Key Details

Effective Date: 27 October 2025
Legal Entity: Worksy (Pty) Ltd.
Website: www.worksynow.com
Postal Address: 18 Klaasenbosch Drive, Constantia, Cape Town, South Africa, 7800

Contact

Primary Contact: Gysbert Kappers - gys@worksynow.com
Data Protection Officer: Ferdinand Steenkamp - ferdi@worksynow.com
EU / UK Representative: Not appointed (not required at this time; this page will be updated if that changes).

Quick Summary
No Marketing | No Selling | No Sharing of Personal Information

Use Limitation

We process personal information only to deliver messages and support employer requested HR workflows (e.g., payslips, leave).

Vendors

We use communications and hosting vendors strictly to provide the Services; they may not use data for their own purposes.

WhatsApp

Message content is end-to-end encrypted in transit within WhatsApp; however, cloud backups are not end-to-end encrypted by default unless the user enables encrypted backups in WhatsApp settings.

Privacy Policy

What Data We Process

Because Worksy processes at the employer’s instruction, exact fields depend on the employer’s SAP configuration and the specific HR workflow. 

01

IDENTIFIERS + CONTACT

Name, mobile number (WhatsApp contact), employee or payroll ID, email (if provided for support).

02

EMPLOYMENT + HR RECORDS

Payslip lines (earnings/deductions/net), employment status, job title, leave balances/requests, dates, supervisor/approver details.

03

MESSAGE METADATA

Timestamps, delivery status, sender/recipient identifiers, error codes.

04

WEBSITE DIAGNOSTICS

Minimal logs and security telemetry (IP address, user agent) when you visit our site.

We do not intentionally collect precise geolocation, advertising identifiers, behavioral profiles, or unrelated analytics via the Service. We do not record audio/visual content and do not conduct automated decision‑making that produces legal or similarly significant effects.

Special/sensitive data: Payslips or HR updates may include sensitive elements (e.g., government ID, bank account fragments, union dues), provided by the employer. Where such data is present, we process it solely to transmit it as instructed and apply heightened safeguards.

Purposes + Legal Bases

No marketing: We do not send marketing via the Service, and we do not run advertising
or analytics that profile workers.

Service delivery (core): receive HR payloads from the employer’s SAP and deliver securely to the employee’s WhatsApp, process leave flows, and provide confirmations/status to the employer.

GDPR LEGAL BASES

Performance of a contract (with the employer) and legitimate interests (secure, reliable delivery) as a processor; for our own security logs as controller, legitimate interests and legal obligation.

POPIA

Processing is lawful and minimal to fulfill the employer’s mandate; operators must process with knowledge/authorization and apply appropriate security.

Support, security & compliance: logging, fraud/abuse prevention, incident response, audits, and legal compliance.

GDPR

Legitimate interests; legal obligation.

POPIA

Security safeguard and accountability duties.

WhatsApp Delivery

End‑to‑end encryption

WhatsApp messages are end-to-end encrypted; Worksy cannot read message content once handed off to WhatsApp.

Backups

Cloud backups (iCloud/Google Drive) are not end‑to‑end encrypted by default; users should enable “End‑to‑end encrypted backup” in WhatsApp: Settings → Chats → Chat Backup → End‑to‑end encrypted backup.

Device practices

Set a device screen lock/biometric, keep OS/WhatsApp updated, and avoid forwarding HR messages.

Scope boundary: HR data stored on the employee’s personal device/cloud is outside Worksy’s control. We relay content securely; storage thereafter is governed by the user’s device/app settings and WhatsApp’s policies.

Personal Info Disclosures

We do not sell or share personal information for cross‑context behavioral advertising.

Employers (Controllers)

To provide status, confirmations, and audit evidence they request.

Vendors / Processors

Secure hosting, logging/monitoring, and communications providers (e.g., messaging platforms and telecommunications carriers) strictly for message delivery; contractual terms prohibit use for independent purposes.

Legal and Safety

If required by law or to protect rights, safety, and integrity of the Services.

International Transfers

Under POPIA (South Africa): If personal information is transferred outside South Africa, Worksy (as operator) supports the employer (responsible party) to ensure a lawful mechanism under POPIA s72 (e.g., adequate protection in the recipient country, contractual safeguards, or data subject consent).

Under GDPR/UK GDPR: Where EU/UK data are processed in or accessed from South Africa or the United States, Worksy uses the European Commission Standard Contractual Clauses (SCCs) (and the UK Addendum/IDTA) plus appropriate supplementary measures.

Retention

Message payloads (content): retained only transiently for delivery/retries and troubleshooting, then automatically deleted within 72 hours (configurable per customer contract).

Delivery metadata & security logs: retained for 12 months to evidence delivery, defend legal claims, and ensure service stability.

Website logs: 30 days unless needed longer for security.

Where law requires longer retention (e.g., tax/audit) we keep only what’s necessary, then delete or properly anonymize.

Security

We implement administrative, technical, and physical safeguards appropriate to the risks, including encryption in transit, hardened infrastructure, access controls (least privilege), monitoring, and employee training.

No method is 100% secure; customers should maintain appropriate HR security policies and employee guidance (e.g., WhatsApp backup encryption, device locks).

Cookies + Site Analytics

Our Service (WhatsApp workflows) does not use advertising cookies. Our website may use strictly necessary and limited analytics cookies to operate and understand site performance. Where required by law (e.g., EU/UK), we obtain consent through a cookie banner before setting non‑essential cookies.

Privacy Rights

South Africa (POPIA): Data subjects have rights to be informed, access, correct, object to processing, and request deletion (subject to legal limitations). You may also lodge a complaint with the Information Regulator (South Africa):
Information Regulator (South Africa)

Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg, 2191

General enquiries: enquiries@inforegulator.org.za | 010 023 5200 POPIA complaints: POPIAComplaints@inforegulator.org.za EEA/UK (GDPR/UK GDPR): Depending on your location, you may have rights to access, rectify, erase, restrict, port, and object, and withdraw consent where processing is based on consent. You may lodge a complaint with your local supervisory authority.

United States (state privacy laws): If/when Worksy becomes subject to relevant U.S. state privacy laws, residents may have rights to access, delete, correct, and opt out of certain processing. We do not sell or share personal information, and we do not use personal information for targeted advertising.

How to exercise rights (all regions): Email Ferdi@worksynow.com (DPO) or Gys@worksynow.com with your request. If your request pertains to data that your employer controls, we will notify and assist your employer, who will respond as the Controller/Responsible Party.

Our Processor / Operator Role

When Worksy receives HR data from an employer’s SAP environment (“Customer Data”), we act solely on written instructions under our Data Processing Addendum (DPA) and customer agreement. The employer is responsible for the lawful basis, notices to employees, and data subject rights.

Our Processor / Operator Role

Worksy uses vetted vendors (hosting, logging, and communications providers such as messaging platforms/carriers) that act as processors/service providers under written terms. A current list of subprocessors is available from our DPO upon request. We require contractual SCCs/UK Addendum or equivalent safeguards for international transfers, where applicable.

WhatsApp note: WhatsApp provides end‑to‑end encrypted message delivery, but users should enable end‑to‑end encrypted backups to protect cloud backups.

Global Privacy Control

For website visitors in jurisdictions recognizing Global Privacy Control (GPC) signals, we treat a valid GPC signal as an opt‑out of sale/share/targeted advertising (we don’t do these, but we honor the signal for compatibility).

Changes to Policy

We may update this Policy to reflect changes to our Services or legal requirements. We will post updates here and revise the Effective date above. If changes materially affect how we process your information, we will provide additional notice.