): Mr. Ferdinand Steenkamp — Ferdi@worksynow.com
  • EU/UK Representative: Not appointed (not required at this time; this page will be updated if that changes).

1) Who We Are and Scope

This Privacy Policy explains how Worksy (Pty) Ltd. (“Worksy”, “we”, “us”, “our”) processes personal information when we provide our Worksy WhatsApp/SAP application and related services (the “Services”), and when you visit www.worksynow.com.

What we do: Worksy relays HR information from SAP to an employee’s personal WhatsApp on their personal mobile phone at the direction of our business customer (the employer). Typical use cases are payslip delivery and leave processing. Worksy does not conduct marketing, advertising, or profiling via the Services, and does not sell or share personal information for cross‑context behavioral advertising.

Role: For HR data we transmit on behalf of an employer, the employer is the Controller/Responsible Party and Worksy is a Processor/Operator under a written data processing agreement. For our website, support, security and service logs, Worksy acts as the Controller/Responsible Party.

2) Quick Summary (No Marketing; No Selling or Sharing)

  • No ads, no retargeting, no sale/share of personal information.
  • Use limitation: We process personal information only to deliver messages and support employer‑requested HR workflows (e.g., payslips, leave).
  • Vendors: We use communications and hosting vendors strictly to provide the Services; they may not use data for their own purposes.
  • WhatsApp: Message content is end‑to‑end encrypted in transit within WhatsApp; however, cloud backups are not end‑to‑end encrypted by default unless the user enables end‑to‑end encrypted backups in WhatsApp settings.

3) What Data We Process

Because Worksy processes at the employer’s instruction, exact fields depend on the employer’s SAP configuration and the specific HR workflow. Typical categories include:

  • Identifiers & contact: name, mobile number (WhatsApp contact), employee or payroll ID, email (if provided for support).
  • Employment & HR records: payslip lines (earnings/deductions/net), employment status, job title, leave balances/requests, dates, supervisor/approver details.
  • Message metadata (service logs): timestamps, delivery status, sender/recipient identifiers, error codes.
  • Website diagnostics: minimal logs and security telemetry (IP address, user agent) when you visit our site.

We do not intentionally collect precise geolocation, advertising identifiers, behavioral profiles, or unrelated analytics via the Service. We do not record audio/visual content and do not conduct automated decision‑making that produces legal or similarly significant effects.

Special/sensitive data: Payslips or HR updates may include sensitive elements (e.g., government ID, bank account fragments, union dues), provided by the employer. Where such data is present, we process it solely to transmit it as instructed and apply heightened safeguards.

4) Sources

  • Employer (Controller) via SAP and HR systems.
  • Automatically through our service/application logs to operate, secure and troubleshoot the Services.
  • You (end users) if you contact Worksy support directly.

5) Purposes and Legal Bases

Service delivery (core): receive HR payloads from the employer’s SAP and deliver securely to the employee’s WhatsApp, process leave flows, and provide confirmations/status to the employer.

  • GDPR legal bases: Performance of a contract (with the employer) and legitimate interests (secure, reliable delivery) as a processor; for our own security logs as controller, legitimate interests and legal obligation.
  • POPIA: processing is lawful and minimal to fulfill the employer’s mandate; operators must process with knowledge/authorization and apply appropriate security.

Support, security & compliance: logging, fraud/abuse prevention, incident response, audits, and legal compliance.

  • GDPR: legitimate interests; legal obligation.
  • POPIA: security safeguard and accountability duties.

No marketing: We do not send marketing via the Service, and we do not run advertising or analytics that profile workers.

6) WhatsApp Delivery — Important Security Notes for Employees

  • End‑to‑end encryption: WhatsApp messages are end‑to‑end encrypted; Worksy cannot read message content once handed off to WhatsApp.
  • Backups: Cloud backups (iCloud/Google Drive) are not end‑to‑end encrypted by default; users should enable “End‑to‑end encrypted backup” in WhatsApp: Settings → Chats → Chat Backup → End‑to‑end encrypted backup.
  • Device practices: set a device screen lock/biometric, keep OS/WhatsApp updated, and avoid forwarding HR messages.

Scope boundary: HR data stored on the employee’s personal device/cloud is outside Worksy’s control. We relay content securely; storage thereafter is governed by the user’s device/app settings and WhatsApp’s policies.

7) Disclosures of Personal Information

  • Employers (Controllers): to provide status, confirmations, and audit evidence they request.
  • Vendors/Processors: secure hosting, logging/monitoring, and communications providers (e.g., messaging platforms and telecommunications carriers) strictly for message delivery; contractual terms prohibit use for independent purposes.
  • Legal & safety: if required by law or to protect rights, safety, and integrity of the Services.

