POPIA Compliance Policy

This policy outlines how FEDSA collects, uses, and protects your personal information in compliance with the South African Protection of Personal Information Act (POPIA).

Federation of Dance Sport South Africa (FEDSA)

PROTECTION OF PERSONAL INFORMATION ACT (POPIA) COMPLIANCE POLICY

---

Document Version: 1.0
Effective Date: March 2026
Last Updated: 11 March 2026
Responsible Party: Federation of Dance Sport South Africa (FEDSA)

---

TABLE OF CONTENTS

1. Introduction
2. Definitions
3. Scope and Application
4. Information Officer Details
5. Categories of Personal Information We Collect
6. Special Personal Information: ID Documents and Passports
7. Purpose and Legal Basis for Processing
8. How We Collect Information
9. Data Storage and Security Measures
10. Third-Party Service Providers
11. Cross-Border Data Transfers
12. Data Retention Periods
13. Your Rights Under POPIA
14. How to Exercise Your Rights
15. Data Deletion Procedures
16. Complaints Procedure
17. Policy Updates
18. Contact Information

---

1. INTRODUCTION

The Federation of Dance Sport South Africa (FEDSA) ("we," "us," or "our") operates the FEDSA Dance Sport Registration Platform ("the Platform"), a comprehensive dance sport management system designed for dance sport competitions, club management, dancer registration, and official coordination in South Africa and internationally.

We are committed to protecting the privacy and personal information of all individuals who use our Platform, including dancers, club administrators, dance sport officials, and competition organizers. This policy demonstrates our compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) of South Africa, as well as international privacy standards.

This policy explains:

  • What personal information we collect and why
  • How we store, process, and protect your data
  • How long we keep your information
  • Your rights regarding your personal data
  • How to request deletion of your information

---

    2. DEFINITIONS

    For the purposes of this policy:

    | Term | Definition |
    | --- | --- |
    | Personal Information | Information relating to an identifiable, living natural person or existing juristic person, including but not limited to name, ID number, email address, phone number, and physical address |
    | Special Personal Information | Personal information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behavior |
    | Data Subject | The person to whom personal information relates (you, the user) |
    | Responsible Party | The entity that determines the purpose and means of processing personal information (FEDSA) |
    | Operator | A person or entity that processes personal information on behalf of the responsible party |
    | Processing | Any operation concerning personal information, including collection, storage, use, dissemination, and deletion |
    | Consent | Any voluntary, specific, and informed expression of will regarding the processing of personal information |
    | ID Document | South African identity document, passport, or any other government-issued identification |
    | Platform | The FEDSA Dance Sport Registration Platform and all associated services |

    ---

    3. SCOPE AND APPLICATION

    This policy applies to:

    3.1 Categories of Data Subjects


  • Dancers: Individual dance sport competitors registered on the Platform

  • Club Administrators: Individuals managing dance clubs, studios, or organizations

  • Dance Sport Officials: Adjudicators, Chairpersons, Music Operators, Compères, Scrutineers, and Administrators

  • Competition Organizers: Individuals responsible for organizing dance sport events

  • System Administrators: Platform administrators with elevated access rights

    3.2 Categories of Personal Information

    All personal information collected, stored, processed, and shared through the Platform, with special attention to:

  • Identity documents and passports
  • Contact information
  • Authentication credentials
  • Competition participation records
  • Banking details (for competition organizers)

    ---

    4. INFORMATION OFFICER DETAILS

    In accordance with Section 55 of POPIA, we have designated the following Information Officer:

    | Role | Details |
    | --- | --- |
    | Information Officer | Mr Morris Ndlovu |
    | Deputy Information Officer | [To be appointed] |
    | Contact Email | info@danceinsportsa.co.za |
    | Information Officer Email | secretariat@danceinsportsa.co.za |
    | Physical Address | Suite 246, P/Bag X0001, Ballito, 4420 |
    | Registration with Information Regulator | [Registration Number to be inserted] |

