Contact / Demo
Effective Date: 27 October 2025
Legal Entity: Worksy (Pty) Ltd.
Website: www.worksynow.com
Postal Address: 18 Klaasenbosch Drive, Constantia,
Cape Town, South Africa, 7800
Primary Contact: Gysbert Kappers -
gys@worksynow.com
Data Protection Officer: Ferdinand Steenkamp -
ferdi@worksynow.com
EU / UK Representative: Not appointed (not required
at this time; this page will be updated if that
changes).
We process personal information only to deliver messages and support employer requested HR workflows (e.g., payslips, leave).
We use communications and hosting vendors strictly to provide the Services; they may not use data for their own purposes.
Message content is end-to-end encrypted in transit within WhatsApp; however, cloud backups are not end-to-end encrypted by default unless the user enables encrypted backups in WhatsApp settings.
Because Worksy processes at the employer’s instruction, exact fields depend on the employer’s SAP configuration and the specific HR workflow.
Name, mobile number (WhatsApp contact), employee or payroll ID, email (if provided for support).
Payslip lines (earnings/deductions/net), employment status, job title, leave balances/requests, dates, supervisor/approver details.
Timestamps, delivery status, sender/recipient identifiers, error codes.
Minimal logs and security telemetry (IP address, user agent) when you visit our site.
We do not intentionally collect precise geolocation,
advertising identifiers, behavioral profiles, or
unrelated analytics via the Service. We do not
record audio/visual content and do not conduct
automated decision‑making that produces legal or
similarly significant effects.
Special/sensitive data: Payslips or HR updates may
include sensitive elements (e.g., government ID,
bank account fragments, union dues), provided by the
employer. Where such data is present, we process it
solely to transmit it as instructed and apply
heightened safeguards.
No marketing: We do not send marketing via the
Service, and we do not run advertising
or analytics that profile workers.
Service delivery (core): receive HR payloads from the employer’s SAP and deliver securely to the employee’s WhatsApp, process leave flows, and provide confirmations/status to the employer.
Performance of a contract (with the employer) and legitimate interests (secure, reliable delivery) as a processor; for our own security logs as controller, legitimate interests and legal obligation.
Processing is lawful and minimal to fulfill the employer’s mandate; operators must process with knowledge/authorization and apply appropriate security.
Support, security & compliance: logging, fraud/abuse prevention, incident response, audits, and legal compliance.
Legitimate interests; legal obligation.
Security safeguard and accountability duties.
We do not sell or share personal information for cross‑context behavioral advertising.
To provide status, confirmations, and audit evidence they request.
Secure hosting, logging/monitoring, and communications providers (e.g., messaging platforms and telecommunications carriers) strictly for message delivery; contractual terms prohibit use for independent purposes.
If required by law or to protect rights, safety, and integrity of the Services.
Under POPIA (South Africa): If personal information
is transferred outside South Africa, Worksy (as
operator) supports the employer (responsible party)
to ensure a lawful mechanism under POPIA s72 (e.g.,
adequate protection in the recipient country,
contractual safeguards, or data subject consent).
Under GDPR/UK GDPR: Where EU/UK data are processed
in or accessed from South Africa or the United
States, Worksy uses the European Commission Standard
Contractual Clauses (SCCs) (and the UK
Addendum/IDTA) plus appropriate supplementary
measures.
Message payloads (content): retained only transiently for delivery/retries and troubleshooting, then automatically deleted within 72 hours (configurable per customer contract).
Delivery metadata & security logs: retained for 12 months to evidence delivery, defend legal claims, and ensure service stability.
Website logs: 30 days unless needed longer for security.
Where law requires longer retention (e.g., tax/audit) we keep only what’s necessary, then delete or properly anonymize.
We implement administrative, technical, and physical
safeguards appropriate to the risks, including
encryption in transit, hardened infrastructure,
access controls (least privilege), monitoring, and
employee training.
No method is 100% secure; customers should maintain
appropriate HR security policies and employee
guidance (e.g., WhatsApp backup encryption, device
locks).
Our Service (WhatsApp workflows) does not use advertising cookies. Our website may use strictly necessary and limited analytics cookies to operate and understand site performance. Where required by law (e.g., EU/UK), we obtain consent through a cookie banner before setting non‑essential cookies.
South Africa (POPIA): Data subjects have rights to
be informed, access, correct, object to processing,
and request deletion (subject to legal limitations).
You may also lodge a complaint with the Information
Regulator (South Africa):
Information Regulator (South Africa)
Woodmead North Office Park, 54 Maxwell Drive,
Woodmead, Johannesburg, 2191
General enquiries: enquiries@inforegulator.org.za |
010 023 5200 POPIA
complaints: POPIAComplaints@inforegulator.org.za EEA/UK
(GDPR/UK GDPR): Depending on your location, you may
have rights to access, rectify, erase, restrict,
port, and object, and withdraw consent where
processing is based on consent. You may lodge a
complaint with your local supervisory authority.
United States (state privacy laws): If/when Worksy
becomes subject to relevant U.S. state privacy laws,
residents may have rights to access, delete,
correct, and opt out of certain processing. We do
not sell or share personal information, and we do
not use personal information for targeted
advertising.
How to exercise rights (all regions):
Email Ferdi@worksynow.com (DPO)
or Gys@worksynow.com with your request. If your
request pertains to data that your employer
controls, we will notify and assist your employer,
who will respond as the Controller/Responsible
Party.
When Worksy receives HR data from an employer’s SAP environment (“Customer Data”), we act solely on written instructions under our Data Processing Addendum (DPA) and customer agreement. The employer is responsible for the lawful basis, notices to employees, and data subject rights.
Worksy uses vetted vendors (hosting, logging, and
communications providers such as messaging
platforms/carriers) that act as processors/service
providers under written terms. A current list of
subprocessors is available from our DPO upon
request. We require contractual SCCs/UK Addendum or
equivalent safeguards for international transfers,
where applicable.
WhatsApp note: WhatsApp provides end‑to‑end
encrypted message delivery, but users should enable
end‑to‑end encrypted backups to protect cloud
backups.
For website visitors in jurisdictions recognizing Global Privacy Control (GPC) signals, we treat a valid GPC signal as an opt‑out of sale/share/targeted advertising (we don’t do these, but we honor the signal for compatibility).
We may update this Policy to reflect changes to our Services or legal requirements. We will post updates here and revise the Effective date above. If changes materially affect how we process your information, we will provide additional notice.