We do not sell or share personal information for cross‑context behavioral advertising.

8) International Transfers

Under POPIA (South Africa): If personal information is transferred outside South Africa, Worksy (as operator) supports the employer (responsible party) to ensure a lawful mechanism under POPIA s72 (e.g., adequate protection in the recipient country, contractual safeguards, or data subject consent).

Under GDPR/UK GDPR: Where EU/UK data are processed in or accessed from South Africa or the United States, Worksy uses the European Commission Standard Contractual Clauses (SCCs) (and the UK Addendum/IDTA) plus appropriate supplementary measures.

9) Retention

  • Message payloads (content): retained only transiently for delivery/retries and troubleshooting, then automatically deleted within 72 hours (configurable per customer contract).
  • Delivery metadata & security logs: retained for 12 months to evidence delivery, defend legal claims, and ensure service stability.
  • Website logs: 30 days unless needed longer for security.

Where law requires longer retention (e.g., tax/audit) we keep only what’s necessary, then delete or properly anonymize.

10) Security

We implement administrative, technical, and physical safeguards appropriate to the risks, including encryption in transit, hardened infrastructure, access controls (least privilege), monitoring, and employee training. No method is 100% secure; customers should maintain appropriate HR security policies and employee guidance (e.g., WhatsApp backup encryption, device locks).

11) Cookies and Site Analytics

Our Service (WhatsApp workflows) does not use advertising cookies. Our website may use strictly necessary and limited analytics cookies to operate and understand site performance. Where required by law (e.g., EU/UK), we obtain consent through a cookie banner before setting non‑essential cookies.

12) Your Privacy Rights

South Africa (POPIA): Data subjects have rights to be informed, access, correct, object to processing, and request deletion (subject to legal limitations). You may also lodge a complaint with the Information Regulator (South Africa):

Information Regulator (South Africa)

Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg, 2191

General enquiries: enquiries@inforegulator.org.za | 010 023 5200

POPIA complaints: POPIAComplaints@inforegulator.org.za

EEA/UK (GDPR/UK GDPR): Depending on your location, you may have rights to access, rectify, erase, restrict, port, and object, and withdraw consent where processing is based on consent. You may lodge a complaint with your local supervisory authority.

United States (state privacy laws): If/when Worksy becomes subject to relevant U.S. state privacy laws, residents may have rights to access, delete, correct, and opt out of certain processing. We do not sell or share personal information, and we do not use personal information for targeted advertising.

How to exercise rights (all regions): Email Ferdi@worksynow.com (DPO) or Gys@worksynow.com with your request. If your request pertains to data that your employer controls, we will notify and assist your employer, who will respond as the Controller/Responsible Party.

13) Children

The Services are for workplace communications with employed individuals and are not directed to children.

14) Our Role as Processor/Operator (Customer Data)

When Worksy receives HR data from an employer’s SAP environment (“Customer Data”), we act solely on written instructions under our Data Processing Addendum (DPA) and customer agreement. The employer is responsible for the lawful basis, notices to employees, and data subject rights. Worksy:

  • processes Customer Data only to provide and support the Services;
  • does not combine Customer Data with other datasets for unrelated purposes;
  • imposes confidentiality and security obligations on personnel and subprocessors;
  • assists with data subject requests and incident response as required by law/contract.

15) Subprocessors & Third‑Party Services

Worksy uses vetted vendors (hosting, logging, and communications providers such as messaging platforms/carriers) that act as processors/service providers under written terms. A current list of subprocessors is available from our DPO upon request. We require contractual SCCs/UK Addendum or equivalent safeguards for international transfers, where applicable.

WhatsApp note: WhatsApp provides end‑to‑end encrypted message delivery, but users should enable end‑to‑end encrypted backups to protect cloud backups.

16) International Data Subject Requests and GPC

For website visitors in jurisdictions recognizing Global Privacy Control (GPC) signals, we treat a valid GPC signal as an opt‑out of sale/share/targeted advertising (we don’t do these, but we honor the signal for compatibility).

17) Changes to This Policy

We may update this Policy to reflect changes to our Services or legal requirements. We will post updates here and revise the Effective date above. If changes materially affect how we process your information, we will provide additional notice.

18) Contact Us

Worksy (Pty) Ltd.

18 Klaasenbosch Drive, Constantia, Cape Town, South Africa, 7800

Primary contact: Gysbert Kappers — Gys@worksynow.com

DPO: Mr. Ferdinand Steenkamp — Ferdi@worksynow.com

To complain in South Africa: Contact the Information Regulator (SA), Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg, 2191; POPIAComplaints@inforegulator.org.za; 010 023 5200.