    ---

    5. CATEGORIES OF PERSONAL INFORMATION WE COLLECT

    5.1 All Users

    | Category | Information Collected | Purpose |
    | --- | --- | --- |
    | Identity | Full name, Surname | User identification and verification |
    | Authentication | Email address, Password (encrypted) | Account access and security |
    | Contact | Phone number, Physical address | Communication and verification |
    | Access Control | User role, Province/region access | Authorization and permissions |
    | Identification | ID/Passport number, ID document (scan) | Identity verification for competition eligibility |

    5.2 Dancers

    | Category | Information Collected | Purpose |
    | --- | --- | --- |
    | Identity | Name, Surname, Passport/ID number | Registration and age verification |
    | Demographics | Date of birth (year), Age group | Age-appropriate competition categorization |
    | Competition | Role (Leader/Follower), Event entries | Competition management and pairing |
    | Affiliation | Studio/Club association | Club membership verification |
    | Documents | ID document scan | Age and identity verification |

    5.3 Club Administrators

    | Category | Information Collected | Purpose |
    | --- | --- | --- |
    | Club Information | Club name, Country, Province, Address | Club registration and management |
    | Contact Person | Name, Surname, ID number, Address | Primary contact and accountability |
    | Access | Username, Password, Access permissions | Platform access and authorization |
    | Documents | ID document scan | Verification of contact person |

    5.4 Dance Sport Officials

    | Category | Information Collected | Purpose |
    | --- | --- | --- |
    | Identity | Name, Surname, ID/Passport number | Official registration and verification |
    | Location | Country, Province, Address | Regional assignment and travel |
    | Contact | Phone number, Email | Communication and coordination |
    | Qualifications | Official types (Adjudicator, Chair, Music, Compere, Scrutineer, Admin) | Role assignment and accreditation |
    | Documents | ID document scan | Credential verification |

    5.5 Competition Organizers

    | Category | Information Collected | Purpose |
    | --- | --- | --- |
    | Banking Details | Bank name, Branch name, Branch code, Account number | Competition fee payments |
    | Contact | Contact name, Email, Phone | Competition coordination |

    ---

    6. SPECIAL PERSONAL INFORMATION: ID DOCUMENTS AND PASSPORTS

    We recognize that identity documents and passports contain sensitive personal information. This section details our specific handling procedures.

    6.1 Why We Collect ID Documents

    ID documents and passports are collected for legitimate purposes in the dance sport industry:

    1. Age Verification: To ensure dancers compete in correct age categories as per dance sport federation rules
    2. Identity Verification: To confirm the identity of competitors, officials, and administrators
    3. Competition Eligibility: To verify citizenship/residency status for national and international competitions
    4. Anti-Fraud Prevention: To prevent identity fraud and ensure fair competition
    5. Regulatory Compliance: To meet requirements of national and international dance sport governing bodies

    6.2 Legal Basis for Processing ID Documents

    The processing of ID documents is justified under POPIA on the following grounds:

    | POPIA Condition | Application |
    | --- | --- |
    | Consent (Section 11(1)(a)) | Users explicitly consent to ID document collection during registration |
    | Contract (Section 11(1)(b)) | ID verification is necessary for competition registration contracts |
    | Legal Obligation (Section 11(1)(c)) | Dance sport federation rules require age and identity verification |
    | Legitimate Interests (Section 11(1)(f)) | Preventing fraud and ensuring fair competition |

    6.3 ID Document Processing Procedure


    When you upload an ID document or passport:

    1. Upload: Document is uploaded via secure HTTPS connection
    2. File Validation: System verifies file type (JPEG, PNG, PDF) and size (maximum 5MB)
    3. Storage: Document is stored in a private, non-public cloud storage bucket
    4. Path Protection: File path includes your unique user ID for ownership verification
    5. AI Processing: Google Gemini AI may extract name, surname, ID number, and date of birth for form pre-population
    6. Human Access: Only authorized administrators can view uploaded documents

    6.4 ID Document Security Measures

    | Security Measure | Implementation |
    | --- | --- |
    | Storage Access | Private bucket - no public URL access |
    | User Isolation | Each user's documents stored in separate folder |
    | File Validation | Type and size restrictions enforced |
    | Deletion Verification | Users can only delete their own documents |
    | Access Logging | All access attempts are logged |

