Kebbir · Legal

POPIA Operator Agreement

Effective 13 July 2026. This agreement forms part of your Kebbir terms of service and is accepted during onboarding.

1. Parties and roles

This agreement is between the business signing up for Kebbir (“you”, the Responsible Party under the Protection of Personal Information Act 4 of 2013 (“POPIA”)) and Kebbir (“we”, the Operator). You determine the purpose and means of processing your customers’ personal information; we process it only on your behalf and on your instructions, as described here.

2. What we process, and why

To provide the service, we process on your behalf: WhatsApp messages sent to your business number, customer names and phone numbers, order details, invoices, and payment status. Processing is limited to capturing orders from conversations, generating invoices, sending them back via WhatsApp, and reconciling payments. We do not use your customers’ personal information for our own purposes.

3. Security and confidentiality (POPIA s20–21)

We secure the integrity and confidentiality of personal information in our possession by taking appropriate, reasonable technical and organisational measures, including: encryption of message data and personal information at rest, strict per-tenant data isolation, and access limited to what is needed to operate the service. Anyone processing personal information under our authority does so only with our authorisation and under a duty of confidentiality.

Raw chat messages are held only in a short-lived encrypted buffer and are automatically and permanently deleted after the processing window. Only structured order data persists.

4. Sub-operators

You authorise us to use the following sub-operators, who process personal information as part of delivering the service:

  • Meta Platforms — WhatsApp Business Cloud API (message transport).
  • Our AI processing provider — extraction of order details from message text.
  • PayFast — payment links and payment notifications.
  • Our hosting and database providers — infrastructure on which the service runs.

We may update this list; material changes will be notified to you, and continued use of the service constitutes acceptance. Each sub-operator is bound by obligations materially similar to ours under this agreement.

5. Security compromise notification (POPIA s22)

If we become aware of reasonable grounds to believe that personal information we process on your behalf has been accessed or acquired by an unauthorised person, we will notify you without undue delay. As Responsible Party, notifying the Information Regulator and affected data subjects is your obligation; we will provide reasonable assistance.

6. Your obligations as Responsible Party

You warrant and undertake that you:

  • have a lawful basis under POPIA to process your customers’ personal information through Kebbir, and comply with all conditions for lawful processing;
  • provide any notices to, and obtain any consents from, your customers that POPIA or WhatsApp’s terms require;
  • are responsible for responding to data subject requests (access, correction, deletion) from your customers — we will provide reasonable assistance;
  • will not use the service to process special personal information or children’s information except as permitted by POPIA;
  • keep your account credentials secure.

7. Instructions and lawfulness

We process personal information only per this agreement and your documented instructions given through the service, unless processing is required by law. Where a law requires us to process otherwise, we will inform you unless that law prohibits it. If we believe an instruction breaches POPIA, we may suspend it and will notify you.

8. Retention and deletion

On termination of your account, or on your written request, we will delete the personal information we hold on your behalf within a reasonable period, except where retention is required by law (e.g. invoice and tax records) or the information has been de-identified.

9. Limitation of liability

To the maximum extent permitted by law: the service is provided “as is” without warranties of any kind, whether express or implied, including fitness for a particular purpose or accuracy of AI-extracted order data — you must review and confirm every order and invoice before it is sent. We are not liable for any indirect, incidental, special, or consequential damages, or loss of profits, revenue, data, or goodwill. Our total aggregate liability arising out of or related to this agreement is limited to the fees you paid to us in the three (3) months preceding the claim. Nothing in this clause limits liability that cannot be excluded under South African law.

10. Indemnity

You indemnify and hold us harmless against any claim, fine, penalty, or loss arising from (a) your breach of POPIA or this agreement, (b) your failure to have a lawful basis for the processing you instruct, (c) content of the messages and orders you or your customers submit, or (d) your dealings with your customers, including disputes over orders, goods, or payments.

11. General

This agreement is governed by the laws of the Republic of South Africa. We may amend it from time to time; the current version is always available at this page and material changes will be notified to you. If any provision is unenforceable, the remainder stays in force. This agreement, together with our terms of service and privacy policy, is the whole agreement between us regarding the processing of personal information.

Questions about this agreement or POPIA? Contact us via your dashboard.

← Back to Kebbir