100% lab-tested|1–3 day delivery across SA|Section 21 compliant|POPIA secure|Free shipping over R500|Cash on delivery available|Operator + doctor reviewed|100% lab-tested|1–3 day delivery across SA|Section 21 compliant|POPIA secure|Free shipping over R500|Cash on delivery available|Operator + doctor reviewed
CANNABUBEN
0

Formal disclosure

POPIA Compliance Manual

Effective 15 April 2026

Draft — pending legal review

This document is a working template based on standard South African consumer-retail and Section 21 cannabis-supply practice. It will be reviewed and signed off by a POPIA- and consumer-law-qualified attorney before public launch.

This manual is the formal compliance documentation required of Cannabuben (Pty) Ltd (the "Responsible Party") under the Protection of Personal Information Act, 2013 ("POPIA"). For a plain-language summary written for customers, see the Privacy notice.

1. Responsible Party

Legal entity
Cannabuben (Pty) Ltd
Registration number
To be confirmed prior to launch
Registered address
To be confirmed prior to launch · South Africa
Postal address
To be confirmed prior to launch
Email
privacy@cannabuben.co.za

2. Information Officer

Per POPIA section 56, the Responsible Party has appointed an Information Officer registered with the Information Regulator.

Name
To be appointed prior to launch
Role
Director, Cannabuben (Pty) Ltd
Email
io@cannabuben.co.za

3. Purposes of processing

  • Account management: identification, authentication, communication.
  • Order fulfilment: delivery logistics, tax invoicing.
  • Clinical review: screening, HPCSA practitioner routing, SAHPRA Section 21 application for prescription items.
  • Payment processing: order fees via PayFast or manual bank transfer.
  • Audit and compliance: good-faith records of clinical screening, admin decisions, and SAHPRA submissions.
  • Security: fraud prevention, incident response.
  • Marketing: none. No direct-marketing processing performed.

4. Categories of data subjects

  • Customers holding a Cannabuben account
  • HPCSA-registered doctors on the review panel (when staff of ours)
  • Pharmacy contact persons at dispensing partners

5. Categories of personal information processed

Standard personal information

  • Name, contact details (email, phone)
  • South African ID number (when provided by the customer)
  • Date of birth (for age verification)
  • Shipping address and delivery notes
  • Authentication metadata (IP, device, timestamps)

Special personal information (POPIA section 26)

Health information is processed under the POPIA section 32 healthcare exemption (treatment, care, and medication management by a regulated health practitioner):

  • Clinical-screening questionnaire content
  • HPCSA-practitioner decisions and notes on Rx orders
  • SAHPRA Section 21 application content and reference numbers

6. Recipients of personal information

Operators (POPIA section 30)

  • Supabase Inc — authentication and database hosting
  • PayFast (Pty) Ltd — payment processing
  • Email / transactional-messaging provider
  • Courier partners — The Courier Guy, Aramex (or equivalent)
  • Cloud hosting provider for the application layer

Third parties

  • SAHPRA for Section 21 applications (legal obligation)
  • The HPCSA-registered doctor reviewing a Rx case
  • Licensed pharmacy dispensing a Section 21 prescription
  • SARS for tax records

7. Cross-border transfers (POPIA section 72)

Where any operator stores or processes personal information outside South Africa, we rely on contractual safeguards equivalent to POPIA. Where no such safeguards exist, we obtain consent or rely on another lawful exception under section 72.

8. Security safeguards (POPIA section 19)

  • TLS 1.2+ encryption for all data in transit
  • Encryption at rest at the storage layer
  • Row-level security on customer-scoped data
  • Supabase Auth with magic-link authentication
  • Audit logging of administrative and clinical events
  • Principle of least privilege for staff and operator access
  • Documented incident-response procedure with notification under section 22

9. Retention periods (POPIA section 14)

Clinical records
6 years from last interaction (HPCSA records-management standard)
SAHPRA application records
6 years
Order and audit records
6 years (Consumer Protection Act + Tax Administration Act)
Payment records
5 years (Tax Administration Act, FICA)
Account information
Until deletion request, subject to retention above

10. Data subject rights and request procedures

Data subjects may exercise the rights set out in POPIA sections 23–25 by emailing privacy@cannabuben.co.za. Requests are acknowledged within 5 business days and resolved within 30 calendar days.

For formal access requests, see our PAIA Manual. Data subjects may also lodge a complaint with the Information Regulator (section 11 below).

11. Direct marketing (POPIA section 69)

Cannabuben does not conduct direct marketing by electronic communication. If we introduce such marketing in future, opt-in consent will be obtained and an unsubscribe mechanism provided in every message.

12. Information Regulator contact

Authority
Information Regulator (South Africa)
Website
inforegulator.org.za
Complaints
complaints.IR@justice.gov.za

More disclosures: all legal documents.

Payment:VISAMCAMEXpayFastEFT
Shipping:COURIER GUYARAMEXFASTWAYFree over R500 · 1–3 days
Security:SSLPOPIA