    6.5 What We Extract from ID Documents


    When you use our automated ID scanning feature, we extract ONLY the following information:

  • First name(s)
  • Surname
  • ID/Passport number
  • Year of birth

    We do NOT extract or store:

  • Biometric data (photographs, fingerprints)
  • Address information from documents
  • Gender or marital status
  • Any other information visible on the document

    6.6 Third-Party Processing of ID Documents


    Your ID document image may be processed by Google Gemini AI (operated by Google LLC) for optical character recognition (OCR) purposes. This processing:

  • Occurs on Google's secure servers
  • Is used solely for extracting the limited data listed above
  • Is subject to Google's privacy and security policies
  • May involve cross-border data transfer (see Section 11)

    Your Consent: By using the ID scanning feature, you consent to this third-party processing.

    ---

    7. PURPOSE AND LEGAL BASIS FOR PROCESSING

    7.1 Purposes of Processing


    We process personal information for the following purposes:

    | Purpose | Description |
    | --- | --- |
    | Account Management | Creating and managing user accounts, authentication, and access control |
    | Competition Registration | Registering dancers and officials for dance sport competitions |
    | Age Verification | Verifying age categories for fair competition |
    | Club Management | Managing dance club memberships and registrations |
    | Official Accreditation | Processing and verifying dance sport official credentials |
    | Communication | Sending competition updates, registration confirmations, and platform notifications |
    | Payment Processing | Processing competition fees and managing financial transactions |
    | Compliance | Meeting legal and regulatory requirements of dance sport governing bodies |
    | Security | Preventing fraud, identity theft, and unauthorized access |
    | Platform Improvement | Improving our services and user experience |

    7.2 Legal Basis Under POPIA

    | Processing Activity | POPIA Legal Basis |
    | --- | --- |
    | User registration | Consent (Section 11(1)(a)) and Contract (Section 11(1)(b)) |
    | Authentication | Contract (Section 11(1)(b)) and Legitimate Interest (Section 11(1)(f)) |
    | Competition registration | Contract (Section 11(1)(b)) and Legal Obligation (Section 11(1)(c)) |
    | Age verification | Legal Obligation (Section 11(1)(c)) and Legitimate Interest (Section 11(1)(f)) |
    | ID document processing | Consent (Section 11(1)(a)) and Legal Obligation (Section 11(1)(c)) |
    | Communication | Consent (Section 11(1)(a)) and Contract (Section 11(1)(b)) |
    | Banking details | Contract (Section 11(1)(b)) |
    | Security measures | Legitimate Interest (Section 11(1)(f)) and Legal Obligation (Section 11(1)(c)) |

    ---

    8. HOW WE COLLECT INFORMATION


    8.1 Direct Collection


    We collect personal information directly from you when:
  • You create an account on the Platform
  • You register as a dancer, club, or official
  • You upload ID documents or passports
  • You register for events
  • You update your profile information
  • You contact our support team

    8.2 Automated Collection

    We automatically collect:

  • Login timestamps and session information
  • IP addresses for security purposes
  • Browser and device information
  • Platform usage patterns

    8.3 Third-Party Sources

    We may receive information from:

  • Dance sport federations and associations
  • Competition organizers
  • Other Platform users (e.g., club administrators registering dancers)

    ---

    9. DATA STORAGE AND SECURITY MEASURES


    9.1 Data Storage Location

    | Data Type | Storage Location | Provider |
    | --- | --- | --- |
    | Database Records | Supabase PostgreSQL Cloud Database | Supabase Inc. |
    | ID Documents | Supabase Storage (Private Bucket) | Supabase Inc. |
    | Authentication Tokens | User's device (browser storage) | Local |
    | Backup Data | Secure cloud backup | Supabase Inc. |

    9.2 Technical Security Measures


    We implement the following technical security measures:

    | Security Measure | Description |
    | --- | --- |
    | Encryption in Transit | All data transmitted via HTTPS/TLS 1.2+ encryption |
    | Password Hashing | Passwords are hashed using SHA-256 and bcrypt algorithms - never stored in plain text |
    | JWT Authentication | Secure JSON Web Token authentication with 7-day expiry |
    | Row Level Security | Database-level access controls ensuring users can only access authorized data |
    | Role-Based Access Control | Three-tier access system (Administrator, Official, Clubhead) with defined permissions |
    | File Validation | Strict file type (JPEG, PNG, PDF) and size (5MB max) restrictions |
    | User Isolation | Each user's data stored separately; users can only access/modify their own data |
    | Access Logging | System access and operations are logged for audit purposes |

