Privacy Policy — ESG Navigator

Effective Date: 10 February 2026 | Version: 1.0 | Last Updated: 10 February 2026

1. Introduction

TIS Holdings (Pty) Ltd ("TIS Holdings", "we", "us", or "our"), registered in the Republic of South Africa, operates the ESG Navigator platform at esgnavigator.ai ("the Platform"). We are committed to protecting your personal information in accordance with the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) ("POPIA"), the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000) ("PAIA"), and all applicable data protection legislation.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you access or use the Platform.

2. Information Officer

Responsible Party: TIS Holdings (Pty) Ltd

Information Officer: Dr. Terry Ramabulana

Email: terry@tisholdings.co.za

You may contact our Information Officer for any queries regarding this Privacy Policy, to request access to your personal information, or to lodge a complaint.

3. Personal Information We Collect

3.1 Information You Provide

Account Information: Full name, email address, password (stored in hashed form), organisation name, job title, and role designation.
Assessment Data: Responses to ESG compliance questionnaires, uploaded evidence documents, and self-assessment scores submitted through the Platform.
Communication Data: Queries submitted through the AI assistant, support requests, and correspondence with TIS Holdings.

3.2 Information Collected Automatically

Technical Data: IP address, browser type, operating system, device information, and access timestamps.
Usage Data: Pages accessed, features used, session duration, and interaction patterns with the Platform.
Authentication Data: Login timestamps, session tokens, and authentication events for security monitoring.

3.3 Information We Do Not Collect

We do not collect special personal information as defined in POPIA Section 26, including race, ethnic origin, political opinions, religious beliefs, trade union membership, health information, sexual orientation, biometric data, or criminal records — unless explicitly required for a specific ESG assessment and with your express consent.

4. Purpose of Processing

Purpose	Legal Basis (POPIA)
Account creation and authentication	Section 11(1)(a) — Consent
Delivery of ESG compliance assessment services	Section 11(1)(b) — Contractual obligation
AI-powered compliance analysis and recommendations	Section 11(1)(a) — Consent
Platform security, fraud prevention, and access control	Section 11(1)(d) — Legitimate interest
Compliance with legal and regulatory obligations	Section 11(1)(c) — Legal obligation
Service improvement and analytics	Section 11(1)(d) — Legitimate interest
Communication regarding your account and services	Section 11(1)(b) — Contractual obligation

5. AI Processing and Automated Decision-Making

5.1 Use of Artificial Intelligence

The Platform uses AI models, including Anthropic Claude and IBM Watsonx, to provide ESG compliance analysis, risk assessments, and recommendations. When you interact with the AI assistant or submit assessment data:

Your queries and relevant contextual data are transmitted to the AI service provider for processing.
AI-generated outputs are recommendations and analysis — they do not constitute binding legal, financial, or compliance advice.
No automated decisions with legal or similarly significant effects are made without human oversight.

5.2 Your Rights Regarding AI Processing

In accordance with POPIA Section 71, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. You may request human review of any AI-generated assessment or recommendation.

6. Cross-Border Transfer of Personal Information

In accordance with POPIA Section 72, we transfer personal information outside the Republic of South Africa to the following service providers:

Provider	Purpose	Location	Safeguard
Anthropic (Claude AI)	AI processing	United States	Contractual clauses, data minimisation
Amazon Web Services	Infrastructure	Various	AWS DPA, encryption
Neon Tech	Database	United States	Encryption at rest and in transit
Railway	Backend hosting	United States	Environment isolation
Vercel	Frontend hosting	Global CDN	Edge-only static delivery
Cloudflare	Security, DNS	Global	Cloudflare DPA
DRATA	SOC 2 compliance	United States	SOC 2 Type II certified

All cross-border transfers are protected by encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, and data processing agreements with all providers.

7. Data Retention

Data Category	Retention Period
Account information	Active account + 12 months after closure
Assessment data and reports	5 years from assessment date
AI interaction logs	12 months
Authentication and access logs	24 months
Financial and billing records	5 years

8. Security Measures

Technical Measures: JWT-based authentication with token expiry, role-based access control (RBAC), bcrypt password hashing, TLS 1.2+ encryption, database encryption at rest, session management with automatic timeout, and CORS policy restricting API access.

Organisational Measures: Information security policies, staff access limited to role-required data, regular security assessments, incident response procedure, and SOC 2 compliance pathway via DRATA.

9. Your Rights Under POPIA

Right of Access (Section 23): Request confirmation and access to your personal information.
Right to Correction (Section 24): Request correction or deletion of inaccurate information.
Right to Deletion (Section 24): Request deletion where no longer necessary.
Right to Object (Section 11(3)): Object to processing on reasonable grounds.
Right to Withdraw Consent (Section 11(2)): Withdraw previously given consent.
Right Regarding Automated Decision-Making (Section 71): Request human review of AI decisions.

Contact our Information Officer at terry@tisholdings.co.za. We will respond within 30 days.

10. Breach Notification

In accordance with POPIA Section 22, in the event of a security compromise we will notify the Information Regulator and affected data subjects as soon as reasonably possible, document the breach, and take remedial steps.

11. Cookies and Tracking

The Platform currently does not use cookies, third-party tracking scripts, or advertising technologies.

12. Children's Information

The Platform is not directed at children under 18. We do not knowingly collect personal information from children.

13. Changes to This Privacy Policy

Material changes will be communicated via the Platform or email.

14. Complaints

Contact our Information Officer at terry@tisholdings.co.za, or lodge a complaint with the Information Regulator:

Email: inforeg@justice.gov.za
Website: https://inforegulator.org.za
Tel: 012 406 4818

15. Governing Law

This Privacy Policy is governed by the laws of the Republic of South Africa, including POPIA and PAIA.