Privacy Policy
This Privacy Policy describes how Zavon Holdings Group (Pty) Ltd ("Zavon Holdings", "we", "us", or "our"), the operator of the BantuHR platform ("BantuHR" or "the Platform"), collects, processes, stores, and discloses personal information. It applies to every visitor to bantuhr.com, every customer organisation that subscribes to the Platform, and every worker whose data is processed through it.
We comply with the Protection of Personal Information Act, 2013 (POPIA) of the Republic of South Africa. Where another jurisdiction's data-protection law also applies to a particular processing activity, we comply with the stricter standard.
1. Definitions
Personal information has the meaning given in POPIA: information relating to an identifiable natural person or an identifiable existing juristic person.
Responsible Party has the meaning given in POPIA: a public or private body which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
Operator has the meaning given in POPIA: a person who processes personal information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party.
Customer means an organisation that has entered into a subscription contract with Zavon Holdings to use BantuHR. Customers are Responsible Parties for the personal information of their workers and their workers' dependants.
Worker means any natural person whose employment, contract, or engagement is recorded on BantuHR by a Customer. Workers may also include applicants, contractors, dependants, and emergency contacts whose information a Customer enters into the Platform.
Visitor means any natural person who visits bantuhr.com or accesses the marketing site without holding an active account.
2. Roles under POPIA
Zavon Holdings holds two distinct roles depending on the personal information in question.
For information about Customers and their representatives (the natural persons who sign up, configure, and operate a BantuHR tenant on behalf of their organisation), Zavon Holdings is the Responsible Party. We determine why and how that information is processed.
For information about Workers, applicants, dependants, and other natural persons whose data the Customer uploads, enters, or generates on the Platform, Zavon Holdings is the Operator. The Customer is the Responsible Party for that data; we process it only on the Customer's instructions and only for the purposes set out in the subscription contract.
This split matters in practice. If you are a Worker whose data is on BantuHR because your employer uses it for HR, your first point of contact for access, correction, or deletion of your data is your employer — they are accountable for it under POPIA. We will assist your employer in responding to your request, but we will not act on it without their authority.
3. Information we collect
About Customer representatives:
- Account creation details: full name, work email address, password (stored as a salted bcrypt hash; we never store the plaintext), and the organisation name and slug they choose at signup.
- Communication preferences and language settings.
- Billing information if the Customer subscribes to a paid plan: card token from our payment processor (we do not store full card numbers), billing address, and invoicing history.
- Diagnostic information about how the representative uses the Platform: pages visited, features used, broad usage timings. This is collected for product improvement only and is never sold.
About Workers (collected on the Customer's behalf, under the Customer's authority):
- Identity information: full name, identity number or passport number, date of birth, nationality, residential and postal address.
- Contact information: personal and work phone, personal and work email, emergency contact details.
- Employment information: job title, business unit, department, team, reporting line, start date, employment type, contract terms, pay band placement.
- Compensation information: cost-to-company, salary, allowances, deductions, payroll history.
- Time, attendance, and leave information: schedules, clock events, leave requests, leave balances.
- Documents: contracts, ID copies, qualifications, banking confirmations, and other HR documents the Worker or the Customer chooses to upload.
- Communications: workflow messages, leave-request comments, and other system-generated correspondence routed through the Platform.
About Visitors:
- Standard server logs (IP address, browser user-agent, referring page, timestamps) for security monitoring and aggregate analytics.
- Cookies as described in section 9.
4. Lawful basis for processing
Each processing activity rests on at least one of the lawful grounds in section 11 of POPIA. The basis depends on the activity.
- Performance of a contract — for processing necessary to provide BantuHR to a Customer who has subscribed.
- Compliance with a legal obligation — for processing required by South African labour, tax, or other law (for example, generating EMP201 monthly worksheets for SARS, or retaining payroll records for the period prescribed by the Basic Conditions of Employment Act).
- Legitimate interest — for product analytics, security monitoring, fraud prevention, and improvement of the Platform, balanced against the data subject's rights and freedoms.
- Consent — for marketing communications and for any processing that does not have another lawful ground.
5. How we use the information
We process personal information for the following purposes:
- Operating, maintaining, and improving the Platform.
- Authenticating users, securing accounts, and preventing fraud and abuse.
- Generating payslips, leave records, EMP201 worksheets, and other HR documents the Customer requires.
- Sending transactional emails (verification links, password resets, invitations, payslip-ready notices, workflow updates).
- Responding to support requests and customer-service queries.
- Complying with applicable laws and responding to lawful requests from regulators, law enforcement, or courts.
- Conducting product research and analysis on a de-identified, aggregated basis.
We do not sell personal information. We do not use Worker personal information to train models that are made available to other Customers.