    9.3 Organizational Security Measures

    | Measure | Implementation |
    | --- | --- |
    | Access Restrictions | Only authorized personnel can access personal information |
    | Training | Staff trained on POPIA compliance and data protection |
    | Policies | Internal data protection policies and procedures |
    | Incident Response | Data breach response procedures in place |

    9.4 Security Certifications


    Our primary service provider (Supabase) maintains the following certifications:
  • SOC 2 Type II compliance
  • GDPR compliance
  • ISO 27001 certification (where applicable)

    ---

    10. THIRD-PARTY SERVICE PROVIDERS


    10.1 List of Operators


    We use the following third-party service providers who may have access to your personal information:

    | Provider | Purpose | Data Accessed | Location |
    | --- | --- | --- | --- |
    | Supabase Inc. | Database and file storage | All personal information stored in Platform | United States/EU |
    | Google LLC (Gemini AI) | ID document OCR processing | ID document images, extracted data | United States |

    10.2 Operator Agreements


    We have entered, or will enter, into written agreements with all operators that:

  • Limit processing to our instructions
  • Ensure appropriate security measures
  • Prohibit unauthorized disclosure
  • Require deletion of data upon termination

    10.3 Google Gemini AI Processing


    When you use our ID document scanning feature:
  • Your ID document image is sent to Google's Gemini AI API
  • Google processes the image to extract limited information
  • This processing is necessary for automated form completion
  • You can opt to manually enter information instead

    ---

    11. CROSS-BORDER DATA TRANSFERS


    11.1 Transfers Outside South Africa


    Your personal information may be transferred to and processed in the following countries:

    | Country | Purpose | Legal Basis for Transfer |
    | --- | --- | --- |
    | United States | Supabase database/storage, Google Gemini AI processing | Adequate safeguards (Standard Contractual Clauses) |
    | European Union | Supabase backup and redundancy | Adequate protection (GDPR compliance) |

    11.2 Protections for Cross-Border Transfers


    We ensure adequate protection for cross-border transfers through:

  • Standard Contractual Clauses with service providers
  • Service provider compliance with GDPR (for EU transfers)
  • Data processing agreements with all operators
  • Regular audits of service provider security

    11.3 Your Consent


    By using the Platform, you acknowledge and consent to the cross-border transfer of your personal information as described in this section.

    ---

    12. DATA RETENTION PERIODS


    12.1 Retention Schedule


    We retain personal information for the following periods:

    | Data Category | Retention Period | Reason |
    | --- | --- | --- |
    | User Accounts | Duration of account + 2 years | Account management, legal compliance |
    | ID Documents | Duration of account + 1 year | Verification, audit purposes |
    | Competition Records | 7 years from competition date | Regulatory requirements, historical records |
    | Financial/Banking Details | 5 years from last transaction | Tax and financial regulations |
    | Authentication Logs | 1 year | Security and audit purposes |
    | Deletion Requests | 3 years | Legal compliance records |

    12.2 Data Retention Principles


  • We do not retain personal information longer than necessary
  • Data is reviewed periodically for deletion eligibility
  • Anonymized/aggregated data may be retained indefinitely
  • Legal hold requirements may extend retention periods

    ---

    13. YOUR RIGHTS UNDER POPIA


    As a data subject, you have the following rights under POPIA:

    13.1 Right to Access

    You have the right to request:

  • Confirmation that we process your personal information
  • A description of the personal information we hold
  • The identity of third parties who have accessed your information

    13.2 Right to Correction

    You have the right to request:

  • Correction of inaccurate personal information
  • Addition of missing information
  • Deletion of obsolete information

    13.3 Right to Deletion

    You have the right to request:

  • Deletion of your personal information
  • Withdrawal of consent for processing
  • Destruction of records no longer necessary

    13.4 Right to Object

    You have the right to object to:

  • Processing of your personal information
  • Direct marketing communications
  • Automated decision-making

    13.5 Right to Complain

    You have the right to lodge a complaint with:

  • Our Information Officer
  • The Information Regulator of South Africa

    ---

    14. HOW TO EXERCISE YOUR RIGHTS


    14.1 Submitting a Request


    To exercise any of your rights, you may contact us:

    Email: info@danceinsportsa.co.za

    Subject Line: "POPIA Request - [Type of Request]"

    Include:

  • Your full name
  • Your registered email address
  • The specific right you wish to exercise
  • Details of your request

    14.2 Response Timeline

    | Request Type | Response Time |
    | --- | --- |
    | Access Request | Within 30 days |
    | Correction Request | Within 30 days |
    | Deletion Request | Within 30 days |
    | Objection to Processing | Within 30 days |

    14.3 Verification


    For security purposes, we may require verification of your identity before processing your request. This may include:

  • Confirmation of registered email
  • Copy of ID document
  • Security questions

    14.4 Fees


    We may charge a reasonable fee for:

  • Extensive access requests requiring significant resources
  • Repetitive or manifestly unfounded requests
  • Requests requiring data compilation in specific formats

    ---

    15. DATA DELETION PROCEDURES


    15.1 Account Deletion


    Upon your request to delete your account:

    1. Verification: We verify your identity and ownership of the account
    2. Confirmation: We send confirmation that deletion has been requested
    3. Access Revocation: Your access to the Platform is immediately revoked
    4. Data Deletion: Your personal information is deleted from:
       - User database tables
       - ID document storage
       - Access permission tables
       - Session and authentication records
    5. Retention: Limited records may be retained for legal compliance (see Section 12)
    6. Confirmation: You receive final confirmation of deletion completion

    15.2 ID Document Deletion


    When you delete an ID document:

  • Document is immediately removed from storage
  • Database references to the document are cleared
  • Document cannot be recovered after deletion
  • You can only delete documents associated with your account

    15.3 Data Deletion Limitations


    We may be unable to delete certain information where:

  • Legal obligations require retention
  • Information is required for pending legal proceedings
  • Anonymization is more appropriate than deletion
  • Other users' data would be affected

    ---

    16. COMPLAINTS PROCEDURE


    16.1 Internal Complaints


    If you believe your privacy rights have been violated:

    1. Contact Us: Email info@danceinsportsa.co.za with details of your complaint
    2. Investigation: Our Information Officer will investigate within 14 days
    3. Response: You will receive a written response within 30 days
    4. Resolution: We will take appropriate corrective action if warranted

    16.2 External Complaints


    If you are not satisfied with our response, you may lodge a complaint with:

    The Information Regulator of South Africa

    | Contact Method | Details |
    | --- | --- |
    | Physical Address | JDG House, 1st Floor, 126 Prinsloo Street, Pretoria, 0002 |
    | Postal Address | P.O. Box 31533, Braamfontein, Johannesburg, 2017 |
    | Email | inforeg@justice.gov.za |
    | Website | www.justice.gov.za/inforeg |

    ---

    17. POLICY UPDATES


    17.1 Notification of Changes


    We may update this policy from time to time. We will notify you of significant changes by:

  • Email notification to registered email addresses
  • Prominent notice on the Platform
  • Updated "Last Updated" date on this policy

    17.2 Continued Use


    Your continued use of the Platform after policy changes constitutes acceptance of the updated policy.