6. Sharing and disclosure
We share personal information only as follows.
Sub-processors. We use a small number of carefully selected sub-processors to host, process, and deliver the Platform. Each is bound by a written agreement that requires them to apply equivalent or stronger safeguards than this Policy and POPIA require. Our current list of material sub-processors includes:
- Amazon Web Services — primary cloud hosting (Cape Town region by default).
- Paystack — payment processing for subscription billing.
- SendGrid — transactional email delivery.
We maintain an up-to-date sub-processor list and notify Customers of any material additions or changes at least 30 days in advance.
Other Customers and Customer staff. Worker information is visible to other authorised users of the same Customer's BantuHR tenant, according to that Customer's permission settings. We never expose one Customer's data to another Customer.
Legal disclosure. We may disclose personal information when required by law, court order, or a regulatory authority with jurisdiction over us. Where the law allows, we will notify the affected Customer before disclosure so they can challenge the request.
Business transfers. If Zavon Holdings is involved in a merger, acquisition, or sale of all or part of its business, personal information may transfer to the successor entity. The successor remains bound by the protections in this Policy and POPIA.
7. Cross-border transfer
The primary hosting region for BantuHR is AWS Cape Town (af-south-1), which keeps Customer data inside South Africa for most processing. Some sub-processors (transactional email, error reporting, customer-support tooling) may process limited personal information outside South Africa. Where we transfer personal information across borders, we do so only:
- to a country that the Information Regulator has determined provides adequate protection;
- to a sub-processor bound by binding corporate rules or equivalent contractual safeguards; or
- with the data subject's consent.
8. Retention
We retain Customer-account information for as long as the Customer's subscription is active and for 12 months after termination, to support reactivation requests and to comply with audit obligations. After that window, we delete the account and associated metadata, except where law requires longer retention.
Worker information is retained for the duration of the Customer's subscription and is then handed back to the Customer in a portable format. The Customer is responsible for retaining payroll, attendance, and tax records for the periods prescribed by South African law (typically five years for SARS purposes; longer for some BCEA records).
9. Cookies and similar technologies
The marketing site (bantuhr.com) uses a minimal set of cookies for session continuity and aggregate visitor analytics. The Platform itself uses session cookies and a JWT in browser storage to keep users signed in. We do not use third-party advertising cookies and do not participate in cross-site tracking networks.
10. Security
We protect personal information through a layered set of controls:
- In transit: all connections to BantuHR use TLS 1.2 or higher. The marketing site enforces HSTS.
- At rest: the production database is encrypted at the storage layer; backups are encrypted with separately managed keys.
- Authentication: passwords are hashed with bcrypt (cost factor 10 or higher). Magic-link email verification is required at signup. Active sessions can be revoked from the Active Sessions panel.
- Access: Zavon Holdings staff access to production systems is limited to a small number of personnel with documented operational need. Every authorisation decision in the IAM layer is recorded in an append-only audit log retained for at least seven years.
- Storage: South African ID numbers and similar high-sensitivity identifiers are masked outside the Worker's own session. Payslips are immutable snapshots taken at finalisation (no live joins to employee data), so a later privilege change cannot retroactively expose a Worker's compensation history.
No system is perfectly secure. We commit to notifying the Information Regulator, affected Customers, and (where required) affected data subjects of any breach in line with section 22 of POPIA.
11. Your rights
If you are a data subject whose personal information we process, POPIA gives you the right to:
- Access the personal information we hold about you.
- Correct or update inaccurate or incomplete information.
- Delete information that is no longer needed for its original purpose, subject to retention required by law.
- Object to processing on legitimate-interest or direct-marketing grounds.
- Lodge a complaint with the Information Regulator if you believe we have processed your information unlawfully.
If you are a Worker whose data is on BantuHR through your employer, please direct access, correction, and deletion requests to your employer in the first instance — they are the Responsible Party for your data.
If you are a Customer representative, you can exercise these rights by writing to our Information Officer using the contact details in section 13.
12. Children
BantuHR is not directed at children. We do not knowingly collect information from anyone under the age of 18 in their own right. Worker dependants under 18 may appear on a Customer's records where required for HR purposes (medical-aid dependants, beneficiaries); that information is processed under the Worker's authority and the Customer's instructions.
13. Contact
Information Officer
Zavon Holdings Group (Pty) Ltd
Email: privacy@bantuhr.com

Information Regulator of South Africa
Web: https://inforegulator.org.za
Email: complaints.IR@justice.gov.za
14. Changes to this Policy
We may update this Policy from time to time. The "Effective Date" at the top reflects the date of the current version. Material changes will be notified to Customers at least 30 days before they take effect.