    ---

    18. CONTACT INFORMATION


    18.1 General Privacy Inquiries

    | Contact Method | Details |
    | --- | --- |
    | Email | info@danceinsportsa.co.za |
    | Subject Line | "Privacy Inquiry" |

    18.2 Information Officer

    | Contact Method | Details |
    | --- | --- |
    | Email | secretariat@danceinsportsa.co.za |
    | Physical Address | Suite 246, P/Bag X0001, Ballito, 4420 |

    18.3 Data Protection Inquiries


    For specific questions about:

  • ID document handling: id-documents@danceinsportsa.co.za
  • Account deletion: deletion@danceinsportsa.co.za
  • Security concerns: security@danceinsportsa.co.za

    ---

    APPENDIX A: DATA FLOW DIAGRAM

    ```
    ┌─────────────────────────────────────────────────────────────────┐
    │                        USER INTERACTION                         │
    │  (Registration, Profile Update, ID Upload, Competition Entry)   │
    └─────────────────────────────────────────────────────────────────┘


    ┌─────────────────────────────────────────────────────────────────┐
    │                         FEDSA PLATFORM                          │
    │  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────────┐  │
    │  │   Next.js   │  │     API     │  │     Authentication      │  │
    │  │  Frontend   │◄─┤   Routes    │◄─┤  (JWT, Password Hash)   │  │
    │  └─────────────┘  └─────────────┘  └─────────────────────────┘  │
    └─────────────────────────────────────────────────────────────────┘
             │                                  │
             │                                  │
             ▼                                  ▼
    ┌─────────────────┐   ┌───────────────────────────────────────────┐
    │  GOOGLE GEMINI  │   │                 SUPABASE                  │
    │       AI        │   │ ┌─────────────┐   ┌─────────────────────┐ │
    │  (OCR Service)  │   │ │ PostgreSQL  │   │   Storage Bucket    │ │
    │                 │   │ │ Database    │   │   (ID Documents)    │ │
    │ Processes:      │   │ │             │   │                     │ │
    │ - ID Images     │   │ │ Stores:     │   │ Stores:             │ │
    │ - Extracts      │   │ │ - Users     │   │ - ID Scans          │ │
    │   limited data  │   │ │ - Dancers   │   │ - Passports         │ │
    │                 │   │ │ - Clubs     │   │ - Documents         │ │
    │                 │   │ │ - Officials │   │                     │ │
    │                 │   │ │ - Calendar  │   │ Access: Private     │ │
    │                 │   │ │ - Entries   │   │ (Non-Public)        │ │
    └─────────────────┘   │ └─────────────┘   └─────────────────────┘ │
                          └───────────────────────────────────────────┘
    ```

    ---

    APPENDIX B: POPIA COMPLIANCE CHECKLIST

    | POPIA Requirement | Status | Reference |
    | --- | --- | --- |
    | Appoint Information Officer | ☑ Completed | Section 4 |
    | Register with Information Regulator | ☐ Pending | Section 4 |
    | Conduct impact assessment | ☑ Completed | This document |
    | Define processing purposes | ☑ Completed | Section 7 |
    | Identify legal basis | ☑ Completed | Section 7.2 |
    | Implement security measures | ☑ Completed | Section 9 |
    | Create operator agreements | ☐ Pending | Section 10 |
    | Establish data retention policy | ☑ Completed | Section 12 |
    | Enable data subject rights | ☑ Completed | Sections 13-15 |
    | Create complaints procedure | ☑ Completed | Section 16 |
    | Cross-border transfer safeguards | ☑ Completed | Section 11 |
    | Privacy policy publication | ☐ Pending | This document |

    ---

    APPENDIX C: GLOSSARY OF TECHNICAL TERMS

    | Term | Plain Language Explanation |
    | --- | --- |
    | HTTPS | Secure encrypted connection between your browser and our servers |
    | JWT | A secure digital "key" that proves who you are without storing your password |
    | SHA-256/bcrypt | Methods of scrambling passwords so even we cannot see your actual password |
    | Row Level Security | Database feature that ensures you can only see your own data |
    | OCR | Technology that reads text from images (like scanning an ID document) |
    | Cloud Storage | Secure remote servers where your data is stored, accessible only with proper authorization |
    | Private Bucket | A secure storage area that cannot be accessed by anyone without specific permissions |

    ---

    END OF DOCUMENT

    ---

    This POPIA Compliance Policy is a living document and will be updated as our practices evolve or as regulatory requirements change.

    Document Control:

  • Created: 11 March 2026
  • Created By: Federation of Dance Sport South Africa (FEDSA)
  • Approved By: [Information Officer Name]
  • Next Review Date: March 2027

    Last Updated: March 2026 | Federation of Dance Sport South Africa